
@keystone-6/core's bundled cuid package known to be insecure

Low severity GitHub Reviewed Published Jun 11, 2023 in keystonejs/keystone • Updated Jun 23, 2023

Package

npm @keystone-6/core (npm)

Affected versions

<= 5.3.1

Patched versions

None

Description

Summary

The cuid package used by @keystone-6/* and upstream dependencies is deprecated and marked as insecure by the author.

As reported by the author:

Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.

What are we doing about this?

What can I do about this?

We have added a work-around for users who want to provide custom identifiers in keystonejs/keystone#8645

What if I need a cuid?

The features that @paralleldrive marks as a security vulnerability are sometimes actually needed (as the cuid README itself notes); the problem is the inherent risk that features like these carry.

You might actually want the features of a monotonically increasing (auto-increment, k-sortable) and timestamp-based id as part of your application, and keystone should support that, but you might not want them by default.
This is why this security advisory has been accepted by me (@dcousens): we currently use cuid identifiers by default, and that should change.

Impact

I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.

References

@dcousens dcousens published to keystonejs/keystone Jun 11, 2023
Published to the GitHub Advisory Database Jun 12, 2023
Reviewed Jun 12, 2023
Last updated Jun 23, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-5fp6-4xw3-xqq3
