This release includes 4 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
+14 more
Affected surfaces
Summary
AI summaryAuto-fix expansion removes several SDK flags and public‑prefix LLM key prefixes.
Full changelog
- Auto-fix expansion: structured edits for browser-mode AI SDK flag removal (VG874/VG998/VG1023), raw-HTML React prop → ReactMarkdown (VG1031), agent loop maxSteps cap (VG1033), sandbox bypass flag removal (VG1036), and public-prefix LLM key removal extended to VITE_/EXPO_PUBLIC_/REACT_APP_/GATSBY_/NUXT_PUBLIC_ (VG1028)
- New patch templates for SQL injection, CSRF, security headers, rate limiting, path traversal, bcrypt, JSON.parse migration (VG003/VG010/VG014/VG030/VG042/VG060/VG101/VG123/VG144/VG145/VG155/VG1012/VG1033/VG1036)
- Tests 1446/1446. Self-audit PASS / A / 100
Breaking Changes
- Removed browser-mode AI SDK flags VG874, VG998, VG1023.
- Removed raw-HTML React prop; use ReactMarkdown instead (VG1031).
- Removed sandbox bypass flag (VG1036).
- Removed public‑prefix LLM key prefixes VITE_, EXPO_PUBLIC_, REACT_APP_, GATSBY_, NUXT_PUBLIC_ (VG1028).
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
Related context
Beta — feedback welcome: [email protected]