@phoebstr phoebstr commented Oct 7, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

  • Implemented the latest backported patch for xml-crypto to address a critical security issue.
  • Removed the .gitignore file and package-lock file from the project.
  • Added the package-lock.json file, which is currently the industry standard in Node.js development to ensure reliability, reproducibility, and improved Software Bill of Materials (SBOM) support.

References

https://workos.com/blog/samlstorm
#149

The SAMLStorm vulnerability affects the xml-crypto Node.js library (v6.0.0 and earlier, CVE-2025-29775 & CVE-2025-29774), with a fix introduced in v6.0.1 and backported to v3.2.1 and v2.1.6. It also affects Node.js SAML implementations including @node-saml/node-saml, samlify, saml2-js, samlp, saml2-suomifi, and others. Collectively these packages have over 500k weekly downloads.

Testing

  • This change keeps test coverage unchanged

Upon executing tests, functionality should remain mostly consistent. However, be aware that some tests may fail depending on the version of Node.js being used. The linked note discusses the primary test failure:
https://github.com/phoebstr/node-samlp/blob/59ebd7dfcab414efc52d129a66db426f7f37d705/test/samlp.tests.js#L603

There are also two other failed tests; however, these failures occur due to differences in error messages returned by Node.js, which do not seem as critical compared to the mentioned issue.

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

TODO:

  • Pin all other dependencies to ensure reproducibility and minimize the risk of introducing supply chain attacks, which have been a significant concern in recent years for Node.js projects.
  • Upgrade remaining dependencies to their latest stable versions
