Hello,
This is not really a bug in hidden-string library, I just wanted to point out that when xdebug extension is enabled, it simply ignores __debugInfo() and dumps HiddenString object. Consider the following snippet:

require_once realpath(dirname(__DIR__)) . '/vendor/autoload.php';

$hs = new \ParagonIE\HiddenString\HiddenString('some string');
var_dump($hs); 

Output with xdebug enabled:

class ParagonIE\HiddenString\HiddenString#4 (3) {
  protected string $internalStringValue =>
  string(11) "some string"
  protected bool $disallowInline =>
  bool(true)
  protected bool $disallowSerialization =>
  bool(true)
}

Output with xdebug disabled:

object(ParagonIE\HiddenString\HiddenString)#4 (2) {
  ["internalStringValue"]=>
  string(1) "*"
  ["attention"]=>
  string(82) "If you need the value of a HiddenString, invoke getString() instead of dumping it."
}

Maybe it's good idea to point out that in documentation, or better, just throw an exception if extension is enabled. Maintener
of Xdebug state's that this is intended behavior and won't be changed.
I know that this fact is pointed out in HiddenString::__debugInfo() method comments, but not everyone reads the code :)

Thanks for reporting this. Our clients don't use Xdebug in production, so we haven't encountered this problem.