guardvibe 3.0.44 → 3.0.46
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +14 -2
- package/package.json +1 -1
|
@@ -522,6 +522,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
522
522
|
// like "node": ">=6" are not dependency versions
|
|
523
523
|
if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
|
|
524
524
|
continue;
|
|
525
|
+
// Skip all CVE version-pin rules (VG900-VG931) in lock files. The patterns are designed
|
|
526
|
+
// to match top-level dependency declarations in package.json. Lock files contain
|
|
527
|
+
// sub-package peer dependency ranges (e.g. "next": ">=13.2.0" from a transitive dep)
|
|
528
|
+
// which look like vulnerable pins but represent peer requirements, not installed versions.
|
|
529
|
+
if (filePath && /^VG9(?:0\d|1\d|2\d|3[01])$/.test(rule.id) && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
|
|
530
|
+
continue;
|
|
525
531
|
// Skip VG430 (Supabase anon key on server) when file properly separates client/server
|
|
526
532
|
// or is a React Native/mobile client (anon key with AsyncStorage is correct pattern)
|
|
527
533
|
if (rule.id === "VG430") {
|
|
@@ -533,8 +539,14 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
533
539
|
if (isMobileClient)
|
|
534
540
|
continue;
|
|
535
541
|
}
|
|
536
|
-
// Skip VG448 (Supabase RPC bypass RLS) when
|
|
537
|
-
|
|
542
|
+
// Skip VG448 (Supabase RPC bypass RLS) when the file is on a server-side codepath
|
|
543
|
+
// using a service-role / admin Supabase client. RLS bypass is intentional in those
|
|
544
|
+
// contexts and is identical in posture to direct .from(...).update(...) writes that
|
|
545
|
+
// already bypass RLS via the same key — flagging only .rpc() syntax produces FPs.
|
|
546
|
+
// Naming variants covered: createServerClient (Supabase docs), createServerSupabaseClient,
|
|
547
|
+
// createServiceClient / createServiceRoleClient (common project conventions),
|
|
548
|
+
// createAdminClient (Clerk-adjacent and DIY).
|
|
549
|
+
if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient|createService(?:Role)?Client|createAdminClient|createServiceSupabase)/i.test(code))
|
|
538
550
|
continue;
|
|
539
551
|
// VG872/VG873 legitimate package filtering is handled at match level below
|
|
540
552
|
// Skip server-only import rule (VG964) for files that are inherently server-only:
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.46",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|