keystonejs / create-keystone-app

CLI app that makes it easy to get started with Keystone
https://keystonejs.com/tutorials/getting-started-with-create-keystone-next-app
MIT License

Update dependency @keystone-6/auth to v1.0.2 [SECURITY] #287

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @keystone-6/auth | 1.0.1 -> 1.0.2 |

GitHub Vulnerability Alerts

CVE-2022-0087

This security advisory relates to a capability for an attacker to exploit a reflected cross-site scripting vulnerability when using the @keystone-6/auth package.

Impact

The vulnerability can impact users of the administration user interface when following an untrusted link to the signin or init page. This is a targeted attack and may present itself in the form of phishing and/or chained in conjunction with some other vulnerability.

Vulnerability mitigation

Please upgrade to @keystone-6/auth >= 1.0.2, where this vulnerability has been closed. If you are using @keystone-next/auth, we strongly recommend you upgrade to @keystone-6.

Workarounds

If for some reason you cannot upgrade the dependencies in software, you could alternatively

References

https://owasp.org/www-community/attacks/xss/

Thanks to Shivansh Khari (@Shivansh-Khari) for discovering and reporting this vulnerability.


Release Notes

keystonejs/keystone

### [`v1.0.2`](https://togithub.com/keystonejs/keystone/compare/b1d8f93181094181e4a10834215b714ad33c4aa8...e3c750ce381e93d646273118c584dc56df42cada)

[Compare Source](https://togithub.com/keystonejs/keystone/compare/b1d8f93181094181e4a10834215b714ad33c4aa8...e3c750ce381e93d646273118c584dc56df42cada)

Configuration

📅 Schedule: "" in timezone Australia/Sydney.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.

changeset-bot[bot] commented 2 years ago

⚠️ No Changeset found

Latest commit: 7f0b99adf5b1e24de55c45ee8ef4fa4cf5bdd6cc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR