[Snyk] Fix high severity vulnerabilities in docs dependencies

Open · continue-development-app[bot] opened this issue 2 months ago • 1 comment

Issue

Snyk Link: N/A (detected via npm audit)
Issue Type: High severity vulnerabilities
Priority: High
Summary: Fixed two high-severity vulnerabilities in the docs dependencies by upgrading axios and tar-fs to their patched versions.

Changes

  • axios: Upgraded from 1.11.0 to 1.13.2
    • Fixes DoS attack through lack of data size check (GHSA-4hjh-wcwx-xvwj)
  • tar-fs: Upgraded from 3.0.0 to 3.1.1
    • Fixes symlink validation bypass vulnerability (GHSA-vj76-c3g6-qr5v)

Testing

Ran npm audit after fixes - 0 vulnerabilities found.

Additional Context

Original Snyk Webhook Payload
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  },
  "remediationHints": {
    "canUpgrade": true,
    "canPatch": false,
    "upgradeToVersions": [],
    "upgradePath": []
  }
}

Note: The Snyk webhook reported a Next.js vulnerability (SNYK-JS-NEXT-9508709), but investigation revealed that the next package is not present in this project's dependencies. Instead, npm audit identified actual vulnerabilities in axios and tar-fs which have been fixed.


This agent session was co-authored by peter-parker and Continue.


Summary by cubic

Upgraded docs dependencies to fix high-severity vulnerabilities in axios and tar-fs. npm audit now reports 0 vulnerabilities.

  • Dependencies
    • axios: 1.11.0 → 1.13.2 (fixes DoS risk; GHSA-4hjh-wcwx-xvwj)
    • tar-fs: 3.1.0 → 3.1.1 (fixes symlink validation bypass; GHSA-vj76-c3g6-qr5v)

Written for commit 82f288e9e531092db4a21b8a9a83a2b7ec9b3359. Summary will update automatically on new commits.

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

  • feat: add changelog generation support
  • fix: resolve login redirect issue
  • docs: update README with new instructions
  • chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

  • 📝 Automatic changelog generation
  • 🚀 Automated semantic versioning
  • 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

github-actions[bot] · Nov 13 '25 21:11

https://github.com/continuedev/continue/pull/8776

RomneyDa · Nov 18 '25 18:11