keystone icon indicating copy to clipboard operation
keystone copied to clipboard

Published 20 hours ago verified publisher icon keystonejs

Deprecation of cuid, upgrade to cuid2

Open dcousens opened this issue 2 years ago • 5 comments

https://github.com/paralleldrive/cuid has been deprecated by @ericelliott in favour of cuid2. The reasoning for the deprecation is

Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.

cuid2 is effectively a random 24 character base36 string. Prisma has an open issue for cuid2 https://github.com/prisma/prisma/issues/17102, which will be an easy transition for us, but is thereby blocking for now.

Related

  • https://github.com/prisma/prisma/issues/17102
  • https://github.com/keystonejs/keystone/pull/8281

dcousens avatar Jan 31 '23 00:01 dcousens

The length of cuid2 can be configured. It is base36 encoded with the first character always being a letter.

DrJume avatar Feb 09 '23 12:02 DrJume

@DrJume are you saying that we should change the default length?

~Isn't it base26?~ No, it uses .toString(36) for the rest of the string, amended the OP

dcousens avatar Feb 10 '23 11:02 dcousens

Nono, just wanted to inform you that cuid2 is not always 24 characters long. https://github.com/paralleldrive/cuid2#parameterized-length

DrJume avatar Feb 10 '23 12:02 DrJume

@tomdo1234 recently reported this as a security vulnerability, and I have opened an advisory in https://github.com/keystonejs/keystone/security/advisories/GHSA-5fp6-4xw3-xqq3 - with the following justification:

You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by default. This is why this security advisory has been accepted by me (@dcousens) we currently use cuid identifiers by default, and that should change.

dcousens avatar Jun 11 '23 05:06 dcousens

As of https://github.com/keystonejs/keystone/pull/8648 (to be released soon), you can now use

  db: { idField: { kind: 'cuid2' } }

On your lists to use cuid2 as your identifiers, and you can probably upgrade your lists in a non-breaking way if you are using your identifiers relatively opaquely.

In our next major update, we will change the default to cuid2 to resolve https://github.com/keystonejs/keystone/security/advisories/GHSA-5fp6-4xw3-xqq3.

dcousens avatar Jul 10 '23 05:07 dcousens