GHSA-59f3-7227-wmh4: @hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails

May 21, 2026

Impact: @hulumi/policies versions before 1.3.2 used stack-wide evidence shortcuts in several Cloudflare and deployment-governance validators. Unrelated compliant-looking evidence could suppress violations for different zones, hostnames, origins, or repositories in the same stack.

Patched in 1.3.2: validators now correlate evidence to the specific protected resource and include regression coverage for unrelated-evidence bypasses.

Remediation: upgrade @hulumi/policies to 1.3.2 or later.

References

github.com/advisories/GHSA-59f3-7227-wmh4
github.com/kerberosmansour/hulumi/security/advisories/GHSA-59f3-7227-wmh4

Code Behaviors & Features

Detect and mitigate GHSA-59f3-7227-wmh4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →