Advisories for Npm/@Hulumi/Policies package

Impact: @hulumi/policies versions before 1.3.2 used stack-wide evidence shortcuts in several Cloudflare and deployment-governance validators. Unrelated compliant-looking evidence could suppress violations for different zones, hostnames, origins, or repositories in the same stack. Patched in 1.3.2: validators now correlate evidence to the specific protected resource and include regression coverage for unrelated-evidence bypasses. Remediation: upgrade @hulumi/policies to 1.3.2 or later.

Impact: @hulumi/policies versions before 1.3.2 could accept spoofed SecureBucket parent evidence for HULUMI-H1, allowing policy evaluation to miss an unsafe bucket shape. Patched in 1.3.2: the validator now correlates evidence to the expected component/resource relationship and includes regression coverage. Remediation: upgrade @hulumi/policies to 1.3.2 or later.

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in G_OIDC_1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions. Remediation: upgrade @hulumi/policies to 1.3.2 or later.

Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation. Patched in 1.3.2: the validator inspects the affected policy shapes and includes regression tests. Remediation: upgrade @hulumi/policies to 1.3.2 or later.