This release fixes issues for SREs watching stability and regressions.
✓ No known CVEs patched in this version
Summary
Reduced false-positive count for the VG409 open-redirect rule from 25 to 5.
Full changelog
- VG409 (Open Redirect via User Input) now skips a match when the redirect target variable is literal-assigned (const redirectUrl = "/auth/login"). The rule's variable-name pattern (returnTo, redirectUrl, callbackUrl, next, etc.) was matching local variables that hold hardcoded strings, not user-controlled input. Type-annotated declarations (const redirectUrl: string = "...") and template literals without interpolation are also covered.
- VG409 added to the existing test-file skip list (*.test.ts, *.spec.ts, __tests__/, /tests/, /cypress/, /playwright/). Test fixtures use redirect mocks that look like real user-input redirects but aren't.
- Tests 1500 → 1504 (+4). Real-world impact: cal 514 → 490 (-24, mostly VG409 25 → 5). No regressions on dub / plane / juice-shop / NodeGoat / dvna / nodejs-goof. Self-audit PASS A 100.
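The two VG409 filters described above, modelled as a small standalone check. This is an added illustration, not guardvibe's own code: the regexes, the function names and the sample source are all assumptions, and the real rule works on more than single declaration lines.

```javascript
// Simplified model of the VG409 false-positive filters from this release.
// Added example, not guardvibe's code; every regex below is an assumption.

// Subset of the rule's variable-name pattern named in the changelog.
const REDIRECT_VAR = /^(returnTo|redirectUrl|callbackUrl|next)$/;

// `const x = ...`, optionally type-annotated (`const x: string = ...`).
const DECL = /^(?:const|let|var)\s+(\w+)\s*(?::\s*[^=]+?)?\s*=\s*(.+?);?\s*$/;

// A string literal, or a template literal with no ${...} interpolation.
const LITERAL = /^(?:"[^"]*"|'[^']*'|`(?:[^`$]|\$(?!\{))*`)$/;

// Suffixes and directories on the skip list from the changelog.
const TEST_FILE = /\.(?:test|spec)\.ts$|(?:^|\/)(?:__tests__|tests|cypress|playwright)\//;

function isTestFile(path) {
  return TEST_FILE.test(path);
}

// True when the line assigns a hardcoded string to a redirect-named variable.
function isLiteralAssignedRedirect(line) {
  const m = DECL.exec(line.trim());
  return m !== null && REDIRECT_VAR.test(m[1]) && LITERAL.test(m[2]);
}

// Declarations of redirect-named variables that VG409 would still report:
// file is not a test file, and the right-hand side is not a plain literal.
function vg409Findings(path, source) {
  if (isTestFile(path)) return []; // skip-list filter
  const findings = [];
  source.split("\n").forEach((raw, i) => {
    const m = DECL.exec(raw.trim());
    if (!m || !REDIRECT_VAR.test(m[1])) return;
    if (LITERAL.test(m[2])) return; // the new per-match literal skip
    findings.push({ line: i + 1, name: m[1] });
  });
  return findings;
}

// Constructed sample source, not taken from any real repository.
const SAMPLE = [
  'const redirectUrl = "/auth/login";',            // literal: skipped
  "const next: string = '/dashboard';",            // typed literal: skipped
  "const callbackUrl = `/home`;",                  // template, no ${}: skipped
  "const returnTo = req.query.returnTo;",          // user input: reported
  "const redirectUrl = `/go?to=${req.query.to}`;", // interpolated: reported
].join("\n");

console.log(vg409Findings("src/auth.ts", SAMPLE));              // lines 4 and 5
console.log(vg409Findings("src/__tests__/auth.test.ts", SAMPLE)); // []
```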
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
Beta — feedback welcome: [email protected]