GHSA-g43v-9x7q-83pq: @hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass
Impact: @hulumi/policies versions before 1.3.2 could accept spoofed SecureBucket parent evidence for HULUMI-H1, so policy evaluation could miss an unsafe bucket configuration that the rule is meant to flag.
Patched in 1.3.2: the validator now correlates the evidence with the expected component/resource relationship instead of trusting the claimed parent, and the release includes regression coverage for this case.
Remediation: upgrade @hulumi/policies to 1.3.2 or later.
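The bug class described above, as an added example that is not code from @hulumi/policies: a check that exempts a bucket because its evidence merely claims a SecureBucket parent, beside a corrected check that resolves the parent from the resource graph. All types, URNs and function names are assumptions.

```typescript
// Added illustration of the HULUMI-H1 bug class. The types, URNs and function
// names are hypothetical and are not the @hulumi/policies API.
interface Resource { urn: string; type: string; parent?: string; publicRead: boolean }
// Evidence supplied with a resource; claimedParentType is caller-controlled.
interface Evidence { bucketUrn: string; claimedParentType: string }
type Verdict = "pass" | "violation";
type Graph = Map<string, Resource>;

// Pre-1.3.2 shape of the flaw: any bucket whose evidence merely claims a
// SecureBucket parent is exempted, so a public bucket can opt out of H1.
function h1Spoofable(ev: Evidence, graph: Graph): Verdict {
  const bucket = graph.get(ev.bucketUrn);
  if (!bucket) return "violation";
  if (ev.claimedParentType === "hulumi:SecureBucket") return "pass";
  return bucket.publicRead ? "violation" : "pass";
}

// Corrected shape: the parent is resolved from the resource graph itself and the
// exemption applies only when that real parent is a SecureBucket; the claim is ignored.
function h1Correlated(ev: Evidence, graph: Graph): Verdict {
  const bucket = graph.get(ev.bucketUrn);
  if (!bucket) return "violation";
  const parent = bucket.parent === undefined ? undefined : graph.get(bucket.parent);
  if (parent !== undefined && parent.type === "hulumi:SecureBucket") return "pass";
  return bucket.publicRead ? "violation" : "pass";
}

// Constructed graph: bucket a is public under a plain component; bucket b is
// public but genuinely created by a SecureBucket component.
function sampleGraph(): Graph {
  return new Map<string, Resource>([
    ["urn:comp:plain", { urn: "urn:comp:plain", type: "my:Component", publicRead: false }],
    ["urn:comp:secure", { urn: "urn:comp:secure", type: "hulumi:SecureBucket", publicRead: false }],
    ["urn:bucket:a", { urn: "urn:bucket:a", type: "aws:s3:Bucket", parent: "urn:comp:plain", publicRead: true }],
    ["urn:bucket:b", { urn: "urn:bucket:b", type: "aws:s3:Bucket", parent: "urn:comp:secure", publicRead: true }],
  ]);
}

// Runs both validators on a spoofed claim for bucket a and an honest one for bucket b.
function evaluate(): Record<string, Verdict> {
  const g = sampleGraph();
  const spoofed: Evidence = { bucketUrn: "urn:bucket:a", claimedParentType: "hulumi:SecureBucket" };
  const honest: Evidence = { bucketUrn: "urn:bucket:b", claimedParentType: "hulumi:SecureBucket" };
  return {
    spoofableOnSpoofed: h1Spoofable(spoofed, g),   // "pass": the claim alone exempts the bucket
    correlatedOnSpoofed: h1Correlated(spoofed, g), // "violation": real parent is not a SecureBucket
    correlatedOnHonest: h1Correlated(honest, g),   // "pass": genuine SecureBucket child
  };
}
```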