POC Walkthrough — cors (npm)
Last updated: 2026-05-24
The cors package is the canonical CVE-history walkthrough in the CleanLibrary POC. It demonstrates how the verdict shifts across versions when a known vulnerability is introduced and subsequently patched — the DENY → ALLOW upgrade-path Quick-Fix workflow that defines CleanLibrary's value at the developer's point of install.
Versions covered
| Version | Decision | Severity | Reasoning |
|---|---|---|---|
| 2.8.0 | ALLOW | None | Healthy older release; no findings |
| 2.8.1 | ALLOW | None | Healthy |
| 2.8.4 | DENY | High | Prototype pollution vulnerability; upgrade to 2.8.5 patched release |
| 2.8.5 | ALLOW | None | Patched; recommended upgrade target from 2.8.4 |
| 2.8.6 | ALLOW | None | Current; widely deployed |
1. Query a verdict directly
$ curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/cors/2.8.4 | jq
{
"verdict_id": "01KDVDNA0000000000000001YK",
"verdict": "VECTOR_VERDICT",
"source": "VECTOR_VERDICT",
"confidence": 0.98,
"composite_score": 78,
"severity": "HIGH",
"reasoning": "Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release",
"suggested_actions": [
"Upgrade to cors@2.8.5 or later",
"Audit downstream consumers for prototype pollution exposure"
],
...
}
Then check the patched version:
$ curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/cors/2.8.5 | jq .verdict
"ALLOWED_NO_FINDINGS"
2. VS Code extension flow
Open VS Code with the CleanLibrary extension installed:
- Configure
cleanlib.endpoint = https://cleanapp.clnstrt.dev+cleanlib.apiKey = <your key>in Settings - Run
CleanLibrary: Fetch verdict for package(Command Palette:Ctrl/Cmd+Shift+P) - Select ecosystem:
npm - Package name:
cors - Version:
2.8.4
Expected: Inline notification with red icon, DENY, and the Quick Fix shown in the detail pane — actionable at the developer's point of install.
Then repeat with version 2.8.5:
Expected: Green icon, ALLOW, healthy.
3. Python SDK flow
from cleanlib_sdk import CleanlibClient
client = CleanlibClient(
endpoint="https://cleanapp.clnstrt.dev",
api_key="your-poc-key",
)
vulnerable = client.fetch_verdict("npm", "cors", "2.8.4")
print(f"{vulnerable.decision}: {vulnerable.reasoning}")
# DENY: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release
patched = client.fetch_verdict("npm", "cors", "2.8.5")
print(f"{patched.decision}: {patched.reasoning}")
# ALLOW: CORS middleware; prototype pollution patched; recommended upgrade target from 2.8.4
4. Go SDK flow
import cleanlibsdk "pkg.clnstrt.dev/cleanlib-sdk-go"
client, _ := cleanlibsdk.NewClient(
"https://cleanapp.clnstrt.dev",
cleanlibsdk.WithAPIKey("your-poc-key"),
)
ctx := context.Background()
vulnerable, _ := client.FetchVerdict(ctx, "npm", "cors", "2.8.4")
fmt.Printf("%s: %s\n", vulnerable.Decision, vulnerable.Reasoning)
// DENY: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release
patched, _ := client.FetchVerdict(ctx, "npm", "cors", "2.8.5")
fmt.Printf("%s: %s\n", patched.Decision, patched.Reasoning)
// ALLOW: CORS middleware; prototype pollution patched
5. JS/TS SDK flow
import { CleanlibClient } from "@cleanstart/cleanlib-sdk";
const client = new CleanlibClient("https://cleanapp.clnstrt.dev", {
apiKey: "your-poc-key",
});
const vulnerable = await client.fetchVerdict("npm", "cors", "2.8.4");
console.log(`${vulnerable.decision}: ${vulnerable.reasoning}`);
// VECTOR_VERDICT: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5
const patched = await client.fetchVerdict("npm", "cors", "2.8.5");
console.log(`${patched.decision}: ${patched.reasoning}`);
// ALLOWED_NO_FINDINGS: prototype pollution patched
6. MCP server flow (Claude Desktop / Cursor / Windsurf / Cline)
Configure your MCP client per the MCP Server reference. Then in your AI conversation:
You: Get the CleanLibrary verdict for npm cors 2.8.4
AI: [calls cleanlib_fetch_verdict tool]
✗ npm/cors@2.8.4 → DENY (confidence 98%)
Reasoning: Prototype pollution vulnerability in cors 2.8.4; upgrade to 2.8.5 patched release.
Suggested actions: Upgrade to cors@2.8.5 or later; Audit downstream consumers.
You: What about 2.8.5?
AI: [calls cleanlib_fetch_verdict tool]
✓ npm/cors@2.8.5 → ALLOW (confidence 96%)
Reasoning: CORS middleware; prototype pollution patched.
7. What this walkthrough validates
| Capability | Demonstrated by cors |
|---|---|
| Verdict accuracy on a known CVE | 2.8.4 returns DENY with High severity matching public CVE record |
| Verdict shift across versions | 2.8.4 DENY → 2.8.5 ALLOW matches the actual patched-release boundary |
| Actionable Quick Fix recommendations | suggested_actions includes specific upgrade target + downstream-audit guidance |
| Workflow integration | Same verdict returned consistently across VS Code + SDKs + MCP + curl |
| Confidence signal | High-confidence DENY for known CVE (0.98) vs high-confidence ALLOW for patched (0.96) |
8. What to look for during evaluation
- Does the DENY trigger when you try to use cors 2.8.4 in your dependency manifest?
- Is the Quick Fix actionable for your team — would you actually apply it?
- Does the verdict round-trip preserve fidelity across your tooling (CLI, IDE, AI agent, audit log)?
- Is the latency acceptable for your developer's interactive use case? (p95 <200ms target for in-cache verdicts)
Feedback channel: see API Key Onboarding §7.