Summary
The cuid package used by @keystone-6/* and upstream dependencies is deprecated and marked as insecure by the author.
As reported by the author
Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.
What are doing about this?
What can I do about this?
We have added a work-around for users who want to provide custom identifiers in keystonejs/keystone#8645
What if I need a cuid?
The features marked as a security vulnerability by @paralleldrive are sometimes actually needed (as written in the README of cuid) - the problem is the inherent risks that features like this can have.
You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by default.
This is why this security advisory has been accepted by me (@dcousens), we currently use cuid identifiers by default, and that should change.
Impact
I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.
References
TomDo1234 Reporter
Summary
The
cuidpackage used by@keystone-6/*and upstream dependencies is deprecated and marked as insecure by the author.As reported by the author
What are doing about this?
cuid2What can I do about this?
We have added a work-around for users who want to provide custom identifiers in keystonejs/keystone#8645
What if I need a
cuid?The features marked as a security vulnerability by @paralleldrive are sometimes actually needed (as written in the README of
cuid) - the problem is the inherent risks that features like this can have.You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by default.
This is why this security advisory has been accepted by me (@dcousens), we currently use cuid identifiers by default, and that should change.
Impact
I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.
References