npm - guardvibe - Versions diffs - 3.1.13 → 3.1.14 - Mend

guardvibe 3.1.13 → 3.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/build/data/rules/cve-versions.js +1 -1
package/build/data/rules/modern-stack.js +1 -1
package/build/tools/check-code.js +14 -0
package/package.json +1 -1

package/build/data/rules/cve-versions.js CHANGED Viewed

@@ -247,7 +247,7 @@ export const cveVersionRules = [
         severity: "critical",
         owasp: "A02:2025 Injection",
         description: "React 19.0.0 through 19.1.0 and Next.js 15.0.0 through 15.3.2 are vulnerable to React2Shell — a critical deserialization RCE in the React Flight protocol. Attackers send crafted POST payloads to any App Router endpoint to achieve remote code execution without authentication. CVSS 10.0. State-nexus threat groups exploited this within hours of disclosure (December 2025).",
-        pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*19\.[01]\.\d+["']/g,
+        pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:19\.0\.\d+|19\.1\.0)["']/g,
         languages: ["json"],
         fix: "Upgrade React to 19.1.1+ and Next.js to 15.3.3+: npm install react@latest react-dom@latest next@latest",
         fixCode: '// package.json — upgrade immediately\n"react": "^19.1.1",\n"react-dom": "^19.1.1",\n"next": "^15.3.3"',

package/build/data/rules/modern-stack.js CHANGED Viewed

@@ -23,7 +23,7 @@ export const modernStackRules = [
         severity: "medium",
         owasp: "API3:2023 Broken Object Property Level Authorization",
         description: "Using z.any() or z.unknown() for request body/input validation effectively disables validation, allowing any data through.",
-        pattern: /(?:body|input|data|payload|params)\s*[:=]\s*z\.(?:any|unknown)\s*\(\s*\)/gi,
+        pattern: /\b(?:body|input|data|payload|params)\b\s*[:=]\s*z\.(?:any|unknown)\s*\(\s*\)(?!\s*\.(?:describe|nullish|nullable|optional|catch|default|transform|pipe|refine|superRefine|brand|readonly))/gi,
         languages: ["javascript", "typescript"],
         fix: "Define explicit Zod schemas for all inputs. Use z.object() with specific field types.",
         fixCode: '// BAD: no validation\nconst schema = z.object({ data: z.any() });\n\n// GOOD: explicit validation\nconst schema = z.object({\n  name: z.string().min(1).max(200),\n  email: z.string().email(),\n});',

package/build/tools/check-code.js CHANGED Viewed

@@ -615,6 +615,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 continue;
             if (isReactNative)
                 continue;
+            if (isBatchScriptFile)
+                continue;
             const isEmailFile = /(?:resend|nodemailer|sendEmail|sendMail|email\.send)/i.test(code);
             if (isEmailFile)
                 continue;
@@ -883,6 +885,18 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 const isServiceVerbCall = /(?:^|[\s=])(?:return\s+|await\s+)?this\.(?:get|post|put|delete|patch|head|options|fetch|request)\s*\(/i.test(matchedLine);
                 if (isServiceVerbCall && !hasSqlKeyword)
                     continue;
+                // Bare `.get(` / `.run(` / `.all(` triggers without a SQL keyword on the line.
+                // The pattern's keyword list is intentionally broad to cover SQLite verbs (`db.run`,
+                // `db.all`) and SQLite's `.prepare(...).get()` chain, but those verbs are also used
+                // by Redis (`redis.get(`key:${id}`)`), Next.js cookies/headers (`req.cookies.get(`name`)`),
+                // JS Map (`map.get(key)`), Tinybird pipes, etc. SQLite's `prepare` already triggers
+                // VG010 on the ascending side of the chain, so dropping the bare-verb form here
+                // preserves SQLite coverage while clearing the cache/cookie/Map false positives.
+                const triggerWordMatch = match[0].match(/^(\w+)/);
+                const triggerWord = triggerWordMatch ? triggerWordMatch[1].toLowerCase() : "";
+                const isWeakTrigger = triggerWord === "get" || triggerWord === "run" || triggerWord === "all";
+                if (isWeakTrigger && !hasSqlKeyword)
+                    continue;
             }
             // Skip XSS-family rules (VG012/VG408/VG042/VG852) when a lint-suppression
             // comment for the corresponding rule sits within a small window around the

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.13",
+  "version": "3.1.14",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",