npm - guardvibe - Versions diffs - 3.1.16 → 3.1.17 - Mend

guardvibe 3.1.16 → 3.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/build/data/rules/core.js +1 -1
package/build/data/rules/nextjs.js +1 -1
package/build/tools/check-code.js +7 -1
package/package.json +1 -1

package/build/data/rules/core.js CHANGED Viewed

@@ -260,7 +260,7 @@ export const coreRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "Cookies set without secure, httpOnly, or sameSite flags.",
-        pattern: /(?:cookie|setCookie|set-cookie|res\.cookie)\s*\([^)]*(?!(?:.*secure|.*httpOnly|.*sameSite))/gi,
+        pattern: /(?:\bcookie|setCookie|set-cookie|res\.cookie)[ \t]*\([^)]*(?!(?:.*secure|.*httpOnly|.*sameSite))/gi,
         languages: ["javascript", "typescript"],
         fix: "Set all security flags: { secure: true, httpOnly: true, sameSite: 'strict' }.",
         fixCode: "res.cookie('session', token, {\n  secure: true,\n  httpOnly: true,\n  sameSite: 'strict',\n  maxAge: 3600000\n});",

package/build/data/rules/nextjs.js CHANGED Viewed

@@ -153,7 +153,7 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Server Action returns a full database query result without field selection. Sensitive fields (passwordHash, internalNotes) get serialized to the client.",
-        pattern: /["']use server["'][\s\S]{0,800}?(?:return\s+\w+\.)?(?:findUnique|findFirst|findMany)\s*\((?:(?!select\s*:)[\s\S])*?\)/g,
+        pattern: /["']use server["'][\s\S]{0,1500}?\breturn\b[^\n;]{0,80}?(?:findUnique|findFirst|findMany)\s*\((?:(?!select\s*:)[\s\S])*?\)/g,
         languages: ["javascript", "typescript"],
         fix: "Always use select to return only needed fields from Server Actions.",
         fixCode: '"use server";\nexport async function getUser(id: string) {\n  return prisma.user.findUnique({\n    where: { id },\n    select: { id: true, name: true, email: true },\n  });\n}',

package/build/tools/check-code.js CHANGED Viewed

@@ -370,7 +370,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
             continue;
         // VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
         // surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
@@ -490,6 +490,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // request handler to authorize. Rule still fires inside route handlers and Server Actions.
         if (rule.id === "VG1008" && isBatchScriptFile)
             continue;
+        // Skip VG961 (z.any/z.unknown) in batch scripts and cron routes — `data: z.any()` and
+        // similar opaque fields in migration/seed scripts and cron job payloads are intentional
+        // passthroughs (e.g. Tinybird `tb.buildPipe({ parameters: ..., data: z.any() })`),
+        // not "validation disabled at the entry point" misuses.
+        if (rule.id === "VG961" && (isBatchScriptFile || isCronRoute))
+            continue;
         // Skip VG132 (Missing Request Body Size Limit) on Next.js route handlers and
         // pages/api endpoints — Next.js/Vercel apply a default 4.5MB body limit at the
         // platform layer, which is what the rule is checking for.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.16",
+  "version": "3.1.17",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",