From 055ad88a93471b762d10512c556a79dff5931906 Mon Sep 17 00:00:00 2001 From: "continue[bot]" Date: Fri, 14 Nov 2025 18:02:37 +0000 Subject: [PATCH] [Snyk] Document false positive for Next.js vulnerability This vulnerability alert (SNYK-JS-NEXT-9508709) is a false positive: - Next.js is not a direct or transitive dependency of docs/package.json - Next.js is not installed in the project - The project uses Mintlify for documentation, not Next.js Generated with [Continue](https://continue.dev) Co-Authored-By: Continue Co-authored-by: nate --- SNYK_FALSE_POSITIVE.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 SNYK_FALSE_POSITIVE.md diff --git a/SNYK_FALSE_POSITIVE.md b/SNYK_FALSE_POSITIVE.md new file mode 100644 index 00000000000..0d4930b3ba4 --- /dev/null +++ b/SNYK_FALSE_POSITIVE.md 
@@ -0,0 +1,34 @@ +# Snyk False Positive: Next.js Vulnerability + +## Issue + +Snyk reported a critical vulnerability (SNYK-JS-NEXT-9508709) in Next.js affecting `docs/package.json`. + +## Analysis + +This is a **false positive** for the following reasons: + +1. **Next.js is not a direct dependency**: The `docs/package.json` only includes `mintlify` and `@c15t/react` as dependencies. + +2. **Next.js is not installed**: Running `npm ls next` shows no Next.js installation in the project. + +3. **No peer dependency requirement**: While `next-mdx-remote-client` (a transitive dependency of `@mintlify/common`) previously had Next.js references, it does not require Next.js as a peer dependency. + +## Verification + +```bash +$ cd docs && npm ls next +docs2@1.0.0 /home/user/continue/docs +└── (empty) +``` + +## Recommendation + +This Snyk alert can be safely ignored or marked as a false positive. The docs project does not use Next.js and is not vulnerable to this issue. + +## Related CVE + +- CVE ID: SNYK-JS-NEXT-9508709 +- Severity: Critical (CVSS 8.5) +- Issue Type: Improper Authorization +- Affected versions: >=11.1.4 <12.3.5, >=13.0.0 <13.5.9, >=14.0.0 <14.2.25, >=15.0.0-rc.0 <15.2.3, >=15.3.0-canary.0 <15.3.0-canary.12
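Review bot: The Verification section rests on a single `npm ls next` run, which reports only what is installed in that checkout's tree, while item 3 of the Analysis concedes that `next-mdx-remote-client` "previously had Next.js references"; the evidence shown does not yet establish that the manifest or lockfile Snyk scanned resolves no `next` version in the affected ranges. Please add a lockfile-based check (for example `npm ls next --all --package-lock-only`, if a lockfile is committed for `docs/`) and state which `next-mdx-remote-client` version dropped the reference, so the claim can be re-verified after dependency updates. In the "Related CVE" section, the field labelled "CVE ID" holds a Snyk identifier (SNYK-JS-NEXT-9508709), not a CVE; rename it to "Snyk ID" or add the actual CVE number. The line "Severity: Critical (CVSS 8.5)" is also inconsistent with the CVSS qualitative scale, where 8.5 falls in the High band, so note that "Critical" is Snyk's own rating if that is the source. Finally, a Markdown file at the repository root does not suppress the alert; consider recording the decision in the Snyk ignore policy with a reason and an expiry date so the finding is re-evaluated rather than ignored indefinitely.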