guardvibe 3.2.0 → 3.4.0

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.4.0] - 2026-06-07
+
+### Added — dependency reachability: is the vulnerable package actually imported? (438 rules / 37 tools)
+- **The dependency scan now annotates each vulnerable package with reachability** — whether it is actually imported/required anywhere in your source. A flagged dependency you never import is far lower priority than one your code calls into; this turns the daily-CVE freshness signal into a *prioritized*, actionable one.
+- **Annotate, never suppress:** findings are labeled `reachable: true/false` (and `[imported in source]` / `[not directly imported — likely unreachable]` in the audit), but nothing is dropped — a package can still be reached transitively or via dynamic/framework loading, so there are no new false negatives.
+- New module `src/tools/reachability.ts`: `packageRoot` (specifier → installable name, scoped-package aware), `extractImportedPackages` (import/require/dynamic-import/re-export forms), `collectImportedPackages` (source-tree walk, node_modules excluded), `analyzeReachability`. Import-level (package granularity).
+- Surfaced in `scan_dependencies` (per-package `reachable` + `reachabilityStatus`, summary `reachableVulnerable`) and the `audit` dependency section (`N of M directly imported in source`).
+- No rule or tool changes (438 / 37).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.3.0] - 2026-06-07
+
+### Added — diff-aware scanning: block what you just wrote, not the backlog (438 rules / 37 tools)
+- **`guardvibe diff [base]` is now diff-aware by default** — it reports only findings on lines the change actually **added**, instead of re-reporting pre-existing debt in every file you touched. This makes the gate actionable: it blocks the issues newly introduced vs the base, the ones an AI agent just wrote.
+- **Transparent, never silent:** the report states the mode and how many pre-existing findings on unchanged lines were hidden (`preExistingHidden` in JSON; a note in markdown). `--all-lines` restores the whole-changed-file view.
+- New module `src/tools/diff-aware.ts` — a pure, git-free unified-diff hunk parser (`addedLinesFromUnifiedDiff`) plus thin `git diff` wrappers (`getAddedLinesForDiff`, `getAddedLinesStaged`) and a `filterToAddedLines` helper. Unit-tested independent of git; works at any `--unified` context level; counts newly-added files as fully added; ignores deletions.
+- No rule or tool changes (438 / 37).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.2.0] - 2026-06-07
 
 ### Added — `secure_this`: close the loop from "warns" to "guarantees the fix landed" (438 rules / 37 tools)

package/README.md

@@ -219,7 +219,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 | `check_project` | Scan multiple files with security scoring (A-F) |
 | `scan_directory` | Scan a project directory from disk |
 | `scan_staged` | Pre-commit scan of git-staged files |
-| `scan_dependencies` | Check all dependencies for known CVEs (OSV) |
+| `scan_dependencies` | Check all dependencies for known CVEs (OSV) — annotates each vulnerable package with **reachability** (is it actually imported in your source?) |
 | `scan_secrets` | Detect leaked secrets, API keys, tokens |
 | `check_dependencies` | Check individual packages against OSV |
 | `check_package_health` | Typosquat detection, maintenance status, adoption metrics |
@@ -292,7 +292,8 @@ All scanning tools support `format: "json"` for machine-readable output.
 npx guardvibe scan [path]            # Scan a directory for security issues
 npx guardvibe scan . --format json   # JSON output for automation
 npx guardvibe check <file>           # Scan a single file
-npx guardvibe diff [base]            # Scan only changed files since git ref
+npx guardvibe diff [base]            # Scan changed files — reports only newly-introduced issues
+npx guardvibe diff [base] --all-lines # Include pre-existing findings in changed files too
 
