js · @hulumi/policies · Critical
@hulumi/policies <1.4.0 URN Spoofing Vulnerability
What changed
A security vulnerability in @hulumi/policies <1.4.0 allowed URN substring matching to be spoofed via developer-controlled logical names, bypassing hardening checks. Fixed in 1.4.0 by parsing URNs structurally.
Who it affects
Consumers using @hulumi/policies <1.4.0 who rely on policy rules for aws:s3:Bucket, github:Repository, cloudflare:Zone, cloudflare:DnsRecord, and similar resources.
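The difference between substring matching and structural parsing described under "What changed", as an added example that is not code from @hulumi/policies. It assumes the Pulumi-style layout `urn:pulumi:<stack>::<project>::<type chain>::<name>`; the function names and sample URNs are constructed for illustration.

```javascript
// Added illustration; not code from @hulumi/policies.
// Assumed URN layout: urn:pulumi:<stack>::<project>::<type chain>::<name>
// (<type chain> = parent types joined by "$", the resource's own type last).

// Weak check: searches the whole URN, including the developer-chosen name.
function matchesTypeBySubstring(urn, type) {
  return urn.includes(type);
}

// Structural parse: take exactly three "::"-terminated fields from the left;
// everything after them is the name, so a "::" inside a name cannot shift fields.
function parseUrn(urn) {
  const prefix = "urn:pulumi:";
  if (typeof urn !== "string" || !urn.startsWith(prefix)) return null;
  const fields = [];
  let pos = prefix.length;
  for (let i = 0; i < 3; i++) {
    const sep = urn.indexOf("::", pos);
    if (sep === -1) return null;
    fields.push(urn.slice(pos, sep));
    pos = sep + 2;
  }
  const [stack, project, typeChain] = fields;
  const name = urn.slice(pos);
  if (!stack || !project || !typeChain || !name) return null;
  const type = typeChain.split("$").pop();
  return { stack, project, type, name };
}

// Hardened check: compare only the parsed type field; unparseable URNs never match.
function matchesTypeStructurally(urn, type) {
  const parsed = parseUrn(urn);
  return parsed !== null && parsed.type === type;
}

// Constructed sample URNs (not taken from any real stack).
const SAMPLES = [
  "urn:pulumi:prod::app::aws:s3:Bucket::logs",
  "urn:pulumi:prod::app::example:util:Marker::aws:s3:Bucket::logs",
  "urn:pulumi:prod::app::example:Group$aws:s3:Bucket::assets",
];

function compare(type) {
  return SAMPLES.map((urn) => ({
    urn,
    substring: matchesTypeBySubstring(urn, type),
    structural: matchesTypeStructurally(urn, type),
  }));
}
```

Only the second sample differs between the two checks: its type field is `example:util:Marker`, and the bucket type token appears solely in the logical name.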
What to do today
Upgrade to @hulumi/policies@1.4.0 immediately.