guardvibe 2.4.2 → 2.4.3
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,22 @@ All notable changes to GuardVibe are documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.4.3] - 2026-04-04
|
|
9
|
+
|
|
10
|
+
### Added
|
|
11
|
+
- ESLint with typescript-eslint for static analysis (eslint.config.js)
|
|
12
|
+
- `npm run lint` script for code quality checks
|
|
13
|
+
- `npm audit` step in CI/CD pipelines
|
|
14
|
+
- Dependabot configuration for automated dependency updates
|
|
15
|
+
- `.gitattributes` for consistent line endings
|
|
16
|
+
- `main` field in package.json for maximum compatibility
|
|
17
|
+
- `funding` field in package.json
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
- CI workflow now runs lint and security audit before tests
|
|
21
|
+
- Publish workflow now runs lint and security audit before publish
|
|
22
|
+
- Cleaned up unused imports and variables across codebase
|
|
23
|
+
|
|
8
24
|
## [2.4.1] - 2026-04-04
|
|
9
25
|
|
|
10
26
|
### Added
|
|
@@ -60,10 +60,10 @@ function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
|
|
|
60
60
|
if (/^\s*\+\s*["']/.test(line))
|
|
61
61
|
return true; // + "string continuation"
|
|
62
62
|
// 3. Line contains escaped newlines (\n) suggesting it's inside a string value
|
|
63
|
-
const
|
|
63
|
+
const _quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
|
|
64
64
|
if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
|
|
65
65
|
// Extra check: is the match portion inside quotes on this line?
|
|
66
|
-
const
|
|
66
|
+
const _matchEnd = matchIndex + 20; // approximate
|
|
67
67
|
const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
|
|
68
68
|
const col = matchIndex - lineStart;
|
|
69
69
|
const beforeCol = line.substring(0, col);
|
|
@@ -10,7 +10,7 @@ export async function checkDependencies(packages) {
|
|
|
10
10
|
``,
|
|
11
11
|
];
|
|
12
12
|
let totalVulns = 0;
|
|
13
|
-
|
|
13
|
+
const criticalPackages = [];
|
|
14
14
|
for (const pkg of packages) {
|
|
15
15
|
try {
|
|
16
16
|
const vulns = await queryOsv(pkg.name, pkg.version, pkg.ecosystem);
|
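Review bot: The lint cleanup at the `const _quotesBefore = …` and `const _matchEnd = matchIndex + 20;` lines renames two locals that nothing in the hunk reads instead of removing them, so `isInsideStringLiteral` still evaluates `line.indexOf(trimmed.charAt(0))` on every call for no effect, and the `// approximate` comment now documents a value that is never used. Deleting both lines is the cleaner fix; an `_` prefix is a convention for parameters that must stay in a signature, not for dead statements. `trimmed` is declared outside the hunk and the function body continues past it, so confirm neither local is read further down before removing them. This hunk and the `checkDependencies` hunk below it appear under the CHANGELOG.md header but are JavaScript, so their actual file paths are not recoverable from this page.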
package/build/tools/review-pr.js
CHANGED
|
@@ -45,7 +45,7 @@ function detectLanguage(filePath) {
|
|
|
45
45
|
return "dockerfile";
|
|
46
46
|
return CONFIG_FILE_MAP[basename(filePath)] ?? null;
|
|
47
47
|
}
|
|
48
|
-
function assessConfidence(rule,
|
|
48
|
+
function assessConfidence(rule, _match) {
|
|
49
49
|
// Higher confidence for specific patterns (secrets, hardcoded values)
|
|
50
50
|
if (rule.id.startsWith("VG0") || rule.id.startsWith("VG6"))
|
|
51
51
|
return 0.95; // core + secrets
|
|
@@ -29,7 +29,7 @@ function getFileAtCommit(cwd, commitHash, filePath) {
|
|
|
29
29
|
return null;
|
|
30
30
|
}
|
|
31
31
|
}
|
|
32
|
-
function
|
|
32
|
+
function _fileExistsAtHead(cwd, filePath) {
|
|
33
33
|
const result = execGit(["cat-file", "-e", `HEAD:${filePath}`], cwd);
|
|
34
34
|
// cat-file -e returns empty on success, error message on failure
|
|
35
35
|
return result === "";
|
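Review bot: Renaming `fileExistsAtHead` to `_fileExistsAtHead` at the `function _fileExistsAtHead(cwd, filePath)` line silences the unused-symbol warning but leaves an uncalled module-level function in the published build; if nothing references it, delete it, and if other modules are meant to use it, `export` it rather than hide it behind a prefix. The same applies to the `_match` parameter added to `assessConfidence` in the first hunk, which the visible body never reads and could simply be dropped, since a `rule`-only signature remains compatible with callers that pass a second argument. `execGit` and the remainder of both functions lie outside the hunks, and the `getFileAtCommit` context of the second hunk suggests it belongs to a different file than review-pr.js, so the file attribution on this page may be off.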
package/build/utils/ignore.js
CHANGED
|
@@ -9,13 +9,13 @@
|
|
|
9
9
|
// Supports simple glob matching: * matches any segment, ** matches any depth.
|
|
10
10
|
import { readFileSync } from "fs";
|
|
11
11
|
import { join } from "path";
|
|
12
|
-
|
|
12
|
+
const ignoreCache = new Map();
|
|
13
13
|
export function loadIgnoreFile(dir) {
|
|
14
14
|
const cached = ignoreCache.get(dir);
|
|
15
15
|
if (cached)
|
|
16
16
|
return cached;
|
|
17
17
|
const ignorePath = join(dir, ".guardvibeignore");
|
|
18
|
-
|
|
18
|
+
const entries = [];
|
|
19
19
|
try {
|
|
20
20
|
const content = readFileSync(ignorePath, "utf-8");
|
|
21
21
|
const lines = content.split("\n");
|
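Review bot: The new `ignoreCache` map is keyed by the raw `dir` string and is never invalidated, so within one process `loadIgnoreFile` keeps returning the first parsed `.guardvibeignore` for that directory even after the file is edited, and `dir` versus `dir/` produce separate entries; for a long-running MCP server that means ignore-rule changes are not honored until restart. If that is intended, say so next to the declaration, e.g. `// Process-lifetime cache: edits to .guardvibeignore are not seen until restart.`; otherwise keying on a normalized path and comparing the file's mtime would keep the cache honest. The rest of `loadIgnoreFile`, including where `entries` is filled and stored into the cache, lies beyond the hunk, so the stale-cache reading is inferred from the `get`/`return cached` lines only.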
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "2.4.
|
|
3
|
+
"version": "2.4.3",
|
|
4
4
|
"description": "Security MCP for vibe coding. 313 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
@@ -8,6 +8,7 @@
|
|
|
8
8
|
"guardvibe-init": "build/cli.js",
|
|
9
9
|
"guardvibe-scan": "build/cli.js"
|
|
10
10
|
},
|
|
11
|
+
"main": "./build/index.js",
|
|
11
12
|
"types": "./build/index.d.ts",
|
|
12
13
|
"files": [
|
|
13
14
|
"build",
|
|
@@ -30,6 +31,7 @@
|
|
|
30
31
|
"dev": "tsc --watch",
|
|
31
32
|
"start": "node build/index.js",
|
|
32
33
|
"prepare": "npm run build",
|
|
34
|
+
"lint": "eslint src/",
|
|
33
35
|
"test": "node --import tsx --test tests/**/*.test.ts"
|
|
34
36
|
},
|
|
35
37
|
"keywords": [
|
|
@@ -87,6 +89,9 @@
|
|
|
87
89
|
"mass-assignment",
|
|
88
90
|
"auto-fix"
|
|
89
91
|
],
|
|
92
|
+
"funding": {
|
|
93
|
+
"url": "https://github.com/sponsors/goklab"
|
|
94
|
+
},
|
|
90
95
|
"author": "GokLab",
|
|
91
96
|
"license": "Apache-2.0",
|
|
92
97
|
"homepage": "https://guardvibe.dev",
|
|
@@ -103,8 +108,10 @@
|
|
|
103
108
|
},
|
|
104
109
|
"devDependencies": {
|
|
105
110
|
"@types/node": "^22.0.0",
|
|
111
|
+
"eslint": "^10.2.0",
|
|
106
112
|
"tsx": "^4.21.0",
|
|
107
|
-
"typescript": "^5.7.0"
|
|
113
|
+
"typescript": "^5.7.0",
|
|
114
|
+
"typescript-eslint": "^8.58.0"
|
|
108
115
|
},
|
|
109
116
|
"engines": {
|
|
110
117
|
"node": ">=18.0.0"
|
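Review bot: The new `"lint": "eslint src/"` script covers only `src/`, while `"test"` executes `tests/**/*.test.ts`, so the test tree sits outside the static-analysis gate the changelog says CI and publish now run before tests; `"lint": "eslint src/ tests/"` (or whatever `eslint.config.js` scopes) would close that gap. The added `"main": "./build/index.js"` points at the same file `"start"` launches with `node build/index.js`; if `index.js` starts the MCP server at module load, importing the package as a library will spawn the server as a side effect, so confirm the entry is side-effect-free or point `main` at a pure export module. The `npm audit` and Dependabot steps listed in the changelog live in workflow files that are not part of this diff, so they cannot be checked here.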