signmeup / signmeup

Real-time application to sign up for and manage TA hours.
https://signmeup.cs.brown.edu
MIT License

Patch Meteor allow-deny vulnerability by updating dependencies #217

Closed athyuttamre closed 6 years ago

athyuttamre commented 7 years ago

Announcement here: https://forums.meteor.com/t/meteor-allow-deny-vulnerability-disclosure/39500

We should investigate if this affects us, and update our dependencies regardless.

gregcarlin commented 7 years ago

After running meteor update allow-deny I'm getting this error when trying to run the server: https://pastebin.com/1svi9QWT. This looks to me like it might be related to the fact that meteor 1.5.1 runs with node 4.8.4. I tried updating to the latest meteor (1.6) which runs the latest node (8.8.1) but in the update process (meteor update) I get this error: https://pastebin.com/zCVuCMnP. As you can see from line 3 this is related to the package athyuttamre:accounts-saml2@0.0.3. Additionally, removing this package seems to allow for updating, but adding the package back results in the same error. Do you have any idea what might be causing this? I poked around in the repo (https://github.com/signmeup/accounts-saml2) but I couldn't figure anything out.

gregcarlin commented 7 years ago

Yeah I removed athyuttamre:accounts-saml2 by running meteor remove athyuttamre:accounts-saml2 and then was able to update to meteor 1.6 by running meteor update. At this point I could run the application properly, but obviously without SAML authentication. When trying to add the package back with meteor add athyuttamre:accounts-saml2 I get what appears to be the second error from before: https://pastebin.com/39HLPnPh