GHSA-5fp6-4xw3-xqq3

Suggest an improvement
Source
https://github.com/advisories/GHSA-5fp6-4xw3-xqq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-5fp6-4xw3-xqq3/GHSA-5fp6-4xw3-xqq3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5fp6-4xw3-xqq3
Published
2023-06-12T18:37:31Z
Modified
2023-06-23T13:56:28Z
Summary
@keystone-6/core's bundled cuid package known to be insecure
Details

Summary

The cuid package used by @keystone-6/* and upstream dependencies is deprecated and marked as insecure by the author.

As reported by the author

Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.

What are doing about this?

What can I do about this?

We have added a work-around for users who want to provide custom identifiers in https://github.com/keystonejs/keystone/pull/8645

What if I need a cuid?

The features marked as a security vulnerability by @paralleldrive are sometimes actually needed (as written in the README of cuid) - the problem is the inherent risks that features like this can have.

You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by default. This is why this security advisory has been accepted by me (@dcousens), we currently use cuid identifiers by default, and that should change.

Impact

I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.

References

Affected packages

npm / @keystone-6/core

Package

Name
@keystone-6/core
View open source insights on deps.dev
Purl
pkg:npm/%40keystone-6/core

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.3.1