This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+14 more
Affected surfaces
Summary
AI summaryServer Action syntax now requires explicit return token before query calls.
Full changelog
- VG412 (Server Action returns full DB object): require explicit
returntoken before findUnique/findFirst/findMany within 80 chars — internal-lookup-then-return-{success,error} actions no longer flagged - VG100 (insecure cookie config): pattern uses
[ \t]instead of\sto prevent cross-line match (a comment ending in 'cookie' followed by Next.jscookies().set(...)no longer fires); word-boundary on barecookieexcludescookies; rule added to test-file skip list - VG961 (z.any/z.unknown): added batch-script and cron-route skip (
tb.buildPipe({ data: z.any() })and migration scripts no longer flagged)
Breaking Changes
- Server Action syntax mandates an explicit `return` token before `findUnique`, `findFirst`, and `findMany` calls.
Security Fixes
- VG100 – Cookie configuration rule now uses `[ \t]` instead of `\s` to prevent cross-line matches, avoiding false positives on comments containing 'cookie'.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
Related context
Beta — feedback welcome: [email protected]