✓ No known CVEs patched in this version
Summary
Added several rule exclusions and expanded file-type recognition for static literals, prototype pollution, batch scripts, migrations, and test files.
Full changelog
- VG1021 (AI Tool Schema Enum from User Input): skip when the variable is declared as a static literal array (`const X = [...]` / `as const`) elsewhere in the file
- VG103 (Prototype pollution merge/extend): word boundary on the `\bbody\b` / `\bparams\b` triggers; `paramSchemaExtension` no longer matches via the `params` substring
- VG124 (Math.random for tokens): added to the batch-script skip; `isBatchScriptFile` regex extended to include `benchmarks?/`
- VG543 (SQL stacked queries): `isMigrationFile` extended to cover `drizzle/` and `migrate/` (verb form) directories
- VG003 (Cloud API key): added to the test-file skip; `isTestFile` extended to cover `_test.go$`, `/dockertest/`, `/testutil/`, `/testhelpers?/`, `/testfixtures?/`
- unkey (Hono + Drizzle + Cloudflare Workers) onboarded as a new test repo; unkey 227→153 (-74)
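To make the new exclusions concrete, here is an added example (not guardvibe's own code) that reconstructs the path classifiers and the VG1021 static-literal check from the regex fragments quoted in this changelog; the pre-existing base patterns, the rule-to-classifier mapping and the sample findings are assumptions.

```javascript
// Added example, not guardvibe source. Regex fragments are the ones quoted in
// the changelog; the base patterns marked "assumed" are guesses for illustration.

const isTestFile = (path) =>
  /_test\.go$|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\//.test(path) ||
  /\/__tests__\/|\.(test|spec)\.[jt]sx?$/.test(path); // assumed base pattern

const isMigrationFile = (path) =>
  /(^|\/)(drizzle|migrate|migrations)\//.test(path); // "migrations/" assumed base

const isBatchScriptFile = (path) =>
  /(^|\/)(scripts|benchmarks?)\//.test(path); // "scripts/" assumed base

// Which classifier suppresses which rule, per the entries above (mapping assumed).
const SKIP_BY_RULE = {
  VG003: isTestFile,        // Cloud API key: fixtures hold dummy keys
  VG124: isBatchScriptFile, // Math.random for tokens: bench/batch scripts
  VG543: isMigrationFile,   // SQL stacked queries: migrations run ";"-joined DDL
};

function isSuppressed(ruleId, path) {
  const skip = SKIP_BY_RULE[ruleId];
  return Boolean(skip && skip(path));
}

function applySkips(findings) {
  return findings.filter((f) => !isSuppressed(f.rule, f.path));
}

// VG1021: treat the enum source as safe when it is a static literal array
// declared in the same file, e.g. `const ROLES = ["admin", "user"] as const`.
// Simplified: does not handle nested arrays; varName must be a plain identifier.
function isStaticLiteralArray(source, varName) {
  const re = new RegExp(`\\bconst\\s+${varName}\\s*=\\s*\\[[^\\]]*\\](\\s*as\\s+const)?`);
  return re.test(source);
}

// Constructed sample findings (paths invented for illustration).
const SAMPLE_FINDINGS = [
  { rule: "VG003", path: "internal/testutil/keys.go" },
  { rule: "VG003", path: "pkg/auth/auth.go" },
  { rule: "VG543", path: "db/drizzle/0001_init.ts" },
  { rule: "VG124", path: "benchmarks/run.ts" },
];
// Only the VG003 hit in pkg/auth/auth.go survives the skips.
const remaining = applySkips(SAMPLE_FINDINGS);
```

Every skip here is a silent suppression, so a team adopting this release should confirm that paths matching `/testutil/` or `migrate/` in their repos never ship to production.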
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.