 # Close the loop — scan, apply verified fixes, re-verify
 npx guardvibe secure-this <file>          # Dry run: show the fixes that would land + remaining manual work

package/build/cli/scan.js

@@ -78,9 +78,13 @@ export async function runDiffScan(base, flags) {
     const { execFileSync } = await import("child_process");
     const { analyzeFileSecurity } = await import("../tools/file-security.js");
     const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("../utils/constants.js");
+    const { getAddedLinesForDiff, filterToAddedLines } = await import("../tools/diff-aware.js");
     const format = validateFormat(flags);
     const outputFile = getOutputPath(flags);
     const root = resolve(".");
+    // Diff-aware by default: report only issues on newly-added lines. --all-lines
+    // restores the old whole-changed-file behavior (surfaces pre-existing debt too).
+    const allLines = flags["all-lines"] === true;
     let changedFiles;
     try {
         const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
@@ -95,6 +99,7 @@ export async function runDiffScan(base, flags) {
         return;
     }
     const allFindings = [];
+    let preExistingHidden = 0;
     for (const relPath of changedFiles) {
         const fullPath = resolve(root, relPath);
         if (!existsSync(fullPath))
@@ -110,24 +115,34 @@ export async function runDiffScan(base, flags) {
         try {
             const content = readFileSync(fullPath, "utf-8");
             const findings = analyzeFileSecurity(content, language, undefined, fullPath, root);
-            for (const f of findings) {
+            let kept = findings;
+            if (!allLines) {
+                const added = getAddedLinesForDiff(base, relPath, root);
+                kept = filterToAddedLines(findings, added);
+                preExistingHidden += findings.length - kept.length;
+            }
+            for (const f of kept) {
                 allFindings.push({ file: relPath, severity: f.rule.severity, name: f.rule.name, id: f.rule.id, line: f.line, fix: f.rule.fix });
             }
         }
         catch { /* skip */ }
     }
+    const mode = allLines ? "all changed lines" : "newly-introduced lines only";
     let result;
     if (format === "json") {
         const critical = allFindings.filter(f => f.severity === "critical").length;
         const high = allFindings.filter(f => f.severity === "high").length;
         const medium = allFindings.filter(f => f.severity === "medium").length;
         result = JSON.stringify({
-            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0 },
+            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0, diffAware: !allLines, preExistingHidden },
             findings: allFindings,
         });
     }
     else {
-        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Mode: ${mode}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        if (!allLines && preExistingHidden > 0) {
+            lines.push(`> ${preExistingHidden} pre-existing finding(s) on unchanged lines hidden — re-run with \`--all-lines\` to see them.`, ``);
+        }
         if (allFindings.length === 0) {
             lines.push(`All changed files passed security checks.`);
         }

package/build/cli.js

@@ -23,7 +23,7 @@ function printUsage() {
 
   Commands:
     npx guardvibe scan [path]        Scan a directory for security issues
-    npx guardvibe diff [base]        Scan only changed files since a git ref
+    npx guardvibe diff [base]        Scan changed files; reports only newly-introduced issues (--all-lines for whole files)
     npx guardvibe check <file>       Scan a single file for security issues
     npx guardvibe doctor [path]      Run host security audit
     npx guardvibe audit [path]       Full security audit with PASS/FAIL verdict
@@ -50,6 +50,7 @@ function printUsage() {
                           critical (default) | high | medium | low | none
     --baseline <file>     Compare against a previous scan JSON for fix tracking
     --save-baseline       Save current scan as baseline (.guardvibe-baseline.json)
+    --all-lines           (diff) Report all findings in changed files, not just newly-added lines
     --version, -V         Print version and exit
     --help, -h            Show this help message
 

package/build/tools/diff-aware.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Parse unified-diff text and return the set of 1-based line numbers that are
+ * ADDED in the new version of the file. Works at any `--unified` context level.
+ */
+export declare function addedLinesFromUnifiedDiff(diff: string): Set<number>;
+/** Keep only findings whose line number is in the added-line set. */
+export declare function filterToAddedLines<T extends {
+    line: number;
+}>(findings: T[], added: Set<number>): T[];
+/** Lines added in `relPath` relative to a git base ref (branch/commit/HEAD~N). */
+export declare function getAddedLinesForDiff(base: string, relPath: string, cwd: string): Set<number>;
+/** Lines added in `relPath` in the staged (index) changes — for pre-commit gating. */
+export declare function getAddedLinesStaged(relPath: string, cwd: string): Set<number>;

