From d950ac1fae22f86fc777a47ac9300369333a0c65 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Mon, 8 Dec 2025 15:23:36 -0500
Subject: [PATCH] fix: use vercel for vendor in nextjs CPE (#4450)
The recent react / next CVE uses "vercel" as the vendor, see https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Signed-off-by: Will Murphy
---
 .../internal/cpegenerate/candidate_by_package_type.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
index 90f46398e..347bd99b3 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
@@ -196,6 +196,11 @@ var defaultCandidateAdditions = buildCandidateLookup(
 candidateAddition{AdditionalVendors: []string{"handlebarsjs"}},
 },
 // NPM packages
+ {
+ pkg.NpmPkg,
+ candidateKey{PkgName: "next"},
+ candidateAddition{AdditionalProducts: []string{"next.js"}, AdditionalVendors: []string{"vercel"}},
+ },
 {
 pkg.NpmPkg,
 candidateKey{PkgName: "hapi"},
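Review bot: The new `next` entry lands without a test: the diffstat shows only candidate_by_package_type.go changed, so nothing pins that an npm package named `next` yields the `vercel` vendor and `next.js` product candidates that the commit message ties to CVE-2025-55182. A silent regression here would presumably cause vulnerability matchers that consume these CPEs to miss Next.js advisories, so a table-driven case asserting both additions for `pkg.NpmPkg` / `next` is worth adding to the package's candidate tests. The rationale also lives only in the commit message; a comment above the entry such as `// NVD uses vendor "vercel" and product "next.js" for Next.js (see CVE-2025-55182)` would keep it next to the data. The enclosing `defaultCandidateAdditions` literal starts and ends outside the hunk.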