FWIW xml-encryption is not impacted by the vulnerability in xmldom < 0.7.0, at least not in any obvious way. It's still a good idea to figure this out, but it should not be a blocker for patching passport-saml.
-
It looks like https://github.com/auth0/node-xml-encryption is not very actively maintained - not to say abandoned (when compared to our other dependencies xml-crypto and xmldom, which accept simple PRs very quickly, which, as we have seen recently, matters a lot for security).
My first idea was to merge the project into node-saml/xml-crypto#232 which xml-crypto maintainer LoneRifle doesn't seem to mind if someone takes care of it (so that's a first valid option).
Another option I'm thinking of would be to import xml-encryption into node-saml github, and to publish that under the node-saml org namespace (and use that for node-saml of course).
What do you think?