This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Summary
AI summary: SSRF detection false positive reduced for provably non-request-controlled URLs
Changes in this release

| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Reduces false positives for VG120 (SSRF) on provably non-request-controlled URLs. Source: llm_adapter@2026-06-07, confidence: high | — |
Full changelog
- VG120 (SSRF) no longer false-positives on URLs that are provably not request-controlled: a literal `https://` constant, a `process.env` value (including env default parameters), or a minified bundle. `new URL(...)` is still treated as potentially user-controlled
- Validated old-vs-new on the corpus: 1 false positive removed, 0 true positives lost, no drift in any other rule; recall preserved by tests
- Constant-base template URLs are left for a future dataflow engine rather than narrowed unsafely; no rule or tool changes (438 / 37); gate green (PASS/A/0)
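The suppression logic the first and third changelog items describe, as an added illustrative example (this is not guardvibe's own code): a small classifier over the source text of `fetch()` URL arguments that suppresses only the provably non-request-controlled shapes named above, keeps reporting `new URL(...)` and constant-base template URLs, and skips files that look minified. The minification threshold, the `fetch`-only extractor and the sample source are this example's own assumptions.

```javascript
// Added example, not guardvibe's code: approximates the VG120 (SSRF) false-positive
// filter described in this release from argument source text alone, so it is far
// less complete than a cross-file taint analysis.

// A literal https:// string; a template literal counts only without ${} interpolation.
const HTTPS_LITERAL = /^(?:"https:\/\/[^"]*"|'https:\/\/[^']*'|`https:\/\/[^`$]*`)$/;
// process.env.NAME, optionally with an env default: process.env.NAME ?? "https://..."
const ENV_ACCESS = /^process\.env\.[A-Za-z_$][\w$]*$/;
const ENV_WITH_DEFAULT = /^(process\.env\.[A-Za-z_$][\w$]*)\s*(?:\?\?|\|\|)\s*(.+)$/;

// "suppress" for provably non-request-controlled URLs, "report" for everything else.
function classifyUrlArg(arg) {
  const src = arg.trim();
  if (/^new\s+URL\s*\(/.test(src)) return "report"; // still potentially user-controlled
  if (HTTPS_LITERAL.test(src) || ENV_ACCESS.test(src)) return "suppress";
  const m = ENV_WITH_DEFAULT.exec(src);
  if (m && (HTTPS_LITERAL.test(m[2].trim()) || ENV_ACCESS.test(m[2].trim()))) return "suppress";
  return "report"; // includes `https://host/${id}` templates: constant base, left to dataflow
}

// Minified-bundle heuristic (the 500-char threshold is this example's assumption):
// generated output is skipped rather than scanned.
function looksMinified(source, maxAvgLineLen = 500) {
  const lines = source.split("\n").filter((l) => l.trim() !== "");
  return lines.length > 0 &&
    lines.reduce((n, l) => n + l.length, 0) / lines.length > maxAvgLineLen;
}

// Toy extractor: the first argument of every fetch(...) call, found by bracket
// balancing (it does not understand brackets inside string literals).
function fetchUrlArgs(source) {
  const args = [];
  const re = /\bfetch\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1, i = re.lastIndex;
    const start = i;
    for (; i < source.length && depth > 0; i++) {
      const c = source[i];
      if (c === "(" || c === "[" || c === "{") depth++;
      else if (c === ")" || c === "]" || c === "}") depth--;
      else if (c === "," && depth === 1) break; // end of first argument
    }
    args.push(source.slice(start, depth === 0 ? i - 1 : i));
  }
  return args;
}

// Findings for one file: none for a minified bundle, otherwise each reported argument.
function ssrfFindings(source) {
  if (looksMinified(source)) return [];
  return fetchUrlArgs(source).filter((a) => classifyUrlArg(a) === "report");
}
```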
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
Beta — feedback welcome: [email protected]