guardvibe 3.0.22 → 3.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +3 -3
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -242,9 +242,9 @@ All scanning tools support `format: "json"` for machine-readable output.
242
242
  | Core OWASP | 38 | SQL injection, XSS, CSRF, command injection, CORS, SSRF, hardcoded secrets |
243
243
  | Next.js App Router | 17 | Server Actions, secret exposure, auth bypass, CSP, redirects |
244
244
  | Auth (Clerk / Auth.js / Supabase Auth) | 16 | Middleware, secret keys, session storage, role checks, SSR cookies |
245
- | Database (Supabase / Prisma / Drizzle) | 11 | Raw queries, client exposure, service role leaks, NoSQL injection |
245
+ | Database (Supabase / Prisma / Drizzle) | 12 | Raw queries, client exposure, service role leaks, NoSQL injection, Drizzle identifier injection (CVE-2026-39356) |
246
246
  | OWASP API Security | 10 | BOLA/IDOR, mass assignment, pagination, rate limiting, error leaks |
247
- | Modern Stack | 39 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK |
247
+ | Modern Stack | 40 | Zod, tRPC, Hono, GraphQL, Uploadthing, Turso, Convex, OAuth, CSP, webhooks, AI SDK, React Server Action validation (React2Shell) |
248
248
  | Deployment Config | 21 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify, Cloudflare, K8s secrets |
249
249
  | Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
250
250
  | Services (Resend / Upstash / Pinecone / PostHog) | 11 | API key leaks, PII tracking, email injection |
@@ -254,7 +254,7 @@ All scanning tools support `format: "json"` for machine-readable output.
254
254
  | AI / LLM Security | 16 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
255
255
  | **AI Host Security** | **10** | **CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit** |
256
256
  | **AI Tool Runtime** | **4** | **MCP tool output sanitization, obfuscated descriptions, safety bypass** |
257
- | CVE Version Intelligence | 23 | Known vulnerable versions in package.json (23 CVEs) |
257
+ | CVE Version Intelligence | 27 | Known vulnerable versions in package.json — incl. Axios supply-chain backdoor, Clerk middleware bypass (GHSA-vqx2), Next.js RSC DoS (CVE-2026-23869), Hono CRLF (CVE-2026-29086) |
258
258
  | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
259
259
  | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
260
260
  | Supply Chain | 16 | Malicious install scripts, lockfile integrity, dependency confusion, typosquat detection |
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.0.22",
3
+ "version": "3.0.24",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
5
  "description": "Security MCP for vibe coding. 341 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",