npm - guardvibe - Versions diffs - 2.4.1 → 2.4.3 - Mend

guardvibe 2.4.1 → 2.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +228 -0
package/build/tools/check-code.js +2 -2
package/build/tools/check-deps.js +1 -1
package/build/tools/review-pr.js +1 -1
package/build/tools/scan-secrets-history.js +1 -1
package/build/utils/ignore.js +2 -2
package/package.json +22 -5

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,228 @@
+# Changelog
+All notable changes to GuardVibe are documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.4.3] - 2026-04-04
+### Added
+- ESLint with typescript-eslint for static analysis (eslint.config.js)
+- `npm run lint` script for code quality checks
+- `npm audit` step in CI/CD pipelines
+- Dependabot configuration for automated dependency updates
+- `.gitattributes` for consistent line endings
+- `main` field in package.json for maximum compatibility
+- `funding` field in package.json
+### Changed
+- CI workflow now runs lint and security audit before tests
+- Publish workflow now runs lint and security audit before publish
+- Cleaned up unused imports and variables across codebase
+## [2.4.1] - 2026-04-04
+### Added
+- VG910: Hono SSE injection detection via `streamSSE()` (CVE-2026-29085)
+- VG911: Kubernetes Secret hardcoded value detection
+- VG912: MongoDB NoSQL injection via query operators
+## [2.4.0] - 2026-04-04
+### Added
+- Buddy format (`--format buddy`) — compact ASCII character with mood-based security feedback
+- 5 face expressions based on security grade (A through F)
+- Grade-aware contextual message pool
+### Changed
+- Claude Code hook now uses buddy format by default for real-time visual feedback
+## [2.3.9] - 2026-04-03
+### Added
+- 6 new supply chain rules (VG860-868)
+- Yarn and pnpm lockfile support
+- Advanced typosquat detection
+## [2.3.8] - 2026-04-03
+### Changed
+- Capitalize extension name to GuardVibe in Gemini CLI gallery
+## [2.3.7] - 2026-04-02
+### Added
+- Gemini CLI extensions gallery support (gemini-extension.json)
+## [2.3.6] - 2026-04-02
+### Added
+- Platform-specific setup guides for all 6 IDEs in README
+## [2.3.5] - 2026-04-01
+### Fixed
+- Correct rule count: 322 → 307 (actual), update all module counts in README
+## [2.3.4] - 2026-04-01
+### Fixed
+- Suppress false positives in generate-policy template strings
+## [2.3.3] - 2026-04-01
+### Changed
+- README: add self-scan dogfooding section, update stats to 322 rules / 25 tools
+## [2.3.2] - 2026-04-01
+### Fixed
+- Fix ReDoS in policy-check glob matching (VG107)
+## [2.3.1] - 2026-04-01
+### Changed
+- Scan visibility rules: agent always reports GuardVibe results to user
+## [1.7.1] - 2026-04-01
+### Added
+- 10 new XSS/injection rules covering form actions, file uploads, rich text editors, and template injection
+## [1.7.0] - 2026-04-01
+### Added
+- 24 new rules from proactive threat research
+- Supply chain attack detection rules
+- CI/CD pipeline security rules
+- Kubernetes misconfiguration detection
+- AI/LLM security rules
+- New CVE version intelligence entries
+## [1.6.1] - 2026-04-01
+### Added
+- 4 new supply-chain rules for npm publish leak protection
+### Security
+- Self-hardening of the publish pipeline to prevent accidental credential leaks
+## [1.6.0] - 2026-03-31
+### Added
+- Agent-native security layer
+- Command guard for dangerous shell operations
+- Config diff tool for detecting security regressions
+- Repository security posture scoring
+- Deep remediation with expanded fix suggestions
+## [1.5.0] - 2026-03-31
+### Added
+- PR review security scanning
+- Git history scan for leaked secrets
+- Policy engine with compliance enforcement
+- Taint analysis for data flow tracking
+- 100% fixCode coverage across all rules
+- Expanded patch generation for auto-fix suggestions
+## [1.4.0] - 2026-03-31
+### Added
+- `check_package_health` tool for typosquat detection, maintenance status, and adoption metrics
+- `exploit` and `audit` fields on SecurityRule for compliance demonstrations
+- fixCode secure code examples added to all 25 rules that were missing them
+### Changed
+- Compliance mapping deepened with GDPR and ISO 27001 controls
+- Performance improvements for large project scanning
+## [1.3.3] - 2026-03-31
+### Fixed
+- Node.js 18 compatibility issue
+### Security
+- npm provenance via Sigstore for cryptographic package signing
+- Branch protection enabled (force push disabled on main)
+- Tag protection for version tags (`v*`)
+- Minimal CI permissions (`contents: read` only)
+## [1.3.2] - 2026-03-31
+### Changed
+- Rebranded project as GuardVibe with new description and metadata
+## [0.6.1] - 2026-03-30
+### Fixed
+- OSV severity normalization returning incorrect values
+### Changed
+- Updated MCP SDK dependency
+## [0.6.0] - 2026-03-30
+### Added
+- `.guardviberc` configuration file support with rule disable, severity override, and scan exclusions
+- Compliance mapping for SOC2, PCI-DSS, and HIPAA with `compliance_report` tool
+- Terraform IaC security rules (VG300-VG304): S3, IAM, RDS, security groups
+- SARIF v2.1.0 output for CI/CD integration (`export_sarif` tool)
+### Fixed
+- `scan_dependencies` severity and summary showing undefined when fetching OSV details
+## [0.5.0] - 2026-03-30
+### Added
+- `fixCode` field on SecurityRule type with secure code examples for core, Go, Java, PHP, Ruby rules
+- `scan_staged` tool for pre-commit security scanning
+- Dockerfile security rules (VG200-VG204): root user, secrets in ENV, untagged images
+- CI/CD security rules (VG210-VG213): secrets interpolation, unpinned actions, write-all permissions
+- Security guides for Django, NestJS, Hono, Supabase, and tRPC
+- fixCode snippets rendered in security reports
+### Changed
+- Renamed project from VibeGuard to GuardVibe across entire codebase
+- Cleaned up all old VibeGuard references and outdated specs
+## [0.4.0] - 2026-03-30
+### Added
+- `scan_directory` tool for filesystem-native project scanning
+- `scan_dependencies` tool with manifest parsing and OSV batch query
+- `scan_secrets` tool with pattern-based and entropy-based secret detection
+- `guardvibe-ignore` inline comment suppression (supports `//`, `#`, `<!-- -->`)
+- Finding deduplication in analysis pipeline
+### Changed
+- `check_project` refactored to use structured findings instead of string parsing
+- Extracted `analyzeCode()` as reusable analysis function
+- Rules split into per-language modules for maintainability
+## [0.3.0] - 2026-03-30
+### Added
+- Project scanning with `check_project` tool
+- CLI auto-setup (`npx guardvibe init`) for Claude Code, Cursor, Gemini CLI
+- Go security rules (SQL injection, command injection, template escaping)
+- Java security rules
+- PHP security rules
+- Ruby security rules
+- Test infrastructure with tsx and node:test
+- Rule tests for core, Go, Java, PHP, Ruby
+## [0.2.0] - 2026-03-30
+### Added
+- New security rules for Python
+- Improved Python support
+## [0.1.0] - 2026-03-30
+### Added
+- Initial release as VibeGuard Security MCP server
+- Core OWASP security rules (SQL injection, XSS, CSRF, command injection)
+- `check_code` tool for code snippet analysis
+- MCP server with stdio transport