package/build/tools/diff-aware.js

@@ -0,0 +1,78 @@
+/**
+ * Diff-aware scanning — surface only the issues that were NEWLY introduced.
+ *
+ * Scanning a changed file whole re-reports pre-existing debt the author didn't
+ * touch, which trains agents (and people) to ignore the output. Diff-aware
+ * filtering keeps only findings that land on lines the current change actually
+ * ADDED, so the gate blocks what you just wrote — not the backlog.
+ *
+ * The hunk parser is pure and git-free (unit-tested); a thin wrapper shells out
+ * to `git diff` to obtain the unified diff for a file.
+ */
+import { execFileSync } from "child_process";
+/**
+ * Parse unified-diff text and return the set of 1-based line numbers that are
+ * ADDED in the new version of the file. Works at any `--unified` context level.
+ */
+export function addedLinesFromUnifiedDiff(diff) {
+    const added = new Set();
+    let newLine = 0;
+    let inHunk = false;
+    for (const raw of diff.split("\n")) {
+        if (raw.startsWith("@@")) {
+            // @@ -oldStart,oldCount +newStart,newCount @@
+            const m = raw.match(/@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+            if (m) {
+                newLine = parseInt(m[1], 10);
+                inHunk = true;
+            }
+            continue;
+        }
+        if (!inHunk || raw === "")
+            continue;
+        if (raw.startsWith("+++") || raw.startsWith("---"))
+            continue;
+        const c = raw[0];
+        if (c === "+") {
+            added.add(newLine);
+            newLine++;
+        }
+        else if (c === "-") {
+            // deletion — present only in the old file, does not advance the new line
+        }
+        else if (c === "\\") {
+            // "" — metadata, ignore
+        }
+        else {
+            // context line (leading space) — advances the new-file line counter
+            newLine++;
+        }
+    }
+    return added;
+}
+/** Keep only findings whose line number is in the added-line set. */
+export function filterToAddedLines(findings, added) {
+    return findings.filter(f => added.has(f.line));
+}
+function gitDiffAddedLines(args, relPath, cwd) {
+    try {
+        const out = execFileSync("git", ["diff", "--no-color", "--unified=0", ...args, "--", relPath], {
+            cwd,
+            encoding: "utf-8",
+            maxBuffer: 32 * 1024 * 1024,
+        });
+        return addedLinesFromUnifiedDiff(out);
+    }
+    catch {
+        // Not a git repo, untracked path, or git unavailable — caller decides fallback.
+        return new Set();
+    }
+}
+/** Lines added in `relPath` relative to a git base ref (branch/commit/HEAD~N). */
+export function getAddedLinesForDiff(base, relPath, cwd) {
+    return gitDiffAddedLines([base], relPath, cwd);
+}
+/** Lines added in `relPath` in the staged (index) changes — for pre-commit gating. */
+export function getAddedLinesStaged(relPath, cwd) {
+    return gitDiffAddedLines(["--cached"], relPath, cwd);
+}

