This release keeps dependencies and maintenance posture current for teams operating this tool.
✓ No known CVEs patched in this version
Summary
AI summary: VG955 and VG506 now restrict checks to explicit API, Server Action and Vercel config paths; test noise reduced.
Full changelog
- VG955 (Missing Pagination) restricted to actual request-handling surfaces: API routes (`/api/`, `route.{ts,tsx}`, `pages/api/`) and Server Actions (`'use server'` directive). Lib helpers, getStaticProps, internal_utils, and test fixtures still using `findMany` are no longer flagged. Test files (`*.test.ts`, `*.spec.ts`, `__tests__/`) added to the existing test-noise skip list along with VG133 and VG1021.
- VG506 (Hardcoded Secret in Vercel Config) restricted to `vercel.json` paths. The rule's `_KEY`/`_SECRET`/`_TOKEN` regex was matching translation values in i18n locale JSONs (e.g. `packages/i18n/locales/da/common.json`), surfacing dozens of false hits per locale-heavy repo. The original intent was always Vercel config; path-restricted now.
- VG041 (Debug mode in production) skips `/playground/`, `/demo/`, `/example/`, `/sandbox/` paths. Demo files explicitly need `DEBUG = true` as the showcase point.
- Tests 1493 → 1500 (+7). Real-world impact: cal 655 → 514 (-141), juice-shop 737 → 715 (-22). No regressions on plane / NodeGoat / dvna / nodejs-goof / dub. Self-audit PASS A 100.
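As an added illustration, not guardvibe's own code, the path scoping described in the three rule entries above expressed as a single filter: the rule ids and path patterns come from the changelog, while the function names, the skip-list representation and the sample file paths are assumptions.

```typescript
// Added example, not guardvibe's code: decides whether a rule should be
// evaluated against a file at all, using the scoping this release describes.
// Rule ids and patterns come from the changelog; names and structure are assumed.

// Rules on the "test-noise skip list" (per the changelog) ignore test files.
const TEST_NOISE_SKIP = new Set(["VG955", "VG133", "VG1021"]);

const TEST_FILE = /\.(test|spec)\.ts$|(^|\/)__tests__\//;
// API routes: /api/, route.{ts,tsx}, pages/api/
const API_ROUTE = /(^|\/)api\/|(^|\/)route\.tsx?$|(^|\/)pages\/api\//;
// A 'use server' directive on its own line (file top or function body).
const SERVER_ACTION = /^\s*(['"])use server\1\s*;?\s*$/m;
const VERCEL_CONFIG = /(^|\/)vercel\.json$/;
// Showcase directories that legitimately set DEBUG = true.
const DEMO_PATH = /(^|\/)(playground|demo|example|sandbox)\//;

function isTestFile(path: string): boolean {
  return TEST_FILE.test(path);
}

// Returns true when `rule` is in scope for this file; `source` is only
// needed for the Server Action check.
function ruleApplies(rule: string, path: string, source = ""): boolean {
  if (TEST_NOISE_SKIP.has(rule) && isTestFile(path)) return false;
  switch (rule) {
    case "VG955": // Missing Pagination: request-handling surfaces only
      return API_ROUTE.test(path) || SERVER_ACTION.test(source);
    case "VG506": // Hardcoded Secret in Vercel Config: vercel.json only
      return VERCEL_CONFIG.test(path);
    case "VG041": // Debug mode in production: not in demo directories
      return !DEMO_PATH.test(path);
    default: // rules untouched by this release keep their full scope
      return true;
  }
}

// Constructed sample files illustrating the false positives removed.
const SAMPLES: Array<[string, string, string]> = [
  ["VG955", "lib/users/getUsers.ts", ""],                 // helper using findMany
  ["VG955", "app/api/users/route.ts", ""],                // real API route
  ["VG955", "app/actions.ts", "'use server'\nexport async function list() {}"],
  ["VG955", "app/api/users/route.test.ts", ""],           // test fixture
  ["VG506", "packages/i18n/locales/da/common.json", ""],  // i18n locale JSON
  ["VG506", "vercel.json", ""],
  ["VG041", "apps/demo/page.tsx", ""],                    // showcase file
];

// Lists "RULE:path" for each sample that is still in scope after this release.
function inScope(): string[] {
  return SAMPLES.filter(([r, p, s]) => ruleApplies(r, p, s)).map(([r, p]) => `${r}:${p}`);
}
```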
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.