feat: add guided production virtual patch demo#88
Merged
mariojgt merged 2 commits intoJul 15, 2026
Merged
Conversation
|
Comprehensive demo feature with clear docs and extensive testing coverage. 🎯 Quality: 95% Elite · 📦 Size: Extra Large — strongly consider breaking this down 🛡️ Standards: no pre-flight fit check ran for this change — wire 📈 This month: Your 235th PR — above team average · Averaging Good |
Contributor
Author
|
/review |
mariojgt
approved these changes
Jul 15, 2026
patchstackdave
approved these changes
Jul 15, 2026
patchstackdave
left a comment
Contributor
There was a problem hiding this comment.
I wonder if we should perhaps also bake in the other sample rules we have that (should) get added through "patchstack-connect protect --demo" or we keep it separate.
| waitForDemoRule, | ||
| } from '../src/demo.js'; | ||
|
|
||
| const UUID = '550e8400-e29b-41d4-a716-446655440000'; |
Contributor
There was a problem hiding this comment.
Demo UUID hardcoded is fine?
84007ab
into
agent/support-javascript-express-guards
4 checks passed
ejntaylor
added a commit
that referenced
this pull request
Jul 15, 2026
* feat: add production virtual patch demo * feat: add guided virtual patch demo
ejntaylor
added a commit
that referenced
this pull request
Jul 15, 2026
* feat: add production virtual patch demo * feat: add guided virtual patch demo
ejntaylor
added a commit
that referenced
this pull request
Jul 15, 2026
* fix: support JavaScript Express guards * feat: add guided production virtual patch demo (#88) * feat: add production virtual patch demo * feat: add guided virtual patch demo
Contributor
Author
|
I think so - would be good to demo a bunch of different types. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
demo node-serialize, a production-backed walkthrough that scans the exact vulnerable dependency, waits for live rule 18843, installs and verifies the runtime guard, then prints shell-safe exploit and benign requestsdemo-guide node-serialize, a read-only, state-aware local walkthrough with the next exact command, restart instructions, expected proof, and cleanupWhy
Bolt's Host connection provisions the site, but demonstrating a server-side virtual patch still required several manual and easy-to-miss steps: re-reporting the manifest after adding the vulnerable dependency, waiting for the live rule, wiring the runtime guard, restarting the app, and constructing a shell-safe exploit request.
These commands turn that process into one guided local workflow. No deployment is required.
Impact
The active demo is intentionally constrained to production mode, the Host-persisted site UUID, and exactly
node-serialize@0.0.4in the lockfile. It does not install or execute the vulnerable package, start or restart the server, or send test traffic. The companion guide is read-only and does not contact Patchstack.Stack dependency
This is stacked on the JavaScript Express guard work in #87, which itself depends on #86. Merge order: #86 → #87 → this PR; retarget each stacked PR to
mainafter its dependency merges.Validation
npm run typechecknpm test— 42 files, 490 testsnpm run build