
POC Walkthrough — cors (npm)

Last updated: 2026-05-24

The cors package is the canonical CVE-history walkthrough in the CleanLibrary POC. It demonstrates how the verdict shifts across versions when a known vulnerability is introduced and subsequently patched — the DENY → ALLOW upgrade-path Quick-Fix workflow that defines CleanLibrary's value at the developer's point of install.

Versions covered

| Version | Decision | Severity | Reasoning |
|---------|----------|----------|-----------|
| 2.8.0 | ALLOW | None | Healthy older release; no findings |
| 2.8.1 | ALLOW | None | Healthy |
| 2.8.4 | DENY | High | Prototype pollution vulnerability; upgrade to 2.8.5 patched release |
| 2.8.5 | ALLOW | None | Patched; recommended upgrade target from 2.8.4 |
| 2.8.6 | ALLOW | None | Current; widely deployed |

1. Query a verdict directly

$ curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/cors/2.8.4 | jq

{
  "verdict_id": "01KDVDNA0000000000000001YK",
  "verdict": "VECTOR_VERDICT",
  "source": "VECTOR_VERDICT",
  "confidence": 0.98,
  "composite_score": 78,
  "severity": "HIGH",
  "reasoning": "Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release",
  "suggested_actions": [
    "Upgrade to cors@2.8.5 or later",
    "Audit downstream consumers for prototype pollution exposure"
  ],
  ...
}

Then check the patched version:

$ curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/cors/2.8.5 | jq .verdict

"ALLOWED_NO_FINDINGS"
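As an added example (not part of the CleanLibrary project or this page's SDK code), the script below gates a package.json against the verdict endpoint shown above, using the response fields from the JSON in this section and failing the install when any dependency returns a non-ALLOW verdict. The ALLOW/DENY mapping from raw verdict strings, the manifest-handling rules, and the stand-in responses for packages other than cors are assumptions; the live fetcher is included but the offline fetcher is what the sample run uses.

```python
"""Gate a package.json against CleanLibrary verdicts (added example, not the
project's own tooling). Response shape and cors data are from this page."""
import json
import urllib.request

ENDPOINT = "https://cleanapp.clnstrt.dev"

# Constructed offline stand-in for the verdict endpoint, keyed by version,
# using the responses shown on this page (2.8.5 fields beyond verdict are assumed).
SAMPLE_VERDICTS = {
    "2.8.4": {"verdict": "VECTOR_VERDICT", "severity": "HIGH", "confidence": 0.98,
              "reasoning": "Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release",
              "suggested_actions": ["Upgrade to cors@2.8.5 or later",
                                    "Audit downstream consumers for prototype pollution exposure"]},
    "2.8.5": {"verdict": "ALLOWED_NO_FINDINGS", "severity": "NONE", "confidence": 0.96,
              "reasoning": "CORS middleware; prototype pollution patched", "suggested_actions": []},
}

def fetch_verdict_http(api_key, ecosystem, name, version):
    """Live fetcher: GET /v1/customer/verdicts/{ecosystem}/{name}/{version}."""
    url = f"{ENDPOINT}/v1/customer/verdicts/{ecosystem}/{name}/{version}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def fetch_verdict_sample(api_key, ecosystem, name, version):
    """Offline fetcher returning the page's cors responses (constructed data)."""
    if ecosystem == "npm" and name == "cors" and version in SAMPLE_VERDICTS:
        return SAMPLE_VERDICTS[version]
    return {"verdict": "ALLOWED_NO_FINDINGS", "severity": "NONE", "confidence": 0.9,
            "reasoning": "no findings (assumed)", "suggested_actions": []}

def is_allow(verdict):
    # Assumption: verdict strings beginning with ALLOWED_ are ALLOW; anything else is DENY.
    return verdict.get("verdict", "").startswith("ALLOWED_")

def gate_manifest(manifest_text, fetch, api_key="your-poc-key"):
    """Return (ok, findings) for a package.json; findings lists every DENY with its Quick Fix."""
    manifest = json.loads(manifest_text)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    findings = []
    for name, spec in deps.items():
        version = spec.lstrip("^~=v")  # assumption: exact pins or caret/tilde ranges only
        v = fetch(api_key, "npm", name, version)
        if not is_allow(v):
            findings.append({"package": f"{name}@{version}", "severity": v["severity"],
                             "reasoning": v["reasoning"], "suggested_actions": v["suggested_actions"]})
    return (not findings), findings
```

Swap `fetch_verdict_sample` for `fetch_verdict_http` with a real key to run the same gate against the live endpoint.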

2. VS Code extension flow

Open VS Code with the CleanLibrary extension installed:

  1. Configure cleanlib.endpoint = https://cleanapp.clnstrt.dev and cleanlib.apiKey = <your key> in Settings
  2. Run CleanLibrary: Fetch verdict for package (Command Palette: Ctrl/Cmd+Shift+P)
  3. Select ecosystem: npm
  4. Package name: cors
  5. Version: 2.8.4

Expected: Inline notification with red icon, DENY, and the Quick Fix shown in the detail pane — actionable at the developer's point of install.

Then repeat with version 2.8.5:

Expected: Green icon, ALLOW, healthy.

3. Python SDK flow

from cleanlib_sdk import CleanlibClient

client = CleanlibClient(
    endpoint="https://cleanapp.clnstrt.dev",
    api_key="your-poc-key",
)

vulnerable = client.fetch_verdict("npm", "cors", "2.8.4")
print(f"{vulnerable.decision}: {vulnerable.reasoning}")
# DENY: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release

patched = client.fetch_verdict("npm", "cors", "2.8.5")
print(f"{patched.decision}: {patched.reasoning}")
# ALLOW: CORS middleware; prototype pollution patched; recommended upgrade target from 2.8.4

4. Go SDK flow

package main

import (
	"context"
	"fmt"
	"log"
	cleanlibsdk "bitbucket.org/triamsec/cleanlib-sdk-go"
)

func main() {
	client, err := cleanlibsdk.NewClient(
		"https://cleanapp.clnstrt.dev",
		cleanlibsdk.WithAPIKey("your-poc-key"),
	)
	if err != nil {
		log.Fatal(err)
	}
	ctx := context.Background()
	vulnerable, err := client.FetchVerdict(ctx, "npm", "cors", "2.8.4")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s: %s\n", vulnerable.Decision, vulnerable.Reasoning)
	// DENY: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release
	patched, err := client.FetchVerdict(ctx, "npm", "cors", "2.8.5")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s: %s\n", patched.Decision, patched.Reasoning)
	// ALLOW: CORS middleware; prototype pollution patched
}

5. JS/TS SDK flow

import { CleanlibClient } from "@cleanstart/cleanlib-sdk";

const client = new CleanlibClient("https://cleanapp.clnstrt.dev", {
  apiKey: "your-poc-key",
});

const vulnerable = await client.fetchVerdict("npm", "cors", "2.8.4");
console.log(`${vulnerable.decision}: ${vulnerable.reasoning}`);
// VECTOR_VERDICT: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5

const patched = await client.fetchVerdict("npm", "cors", "2.8.5");
console.log(`${patched.decision}: ${patched.reasoning}`);
// ALLOWED_NO_FINDINGS: prototype pollution patched

6. MCP server flow (Claude Desktop / Cursor / Windsurf / Cline)

Configure your MCP client per cleanlib-mcp-server README. Then in your AI conversation:

You: Get the CleanLibrary verdict for npm cors 2.8.4
AI: [calls cleanlib_fetch_verdict tool]
✗ npm/cors@2.8.4 → DENY (confidence 98%)
Reasoning: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release.
Suggested actions: Upgrade to cors@2.8.5 or later; Audit downstream consumers.

You: What about 2.8.5?
AI: [calls cleanlib_fetch_verdict tool]
✓ npm/cors@2.8.5 → ALLOW (confidence 96%)
Reasoning: CORS middleware; prototype pollution patched.

7. What this walkthrough validates

| Capability | Demonstrated by cors |
|------------|----------------------|
| Verdict accuracy on a known CVE | 2.8.4 returns DENY with High severity matching public CVE record |
| Verdict shift across versions | 2.8.4 DENY → 2.8.5 ALLOW matches the actual patched-release boundary |
| Actionable Quick Fix recommendations | suggested_actions includes specific upgrade target + downstream-audit guidance |
| Workflow integration | Same verdict returned consistently across VS Code + SDKs + MCP + curl |
| Confidence signal | High-confidence DENY for known CVE (0.98) vs high-confidence ALLOW for patched (0.96) |

8. What to look for during evaluation

  • Does the DENY trigger when you try to use cors 2.8.4 in your dependency manifest?
  • Is the Quick Fix actionable for your team — would you actually apply it?
  • Does the verdict round-trip preserve fidelity across your tooling (CLI, IDE, AI agent, audit log)?
  • Is the latency acceptable for your developer's interactive use case? (p95 <200ms target for in-cache verdicts)

Feedback channel: see API Key Onboarding §7.