package/build/tools/full-audit.js

@@ -248,7 +248,7 @@ export async function runFullAudit(path, options) {
         }
         if (existsSync(manifestPath)) {
             try {
-                const depsJson = await scanDependencies(manifestPath, "json");
+                const depsJson = await scanDependencies(manifestPath, "json", { root: projectRoot });
                 const parsed = safeJsonParse(depsJson);
                 if (!parsed) {
                     // scanDependencies returned a markdown error (OSV API unreachable, parse failed, etc).
@@ -259,9 +259,15 @@ export async function runFullAudit(path, options) {
                 }
                 if (parsed) {
                     const vulnPackages = parsed.summary?.vulnerable ?? 0;
+                    const reachableVulnerable = parsed.summary?.reachableVulnerable;
                     const depFindings = [];
                     let depCritical = 0, depHigh = 0, depMedium = 0;
                     for (const pkg of parsed.packages ?? []) {
+                        const pkgRec = pkg;
+                        const reachable = pkgRec.reachable;
+                        const reachNote = reachable === false
+                            ? " [not directly imported — likely unreachable]"
+                            : reachable === true ? " [imported in source]" : "";
                         for (const v of pkg.vulnerabilities ?? []) {
                             const vuln2 = v;
                             const sev = (vuln2.severity ?? "high");
@@ -276,17 +282,20 @@ export async function runFullAudit(path, options) {
                                 severity: sev,
                                 file: "package.json",
                                 line: 0,
-                                name: `${pkg.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
-                                description: (vuln2.summary ?? vuln2.details ?? ""),
-                                fix: `Run: npm update ${pkg.name ?? ""}`,
+                                name: `${pkgRec.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
+                                description: `${(vuln2.summary ?? vuln2.details ?? "")}${reachNote}`,
+                                fix: `Run: npm update ${pkgRec.name ?? ""}`,
                             });
                             allFindings.push({ ruleId: `DEP:${vuln2.id ?? "CVE"}`, severity: sev, file: "package.json", line: 0 });
                         }
                     }
                     const counts = { findings: depFindings.length, critical: depCritical, high: depHigh, medium: depMedium };
+                    const reachText = typeof reachableVulnerable === "number" && vulnPackages > 0
+                        ? ` (${reachableVulnerable} of ${vulnPackages} directly imported in source)`
+                        : "";
                     const detailText = depFindings.length === 0
                         ? "No known CVEs"
-                        : `${depFindings.length} CVE(s) across ${vulnPackages} vulnerable package(s)`;
+                        : `${depFindings.length} CVE(s) across ${vulnPackages} vulnerable package(s)${reachText}`;
                     sections.push({ name: "dependencies", status: "ok", ...counts, details: detailText, sectionFindings: depFindings });
                 }
             }

package/build/tools/reachability.d.ts

@@ -0,0 +1,19 @@
+/** The installable package name behind a module specifier, or null if not a bare package. */
+export declare function packageRoot(specifier: string): string | null;
+/** All bare package roots imported/required/re-exported in a file's source. */
+export declare function extractImportedPackages(code: string): Set<string>;
+/** Walk a source tree and collect every imported package root (node_modules excluded). */
+export declare function collectImportedPackages(root: string, opts?: {
+    maxFiles?: number;
+}): Set<string>;
+export type ReachabilityStatus = "imported" | "not_imported";
+export interface ReachabilityResult {
+    reachable: boolean;
+    status: ReachabilityStatus;
+}
+/**
+ * Annotate each package name with whether it is imported anywhere under `root`.
+ * Pass `importedOverride` (a precomputed set) to avoid a filesystem walk (used in tests
+ * and to share one walk across many packages).
+ */
+export declare function analyzeReachability(packageNames: string[], root: string, importedOverride?: Set<string>): Map<string, ReachabilityResult>;

