forked from Clever/saml2
[pull] master from Clever:master #11
Merged
This library can be used for quite a few versions. We'll stick to only including all LTS since 10, since that is what the current version supports.
In strict environments, name_id and session_index are not defined before they are actually used. Declare `var` before they're used. Closes #183.
The Buffer() constructor was deprecated in Node.js 6.0.0.
Refs: https://nodejs.org/dist/latest-v15.x/docs/api/deprecations.html#deprecations_dep0005_buffer_constructor
Closes #231.
The bodyparser module is deprecated in express 4+. Closes #238.
Using webpack and typescript was not working due to problems with the default import of underscore. It is not entirely clear why it was not working, but adjusting underscore to not use `_()` direct function calls fixes the issue. Closes #233.
- Closes #183. Addresses some issues with using the example in strict mode.
- Closes #231. Replaces Buffer() with Buffer.from().
- Closes #233. Uses underscore in a manner more compatible with TypeScript.
- Closes #238. Replaces body-parser with urlencoded() for express >=4.
- Adds maintenance notice.
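The Buffer() to Buffer.from() change listed above (and in the #231 commit) is a security fix, not only a deprecation cleanup. This added example, which is not code from the Clever/saml2 PR, shows why: the legacy constructor dispatches on the runtime type of its argument, so an untrusted field that arrives as a number is allocated rather than encoded. Helper names are hypothetical; it assumes Node.js 10 or later.

```javascript
// Legacy form (DEP0005). Buffer(arg) dispatches on the TYPE of arg: a string is
// encoded, but a number ALLOCATES a buffer of that many bytes (uninitialised
// memory before Node 8, zero-filled since). A type confusion on untrusted input
// therefore silently yields a buffer unrelated to what the caller intended.
function toBytesLegacy(value) {
  return Buffer(value);
}

// Modern form. Buffer.from() accepts only string/array/ArrayBuffer/Buffer-like
// input and throws a TypeError for a number, so the confusion fails closed.
function toBytes(value) {
  return Buffer.from(value);
}

// Decode a base64 SAMLResponse the way the modernised example app would; the
// typeof guard rejects a non-string body field before any decoding happens.
function decodeSamlResponse(field) {
  if (typeof field !== 'string') {
    throw new TypeError('SAMLResponse must be a base64-encoded string');
  }
  return Buffer.from(field, 'base64').toString('utf8');
}

// Run one value through both helpers and return the outcome as data so the
// contrast between the two constructors can be asserted on, not just printed.
function compare(value) {
  const result = {};
  for (const [name, fn] of [['legacy', toBytesLegacy], ['modern', toBytes]]) {
    try {
      const buf = fn(value);
      result[name] = { ok: true, length: buf.length, hex: buf.toString('hex') };
    } catch (err) {
      result[name] = { ok: false, isTypeError: err instanceof TypeError };
    }
  }
  return result;
}

// Constructed sample: the same field once as the string "8" and once as the
// number 8 (e.g. from a JSON body instead of a form-encoded one).
const asString = compare('8'); // both: length 1, hex "38"
const asNumber = compare(8);   // legacy: 8 zero bytes; modern: TypeError
const sampleXml = '<samlp:Response ID="_constructed"/>';
const roundTrip = decodeSamlResponse(Buffer.from(sampleXml).toString('base64'));
```

Running the legacy path prints a DEP0005 DeprecationWarning on stderr, which is the signal the commit removes from the example.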
SECNG-1381 | Modernize and rebuild
9.0.0 breaks compatibility with Node v10.
For [0]. Any usage of @xmldom/xmldom >= 0.8.0 will normalize these, see [1] and [2]. The current xml-encryption (2.0.0) does not do this normalization, but will in 2.0.1 [3]. It's technically within the path of xmlenc.decrypt() [4], but this follows how assertions have been handled (not handling non-normalized whitespace). For xml-crypto, this was changed in 3.0.0 with [5].
[0] https://github.com/Clever/saml2/blob/6da3e9c39c326a2f6793bb87c6d12c9ab4446585/lib/saml2.coffee#L242-L245
[1] xmldom/xmldom#307
[2] xmldom/xmldom#314
[3] auth0/node-xml-encryption#101
[4] https://github.com/auth0/node-xml-encryption/blob/291f3f10d5d1d571a3b6da2d411aa323398f5650/lib/xmlenc.js#L185
[5] node-saml/xml-crypto#261
SECNG-1381 | Update dependencies
cimg/node only supports major.minor releases. The next time someone tests or runs this library, we should only have to be concerned that the major versions are proper. Following [1], we can simply have a sane base image, and use an orb to augment the node capabilities we need to use. Orb is fixed to a known good patch version.
[1] CircleCI-Public/cimg-node#130
By default, this uses npm ci. If we commit a package-lock.json, that may pin transitive library dependencies. Here, we override that behavior to avoid cache issues and using package-lock.json.
Update pipeline to support major versions sanely
publish requires build to actually function. Technically, I could use build-and-test-12 as the required step, persist only that workspace and the likes, but this is getting a little more than expected.
Explicitly skip 0.8.4, which avoids GHSA-crh6-fp67-6883 [1].
[1] GHSA-crh6-fp67-6883
Addresses @xmldom/xmldom's transitive dependency by bumping it to 0.8.5 [1].
[1] https://github.com/yaronn/xml-crypto/releases/tag/v3.0.1
Major version bump brought changes that we have for xmldom to the library [1]. 3.0.2 brought xmldom past the version for [2].
[1] auth0/node-xml-encryption#104
[2] GHSA-crh6-fp67-6883
Addresses GHSA-crh6-fp67-6883 [1] by updating @xmldom/xmldom explicitly, and other dependencies that use such.
[1] GHSA-crh6-fp67-6883
4.0.1 | Explicitly update @xmldom/xmldom
It called a single function (parseString) which was removed in 8efbe9e.
Remove xml2js
darioackermann approved these changes on Jul 24, 2023
See Commits and Changes for more details.
Created by pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )