This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Summary
AI summary: False-positive removal for the BOLA delete/update pattern when ownership is checked against the session after the fetch.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Fixes false-positive BOLA detection for bare-id mutations with ownership comparison. | — |
Source: llm_adapter@2026-06-09, confidence: high
Full changelog
- VG951 (BOLA delete/update) is now AST-aware for the find → compare → mutate pattern: a bare-id mutation preceded by a post-fetch ownership comparison against the session is no longer falsely flagged.
- Validated on real production code (clean stash diff): 2 false positives removed, both genuinely ownership-guarded; 0 true positives lost, 0 other-rule drift.
- Reuses the existing AST engine (shared anchor + ownership-comparison helpers); no rule or tool count change (442 / 37).
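The find → compare → mutate shape the changelog refers to, shown beside the bare-id mutation that VG951 is meant to catch. This is an added illustration, not guardvibe's rule code or Prisma: `makeDb` is a constructed in-memory stand-in for a Prisma model, and `session`, `deleteNoteVulnerable` and `deleteNoteGuarded` are hypothetical handler names.

```javascript
// Constructed in-memory table standing in for a Prisma model. Fresh per call
// so each scenario below starts from the same two rows.
function makeDb() {
  const rows = new Map([
    [1, { id: 1, userId: "alice", title: "alice's note" }],
    [2, { id: 2, userId: "bob", title: "bob's note" }],
  ]);
  return {
    // Mirrors prisma.note.findUnique({ where: { id } }).
    findUnique({ where: { id } }) {
      return rows.get(id) ?? null;
    },
    // Mirrors prisma.note.delete({ where: { id } }): a "bare-id" mutation,
    // i.e. the where clause carries only the record id, no owner.
    delete({ where: { id } }) {
      const row = rows.get(id);
      if (!row) throw new Error("not found");
      rows.delete(id);
      return row;
    },
  };
}

// VULNERABLE (what VG951 should flag): bare-id mutation with no ownership
// check. Any authenticated user who can guess an id deletes another user's
// row. This is the BOLA / IDOR case.
function deleteNoteVulnerable(db, session, id) {
  db.delete({ where: { id } });
  return { status: 200 };
}

// GUARDED (the false positive the release removes): find -> compare -> mutate.
// The row is fetched by bare id, its owner is compared against the session
// user, and only then is the bare-id delete issued. The delete call looks
// identical to the vulnerable one; only the preceding comparison makes it
// safe, which is why the rule has to be AST-aware rather than pattern-match
// the mutation alone.
function deleteNoteGuarded(db, session, id) {
  const note = db.findUnique({ where: { id } });
  if (!note) return { status: 404 };
  if (note.userId !== session.user.id) return { status: 403 };
  db.delete({ where: { id } });
  return { status: 200 };
}

// Runs both handlers as "bob" against alice's row (id 1) and reports whether
// the row survived. Returns a plain object so the outcome can be checked.
function demo() {
  const bob = { user: { id: "bob" } };

  const dbVuln = makeDb();
  deleteNoteVulnerable(dbVuln, bob, 1);
  const aliceRowAfterVulnerable = dbVuln.findUnique({ where: { id: 1 } });

  const dbGuarded = makeDb();
  const guardedResult = deleteNoteGuarded(dbGuarded, bob, 1);
  const aliceRowAfterGuarded = dbGuarded.findUnique({ where: { id: 1 } });

  return {
    vulnerableDeletedOthersRow: aliceRowAfterVulnerable === null,
    guardedStatus: guardedResult.status,
    guardedKeptOthersRow: aliceRowAfterGuarded !== null,
  };
}

console.log(demo());
```

The other common guard, scoping the mutation itself with `where: { id, userId: session.user.id }`, is not a bare-id mutation at all and is outside the pattern this release changes; the release note only covers the case where the id-only mutation is preceded by a post-fetch owner comparison.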
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.