PT-2022-24942 · Unknown · @Keystone-6/Core

Austin Burdine · Published 2022-11-03 · Updated 2022-11-04 · CVE-2022-39382

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @keystone-6/core versions 3.0.0 through 3.0.1

Description: The issue arises when NODE_ENV is inlined to "development" for user code, regardless of the environment variables. This affects users who use NODE_ENV to trigger security-sensitive functionality in their production builds. The application's dependencies, found in node_modules, are typically not compiled and should be unaffected. The vulnerability has been fixed in @keystone-6/core@3.0.2.

Recommendations: For @keystone-6/core versions 3.0.0 through 3.0.1, update to @keystone-6/core@3.0.2 to resolve the issue. As a temporary workaround, consider removing any code that uses NODE_ENV in a way that may reasonably impact application security.
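The failure mode described above, as an added illustration that is not Keystone's code: a build step that replaces process.env.NODE_ENV in user code with the literal "development" silently defeats a guard written against that variable, while a guard driven by an explicit deploy-time setting is unaffected. The inliner, the sample user code and the config shape are constructed for this example.

```javascript
// Constructed user code, as it would appear in an application's source tree.
const userSource = `
function isProduction() {
  return process.env.NODE_ENV === 'production';
}
`;

// Minimal stand-in for a bundler that inlines process.env.NODE_ENV as a fixed
// string literal at build time (the advisory describes "development" being
// inlined regardless of the real environment variables). Not a real bundler.
function inlineNodeEnv(source, value) {
  return source.replace(/process\.env\.NODE_ENV/g, JSON.stringify(value));
}

// Run the (possibly inlined) source with a given real runtime NODE_ENV and
// return what the guard decides. Restores the original variable afterwards.
function guardResult(source, runtimeNodeEnv) {
  const previous = process.env.NODE_ENV;
  process.env.NODE_ENV = runtimeNodeEnv;
  try {
    const fn = new Function(`${source}; return isProduction();`);
    return fn();
  } finally {
    if (previous === undefined) delete process.env.NODE_ENV;
    else process.env.NODE_ENV = previous;
  }
}

// Mitigation the workaround points at: do not derive a security decision from
// NODE_ENV; read an explicit deploy-time setting instead (constructed shape).
function isProductionFromConfig(config) {
  return config.securityMode === 'enforce';
}

function demo() {
  const runtime = 'production';
  return {
    // Guard sees the real variable and enforces.
    uninlined: guardResult(userSource, runtime),
    // Same guard after build-time inlining: the literal wins, enforcement is off.
    inlined: guardResult(inlineNodeEnv(userSource, 'development'), runtime),
    // Explicit setting is unaffected by what the bundler inlined.
    explicit: isProductionFromConfig({ securityMode: 'enforce' }),
  };
}
```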

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2022-39382
GHSA-25MX-2MXM-6343

Affected Products

@Keystone-6/Core