@continue-development-app continue-development-app bot commented Nov 13, 2025

Issue

Snyk Link: SNYK-JS-NEXT-9508709
Issue Type: Improper Authorization
Priority: Critical
Summary: Investigated the reported Next.js vulnerability in docs/package.json. Confirmed that Next.js is NOT a dependency of this project. The Snyk alert appears to be a false positive, possibly confusing next-mdx-remote-client with next.

Investigation Details

Findings

  • ✅ Verified no next package in direct dependencies
  • ✅ Checked entire dependency tree - no Next.js found
  • ✅ npm audit shows no Next.js vulnerabilities
  • ⚠️ Only packages found: next-mdx-remote-client (different package)

Root Cause

The Snyk webhook payload contained:

  • Incorrect packageName: "NVD"
  • Misattributed vulnerability: likely confused next-mdx-remote-client with next

Evidence

$ npm list next
docs2@1.0.0 /home/user/continue/docs
└── (empty)

See SNYK_INVESTIGATION.md for full investigation report.

Additional Context

Snyk Issue Details
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  }
}

Recommendations

  1. Close Snyk Alert: Mark as false positive in Snyk dashboard
  2. Review Snyk Configuration: Ensure accurate package detection for this repository
  3. Address Real Vulnerabilities: Run npm audit fix in docs/ to fix actual issues (axios, tar-fs)

This agent session was co-authored by peter-parker and Continue.
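A lockfile check in the spirit of the verification above, added here as an example and not code from this PR or the Continue project: it reads an npm lockfile (a constructed sample, not the repository's docs lockfile) and reports whether a package is installed by exact name, alongside near-miss names that a loose substring match would conflate (next versus next-mdx-remote-client).

```python
import json

# Constructed sample in package-lock.json v3 layout; it is NOT the lockfile
# from docs/package.json in the repository, only a stand-in for this example.
SAMPLE_LOCK = json.dumps({
    "name": "docs2",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next-mdx-remote-client": "^1.0.0", "axios": "^1.6.0"}},
        "node_modules/next-mdx-remote-client": {"version": "1.0.0",
                                                 "dependencies": {"vfile": "^6.0.0"}},
        "node_modules/vfile": {"version": "6.0.1"},
        "node_modules/axios": {"version": "1.6.0"},
        # nested, scoped package (constructed name) to exercise path parsing
        "node_modules/axios/node_modules/@scope/inner": {"version": "2.0.0"},
    },
})


def installed_packages(lock_json):
    """Map every installed package name to its version, from the 'packages'
    table of a lockfileVersion 2/3 file. Keys look like
    'node_modules/a/node_modules/@scope/b'; the text after the LAST
    'node_modules/' is the package name, so nesting and scopes are handled."""
    lock = json.loads(lock_json)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version", "unknown")
    return found


def triage_alert(lock_json, package_name):
    """Decide whether an advisory for `package_name` applies to this lockfile.
    'present' uses exact-name matching, the only correct test; 'near_misses'
    lists names a loose substring match would have flagged instead."""
    found = installed_packages(lock_json)
    return {
        "package": package_name,
        "present": package_name in found,
        "version": found.get(package_name),
        "near_misses": sorted(n for n in found if package_name in n and n != package_name),
    }


if __name__ == "__main__":
    print(json.dumps(triage_alert(SAMPLE_LOCK, "next"), indent=2))
```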


Summary by cubic

Investigated Snyk alert SNYK-JS-NEXT-9508709 for Next.js in docs/package.json and confirmed it’s a false positive (no Next.js in the dependency tree). Added SNYK_INVESTIGATION.md with evidence and next steps to mark the alert as a false positive and review Snyk configuration.

Written for commit a32c740.

Investigation confirms no Next.js package exists in docs dependencies.
The Snyk alert SNYK-JS-NEXT-9508709 appears to be incorrectly attributed.

Co-authored-by: peter-parker <e2e@continue.dev>
@RomneyDa
Collaborator

investigatory

@RomneyDa RomneyDa closed this Nov 18, 2025
@github-project-automation github-project-automation bot moved this from Todo to Done in Issues and PRs Nov 18, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Nov 18, 2025