
goklab/guardvibe

v3.0.45 Maintenance

This release keeps dependencies and maintenance posture current for teams operating this tool.

Published 1mo MCP Security & Auth
✓ No known CVEs patched

Topics

ai-security claude clerk cursor cve drizzle gemini-cli-extension hono mcp nextjs owasp prisma static-analysis security stripe supabase supply-chain typescript vercel vibe-coding

Affected surfaces

deps

Summary

AI summary

The CVE version-pin rules VG900–VG931 are now skipped in lock files to eliminate false positives.

Full changelog
  • All 32 CVE version-pin rules (VG900-VG931) now skipped in lock files: package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json.
  • Lock files contain transitive peer-dependency ranges from sub-packages (e.g. some dependency declares peerDependencies.next: '>=13.2.0'). The CVE rules' regexes correctly match those range strings, but they describe what a sub-package will accept, not what is actually installed; reporting them as critical produced false positives even after the top-level Next.js was patched.
  • Validated against three personal Next.js + Clerk + Supabase apps after a Next.js 16.2.3 upgrade: VG900/VG902 lock-file noise cleared; no regressions on dvna/NodeGoat/juice-shop/nodejs-goof/cal, and dub also benefits (348→344).
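
The false positive described in the changelog, reproduced as an added example (not guardvibe's own code). The regex, the version floor, the `some-plugin` package and the sample lock file are constructed for illustration and do not correspond to any VG9xx rule or real advisory.

```javascript
// Added example; the rule regex and FLOOR are hypothetical, not guardvibe's rules.
const LOCK_FILES = new Set(["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json"]);
const FLOOR = [15, 0, 0]; // constructed "first fixed" version, not a real advisory boundary

// First x.y.z found in a version or range string, as numbers.
const parse = (s) => (s.match(/\d+\.\d+\.\d+/) || ["0.0.0"])[0].split(".").map(Number);
const below = (v, floor) => {
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] < floor[i];
  return false;
};

// Constructed lockfileVersion 3 sample: next 16.2.3 is installed, and one
// sub-package declares a wide peer range that says nothing about what is installed.
const SAMPLE_LOCK = JSON.stringify({
  name: "app", lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^16.2.3", "some-plugin": "^1.0.0" } },
    "node_modules/next": { version: "16.2.3" },
    "node_modules/some-plugin": { version: "1.0.0", peerDependencies: { next: ">=13.2.0" } },
  },
}, null, 2);

// Text-level version-pin rule: flags any "next": "<spec>" whose first version is below FLOOR.
function regexPinFindings(text) {
  const hits = [];
  for (const m of text.matchAll(/"next":\s*"([^"]+)"/g))
    if (below(parse(m[1]), FLOOR)) hits.push(m[1]);
  return hits;
}

// The behaviour this release describes: version-pin rules do not run on lock files.
function scan(fileName, text) {
  return LOCK_FILES.has(fileName.split("/").pop()) ? [] : regexPinFindings(text);
}

// Alternative check (assumption, not from the changelog): read the resolved version.
function installedIsBelowFloor(text, pkg = "next") {
  const entry = JSON.parse(text).packages?.[`node_modules/${pkg}`];
  return entry ? below(parse(entry.version), FLOOR) : false;
}

console.log("raw rule on lock text:", regexPinFindings(SAMPLE_LOCK));
console.log("with lock-file skip:", scan("package-lock.json", SAMPLE_LOCK));
console.log("installed below floor:", installedIsBelowFloor(SAMPLE_LOCK));
```

The raw rule reports the peer range even though the installed version is 16.2.3, while the same rule still fires on a `package.json` that pins an old version directly.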


About goklab/guardvibe

Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
