guardvibe 1.8.3 → 1.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/build/data/rules/api-security.js +1 -1
  2. package/build/data/rules/supply-chain.js +1 -1
  3. package/package.json +1 -1
package/build/data/rules/api-security.js CHANGED
@@ -71,7 +71,7 @@ export const apiSecurityRules = [
71
71
  severity: "medium",
72
72
  owasp: "API4:2023 Unrestricted Resource Consumption",
73
73
  description: "Database query returns all records without pagination (no limit/take/top). An attacker can request the entire table, causing DoS or exposing excessive data.",
74
- pattern: /(?:findMany|find|select|from)\s*\((?:(?!limit|take|top|pageSize|per_?page|first|last|\.limit|LIMIT)[\s\S]){5,}?\)/gi,
74
+ pattern: /(?:\.findMany|\.findAll|\.getAll|\.fetchAll)\s*\((?:(?!limit|take|top|pageSize|per_?page|first|last|\.limit|LIMIT)[\s\S]){5,}?\)/gi,
75
75
  languages: ["javascript", "typescript"],
76
76
  fix: "Always add pagination: use take/limit with a maximum value. Never return unbounded result sets.",
77
77
  fixCode: '// Add pagination\nconst items = await prisma.item.findMany({\n take: Math.min(Number(searchParams.get("limit")) || 20, 100),\n skip: Number(searchParams.get("offset")) || 0,\n});',
package/build/data/rules/supply-chain.js CHANGED
@@ -78,7 +78,7 @@ export const supplyChainRules = [
78
78
  severity: "critical",
79
79
  owasp: "A02:2025 Injection",
80
80
  description: "Source code contains invisible Unicode characters (zero-width spaces, variation selectors, PUA codepoints). The GlassWorm attack (2025-2026) used these to encode malicious payloads that are invisible in every code editor, compromising 433+ repositories across GitHub, npm, and VSCode.",
81
- pattern: /[\u200B\u200C\u200D\uFEFF\u00AD\u2060\u2061\u2062\u2063\u2064\uFE00-\uFE0F]/g,
81
+ pattern: /[\u200B\u200C\u200D\uFEFF\u2060\u2061\u2062\u2063\u2064]{2,}/g,
82
82
  languages: ["javascript", "typescript", "python", "go"],
83
83
  fix: "Remove all invisible Unicode characters from source code. Use a linter rule to prevent them.",
84
84
  fixCode: '// Detect invisible characters with a pre-commit hook:\n// grep -rP "[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}\\x{00AD}\\x{FE00}-\\x{FE0F}]" src/\n\n// Or add an ESLint rule:\n// "no-irregular-whitespace": "error"',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "1.8.3",
3
+ "version": "1.8.4",
4
4
  "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
5
5
  "type": "module",
6
6
  "bin": {