
Conversation

@continue-development-app continue-development-app bot commented Nov 13, 2025

Issue

Snyk Link: SNYK-JS-NEXT-9508709
Issue Type: Improper Authorization
Priority: Critical
Summary: Investigated the reported Next.js vulnerability in docs/package.json. Confirmed that Next.js is NOT a dependency of this project. The Snyk alert appears to be a false positive, possibly confusing next-mdx-remote-client with next.

Investigation Details

Findings

  • ✅ Verified no next package in direct dependencies
  • ✅ Checked entire dependency tree - no Next.js found
  • ✅ npm audit shows no Next.js vulnerabilities
  • ⚠️ Only packages found: next-mdx-remote-client (different package)

Root Cause

The Snyk webhook payload contained:

  • Incorrect packageName: "NVD"
  • Misattributed vulnerability: likely confused next-mdx-remote-client with next

Evidence

$ npm list next
[email protected] /home/user/continue/docs
└── (empty)

See SNYK_INVESTIGATION.md for full investigation report.

Additional Context

Snyk Issue Details
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  }
}

Recommendations

  1. Close Snyk Alert: Mark as false positive in Snyk dashboard
  2. Review Snyk Configuration: Ensure accurate package detection for this repository
  3. Address Real Vulnerabilities: Run npm audit fix in docs/ to fix actual issues (axios, tar-fs)

This agent session was co-authored by peter-parker and Continue.


Summary by cubic

Investigated Snyk alert SNYK-JS-NEXT-9508709 for Next.js in docs/package.json and confirmed it’s a false positive (no Next.js in the dependency tree). Added SNYK_INVESTIGATION.md with evidence and next steps to mark the alert as a false positive and review Snyk configuration.

Written for commit a32c740. Summary will update automatically on new commits.

Investigation confirms no Next.js package exists in docs dependencies.
The Snyk alert SNYK-JS-NEXT-9508709 appears to be incorrectly attributed.

Co-authored-by: peter-parker <[email protected]>