
[pull] master from Clever:master #11

Merged 31 commits on Jul 24, 2023

Conversation

@pull pull bot commented Jul 24, 2023

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

mcab and others added 30 commits October 14, 2022 17:58
This library can be used for quite a few versions. We'll stick to only
including all LTS since 10, since that is what the current version
supports.

In strict environments, name_id and session_index are not defined
before they are actually used. Declare `var` before they're used.

Closes #183.

The bodyparser module is deprecated in express 4+.

Closes #238.

Using webpack and typescript was not working due to problems with
the default import of underscore. It is not entirely clear why
it was not working, but adjusting underscore to not use `_()`
direct function calls fixes the issue.

Closes #233.

- Closes #183. Addresses some issues with using the example in strict mode.
- Closes #231. Replaces Buffer() with Buffer.from().
- Closes #233. Uses underscore in a manner more compatible with TypeScript.
- Closes #238. Replaces body-parser with urlencoded() for express >=4.
- Adds maintenance notice.
9.0.0 breaks compatibility with Node v10.

For [0].

Any usage of @xmldom/xmldom >= 0.8.0 will normalize these, see [1] and [2].

The current xml-encryption (2.0.0) does not do this normalization, but will
in 2.0.1 [3]. It's technically within the path of xmlenc.decrypt() [4], but
this follows how assertions have been handled (not handling non-normalized
whitespace).

For xml-crypto, this was changed in 3.0.0 with [5].

[0] https://github.com/Clever/saml2/blob/6da3e9c39c326a2f6793bb87c6d12c9ab4446585/lib/saml2.coffee#L242-L245
[1] xmldom/xmldom#307
[2] xmldom/xmldom#314
[3] auth0/node-xml-encryption#101
[4] https://github.com/auth0/node-xml-encryption/blob/291f3f10d5d1d571a3b6da2d411aa323398f5650/lib/xmlenc.js#L185
[5] node-saml/xml-crypto#261

Updates some dependencies.

Closes #232, #234, #237, #240, #246, #248, #252.

cimg/node only supports major.minor releases. The next time someone
tests or runs this library, we should only have to be concerned that
the major versions are proper.

Following [1], we can simply have a sane base image, and use an orb
to augment the node capabilities we need to use.

Orb is fixed to a known good patch version.

[1] CircleCI-Public/cimg-node#130

By default, this uses npm ci. If we commit a package-lock.json, that
may pin transitive library dependencies. Here, we override that behavior
to avoid cache issues and using package-lock.json.

Update pipeline to support major versions sanely

publish requires build to actually function.

Technically, I could use build-and-test-12 as the required step, persist only
that workspace and the likes, but this is getting a little more than expected.

Addresses @xmldom/xmldom's transitive dependency by bumping
it to 0.8.5 [1].

[1] https://github.com/yaronn/xml-crypto/releases/tag/v3.0.1

Major version bump brought changes that we have for xmldom to the library [1].

3.0.2 brought xmldom past the version for [2].

[1] auth0/node-xml-encryption#104
[2] GHSA-crh6-fp67-6883

Addresses GHSA-crh6-fp67-6883 [1] by updating @xmldom/xmldom explicitly,
and other dependencies that use such.

[1] GHSA-crh6-fp67-6883

It called a single function (parseString) which was removed in 8efbe9e.

- d64266c: Remove xml2js, because it is not explicitly called.
@pull pull bot added the ⤵️ pull label Jul 24, 2023
@pull pull bot added the merge-conflict Resolve conflicts manually label Jul 24, 2023
@darioackermann darioackermann merged commit 2ca8f5a into darioackermann:master Jul 24, 2023