guardvibe 3.19.0 → 3.20.0

package/CHANGELOG.md CHANGED
@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [3.20.0] - 2026-06-14
9
+
10
+ ### Added — 3 fresh CVE version-pin rules from daily threat intel (442 → 445 rules / 38 tools)
11
+ - **VG1089 — js-cookie `assign()` prototype hijack → cookie-attribute injection (CVE-2026-46625 / GHSA-qjx8-664m-686j, high).** js-cookie < 3.0.7 enumerates `Object.prototype` keys through the internal `assign()` helper, so a pollution gadget can inject `domain=`/`path=`/`secure=`/`samesite=`/`expires=` attributes into written cookies. Fixed in 3.0.7. 0-FP semver: only exact/`=` pins in the 3.0.x line are flagged (a caret/tilde there resolves to the fixed 3.0.7); 0.x–2.x majors are flagged with any range.
12
+ - **VG1090 — PostCSS XSS via unescaped `</style>` in stringify output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93, medium).** postcss < 8.5.10 does not escape `</style>` when serializing a CSS AST; an app that re-emits user CSS into an inline `<style>` block can be broken out of for stored/reflected XSS. Fixed in 8.5.10. 0-FP semver: caret on the 8.x line resolves to the fix, so only exact/`=` pins (plus tilde within 8.0–8.4) on 8.x are flagged; 1.x–7.x majors flagged with any range.
13
+ - **VG1091 — Axios HTTP-adapter proxy prototype-pollution gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh, high).** axios < 1.16.0 reads `config.proxy` in the Node HTTP adapter without an own-property check; a `Object.prototype.proxy` gadget routes every request through an attacker-controlled proxy (MITM / credential theft). Fixed in 1.16.0. **Distinct from VG1042 (pre-1.15.2 cluster):** a project that pinned 1.15.2 on VG1042's advice is still exposed, so this rule flags exactly the residual 1.15.2–1.15.x window (caret resolves to the fixed 1.16.0 → not flagged), with no double-firing against VG1042.
14
+ - 26 new pattern tests in `tests/rules/cve-versions.test.ts` (detect affected pins, ignore patched + caret-resolves-to-fixed + adjacent-rule overlap). CVE version-pin rule count 71 → 74. All three sourced from the daily GHSA/OSV/CISA-KEV intel brief and verified against the upstream advisories; everything else in that brief (Clerk ×3, Drizzle, Next/RSC cluster, React RCE, Anthropic SDK memory tool, Vercel AI SDK filetype, MCP path traversal, Miasma) was already covered. Zero new runtime dependencies.
15
+
16
+ Gate green (build / lint / test / self-audit PASS / A / 0).
17
+
8
18
  ## [3.19.0] - 2026-06-10
9
19
 
10
20
  ### Added — secure_prompt: prompt-level security, shift left (442 rules / 37 → 38 tools)
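Review bot: the "26 new pattern tests" bullet lists affected pins, patched versions, caret-resolves-to-fixed and adjacent-rule overlap, but no case for `>=`/`>` ranges, which the VG1089 and VG1090 patterns in this same diff accept for the pre-fix majors (`(?:\^|~|>=?)?` before `[0-2]\.\d+\.\d+` and `[1-7]\.\d+\.\d+`); an unbounded `>=` range resolves to the fixed release, so a test asserting the intended outcome for e.g. `"js-cookie": ">=2.0.0"` is needed to back the "0-FP semver" claim. The "Gate green (build / lint / test / self-audit PASS / A / 0)" line would also read better if it named what the "A" and the "0" are.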
package/README.md CHANGED
@@ -13,20 +13,21 @@
13
13
  - **🎯 Deterministic, not probabilistic.** Same code = same result, every run (content-hashed). Your AI guesses; GuardVibe doesn't.
14
14
  - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
15
15
  - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
16
+ - **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
16
17
 
17
- **The security MCP built for vibe coding.** 442 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
18
+ **The security MCP built for vibe coding.** 445 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
18
19
 
19
20
  Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
20
21
 
21
22
  ## Why a tool, when your AI is so good?
22
23
 
23
- "More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later.
24
+ "More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later. And since v3.19, it runs *before* your AI codes too: `secure_prompt` rewrites the task itself so the security requirements are in the prompt, not in the post-mortem.
24
25
 
25
26
  ## Why GuardVibe
26
27
 
27
28
  Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
28
29
 
29
- - **442 security rules, 38 tools** purpose-built for the stacks AI agents generate
30
+ - **445 security rules, 38 tools** purpose-built for the stacks AI agents generate
30
31
  - **Zero setup friction** — `npx guardvibe` and you're scanning
31
32
  - **No account required** — runs 100% locally, no API keys, no cloud
32
33
  - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -64,7 +65,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
64
65
  | CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
65
66
  | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
66
67
  | SARIF CI/CD export | Yes | Yes | Limited |
67
- | Rule count | 442 (focused, 68 AI-native) | 5000+ (broad) | N/A |
68
+ | Rule count | 445 (focused, 68 AI-native) | 5000+ (broad) | N/A |
68
69
 
69
70
  **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
70
71
 
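Review bot: the unchanged context row `| CVE version detection | 71 packages, refreshed daily | ... |` just above the edited rule-count row is now stale: the CHANGELOG entry in this diff raises the CVE version-pin rule count from 71 to 74, and the package.json description in this diff already says "74 CVE rules". Update the row together with the 442 → 445 change, or derive these counts from the rule set at build time so the four hand-edited copies touched in this diff cannot drift apart.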
@@ -287,7 +288,7 @@ Same user intent — but the model now generates auth code with the guardrails s
287
288
 
288
289
  All scanning tools support `format: "json"` for machine-readable output.
289
290
 
290
- ## Security Rules (442 rules across 25 modules)
291
+ ## Security Rules (445 rules across 25 modules)
291
292
 
292
293
  | Category | Rules | Coverage |
293
294
  |----------|-------|----------|
@@ -829,4 +829,40 @@ export const cveVersionRules = [
829
829
  fixCode: '// package.json\n"vite": "^5.4.9" // or ^6',
830
830
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
831
831
  },
832
+ {
833
+ id: "VG1089",
834
+ name: "js-cookie assign() Prototype Hijack — Cookie Attribute Injection (CVE-2026-46625 / GHSA-qjx8-664m-686j)",
835
+ severity: "high",
836
+ owasp: "A03:2025 Injection",
837
+ description: "js-cookie versions before 3.0.7 are vulnerable to a per-instance prototype hijack in the internal assign() helper. assign() copies properties with a for…in loop plus plain assignment, so any key planted on Object.prototype is enumerated and copied into the merged attributes object. When set() later serialises that object, attacker-polluted keys land in the Set-Cookie string as attribute pairs — letting an attacker force domain=, path=, secure=, samesite=, or expires= on cookies the application writes (cookie scoping abuse / fixation). Fixed in 3.0.7. Only exact (or =) pins in the 3.0.x line are flagged — a caret/tilde range there resolves to the fixed 3.0.7; older 0.x–2.x majors are flagged with any range since they never reach the fix.",
838
+ pattern: /["']js-cookie["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[0-2]\.\d+\.\d+|=?\s*3\.0\.[0-6])["']/g,
839
+ languages: ["json"],
840
+ fix: "Upgrade js-cookie to 3.0.7 or later: npm install js-cookie@latest. As defence-in-depth, freeze Object.prototype at bootstrap (Object.freeze(Object.prototype)) and never spread untrusted objects into cookie-attribute options.",
841
+ fixCode: '// package.json\n"js-cookie": "^3.0.7" // or latest\n\n// Defence-in-depth — block prototype writes at startup\nObject.freeze(Object.prototype);',
842
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.2"],
843
+ },
844
+ {
845
+ id: "VG1090",
846
+ name: "PostCSS XSS via Unescaped </style> in Stringify Output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93)",
847
+ severity: "medium",
848
+ owasp: "A03:2025 Injection",
849
+ description: "postcss versions before 8.5.10 do not escape a </style> sequence when stringifying a CSS AST back to text. An app that parses user-submitted CSS and re-emits it into an inline <style> block lets an attacker close the style element early with </style> and inject arbitrary markup/script — a stored or reflected XSS. Fixed in 8.5.10. Caret ranges on the 8.x line resolve to the fixed 8.5.10, so only exact/= pins (and tilde within 8.0–8.4) on the 8.x line are flagged; 1.x–7.x majors are flagged with any range since they never reach the fix.",
850
+ pattern: /["']postcss["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[1-7]\.\d+\.\d+|~?\s*8\.[0-4]\.\d+|=?\s*8\.5\.[0-9](?![0-9]))["']/g,
851
+ languages: ["json"],
852
+ fix: "Upgrade postcss to 8.5.10 or later: npm install postcss@latest. If you embed processed CSS in an inline <style> tag, also HTML-escape </style> (or serve the CSS from an external stylesheet) as defence-in-depth.",
853
+ fixCode: '// package.json\n"postcss": "^8.5.10" // or latest',
854
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.7"],
855
+ },
856
+ {
857
+ id: "VG1091",
858
+ name: "Axios HTTP-Adapter Proxy Prototype-Pollution Gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh)",
859
+ severity: "high",
860
+ owasp: "A10:2025 SSRF",
861
+ description: "axios versions before 1.16.0 read config.proxy in the Node HTTP adapter without an own-property check. Because `proxy` is not set in axios defaults, a prototype-pollution gadget elsewhere in the process (Object.prototype.proxy = {...}) is picked up on every request, routing traffic through an attacker-controlled proxy — full MITM, credential theft, and response tampering. Fixed in 1.16.0 (own-property checks for proxy/socketPath/transport). Distinct from VG1042 (the pre-1.15.2 cluster): a project that took VG1042's advice and pinned 1.15.2–1.15.x is STILL exposed to this gadget, so this rule flags exactly that residual window (1.15.2 through 1.15.x). Caret ranges resolve to the fixed 1.16.0 and are not flagged.",
862
+ pattern: /["']axios["']\s*:\s*["'](?:~|=)?\s*1\.15\.(?:[2-9]|[1-9]\d)["']/g,
863
+ languages: ["json"],
864
+ fix: "Upgrade axios to 1.16.0 or later: npm install axios@latest. As defence-in-depth, freeze Object.prototype at startup so a pollution gadget cannot inject a proxy: Object.freeze(Object.prototype).",
865
+ fixCode: '// package.json\n"axios": "^1.16.0" // or latest\n\n// Defence-in-depth — block prototype writes at bootstrap\nObject.freeze(Object.prototype);',
866
+ compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2"],
867
+ },
832
868
  ];
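Review bot: the `(?:\^|~|>=?)?` prefix group in the VG1089 pattern (`[0-2]\.\d+\.\d+` alternative) and the VG1090 pattern (`[1-7]\.\d+\.\d+` alternative) treats `>=` and `>` like caret and tilde, but an unbounded range such as `"js-cookie": ">=2.2.1"` or `"postcss": ">=7.0.0"` is satisfied by the fixed release, so those pins would be flagged as false positives despite the "0-FP semver" wording in the descriptions. Either drop `>=?` from the prefix group (keeping `\^|~`) or add pattern tests that assert no match for the `>=` form. A caveat for the `fix`/`fixCode` text of VG1089 and VG1091: `Object.freeze(Object.prototype)` at bootstrap is process-wide and can break dependencies that legitimately extend built-in prototypes, so it is worth presenting as an option to verify against the app's test suite rather than an unconditional step.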
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.19.0",
3
+ "version": "3.20.0",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
- "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
5
+ "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 445 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 74 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
6
6
  "type": "module",
7
7
  "bin": {
8
8
  "guardvibe": "build/cli.js",
@@ -119,7 +119,7 @@
119
119
  "@types/node": "^25.5.2",
120
120
  "c8": "^11.0.0",
121
121
  "eslint": "^10.2.0",
122
- "tsx": "^4.21.0",
122
+ "tsx": "^4.22.4",
123
123
  "typescript-eslint": "^8.58.0"
124
124
  },
125
125
  "engines": {
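Review bot: the `tsx` devDependency bump from `^4.21.0` to `^4.22.4` is not recorded in the 3.20.0 CHANGELOG section, which only states "Zero new runtime dependencies"; that statement is accurate, but the dev-tooling change should still get a one-line entry so the release notes match the diff.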