npm - guardvibe - Versions diffs - 3.0.25 → 3.0.26 - Mend

guardvibe 3.0.25 → 3.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +10 -0
package/build/cli/init.js +3 -3
package/build/data/rules/advanced-security.js +2 -2
package/build/data/rules/core.js +2 -2
package/build/data/rules/modern-stack.js +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.0.26] - 2026-04-25
+### Fixed
+- `init claude` now writes `.mcp.json` (Claude Code v2.x project-scope filename) instead of `.claude.json` — fixes silent install failure where MCP server was never loaded
+- VG964 (server-only missing) now requires Next.js context (`from 'next/...'` or `require('next/...')`) — no longer fires on plain CommonJS Node files
+- VG138 (plaintext password compare) no longer matches `typeof password !== 'string'` type guards
+- VG148 (login brute-force) now detects rate-limit middleware passed as positional argument before bcrypt.compare
+- VG061 (JWT no expiry) now correctly recognizes `expiresIn` anywhere in the `jwt.sign` argument list
+- VG030 (missing rate limit) no longer fires when route declaration includes a `*Limiter`, `*Throttle`, `*RateLimit`, `*Brute`, or `*SlowDown` middleware
 ## [2.7.1] - 2026-04-04
 ### Fixed

package/build/cli/init.js CHANGED Viewed

@@ -11,8 +11,8 @@ const GUARDVIBE_MCP_CONFIG = {
 };
 const platforms = {
     claude: {
-        path: join(process.cwd(), ".claude.json"),
-        description: "Claude Code (.claude.json)",
+        path: join(process.cwd(), ".mcp.json"),
+        description: "Claude Code (.mcp.json)",
     },
     gemini: {
         path: join(homedir(), ".gemini", "settings.json"),
@@ -154,7 +154,7 @@ function setupSecurityGuide(platformName) {
     else if (platformName === "gemini")
         setupGeminiGuide();
     const gitignoreEntries = {
-        claude: [".claude.json", ".claude/", "CLAUDE.md"],
+        claude: [".mcp.json", ".claude/", "CLAUDE.md"],
         cursor: [".cursor/", ".cursorrules"],
         gemini: ["GEMINI.md"],
     };

package/build/data/rules/advanced-security.js CHANGED Viewed

@@ -110,7 +110,7 @@ export const advancedSecurityRules = [
         severity: "critical",
         owasp: "A02:2025 Cryptographic Failures",
         description: "Password is compared using direct string equality (=== or ==) instead of a hashing function. This means passwords are stored or transmitted in plaintext.",
-        pattern: /(?:password|passwd|pwd)\s*(?:===|!==|==|!=)\s*(?:(?:req|request|body|input|data|form|user)[\.\[]|["'])/gi,
+        pattern: /(?<!typeof\s)(?:password|passwd|pwd)\s*(?:===|!==|==|!=)\s*(?:(?:req|request|body|input|data|form|user)[\.\[]|["'](?!(?:string|number|boolean|undefined|object|function|symbol|bigint)["']))/gi,
         languages: ["javascript", "typescript", "python"],
         fix: "Never compare passwords directly. Use bcrypt.compare() or argon2.verify() to compare against hashed passwords.",
         fixCode: '// BAD: plaintext comparison\nif (user.password === inputPassword) { ... }\n\n// GOOD: hash comparison\nimport bcrypt from "bcrypt";\nconst valid = await bcrypt.compare(inputPassword, user.passwordHash);\nif (!valid) return new Response("Invalid", { status: 401 });',
@@ -240,7 +240,7 @@ export const advancedSecurityRules = [
         severity: "high",
         owasp: "A07:2025 Identification and Authentication Failures",
         description: "Login/authentication endpoint compares passwords without rate limiting or account lockout. Attackers can try unlimited password combinations.",
-        pattern: /(?:signIn|login|authenticate|logIn)\b[\s\S]{0,500}?(?:bcrypt\.compare|argon2\.verify|compare|verify)[\s\S]{0,300}?(?:(?!rateLimit|limiter|throttle|lockout|maxAttempts|failedAttempts|loginAttempts|Ratelimit)[\s\S]){5,}?(?:return|Response|res\.)/gi,
+        pattern: /(?:signIn|login|authenticate|logIn)\b(?:(?!rateLimit|limiter|throttle|lockout|maxAttempts|failedAttempts|loginAttempts|Ratelimit|brute)[\s\S]){0,500}?(?:bcrypt\.compare|argon2\.verify|compare|verify)(?:(?!rateLimit|limiter|throttle|lockout|maxAttempts|failedAttempts|loginAttempts|Ratelimit|brute)[\s\S]){5,300}?(?:return|Response|res\.)/gi,
         languages: ["javascript", "typescript"],
         fix: "Add rate limiting and account lockout to login endpoints.",
         fixCode: '// Add rate limiting to login\nimport { Ratelimit } from "@upstash/ratelimit";\nconst loginLimiter = new Ratelimit({\n  redis: Redis.fromEnv(),\n  limiter: Ratelimit.slidingWindow(5, "15 m"), // 5 attempts per 15 min\n});\n\nconst { success } = await loginLimiter.limit(email);\nif (!success) return new Response("Too many attempts", { status: 429 });',

