Closed: lukemarkwordtlibertyits closed this 3 years ago
The CI is failing for v4.8.5 because the latest version of xml-encryption utilizes default argument assignment. This was not supported until Node 6. Considering workarounds. xml-encryption is also maintained by Auth0. Its CLI only checks for backwards compatibility from Node 8 onward. Curious as to why different projects have different backwards compatibility checks?
I think this would warrant a major revision since it drops support for node v4 it seems like.
@luuuis would this and #105 be able to merge in and released as 5.0.0?
Would be nice to get these merged in as our vulnerability reports are flagging this lib.
Thank you for the suggested updates - we've updated the saml version to v1.0.0 in #114 and updated other libs flagged by npm audit.
These changes are released in v5.0.0.
This update also migrates the CI for this repo from Travis to Github Actions - as part of this move we've dropped build support for node v4, v6 & v8.
I'm closing this PR as the changes have been applied - thanks again. Tom
By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
Updated node-saml dependency to latest version (1.0.0)
References
In response to this issue.
Testing
[x] This change adds test coverage for new/changed/fixed functionality
All unit tests passed.
Used updated dependency in local application. Ran various regression tests and penetration tests. All tests passed.
Tests run included:
Validation of SAML request parsing.
Validation of SAML response creation.
Validation of the signature check by running a basic SAML modification attack against the application.
Validation of the defense against XSW attacks 1 - 8.
Validation of the defense against comment truncation attacks.
Checklist
[x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
[x] All active GitHub checks for tests, formatting, and security are passing
[x] The correct base branch is being used, if not master