package/build/tools/reachability.js

@@ -0,0 +1,122 @@
+// guardvibe-ignore — defines import-detection regexes; the `require(...)`/`import(...)`
+// string literals here are detector patterns, not vulnerable code.
+/**
+ * Dependency reachability — is a vulnerable package actually used by YOUR code?
+ *
+ * A vulnerable version in package.json is only exploitable from your app if the
+ * package is actually imported/required somewhere in source. Flagging every
+ * advisory regardless drowns the real ones in transitive noise. Reachability
+ * answers "do you import this?" so a flagged-but-unimported dependency can be
+ * deprioritized.
+ *
+ * IMPORTANT — annotate, never suppress: a package can still be reached
+ * transitively or via dynamic/framework loading, so we LABEL findings
+ * (reachable: true/false) and never drop them. This keeps the freshness moat
+ * honest (no false negatives) while cutting the noise.
+ *
+ * This is import-level (package granularity), not call-graph/function level.
+ */
+import { readdirSync, statSync, readFileSync } from "fs";
+import { join, extname } from "path";
+const CODE_EXT = new Set([".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx", ".mts", ".cts"]);
+const SKIP_DIR = new Set([
+    "node_modules", ".git", ".next", "dist", "build", "out", "coverage",
+    ".turbo", "vendor", ".vercel", ".cache", ".svelte-kit",
+]);
+/** The installable package name behind a module specifier, or null if not a bare package. */
+export function packageRoot(specifier) {
+    if (!specifier)
+        return null;
+    if (specifier.startsWith(".") || specifier.startsWith("/"))
+        return null; // relative / absolute
+    if (specifier.startsWith("node:"))
+        return null; // node builtin
+    const parts = specifier.split("/");
+    if (specifier.startsWith("@")) {
+        if (parts.length < 2 || !parts[1])
+            return null; // incomplete scoped specifier
+        return `${parts[0]}/${parts[1]}`;
+    }
+    return parts[0];
+}
+const IMPORT_FROM = /(?:import|export)\b[^'"]*?\bfrom\s+['"]([^'"]+)['"]/g;
+const BARE_IMPORT = /\bimport\s+['"]([^'"]+)['"]/g;
+const REQUIRE_CALL = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+const DYNAMIC_IMPORT = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+/** All bare package roots imported/required/re-exported in a file's source. */
+export function extractImportedPackages(code) {
+    const out = new Set();
+    const add = (spec) => {
+        const root = packageRoot(spec);
+        if (root)
+            out.add(root);
+    };
+    for (const re of [IMPORT_FROM, BARE_IMPORT, REQUIRE_CALL, DYNAMIC_IMPORT]) {
+        re.lastIndex = 0;
+        for (const m of code.matchAll(re))
+            add(m[1]);
+    }
+    return out;
+}
+/** Walk a source tree and collect every imported package root (node_modules excluded). */
+export function collectImportedPackages(root, opts = {}) {
+    const found = new Set();
+    const maxFiles = opts.maxFiles ?? 20_000;
+    let count = 0;
+    const walk = (dir) => {
+        if (count >= maxFiles)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (count >= maxFiles)
+                return;
+            if (SKIP_DIR.has(e))
+                continue;
+            const p = join(dir, e);
+            let st;
+            try {
+                st = statSync(p);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                walk(p);
+            }
+            else if (CODE_EXT.has(extname(e).toLowerCase()) && st.size < 1_000_000) {
+                count++;
+                let code;
+                try {
+                    code = readFileSync(p, "utf-8");
+                }
+                catch {
+                    continue;
+                }
+                for (const pkg of extractImportedPackages(code))
+                    found.add(pkg);
+            }
+        }
+    };
+    walk(root);
+    return found;
+}
+/**
+ * Annotate each package name with whether it is imported anywhere under `root`.
+ * Pass `importedOverride` (a precomputed set) to avoid a filesystem walk (used in tests
+ * and to share one walk across many packages).
+ */
+export function analyzeReachability(packageNames, root, importedOverride) {
+    const imported = importedOverride ?? collectImportedPackages(root);
+    const out = new Map();
+    for (const name of packageNames) {
+        const reachable = imported.has(name);
+        out.set(name, { reachable, status: reachable ? "imported" : "not_imported" });
+    }
+    return out;
+}

package/build/tools/scan-dependencies.d.ts

@@ -1 +1,7 @@
-export declare function scanDependencies(manifestPath: string, format?: "markdown" | "json"): Promise<string>;
+export interface ScanDependenciesOptions {
+    /** Source root to scan for imports (defaults to the manifest's directory). */
+    root?: string;
+    /** Annotate each vulnerable package with whether it is imported in source. Default true. */
+    reachability?: boolean;
+}
+export declare function scanDependencies(manifestPath: string, format?: "markdown" | "json", opts?: ScanDependenciesOptions): Promise<string>;

