npm - guardvibe - Versions diffs - 3.0.45 → 3.0.46 - Mend

guardvibe 3.0.45 → 3.0.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/build/tools/check-code.js +8 -2
package/package.json +1 -1

package/build/tools/check-code.js CHANGED Viewed

@@ -539,8 +539,14 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             if (isMobileClient)
                 continue;
         }
-        // Skip VG448 (Supabase RPC bypass RLS) when using service_role key (server-side)
-        if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient)/i.test(code))
+        // Skip VG448 (Supabase RPC bypass RLS) when the file is on a server-side codepath
+        // using a service-role / admin Supabase client. RLS bypass is intentional in those
+        // contexts and is identical in posture to direct .from(...).update(...) writes that
+        // already bypass RLS via the same key — flagging only .rpc() syntax produces FPs.
+        // Naming variants covered: createServerClient (Supabase docs), createServerSupabaseClient,
+        // createServiceClient / createServiceRoleClient (common project conventions),
+        // createAdminClient (Clerk-adjacent and DIY).
+        if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient|createService(?:Role)?Client|createAdminClient|createServiceSupabase)/i.test(code))
             continue;
         // VG872/VG873 legitimate package filtering is handled at match level below
         // Skip server-only import rule (VG964) for files that are inherently server-only:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.45",
+  "version": "3.0.46",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",