This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Summary
AI summary: VG950 is now AST-aware; the finding is suppressed only when the query is genuinely ownership-guarded.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | VG950 now AST-aware: suppressed only when the query is genuinely ownership-guarded. (Source: llm_adapter@2026-06-08, confidence: low) | — |
Full changelog
- VG950 (BOLA find-by-id) is now AST-aware: it's suppressed only when the query is genuinely ownership-guarded — either an ownership field in the WHERE clause whose value is not a route param, or a post-fetch ownership comparison against the session in the same function
- Precise where regex can't be: it ignores a userId that only appears in the SELECT, it recognises an ownership comparison written as a separate statement, and it won't count an ownership field whose value is itself a route param
- Validated: VG950 22 to 15, all 7 removed are genuinely guarded, 0 true BOLA hidden, 0 false positives added. No rule or tool changes (442 / 37); gate green (PASS/A/0)
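To make the three suppression conditions concrete, here is an added example checker (not guardvibe's own code) that applies the same distinctions to a Prisma-style handler using the TypeScript compiler API, which it assumes is available as the `typescript` package. The ownership field names, the find-by-id method names and the `params`/`session` heuristics are assumptions chosen for the illustration, each snippet is treated as one function, and the four sample handlers are constructed here to cover the cases the changelog lists: ownership only in SELECT (flagged), ownership in WHERE from the session (suppressed), ownership in WHERE from a route param (flagged), and a separate post-fetch comparison statement (suppressed).

```typescript
import * as ts from "typescript";

// Assumed, illustrative lists (not the tool's own configuration).
const OWNERSHIP_FIELDS = ["userId", "ownerId", "authorId", "accountId"];
const FIND_BY_ID = new Set(["findUnique", "findFirst", "findUniqueOrThrow", "findFirstOrThrow"]);
const EQ_OPS = new Set([
  ts.SyntaxKind.EqualsEqualsEqualsToken, ts.SyntaxKind.ExclamationEqualsEqualsToken,
  ts.SyntaxKind.EqualsEqualsToken, ts.SyntaxKind.ExclamationEqualsToken,
]);

export interface Verdict { findById: boolean; guarded: boolean; reason: string }

const fromParams = (t: string) => /\bparams\b/.test(t);   // req.params.id, params.id
const fromSession = (t: string) => /\bsession\b/.test(t); // session.user.id, session.userId
// A record-side ownership reference such as `doc.userId` (not the session side).
const isOwnershipRef = (t: string) => OWNERSHIP_FIELDS.some((f) => t.endsWith("." + f)) && !fromSession(t);

function propName(n: ts.PropertyName): string | undefined {
  return ts.isIdentifier(n) || ts.isStringLiteral(n) ? n.text : undefined;
}

// One-level alias map so `const { id } = params` and `const uid = session.user.id`
// can be traced back to their source expressions.
function collectAliases(sf: ts.SourceFile): Map<string, string> {
  const aliases = new Map<string, string>();
  const visit = (n: ts.Node) => {
    if (ts.isVariableDeclaration(n) && n.initializer) {
      const init = n.initializer.getText(sf);
      if (ts.isIdentifier(n.name)) aliases.set(n.name.text, init);
      else if (ts.isObjectBindingPattern(n.name)) {
        for (const el of n.name.elements) {
          if (ts.isIdentifier(el.name)) aliases.set(el.name.text, `${init}.${el.name.text}`);
        }
      }
    }
    ts.forEachChild(n, visit);
  };
  visit(sf);
  return aliases;
}

export function analyzeHandler(src: string): Verdict {
  const sf = ts.createSourceFile("handler.ts", src, ts.ScriptTarget.Latest, true);
  const aliases = collectAliases(sf);
  const resolve = (t: string) => aliases.get(t) ?? t;
  let findById = false, whereGuard = false, postFetchGuard = false;

  const visit = (n: ts.Node) => {
    // 1. Find-by-id call: inspect only the WHERE object; SELECT is deliberately ignored.
    if (ts.isCallExpression(n) && ts.isPropertyAccessExpression(n.expression)
        && FIND_BY_ID.has(n.expression.name.text)) {
      const arg = n.arguments[0];
      const where = arg && ts.isObjectLiteralExpression(arg)
        ? arg.properties.find((p) => ts.isPropertyAssignment(p) && propName(p.name) === "where")
        : undefined;
      if (where && ts.isPropertyAssignment(where) && ts.isObjectLiteralExpression(where.initializer)) {
        for (const p of where.initializer.properties) {
          let name: string | undefined, value: string | undefined;
          if (ts.isPropertyAssignment(p)) { name = propName(p.name); value = resolve(p.initializer.getText(sf)); }
          else if (ts.isShorthandPropertyAssignment(p)) { name = p.name.text; value = resolve(p.name.text); }
          if (name === undefined || value === undefined) continue;
          if (name === "id" && fromParams(value)) findById = true;
          // An ownership field guards only when its value is not itself a route param.
          if (OWNERSHIP_FIELDS.includes(name) && !fromParams(value)) whereGuard = true;
        }
      }
    }
    // 2. Post-fetch comparison statement: `doc.userId !== session.user.id` in either order.
    if (ts.isBinaryExpression(n) && EQ_OPS.has(n.operatorToken.kind)) {
      const l = n.left.getText(sf), r = n.right.getText(sf);
      if ((isOwnershipRef(l) && fromSession(r)) || (isOwnershipRef(r) && fromSession(l))) postFetchGuard = true;
    }
    ts.forEachChild(n, visit);
  };
  visit(sf);

  if (!findById) return { findById, guarded: false, reason: "no find-by-id on a route param" };
  if (whereGuard) return { findById, guarded: true, reason: "ownership field in WHERE with non-param value" };
  if (postFetchGuard) return { findById, guarded: true, reason: "post-fetch ownership comparison against session" };
  return { findById, guarded: false, reason: "find-by-id with no ownership guard" };
}

// Constructed sample handlers (not from any real project), one per case.
export const SAMPLES = {
  // userId only in SELECT: not a guard
  selectOnly: `export async function GET(req, { params }) {
    const session = await auth();
    const doc = await prisma.document.findUnique({ where: { id: params.id }, select: { id: true, userId: true } });
    return Response.json(doc); }`,
  whereGuarded: `export async function GET(req, { params }) {
    const session = await auth();
    const doc = await prisma.document.findFirst({ where: { id: params.id, userId: session.user.id } });
    return Response.json(doc); }`,
  // both WHERE values come from the route, so the "ownership" field guards nothing
  paramOwner: `export async function GET(req, { params }) {
    const doc = await prisma.document.findFirst({ where: { id: params.id, userId: params.userId } });
    return Response.json(doc); }`,
  postFetch: `export async function GET(req, { params }) {
    const session = await auth();
    const { id } = params;
    const doc = await prisma.document.findUnique({ where: { id } });
    if (!doc || doc.userId !== session.user.id) return new Response("Not found", { status: 404 });
    return Response.json(doc); }`,
};
```

Running `analyzeHandler` over the four samples reproduces the distinctions the changelog describes: `selectOnly` and `paramOwner` are flagged, `whereGuarded` and `postFetch` are suppressed. The alias map is what lets the shorthand `where: { id }` be recognised as a route-param lookup, which is the kind of case a regex over the raw query text cannot resolve.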
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.