npm - guardvibe - Versions diffs - 3.1.0 → 3.1.1 - Mend

guardvibe 3.1.0 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/build/cli.js +4 -0
package/build/index.js +3 -0
package/build/utils/update-check.d.ts +27 -0
package/build/utils/update-check.js +125 -0
package/package.json +1 -1

package/build/cli.js CHANGED Viewed

@@ -1,7 +1,11 @@
 #!/usr/bin/env node
 import { createRequire } from "module";
+import { checkForUpdate } from "./utils/update-check.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
+// Fire-and-forget update notification (writes to stderr if newer version exists).
+// Skipped when GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1, or CI=true.
+checkForUpdate(pkg.version);
 // ── Scan entry point detection ──────────────────────────────────────
 const SCAN_SCRIPT_DETECTED = process.argv[1]?.endsWith("guardvibe-scan") ||
     process.argv[1]?.endsWith("guardvibe-scan.js");

package/build/index.js CHANGED Viewed

@@ -998,6 +998,9 @@ export async function startMcpServer() {
     return main();
 }
 async function main() {
+    // Fire-and-forget npm update check (writes a banner to stderr if newer version exists).
+    const { checkForUpdate } = await import("./utils/update-check.js");
+    checkForUpdate(pkg.version);
     // Load plugins
     const config = loadConfig(process.cwd());
     const plugins = await discoverPlugins(process.cwd(), config.plugins);

package/build/utils/update-check.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Non-blocking npm update notification.
+ *
+ * On startup of the CLI or MCP server, fires an async GET against
+ * https://registry.npmjs.org/guardvibe/latest. Result is cached for 24h
+ * in ~/.cache/guardvibe/version-check.json so we never hit npm twice in
+ * a day from one machine. If a newer version is available, a 5-line
+ * banner is written to stderr — never stdout, so the MCP JSON-RPC stream
+ * is untouched.
+ *
+ * Disable with GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1,
+ * or CI=true (CI runners don't need version banners).
+ */
+/**
+ * Compare two semver strings. Returns true if `latest` is strictly newer.
+ * Handles plain MAJOR.MINOR.PATCH (no pre-release / build metadata).
+ */
+export declare function isNewer(latest: string, current: string): boolean;
+/**
+ * Fire-and-forget version check. Never throws, never blocks.
+ *
+ * Behavior:
+ *   - If env var disables it → no-op.
+ *   - If cache is fresh (< 24h) and indicates newer version → announce immediately.
+ *   - If cache is stale → fire async fetch, update cache, announce if newer.
+ */
+export declare function checkForUpdate(currentVersion: string): void;

package/build/utils/update-check.js ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Non-blocking npm update notification.
+ *
+ * On startup of the CLI or MCP server, fires an async GET against
+ * https://registry.npmjs.org/guardvibe/latest. Result is cached for 24h
+ * in ~/.cache/guardvibe/version-check.json so we never hit npm twice in
+ * a day from one machine. If a newer version is available, a 5-line
+ * banner is written to stderr — never stdout, so the MCP JSON-RPC stream
+ * is untouched.
+ *
+ * Disable with GUARDVIBE_NO_UPDATE_CHECK=1, NO_UPDATE_NOTIFIER=1,
+ * or CI=true (CI runners don't need version banners).
+ */
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir, tmpdir } from "node:os";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24h
+const NPM_URL = "https://registry.npmjs.org/guardvibe/latest";
+const FETCH_TIMEOUT_MS = 2000;
+function cachePath() {
+    const home = process.env.HOME ?? homedir();
+    const baseDir = home && home.length > 0 ? join(home, ".cache", "guardvibe") : join(tmpdir(), "guardvibe");
+    return join(baseDir, "version-check.json");
+}
+function readCache() {
+    try {
+        const raw = readFileSync(cachePath(), "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+function writeCache(data) {
+    try {
+        const path = cachePath();
+        mkdirSync(dirname(path), { recursive: true });
+        writeFileSync(path, JSON.stringify(data));
+    }
+    catch {
+        // Cache write failure is non-fatal; silently swallow.
+    }
+}
+/**
+ * Compare two semver strings. Returns true if `latest` is strictly newer.
+ * Handles plain MAJOR.MINOR.PATCH (no pre-release / build metadata).
+ */
+export function isNewer(latest, current) {
+    const parse = (v) => v.split(".").map(n => parseInt(n, 10));
+    const la = parse(latest);
+    const ca = parse(current);
+    for (let i = 0; i < 3; i++) {
+        const l = la[i] ?? 0;
+        const c = ca[i] ?? 0;
+        if (l !== c)
+            return l > c;
+    }
+    return false;
+}
+async function fetchLatest() {
+    try {
+        const ctrl = new AbortController();
+        const timer = setTimeout(() => ctrl.abort(), FETCH_TIMEOUT_MS);
+        // guardvibe-ignore VG120 — NPM_URL is a hardcoded module-level constant, not user input
+        const res = await fetch(NPM_URL, { signal: ctrl.signal });
+        clearTimeout(timer);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return typeof data.version === "string" ? data.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function announceUpdate(latest, current) {
+    const lines = [
+        "",
+        "  ┌──────────────────────────────────────────────────────────┐",
+        `  │  GuardVibe ${current} → ${latest} available`,
+        "  │  Upgrade: re-run `npx guardvibe init <host>` to pin the new",
+        "  │           version into your .mcp.json (or `npx guardvibe@latest`)",
+        "  │  Silence: set GUARDVIBE_NO_UPDATE_CHECK=1",
+        "  └──────────────────────────────────────────────────────────┘",
+        "",
+    ];
+    process.stderr.write(lines.join("\n"));
+}
+function isDisabled() {
+    return (process.env.GUARDVIBE_NO_UPDATE_CHECK === "1" ||
+        process.env.NO_UPDATE_NOTIFIER === "1" ||
+        process.env.CI === "true" ||
+        process.env.CI === "1");
+}
+/**
+ * Fire-and-forget version check. Never throws, never blocks.
+ *
+ * Behavior:
+ *   - If env var disables it → no-op.
+ *   - If cache is fresh (< 24h) and indicates newer version → announce immediately.
+ *   - If cache is stale → fire async fetch, update cache, announce if newer.
+ */
+export function checkForUpdate(currentVersion) {
+    if (isDisabled())
+        return;
+    const cache = readCache();
+    const now = Date.now();
+    if (cache && cache.latest && now - cache.checkedAt < CACHE_TTL_MS) {
+        if (isNewer(cache.latest, currentVersion)) {
+            announceUpdate(cache.latest, currentVersion);
+        }
+        return;
+    }
+    // Cache missing or stale — refresh in background, don't await.
+    fetchLatest()
+        .then(latest => {
+        writeCache({ checkedAt: now, latest });
+        if (latest && isNewer(latest, currentVersion)) {
+            announceUpdate(latest, currentVersion);
+        }
+    })
+        .catch(() => {
+        // Non-fatal.
+    });
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",