This repository has been archived by the owner on Aug 6, 2024. It is now read-only.

Update dependency @keystone-6/core to v5.5.1 [SECURITY] #419

Closed
wants to merge 1 commit into from

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Aug 15, 2023

Mend Renovate

This PR contains the following updates:

Package: @keystone-6/core (source)
Change: 5.1.0 -> 5.5.1

GitHub Vulnerability Alerts

CVE-2023-40027

Summary

When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query.

This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is not defined.

Impact

This vulnerability does not affect developers using the @keystone-6/auth package, or any users that have written their own ui.isAccessAllowed (that is to say, you are unaffected if ui.isAccessAllowed is defined).

This vulnerability does affect developers who thought that their session strategy would, by default, enforce that adminMeta is inaccessible by the public in accordance with that strategy, akin to the behaviour of the AdminUI middleware.

Patches

This vulnerability has been patched in @keystone-6/core version 5.5.1.

Workarounds

You can opt to write your own isAccessAllowed to work around this vulnerability.

References

Pull request https://github.com/keystonejs/keystone/pull/8771


Release Notes

keystonejs/keystone (@keystone-6/core)

Versions covered by this update (each entry linked to a "Compare Source" diff in the PR body): v5.5.1, v5.5.0, v5.4.0, v5.3.2, v5.3.1, v5.3.0, v5.2.0


Configuration

📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate.
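The advisory's workaround is to define `ui.isAccessAllowed` yourself rather than relying on the core default. The block below is an added example, not Keystone's own code and not part of this PR: an explicit session-gated `isAccessAllowed` in the shape Keystone 6 expects under the `ui` config key, plus an anonymous `adminMeta` probe you can run against a deployment before and after moving to 5.5.1 to confirm the metadata is no longer served without a session. The query text, the `session.data.isAdmin` field and the way a denied response is classified are assumptions made for illustration.

```javascript
// Added example (not Keystone's code, not part of this PR). Anything marked
// "assumed" is an illustration choice, not a documented Keystone detail.

// Advisory workaround: define ui.isAccessAllowed explicitly so adminMeta is
// gated on the session regardless of the core version's default.
// Assumed Keystone 6 signature: (context) => boolean | Promise<boolean>, where
// context.session is whatever the configured session strategy resolved.
function isAccessAllowed(context) {
  const session = context && context.session;
  if (!session) return false; // no session at all: never expose list metadata
  // Assumed session shape: session.data.isAdmin, loaded via sessionData in the auth config.
  return Boolean(session.data && session.data.isAdmin === true);
}

// Plain object in the shape of the `ui` key of keystone.config; in a project
// this would be: export default config({ ..., ui: uiConfig }).
const uiConfig = { isAccessAllowed };

// Assumed shape of the Admin UI metadata query, used as the probe body.
const ADMIN_META_QUERY = '{ keystone { adminMeta { lists { key } } } }';

// Classify the JSON body returned for the probe sent WITHOUT any session cookie.
//   'exposed' -> list metadata came back to an anonymous caller (the vulnerable case)
//   'gated'   -> GraphQL errors and no metadata (access is being enforced)
//   'unknown' -> neither, e.g. not a Keystone GraphQL endpoint
function classifyAdminMetaResponse(body) {
  const lists = body && body.data && body.data.keystone &&
    body.data.keystone.adminMeta && body.data.keystone.adminMeta.lists;
  if (Array.isArray(lists) && lists.length > 0) return 'exposed';
  if (Array.isArray(body && body.errors) && body.errors.length > 0) return 'gated';
  return 'unknown';
}

// Live probe against a running instance (Node 18+ global fetch). No cookies
// are sent, so this behaves like a fully anonymous client.
async function probeAdminMeta(graphqlUrl) {
  const res = await fetch(graphqlUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ query: ADMIN_META_QUERY }),
  });
  return classifyAdminMetaResponse(await res.json());
}

// Usage: node probe.js http://localhost:3000/api/graphql
// Exits non-zero when anonymous callers can read adminMeta.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  probeAdminMeta(process.argv[2]).then((verdict) => {
    console.log(`${process.argv[2]}: adminMeta is ${verdict}`);
    process.exitCode = verdict === 'exposed' ? 1 : 0;
  });
}

if (typeof module !== 'undefined') {
  module.exports = { isAccessAllowed, uiConfig, ADMIN_META_QUERY, classifyAdminMetaResponse, probeAdminMeta };
}
```

The probe deliberately omits the session cookie: the advisory's point is that with `ui.isAccessAllowed` undefined, the core default answered this query for anyone, so "gated" is what you want to see from an anonymous client once the config or the upgrade is in place.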

@renovate renovate bot force-pushed the renovate/npm-@keystone-6/core-vulnerability branch 2 times, most recently from c7b1bf5 to 1f8f869 on March 25, 2024 12:36
@renovate renovate bot force-pushed the renovate/npm-@keystone-6/core-vulnerability branch 2 times, most recently from 092f54d to d6f6dc2 on April 21, 2024 11:12
@renovate renovate bot force-pushed the renovate/npm-@keystone-6/core-vulnerability branch from d6f6dc2 to 66db188 on April 25, 2024 09:06
@dcousens (Member)

Superseded by keystonejs/keystone#9102

@dcousens dcousens closed this Apr 30, 2024
@dcousens dcousens deleted the renovate/npm-@keystone-6/core-vulnerability branch April 30, 2024 07:19
renovate[bot] (Contributor, Author)

renovate bot commented Apr 30, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^5.0.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
