-
FWIW xml-encryption is not impacted by the vulnerability in xmldom < 0.7.0, at least not in any obvious way. It's still a good idea to figure this out, but it should not be a blocker for patching passport-saml.
-
It looks like https://github.com/auth0/node-xml-encryption is not very actively maintained - not to say abandoned (when compared to our other dependencies xml-crypto and xmldom, which accept simple PRs very quickly, which, as we have seen recently, matters a lot for security).
My first idea was to merge the project into node-saml/xml-crypto#232 which xml-crypto maintainer LoneRifle doesn't seem to mind if someone takes care of it (so that's a first valid option).
Another option I'm thinking of would be to import xml-encryption into node-saml GitHub, and to publish that under the node-saml org namespace (and use that for node-saml of course).
What do you think?