package/build/tools/scan-dependencies.js

@@ -1,8 +1,9 @@
 import { readFileSync } from "fs";
-import { basename } from "path";
+import { basename, dirname } from "path";
 import { parseManifest } from "../utils/manifest-parser.js";
 import { queryOsvBatch, formatVulnerability, normalizeSeverity } from "../utils/osv-client.js";
-export async function scanDependencies(manifestPath, format = "markdown") {
+import { analyzeReachability } from "./reachability.js";
+export async function scanDependencies(manifestPath, format = "markdown", opts = {}) {
     let content;
     try {
         content = readFileSync(manifestPath, "utf-8");
@@ -42,6 +43,20 @@ export async function scanDependencies(manifestPath, format = "markdown") {
     }
     let totalVulns = 0;
     const criticalPackages = [];
+    // --- Reachability: is each vulnerable package actually imported in YOUR source? ---
+    // Annotate only (never suppress) — a package may still be reached transitively.
+    const vulnerableNames = packages
+        .filter(p => (vulnResults.get(`${p.name}@${p.version}`) || []).length > 0)
+        .map(p => p.name);
+    let reach = null;
+    if (opts.reachability !== false && vulnerableNames.length > 0) {
+        try {
+            reach = analyzeReachability(vulnerableNames, opts.root ?? dirname(manifestPath));
+        }
+        catch {
+            reach = null;
+        }
+    }
     // Build per-package vulnerability data
     const pkgResults = [];
     for (const pkg of packages) {
@@ -51,8 +66,11 @@ export async function scanDependencies(manifestPath, format = "markdown") {
             continue;
         totalVulns += vulns.length;
         criticalPackages.push(key);
+        const r = reach?.get(pkg.name);
         pkgResults.push({
             name: pkg.name, version: pkg.version, ecosystem: pkg.ecosystem,
+            reachable: r?.reachable,
+            reachabilityStatus: r?.status,
             vulnerabilities: vulns.map(v => ({
                 id: v.id, severity: normalizeSeverity(v), summary: v.summary,
                 fixedIn: (v.affected ?? []).flatMap((a) => (a.ranges ?? []).flatMap((r) => r.events.filter((e) => e.fixed).map((e) => e.fixed))).join(", ") || undefined,
@@ -60,6 +78,11 @@ export async function scanDependencies(manifestPath, format = "markdown") {
             })),
         });
         lines.push(`## ${key} (${pkg.ecosystem}) — ${vulns.length} vulnerabilities`, ``);
+        if (r) {
+            lines.push(r.reachable
+                ? `_Reachability: imported in your source._`
+                : `_Reachability: not directly imported — likely unreachable (may still be used transitively)._`, ``);
+        }
         for (const vuln of vulns) {
             lines.push(formatVulnerability(vuln), ``);
         }
@@ -78,6 +101,7 @@ export async function scanDependencies(manifestPath, format = "markdown") {
                 vulnerable: criticalPackages.length,
                 vulnerablePackages: criticalPackages.length,
                 totalAdvisories: totalVulns,
+                ...(reach ? { reachableVulnerable: [...reach.values()].filter(x => x.reachable).length } : {}),
                 ...sevCounts,
             },
             packages: pkgResults,
@@ -91,6 +115,10 @@ export async function scanDependencies(manifestPath, format = "markdown") {
         lines.push(`**${totalVulns} vulnerabilities** found in ${criticalPackages.length} packages:`, ``);
         for (const pkg of criticalPackages)
             lines.push(`- ${pkg}`);
+        if (reach) {
+            const reachableCount = [...reach.values()].filter(x => x.reachable).length;
+            lines.push(``, `**Reachability:** ${reachableCount} of ${reach.size} vulnerable package(s) are directly imported in your source — prioritize those.`);
+        }
         lines.push(``, `**Action:** Update affected packages to their fixed versions.`);
     }
     return lines.join("\n");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.2.0",
+  "version": "3.4.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 438 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",