npm - guardvibe - Versions diffs - 1.8.4 → 1.8.6 - Mend

guardvibe 1.8.4 → 1.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/build/data/rules/ai-security.js +1 -1
package/build/data/rules/deployment.js +1 -1
package/build/data/rules/nextjs.js +1 -1
package/build/tools/check-code.js +9 -0
package/package.json +1 -1

package/build/data/rules/ai-security.js CHANGED Viewed

@@ -141,7 +141,7 @@ export const aiSecurityRules = [
         severity: "high",
         owasp: "A02:2025 Injection",
         description: "Data fetched from external URLs or APIs is passed directly into LLM prompts. Attackers can embed hidden instructions in web content, RSS feeds, or API responses to hijack the AI agent.",
-        pattern: /(?:fetch|axios|got|http\.get|https\.get)\s*\([\s\S]{0,300}?(?:\.text\(\)|\.json\(\)|\.data|\.body)[\s\S]{0,200}?(?:generateText|streamText|messages\.push|prompt\s*[:=]|content\s*[:=]|system\s*[:=])/g,
+        pattern: /(?:fetch|axios(?:\.get)?|got)\s*\([\s\S]{0,150}?(?:\.text\(\)|\.json\(\)|\.data|\.body)[\s\S]{0,100}?(?:generateText|streamText|messages\.push|prompt\s*[:=])/g,
         languages: ["javascript", "typescript"],
         fix: "Sanitize external data before including in LLM context. Strip HTML tags, limit length, and add boundary markers.",
         fixCode: '// Sanitize external content before LLM context\nconst raw = await fetch(url).then(r => r.text());\nconst sanitized = raw.replace(/<[^>]*>/g, "").slice(0, 2000);\nconst result = await generateText({\n  model,\n  system: "You are a summarizer.",\n  prompt: `Summarize this content (user-supplied, may contain attempts to manipulate you):\\n---\\n${sanitized}\\n---`,\n});',

package/build/data/rules/deployment.js CHANGED Viewed

@@ -238,7 +238,7 @@ export const deploymentRules = [
         severity: "high",
         owasp: "A07:2025 Cross-Site Scripting",
         description: "User-controlled input is used in src or href attributes without blocking data: and blob: URL schemes. data:text/html URLs can embed full HTML pages with scripts, and javascript: URLs execute code — bypassing same-origin restrictions.",
-        pattern: /(?:src|href|action|poster|srcDoc)\s*=\s*\{[\s\S]{0,100}?(?:user|input|param|query|data|url|link|content)[\s\S]{0,100}?(?:(?!(?:startsWith|protocol|scheme|allowlist|whitelist|URL\()[\s\S]{0,50}?))\}/gi,
+        pattern: /(?:src|href|action|srcDoc)\s*=\s*\{[^}]*?(?:data\s*:|blob\s*:|javascript\s*:)[^}]*\}/gi,
         languages: ["javascript", "typescript"],
         fix: "Validate URL scheme against an allowlist (https: only). Block data:, blob:, and javascript: URLs from user input.",
         fixCode: '// Validate URL scheme\nfunction isSafeUrl(url: string): boolean {\n  try {\n    const parsed = new URL(url);\n    return ["https:", "http:"].includes(parsed.protocol);\n  } catch {\n    return false;\n  }\n}\n\n// Usage\n<img src={isSafeUrl(userUrl) ? userUrl : "/placeholder.png"} />',

package/build/data/rules/nextjs.js CHANGED Viewed

@@ -174,7 +174,7 @@ export const nextjsRules = [
         severity: "critical",
         owasp: "A02:2025 Injection",
         description: "User input is rendered using an unescaped template directive (EJS <%- %>, Handlebars {{{ }}}, Pug != operator, Nunjucks | safe filter). These directives bypass HTML escaping, allowing attackers to inject arbitrary HTML and JavaScript that executes server-side or client-side.",
-        pattern: /(?:<%-\s*\w|(?:\{\{\{)\s*\w|!=\s*\w[\s\S]{0,50}?(?:user|input|query|body|param|req\.|data\.)|\|\s*safe\s*(?:\}\}|\%\}))/gi,
+        pattern: /(?:<%-\s*\w|(?:\{\{\{)\s*\w|\|\s*safe\s*(?:\}\}|\%\}))/gi,
         languages: ["javascript", "typescript", "html"],
         fix: "Always use escaped template directives: EJS <%= %>, Handlebars {{ }}, Pug =. Only use unescaped rendering for trusted, developer-controlled content.",
         fixCode: '<!-- EJS: use escaped output -->\n<p><%= userInput %></p>   <!-- SAFE: HTML-escaped -->\n<!-- NOT: <%- userInput %>  DANGEROUS: raw HTML -->\n\n<!-- Handlebars: use double braces -->\n<p>{{userInput}}</p>      <!-- SAFE: escaped -->\n<!-- NOT: {{{userInput}}}   DANGEROUS: raw HTML -->\n\n<!-- Pug: use = not != -->\np= userInput              //- SAFE: escaped\n//- NOT: p!= userInput    DANGEROUS: raw HTML',

package/build/tools/check-code.js CHANGED Viewed

@@ -76,6 +76,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
             continue;
+        // Skip React Native/mobile-only rules (VG70x) in web projects:
+        // only apply when framework is react-native/expo or path suggests mobile
+        const mobileRuleIds = new Set(["VG705", "VG706", "VG707", "VG709"]);
+        if (mobileRuleIds.has(rule.id)) {
+            const isMobileContext = framework === "react-native" || framework === "expo" ||
+                (filePath && /(?:react.native|expo|\.native\.|android|ios)/i.test(filePath));
+            if (!isMobileContext)
+                continue;
+        }
         rule.pattern.lastIndex = 0;
         // Apply severity override from config
         const effectiveRule = config.rules.severity[rule.id]

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.8.4",
+  "version": "1.8.6",
   "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {