Description
Hi OSV team — reporting a data quality / ecosystem modeling issue affecting multiple Next.js CVEs.
For the following CVEs, the OSV records list only a Git repository
(Git / github.com/vercel/next.js) as the affected package, without an npm
ecosystem entry for the next package from the npm registry:
Affected CVEs:
Example:
On the OSV pages, the “Affected packages” section shows only:
- Type: Git
- Repo: https://github.com/vercel/next.js
and the “Affected versions” are expressed as Git tags (e.g., v15.*),
rather than as an npm ecosystem package such as:
- Ecosystem: npm
- Package name: next
Impact:
Most downstream vulnerability consumers (SCA tools, dependency scanners,
package managers) resolve Next.js via the npm registry (next package),
not directly via the Git repository. As a result, vulnerabilities may not
be correctly matched to real-world dependencies when only a Git package
is present in OSV.
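To make the matching gap concrete, here is an added example (not OSV's code and not from this issue) that mimics how an npm-oriented scanner consults OSV `affected` entries: a record carrying only a Git entry is never consulted for an npm dependency, while the same record with the requested `npm`/`next` entry matches. The advisory id and version boundaries are constructed placeholders.

```python
"""Constructed OSV-style records and a minimal npm dependency matcher (illustrative)."""

# Record as the issue describes it: only a Git affected entry, versions as Git tags.
GIT_ONLY_RECORD = {
    "id": "OSV-EXAMPLE-0001",  # placeholder id, not a real advisory
    "affected": [{
        "ranges": [{"type": "GIT", "repo": "https://github.com/vercel/next.js",
                    "events": [{"introduced": "v15.0.0"}, {"fixed": "v15.2.3"}]}],
    }],
}

# Same record with the npm ecosystem entry the issue requests (boundaries constructed).
NPM_RECORD = {
    "id": "OSV-EXAMPLE-0001",
    "affected": GIT_ONLY_RECORD["affected"] + [{
        "package": {"ecosystem": "npm", "name": "next"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "15.0.0"}, {"fixed": "15.2.3"}]}],
    }],
}


def parse_version(v):
    """Dotted numeric versions only (assumption: no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def in_semver_range(version, events):
    """Walk an ordered OSV SEMVER event list; affected means [introduced, fixed)."""
    ver, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev:
            affected = ev["introduced"] == "0" or ver >= parse_version(ev["introduced"])
        elif "fixed" in ev and affected and ver >= parse_version(ev["fixed"]):
            affected = False
    return affected


def matches_npm_dependency(record, name, version):
    """Like an SCA tool resolving from package-lock: only npm entries are consulted."""
    for aff in record["affected"]:
        pkg = aff.get("package")
        if not pkg or pkg.get("ecosystem") != "npm" or pkg.get("name") != name:
            continue  # GIT-only entries carry no npm identity, so they are skipped
        for rng in aff.get("ranges", []):
            if rng.get("type") == "SEMVER" and in_semver_range(version, rng["events"]):
                return True
    return False
```

With `next@15.1.0` from a lockfile, the Git-only record yields no match and the npm-augmented record does, which is exactly the detection gap described above.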
Request:
For the CVEs listed above, please add affected package entries for:
- Ecosystem: npm
- Package: next
This would significantly improve accuracy for npm-based dependency
resolution and vulnerability detection.
Thanks for your work on OSV, and happy to provide additional details if
needed.