keystonejs / create-keystone-app

CLI app that makes it easy to get started with Keystone
https://keystonejs.com/tutorials/getting-started-with-create-keystone-next-app
MIT License

Update dependency @keystone-6/core to v2.3.1 [SECURITY] #366

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package: @keystone-6/core (source)
Change: 2.3.0 -> 2.3.1

GitHub Vulnerability Alerts

CVE-2022-39322

Impact

@keystone-6/core@2.2.0 || 2.3.0 users who are using the multiselect field, and provided field-level access control - are vulnerable to their field-level access control not being used.

List-level access control is NOT affected.

Field-level access control for fields other than multiselect are NOT affected.

For example, you are vulnerable if you are using field-level access control on a multiselect like the following:

import { list } from '@keystone-6/core';
import { multiselect } from '@keystone-6/core/fields';

const yourList = list({
  access: {
    // this is list-level access control, this is NOT impacted
  },
  fields: {
    yourFieldName: multiselect({
      // this is field-level access control, for multiselect fields
      //   this is vulnerable
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
      // ...
    }),
    // ...
  },
  // ...
});

Mitigation

Please upgrade to @keystone-6/core >= 2.3.1, where this vulnerability has been closed.

Workarounds

If for some reason you cannot upgrade your dependencies, you should stop using the multiselect field.

Credits

Thanks to Marek R for reporting and submitting the pull request to fix this problem.

If you have any questions around this security advisory, please don't hesitate to contact us at security@keystonejs.com, or open an issue on GitHub.

If you have a security flaw to report for any software in this repository, please see our SECURITY policy.


Release Notes

keystonejs/keystone v2.3.1 (Compare Source: https://togithub.com/keystonejs/keystone/compare/f416d5b08e82bb23049908b03dd75145d5124d40...d5d0828f8b41c1930436d0352e40dd2739daf58b)

Configuration

📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
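The advisory above says field-level `create`/`update` rules on `multiselect` fields were silently skipped in `@keystone-6/core` 2.2.0 and 2.3.0. The following is an added example, not code from Keystone or from this PR: a minimal model of how such field rules should gate a mutation input, plus an audit that flags exactly the configuration the advisory describes. The list shape and the `type: 'multiselect'` marker are constructed to mirror the advisory's snippet and are not Keystone's real field API.

```javascript
// Affected versions, as stated in the advisory for CVE-2022-39322.
const AFFECTED_CORE_VERSIONS = ['2.2.0', '2.3.0'];

// Constructed config mirroring the advisory example (hypothetical shape).
const lists = {
  Post: {
    access: { operation: { update: () => true } }, // list-level: not impacted
    fields: {
      title: { type: 'text' },
      tags: {
        type: 'multiselect',
        access: {
          create: ({ session }) => Boolean(session?.data.isAdmin),
          update: ({ session }) => Boolean(session?.data.isAdmin),
        },
        options: [
          { value: 'apples', label: 'Apples' },
          { value: 'oranges', label: 'Oranges' },
        ],
      },
    },
  },
};

// Returns the names of fields in `input` that `session` may NOT write for
// `operation`. This is what a correct field-level access check must produce;
// the bug in the affected versions amounts to this returning [] for
// multiselect fields regardless of the rule. A field with no rule for the
// operation is allowed.
function deniedFields(list, operation, session, input) {
  return Object.keys(input).filter((name) => {
    const rule = list.fields[name]?.access?.[operation];
    return typeof rule === 'function' && !rule({ session });
  });
}

// Audit: list every multiselect field that carries field-level access, and
// report the setup as vulnerable only when the installed core version is
// one of the affected releases.
function auditMultiselectAccess(listsConfig, coreVersion) {
  const findings = [];
  for (const [listName, list] of Object.entries(listsConfig)) {
    for (const [fieldName, field] of Object.entries(list.fields)) {
      if (field.type === 'multiselect' && field.access) {
        findings.push(`${listName}.${fieldName}`);
      }
    }
  }
  const onAffected = AFFECTED_CORE_VERSIONS.includes(coreVersion);
  return { vulnerable: onAffected && findings.length > 0, findings };
}
```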

changeset-bot[bot] commented 1 year ago

⚠️ No Changeset found

Latest commit: 0eda0a97c75236b2c65738a191d51925d0877f93

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
