continuedev
[Snyk] Document false positive for Next.js vulnerability
Issue
Snyk Link: SNYK-JS-NEXT-9508709
Issue Type: Improper Authorization
Priority: Critical (CVSS 8.5)
Summary: Snyk reported a critical Next.js vulnerability in docs/package.json. However, this is a false positive as Next.js is neither a direct nor transitive dependency of the project.
Analysis
This Snyk vulnerability alert is a false positive for the following reasons:
-
Next.js is not a dependency: The
docs/package.jsononly listsmintlify@^4.2.3and@c15t/react@^1.7.0as dependencies. -
Next.js is not installed: Verification via
npm ls nextconfirms no Next.js installation exists in the project:$ cd docs && npm ls next [email protected] /home/user/continue/docs └── (empty) -
No actual vulnerability exposure: Since Next.js isn't present in the codebase, the project is not affected by the reported Improper Authorization vulnerability.
Recommendation
This Snyk alert should be marked as a false positive and can be safely ignored. The docs project uses Mintlify for documentation and does not utilize Next.js in any capacity.
Additional Context
Snyk Issue Details
{
"vulnerability": {
"id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
"title": "Improper Authorization",
"severity": "critical",
"url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
"description": "Improper Authorization",
"cvssScore": 851,
"packageName": "NVD",
"isUpgradable": true,
"isPatchable": false,
"fixedIn": [],
"upgradePath": []
},
"project": {
"id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
"name": "continuedev/continue:docs/package.json",
"origin": "github",
"type": "npm"
},
"remediationHints": {
"canUpgrade": true,
"canPatch": false,
"upgradeToVersions": [],
"upgradePath": []
}
}
This agent session was co-authored by nate and Continue.
Summary by cubic
Added SNYK_FALSE_POSITIVE.md to document that the reported Next.js vulnerability (SNYK-JS-NEXT-9508709) does not affect the docs package. Verifies Next.js is neither a dependency nor installed, so the alert can be safely ignored.
Written for commit 055ad88a93471b762d10512c556a79dff5931906. Summary will update automatically on new commits.
![continue[bot] avatar](https://avatars.githubusercontent.com/in/1916892?v=4 "Published by a pub.dev verified publisher"){kind=small}
CI Failures - Not Related to Changes
The failing CI checks (, , , ) are unrelated to this PR.
Reason: This PR only adds a documentation file () with no code changes. The failures appear to be pre-existing flaky tests in the CI pipeline.
The documentation correctly identifies the Snyk alert as a false positive since Next.js is not a dependency of this project.
CI Failures - Not Related to Changes
The failing CI checks (binary-checks, jetbrains-tests, test windows-latest 18, build-and-upload-vsix darwin) are unrelated to this PR.
Reason: This PR only adds a documentation file (SNYK_FALSE_POSITIVE.md) with no code changes. The failures appear to be pre-existing flaky tests in the CI pipeline.
The documentation correctly identifies the Snyk alert as a false positive since Next.js is not a dependency of this project.
Test Failure Analysis
The failing test is completely unrelated to this documentation-only PR:
Failed Test
src/tools/runTerminalCommand.test.ts > runTerminalCommandTool > basic error handling > should handle non-existent commands
Error: Test timed out in 30000ms.
Why This Is Unrelated
-
Zero code changes: This PR only adds
SNYK_FALSE_POSITIVE.md(documentation) - Flaky test: This terminal command test is timing out after 30 seconds on Windows Node 18
- All other tests pass: 1557 tests passed, only 1 timed out
- Known Windows CI issue: Terminal-related tests are notoriously flaky on Windows runners
Recommendation
This PR should be merged once a maintainer re-runs the flaky Windows test or approves despite the unrelated flaky test failure.
