@continue-development-app continue-development-app bot commented Nov 13, 2025

Issue

Snyk Link: N/A (detected via npm audit)
Issue Type: High severity vulnerabilities
Priority: High
Summary: Fixed two high-severity vulnerabilities in the docs dependencies by upgrading axios and tar-fs to their patched versions.

Changes

  • axios: Upgraded from 1.11.0 to 1.13.2
  • tar-fs: Upgraded from 3.0.0 to 3.1.1

Testing

Ran npm audit after fixes - 0 vulnerabilities found.

Additional Context

Original Snyk Webhook Payload
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  },
  "remediationHints": {
    "canUpgrade": true,
    "canPatch": false,
    "upgradeToVersions": [],
    "upgradePath": []
  }
}

Note: The Snyk webhook reported a Next.js vulnerability (SNYK-JS-NEXT-9508709), but investigation revealed that the next package is not present in this project's dependencies. Instead, npm audit identified actual vulnerabilities in axios and tar-fs which have been fixed.


This agent session was co-authored by peter-parker and Continue.


Summary by cubic

Upgraded docs dependencies to fix high-severity vulnerabilities in axios and tar-fs. npm audit now reports 0 vulnerabilities.

Written for commit 82f288e. Summary will update automatically on new commits.

- Upgraded axios from 1.11.0 to 1.13.2 (fixes GHSA-4hjh-wcwx-xvwj)
- Upgraded tar-fs from 3.0.0 to 3.1.1 (fixes GHSA-vj76-c3g6-qr5v)

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <[email protected]>
Co-authored-by: peter-parker <[email protected]>
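As an added example (not code from the PR or the Continue project), a check that would have flagged the payload above before anyone acted on it: it compares a Snyk-style webhook against the project's lockfile and rejects fields that are implausible or inconsistent. The LOCKFILE object is a constructed stand-in for docs/package-lock.json, and the advisory-id comparison is a heuristic that only covers unscoped package names.

```javascript
// Added example, not code from the PR or the Continue project. SNYK_PAYLOAD
// copies fields from the webhook quoted above; LOCKFILE is a constructed
// stand-in for docs/package-lock.json (npm lockfileVersion 2/3 "packages" shape).
const SNYK_PAYLOAD = {
  vulnerability: {
    url: "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    cvssScore: 851,
    packageName: "NVD",
    isUpgradable: true,
    fixedIn: [],
  },
  remediationHints: { canUpgrade: true, upgradeToVersions: [] },
};
const LOCKFILE = {
  packages: {
    "node_modules/axios": { version: "1.11.0" },
    "node_modules/tar-fs": { version: "3.0.0" },
  },
};

// Map installed package name -> version from "node_modules/<name>" lockfile keys.
function installedPackages(lock) {
  const out = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key.startsWith("node_modules/")) out.set(key.slice(13), entry.version);
  }
  return out;
}

// Returns { actionable, problems }: actionable is false when any field is
// implausible or the named package is not actually installed.
function validateWebhook(payload, lock) {
  const v = payload.vulnerability || {};
  const hints = payload.remediationHints || {};
  const installed = installedPackages(lock);
  const problems = [];
  if (typeof v.cvssScore !== "number" || v.cvssScore < 0 || v.cvssScore > 10)
    problems.push(`cvssScore ${v.cvssScore} is outside the CVSS 0-10 range`);
  if (!installed.has(v.packageName))
    problems.push(`package "${v.packageName}" is not in the lockfile`);
  if (v.isUpgradable && !(Array.isArray(v.fixedIn) && v.fixedIn.length))
    problems.push("isUpgradable is true but fixedIn is empty");
  if (hints.canUpgrade && !(hints.upgradeToVersions || []).length)
    problems.push("canUpgrade is true but upgradeToVersions is empty");
  // Heuristic: unscoped SNYK-JS-<PKG>-<n> ids carry the package name in upper case.
  const m = /SNYK-JS-([A-Z0-9]+)-\d+$/.exec(v.url || "");
  if (m && m[1].toLowerCase() !== String(v.packageName).toLowerCase())
    problems.push(`advisory names "${m[1].toLowerCase()}" but packageName is "${v.packageName}"`);
  return { actionable: problems.length === 0, problems };
}
```

Running `validateWebhook(SNYK_PAYLOAD, LOCKFILE)` reports five problems for the quoted payload, which is the signal to fall back to `npm audit` as the PR did rather than chase the advisory the webhook named.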
@continue-development-app continue-development-app bot requested a review from a team as a code owner November 13, 2025 21:42
@continue-development-app continue-development-app bot requested review from Patrick-Erichsen and removed request for a team November 13, 2025 21:42
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Nov 13, 2025
@github-actions

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

  • feat: add changelog generation support
  • fix: resolve login redirect issue
  • docs: update README with new instructions
  • chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

  • 📝 Automatic changelog generation
  • 🚀 Automated semantic versioning
  • 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file
