
[Snyk] Investigation: Next.js Vulnerability - False Positive

Open continue-development-app[bot] opened this issue 2 months ago • 0 comments

Issue

Snyk Link: SNYK-JS-NEXT-9508709
Issue Type: Improper Authorization
Priority: Critical
Summary: Investigated the reported Next.js vulnerability in docs/package.json. Confirmed that Next.js is NOT a dependency of this project. The Snyk alert appears to be a false positive, possibly confusing next-mdx-remote-client with next.

Investigation Details

Findings

  • ✅ Verified no next package in direct dependencies
  • ✅ Checked entire dependency tree - no Next.js found
  • ✅ npm audit shows no Next.js vulnerabilities
  • ⚠️ Only packages found: next-mdx-remote-client (different package)

Root Cause

The Snyk webhook payload contained:

  • Incorrect packageName: "NVD"
  • Misattributed vulnerability: likely confused next-mdx-remote-client with next

Evidence

$ npm list next
[email protected] /home/user/continue/docs
└── (empty)

See SNYK_INVESTIGATION.md for full investigation report.

Additional Context

Snyk Issue Details
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  }
}

Recommendations

  1. Close Snyk Alert: Mark as false positive in Snyk dashboard
  2. Review Snyk Configuration: Ensure accurate package detection for this repository
  3. Address Real Vulnerabilities: Run npm audit fix in docs/ to fix actual issues (axios, tar-fs)

This agent session was co-authored by peter-parker and Continue.
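The check behind the Findings and Root Cause above, as an added example that is not part of the issue or the Continue project: an exact-name lookup over a package-lock.json (lockfileVersion 2/3, where installed packages are keyed by their node_modules path) next to the substring lookup that would wrongly match next-mdx-remote-client against a next advisory. The lockfile contents and version numbers are constructed for illustration.

```javascript
// Added example (not from the issue or the Continue project): exact-name
// dependency lookup over a package-lock.json (lockfileVersion 2/3), where
// each installed package is keyed by its node_modules path.
// The lockfile below is constructed for illustration; versions are invented.
const sampleLock = {
  name: "docs",
  lockfileVersion: 3,
  packages: {
    "": { name: "docs", dependencies: { "next-mdx-remote-client": "^1.0.0" } },
    "node_modules/next-mdx-remote-client": { version: "1.0.0" },
    "node_modules/next-mdx-remote-client/node_modules/@scope/pkg": { version: "2.0.0" },
    "node_modules/axios": { version: "1.6.0" },
  },
};

// Return the exact package name for a lockfile "packages" key: the path after
// the last "node_modules/" (scoped names keep their "@scope/name" form).
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null; // the root project entry ("")
  return key.slice(idx + "node_modules/".length);
}

// Collect every installed package name (direct and transitive) exactly once.
function installedPackages(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (name) names.add(name);
  }
  return names;
}

// Exact match: the check the investigation relies on ("npm list next").
function hasPackage(lock, name) {
  return installedPackages(lock).has(name);
}

// Substring match: the kind of lookup that would misattribute a `next`
// advisory to `next-mdx-remote-client`.
function hasPackageSubstring(lock, name) {
  return [...installedPackages(lock)].some((n) => n.includes(name));
}

console.log(hasPackage(sampleLock, "next"));          // false
console.log(hasPackageSubstring(sampleLock, "next")); // true (false positive)
```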


Summary by cubic

Investigated Snyk alert SNYK-JS-NEXT-9508709 for Next.js in docs/package.json and confirmed it’s a false positive (no Next.js in the dependency tree). Added SNYK_INVESTIGATION.md with evidence and next steps to mark the alert as a false positive and review Snyk configuration.

Written for commit a32c740d39ad6b1362ee7da7207c2aeb2b7e76ed. Summary will update automatically on new commits.