guardvibe 3.14.0 → 3.14.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/build/tools/check-code.js +14 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,22 @@ All notable changes to GuardVibe are documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [3.14.2] - 2026-06-08
|
|
9
|
+
|
|
10
|
+
### Fixed — VG964 false positives on App Router route segments (442 rules / 37 tools)
|
|
11
|
+
- **VG964 (Server-Only Module Missing) no longer fires on App Router route-segment files** — `page` / `layout` / `route` / `template` / `loading` / `error` / etc. under `app/` (without `"use client"`). These are React Server Components that Next renders as route entrypoints; they are never imported into a client bundle, so they're server-only by default and don't need the `server-only` package. The rule still targets shared modules that could be imported client-side (and Pages Router files, which do ship to the client).
|
|
12
|
+
- Found by a corpus FP audit. Validated via a clean old-vs-new diff: **VG964 14 → 5, all 9 removed are genuine App Router route segments** (e.g. payload preview routes, plane `layout.tsx`, unkey settings pages), **0 true positives lost**, 0 drift in any other rule. 4 tests. No rule or tool changes (442 / 37).
|
|
13
|
+
|
|
14
|
+
Gate green (build / lint / test / self-audit PASS / A / 0).
|
|
15
|
+
|
|
16
|
+
## [3.14.1] - 2026-06-08
|
|
17
|
+
|
|
18
|
+
### Fixed — release pipeline resilience (442 rules / 37 tools)
|
|
19
|
+
- The v3.14.0 npm publish succeeded but the MCP-registry step hit a transient **504 Gateway Time-out** from registry.modelcontextprotocol.io, leaving the registry one version behind. This patch re-publishes to bring npm + the MCP registry back in sync.
|
|
20
|
+
- **Hardened `publish.yml`:** the npm publish step is now idempotent (skips if the version already exists), so a transient MCP-registry outage can be retried via `gh run rerun --failed` without failing on a duplicate npm publish. No rule, tool, or behavior changes (442 / 37).
|
|
21
|
+
|
|
22
|
+
Gate green (build / lint / test / self-audit PASS / A / 0).
|
|
23
|
+
|
|
8
24
|
## [3.14.0] - 2026-06-08
|
|
9
25
|
|
|
10
26
|
### Added — intel maintenance: Vite / launch-editor dev-server RCE (441 → 442 rules / 37 tools)
|
|
@@ -660,6 +660,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
660
660
|
if (hasUseClient || hasReactStateHooks)
|
|
661
661
|
continue;
|
|
662
662
|
}
|
|
663
|
+
// VG964 (Server-Only Module Missing): App Router route-segment files
|
|
664
|
+
// (page/layout/route/template/… without "use client") are server components —
|
|
665
|
+
// route entrypoints Next renders server-side that are NEVER imported into a
|
|
666
|
+
// client bundle, so they're server-only by default and don't need the
|
|
667
|
+
// `server-only` package. The rule targets SHARED modules that could be imported
|
|
668
|
+
// client-side; skip RSC route segments to avoid false positives. Only `app/`
|
|
669
|
+
// (App Router) qualifies — Pages Router page files DO ship to the client.
|
|
670
|
+
if (rule.id === "VG964" && filePath) {
|
|
671
|
+
const fp = filePath.replace(/\\/g, "/");
|
|
672
|
+
if (/(?:^|\/)app\//.test(fp) &&
|
|
673
|
+
/(?:^|\/)(?:page|layout|route|template|default|loading|error|not-found|global-error|head)\.(?:tsx?|jsx?)$/.test(fp)) {
|
|
674
|
+
continue;
|
|
675
|
+
}
|
|
676
|
+
}
|
|
663
677
|
// Skip SQL injection rules in schema/migration .sql files (DDL, not user input)
|
|
664
678
|
if (rule.id === "VG543" && (isMigrationFile || isSqlSchemaFile))
|
|
665
679
|
continue;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.14.
|
|
3
|
+
"version": "3.14.2",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
|
|
6
6
|
"type": "module",
|