package/build/data/rules/core.js CHANGED Viewed

@@ -140,7 +140,7 @@ export const coreRules = [
         severity: "medium",
         owasp: "A04:2025 Insecure Design",
         description: "Authentication or API endpoints without rate limiting are vulnerable to brute force attacks.",
-        pattern: /(?:app|router)\.\s*(?:get|post|put|delete|patch|use)\s*\(\s*['"](?:\/login|\/auth|\/signin|\/register|\/signup|\/forgot-password)/gi,
+        pattern: /(?:app|router)\.\s*(?:get|post|put|delete|patch|use)\s*\(\s*['"](?:\/login|\/auth|\/signin|\/register|\/signup|\/forgot-password)['"]\s*,(?!\s*(?:\w*[Ll]imiter|\w*[Tt]hrottle|\w*[Rr]ate[Ll]imit|\w*[Bb]rute|\w*[Ss]low[Dd]own))/gi,
         languages: ["javascript", "typescript", "python", "go"],
         fix: "Add rate limiting middleware. Express: npm install express-rate-limit. FastAPI: use slowapi. Apply stricter limits on auth endpoints (e.g. 5 requests/minute).",
         fixCode: "// Express rate limiting\nimport rateLimit from 'express-rate-limit';\napp.use('/api/', rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));",
@@ -200,7 +200,7 @@ export const coreRules = [
         severity: "high",
         owasp: "A07:2025 Auth Failures",
         description: "JWT token created without expiration time.",
-        pattern: /jwt\.sign\s*\([^)]*(?!\bexpiresIn\b)[^)]*\)/gi,
+        pattern: /jwt\.sign\s*\((?:(?!\bexpiresIn\b)[^)])*\)/gi,
         languages: ["javascript", "typescript"],
         fix: "Always set token expiration: jwt.sign(payload, secret, { expiresIn: '15m' }).",
         fixCode: "// Always set expiration\nconst token = jwt.sign(payload, secret, { expiresIn: '15m' });",

package/build/data/rules/modern-stack.js CHANGED Viewed

@@ -65,7 +65,7 @@ export const modernStackRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: 'File contains sensitive server-side logic (database queries, secret access) but does not import "server-only". Without this guard, the module can be accidentally imported by a Client Component, leaking server code to the browser bundle.',
-        pattern: /^(?![\s\S]*?(?:['"]server-only['"]|['"]use server['"]|['"]use client['"])[\s\S]*?)[\s\S]*?(?:process\.env\.(?!NEXT_PUBLIC_)\w+(?:_KEY|_SECRET|_TOKEN)|(?:prisma|db|supabase)\.(?:query|from|\$queryRaw))/g,
+        pattern: /^(?=[\s\S]*?(?:from\s+['"]next(?:\/[^'"]*)?['"]|require\s*\(\s*['"]next(?:\/[^'"]*)?['"]))(?![\s\S]*?(?:['"]server-only['"]|['"]use server['"]|['"]use client['"])[\s\S]*?)[\s\S]*?(?:process\.env\.(?!NEXT_PUBLIC_)\w+(?:_KEY|_SECRET|_TOKEN)|(?:prisma|db|supabase)\.(?:query|from|\$queryRaw))/g,
         languages: ["javascript", "typescript"],
         fix: 'Add import "server-only" at the top of files that contain server-side logic.',
         fixCode: '// Add at the very top of server-only modules\nimport "server-only";\n\n// Now this file cannot be imported by Client Components\nexport async function getSecretData() {\n  const key = process.env.SECRET_KEY;\n  return prisma.user.findMany();\n}',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.25",
+  "version": "3.0.26",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 341 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",