
@continue continue bot commented Nov 14, 2025

Issue

Snyk Link: SNYK-JS-NEXT-9508709
Issue Type: Improper Authorization
Priority: Critical (CVSS 8.5)
Summary: Snyk reported a critical Next.js vulnerability in docs/package.json. However, this is a false positive as Next.js is neither a direct nor transitive dependency of the project.

Analysis

This Snyk vulnerability alert is a false positive for the following reasons:

  1. Next.js is not a dependency: The docs/package.json only lists mintlify@^4.2.3 and @c15t/react@^1.7.0 as dependencies.

  2. Next.js is not installed: Verification via npm ls next confirms no Next.js installation exists in the project:

    $ cd docs && npm ls next
    [email protected] /home/user/continue/docs
    └── (empty)
  3. No actual vulnerability exposure: Since Next.js isn't present in the codebase, the project is not affected by the reported Improper Authorization vulnerability.

Recommendation

This Snyk alert should be marked as a false positive and can be safely ignored. The docs project uses Mintlify for documentation and does not utilize Next.js in any capacity.

Additional Context

Snyk Issue Details
{
  "vulnerability": {
    "id": "3ad6663f-f319-4a75-9c25-f27655c49c32",
    "title": "Improper Authorization",
    "severity": "critical",
    "url": "https://security.snyk.io/vuln/SNYK-JS-NEXT-9508709",
    "description": "Improper Authorization",
    "cvssScore": 851,
    "packageName": "NVD",
    "isUpgradable": true,
    "isPatchable": false,
    "fixedIn": [],
    "upgradePath": []
  },
  "project": {
    "id": "fa857427-b8e5-4147-9913-8d56d6835b6d",
    "name": "continuedev/continue:docs/package.json",
    "origin": "github",
    "type": "npm"
  },
  "remediationHints": {
    "canUpgrade": true,
    "canPatch": false,
    "upgradeToVersions": [],
    "upgradePath": []
  }
}

This agent session was co-authored by nate and Continue.


Summary by cubic

Added SNYK_FALSE_POSITIVE.md to document that the reported Next.js vulnerability (SNYK-JS-NEXT-9508709) does not affect the docs package. Verifies Next.js is neither a dependency nor installed, so the alert can be safely ignored.

Written for commit 055ad88. Summary will update automatically on new commits.

This vulnerability alert (SNYK-JS-NEXT-9508709) is a false positive:
- Next.js is not a direct or transitive dependency of docs/package.json
- Next.js is not installed in the project
- The project uses Mintlify for documentation, not Next.js

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <[email protected]>
Co-authored-by: nate <[email protected]>
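The verification the PR describes (Next.js neither listed in docs/package.json nor present in the install tree) can also be done statically against the lockfile, which is what scanners like Snyk actually read. The following is an added example, not code from the PR or the Continue project; the package.json and lockfile contents are constructed to mirror the dependencies named above, and the "tainted" lockfile is a hypothetical counter-example showing what a transitive pull-in would look like.

```javascript
// Added example (not part of the PR): decide whether a package such as "next"
// is a direct dependency, a transitive one, or absent, from package.json plus
// an npm lockfileVersion 2/3 "packages" map. All sample data is constructed.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns { direct, paths }: `direct` if package.json names it, `paths` for
// every lockfile entry whose last path segment is the package (scoped names
// such as "@c15t/react" keep their scope prefix).
function findPackage(pkgJson, lockJson, name) {
  const direct = DEP_FIELDS.some((f) => name in (pkgJson[f] || {}));
  const paths = Object.keys((lockJson && lockJson.packages) || {})
    .filter((p) => p !== '' && p.split('node_modules/').pop() === name)
    .sort();
  return { direct, paths };
}

// 'direct' | 'transitive' | 'absent'. A hoisted transitive dependency sits at
// "node_modules/<name>" too, so presence in the lockfile without a package.json
// entry is still reported as transitive.
function verdict(pkgJson, lockJson, name) {
  const r = findPackage(pkgJson, lockJson, name);
  return r.direct ? 'direct' : r.paths.length ? 'transitive' : 'absent';
}

// Constructed to mirror the docs/package.json described in the PR.
const docsPackageJson = {
  name: 'docs',
  dependencies: { mintlify: '^4.2.3', '@c15t/react': '^1.7.0' },
};

// Constructed lockfile fragment with no "next" entry anywhere.
const cleanLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { mintlify: '^4.2.3', '@c15t/react': '^1.7.0' } },
    'node_modules/mintlify': { version: '4.2.3' },
    'node_modules/@c15t/react': { version: '1.7.0' },
  },
};

// Hypothetical counter-example: "next" pulled in by another package and nested
// under it. package.json never names it, yet the static check still finds it.
const taintedLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { next: '^1.0.0' } },
    'node_modules/some-lib/node_modules/next': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('docs lock, next:', verdict(docsPackageJson, cleanLock, 'next'));       // absent
  console.log('tainted lock, next:', findPackage(docsPackageJson, taintedLock, 'next'));
}
```

Running this against the real docs/package-lock.json (if one is committed) complements `npm ls next`, which only reports what is currently installed.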

continue bot commented Nov 14, 2025

CI Failures - Not Related to Changes

The failing CI checks (, , , ) are unrelated to this PR.

Reason: This PR only adds a documentation file () with no code changes. The failures appear to be pre-existing flaky tests in the CI pipeline.

The documentation correctly identifies the Snyk alert as a false positive since Next.js is not a dependency of this project.


continue bot commented Nov 14, 2025

CI Failures - Not Related to Changes

The failing CI checks (binary-checks, jetbrains-tests, test windows-latest 18, build-and-upload-vsix darwin) are unrelated to this PR.

Reason: This PR only adds a documentation file (SNYK_FALSE_POSITIVE.md) with no code changes. The failures appear to be pre-existing flaky tests in the CI pipeline.

The documentation correctly identifies the Snyk alert as a false positive since Next.js is not a dependency of this project.


continue bot commented Nov 14, 2025

Test Failure Analysis

The failing test is completely unrelated to this documentation-only PR:

Failed Test

src/tools/runTerminalCommand.test.ts > runTerminalCommandTool > basic error handling > should handle non-existent commands
Error: Test timed out in 30000ms.

Why This Is Unrelated

  1. Zero code changes: This PR only adds SNYK_FALSE_POSITIVE.md (documentation)
  2. Flaky test: This terminal command test is timing out after 30 seconds on Windows Node 18
  3. All other tests pass: 1557 tests passed, only 1 timed out
  4. Known Windows CI issue: Terminal-related tests are notoriously flaky on Windows runners

Recommendation

This PR should be merged once a maintainer re-runs the flaky Windows test or approves despite the unrelated flaky test failure.
