auth0 / node-samlp

SAML Protocol support for node (only IdP for now)
MIT License

update xml-crypto dependency #106

Closed jssuttles closed 3 years ago

jssuttles commented 4 years ago

Describe the problem you'd like to have solved

npm audit does not produce errors

Describe the ideal solution

xml-crypto is updated to the latest version

Additional context

https://www.npmjs.com/advisories/1583

130n commented 4 years ago

https://github.com/auth0/node-samlp/pull/105

crolarlibertyva commented 3 years ago

"npm audit" in the downstream project I work on shows the following with node v14.15.1, npm 6.14.9. The PR which was generated by snyk is over 30 days old now. How long for this change to get merged?

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│          Visit https://go.npm.me/audit-guide for additional guidance         │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > saml > xml-crypto                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > xml-crypto                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
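
The two audit entries above differ only in their path, and that is the detail worth checking by hand after a fix lands: bumping one copy of xml-crypto leaves the other one installed. The script below is an added example, not code from node-samlp or from anyone in this thread. It walks an npm lockfile, both the nested `dependencies` layout that npm 6 writes (lockfileVersion 1) and the flat `packages` map of lockfileVersion 2/3, and reports every install of a package whose version is below the advisory's "Patched in" version, in the same `a > b > c` path form npm audit prints. The lockfile objects and every version number in them are constructed for the demonstration and do not describe any real samlp or saml release.

```javascript
// Added example (not node-samlp code): list every install of a vulnerable
// package in an npm lockfile with its dependency path, so that a fix can be
// checked against all copies, not just the first one npm audit shows.
'use strict';

// Parse "1.4.1" or "2.0.0-beta.1" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease sorts below the same release, so
// "2.0.0-beta.1" is still treated as unpatched against ">=2.0.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// lockfileVersion 1: nested "dependencies" objects, one level per node_modules.
function walkV1(deps, trail, visit) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    visit(path, entry.version);
    walkV1(entry.dependencies, path, visit);
  }
}

// lockfileVersion 2/3: a flat "packages" map whose keys are physical paths,
// e.g. "node_modules/samlp/node_modules/saml/node_modules/xml-crypto".
function walkV2(packages, visit) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project itself
    const path = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
    visit(path, entry.version);
  }
}

// Every install of `pkg` whose version is below `patchedIn`, as
// [{ path: 'samlp > saml > xml-crypto', version: '1.4.1' }, ...].
function findVulnerable(lock, pkg, patchedIn) {
  const hits = [];
  const visit = (path, version) => {
    if (path[path.length - 1] !== pkg || !version) return;
    if (compareVersions(version, patchedIn) < 0) hits.push({ path: path.join(' > '), version });
  };
  if (lock.packages) walkV2(lock.packages, visit);
  else walkV1(lock.dependencies, [], visit);
  return hits;
}

// Constructed sample lockfiles. The version numbers are made up for the demo;
// they do not describe real samlp or saml releases.
const lockfileV1 = {
  lockfileVersion: 1,
  dependencies: {
    samlp: {
      version: '3.4.4',
      dependencies: {
        'xml-crypto': { version: '1.5.3' },
        saml: { version: '0.13.0', dependencies: { 'xml-crypto': { version: '1.4.1' } } },
      },
    },
    'xml-crypto': { version: '2.0.0' }, // top-level copy already patched
  },
};

const lockfileV2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'downstream-app' },
    'node_modules/samlp': { version: '3.4.4' },
    'node_modules/samlp/node_modules/xml-crypto': { version: '1.5.3' },
    'node_modules/samlp/node_modules/saml': { version: '0.13.0' },
    'node_modules/samlp/node_modules/saml/node_modules/xml-crypto': { version: '1.4.1' },
    'node_modules/xml-crypto': { version: '2.0.0' },
  },
};

// Usage: node check-lock.js [package-lock.json] [package] [patchedIn]
// With no arguments the constructed sample above is scanned.
const lock = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : lockfileV1;
const hits = findVulnerable(lock, process.argv[3] || 'xml-crypto', process.argv[4] || '2.0.0');
for (const h of hits) console.log(`${h.path}  (${h.version} < 2.0.0)`);
```

Run against the sample it reports `samlp > xml-crypto` and `samlp > saml > xml-crypto` and stays silent about the top-level 2.0.0 copy; point it at a real `package-lock.json` to confirm that an update to samlp really removed both paths rather than one.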

tomauth0 commented 3 years ago

Hi All,

I'm closing this ticket as with the updated release, all critical and high audit warnings have been resolved - xml-crypto and other vulnerable libraries have been updated in #114.

Thanks, Tom