package/build/tools/check-code.js CHANGED Viewed

@@ -60,10 +60,10 @@ function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
     if (/^\s*\+\s*["']/.test(line))
         return true; // + "string continuation"
     // 3. Line contains escaped newlines (\n) suggesting it's inside a string value
-    const quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
+    const _quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
     if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
         // Extra check: is the match portion inside quotes on this line?
-        const matchEnd = matchIndex + 20; // approximate
+        const _matchEnd = matchIndex + 20; // approximate
         const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
         const col = matchIndex - lineStart;
         const beforeCol = line.substring(0, col);

package/build/tools/check-deps.js CHANGED Viewed

@@ -10,7 +10,7 @@ export async function checkDependencies(packages) {
         ``,
     ];
     let totalVulns = 0;
-    let criticalPackages = [];
+    const criticalPackages = [];
     for (const pkg of packages) {
         try {
             const vulns = await queryOsv(pkg.name, pkg.version, pkg.ecosystem);

package/build/tools/review-pr.js CHANGED Viewed

@@ -45,7 +45,7 @@ function detectLanguage(filePath) {
         return "dockerfile";
     return CONFIG_FILE_MAP[basename(filePath)] ?? null;
 }
-function assessConfidence(rule, match) {
+function assessConfidence(rule, _match) {
     // Higher confidence for specific patterns (secrets, hardcoded values)
     if (rule.id.startsWith("VG0") || rule.id.startsWith("VG6"))
         return 0.95; // core + secrets

package/build/tools/scan-secrets-history.js CHANGED Viewed

@@ -29,7 +29,7 @@ function getFileAtCommit(cwd, commitHash, filePath) {
         return null;
     }
 }
-function fileExistsAtHead(cwd, filePath) {
+function _fileExistsAtHead(cwd, filePath) {
     const result = execGit(["cat-file", "-e", `HEAD:${filePath}`], cwd);
     // cat-file -e returns empty on success, error message on failure
     return result === "";

package/build/utils/ignore.js CHANGED Viewed

@@ -9,13 +9,13 @@
 // Supports simple glob matching: * matches any segment, ** matches any depth.
 import { readFileSync } from "fs";
 import { join } from "path";
-let ignoreCache = new Map();
+const ignoreCache = new Map();
 export function loadIgnoreFile(dir) {
     const cached = ignoreCache.get(dir);
     if (cached)
         return cached;
     const ignorePath = join(dir, ".guardvibeignore");
-    let entries = [];
+    const entries = [];
     try {
         const content = readFileSync(ignorePath, "utf-8");
         const lines = content.split("\n");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.4.1",
+  "version": "2.4.3",
   "description": "Security MCP for vibe coding. 313 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
@@ -8,18 +8,30 @@
     "guardvibe-init": "build/cli.js",
     "guardvibe-scan": "build/cli.js"
   },
+  "main": "./build/index.js",
+  "types": "./build/index.d.ts",
   "files": [
-    "build"
+    "build",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
   ],
   "exports": {
-    ".": "./build/index.js",
-    "./plugins": "./build/plugins/types.js"
+    ".": {
+      "types": "./build/index.d.ts",
+      "default": "./build/index.js"
+    },
+    "./plugins": {
+      "types": "./build/plugins/types.d.ts",
+      "default": "./build/plugins/types.js"
+    }
   },
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
     "start": "node build/index.js",
     "prepare": "npm run build",
+    "lint": "eslint src/",
     "test": "node --import tsx --test tests/**/*.test.ts"
   },
   "keywords": [
@@ -77,6 +89,9 @@
     "mass-assignment",
     "auto-fix"
   ],
+  "funding": {
+    "url": "https://github.com/sponsors/goklab"
+  },
   "author": "GokLab",
   "license": "Apache-2.0",
   "homepage": "https://guardvibe.dev",
@@ -93,8 +108,10 @@
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
+    "eslint": "^10.2.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.7.0"
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.58.0"
   },
   "engines": {
     "node": ">=18.0.0"