Advisories for npm/@keystone-6/core package

2023

Missing Authorization

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is left undefined, the adminMeta GraphQL query is publicly accessible (no session required). This differs from the behaviour of the default AdminUI middleware, which is only publicly accessible (no session required) if no session strategy is defined. This vulnerability does not affect developers using the @keystone-6/auth package, …

@keystone-6/core's bundled cuid package known to be insecure

Summary

The cuid package used by @keystone-6/* and upstream dependencies is deprecated and marked as insecure by its author. As reported by the author, cuid and other k-sortable and non-cryptographic ids (ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.

What are we doing about this?

We are waiting on Prisma to add support for cuid2. Alternatively, we might default to a random string ourselves.

What can I do …

2022

@keystone-6/core's NODE_ENV defaults to development with esbuild

Keystone is a headless CMS for Node.js — built with GraphQL and React. @keystone-6/core@3.0.0 || 3.0.1 users that use NODE_ENV to trigger security-sensitive functionality in their production builds are vulnerable to NODE_ENV being inlined to "development" in user code, irrespective of what your environment variables are. If you do not use NODE_ENV in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use NODE_ENV …