-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update xml-crypto
dependency to ^2.0.0
in version 1.22.1 and publish new 1.X.X
version as PATCH or MINOR
#300
Comments
@marcosins, would you like to submit a PR? Thanks. |
I'm submitting again my changes in #305 with more clean commits |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the |
Description
Feature request: I would like you to consider updating
xml-crypto
to version^2.0.0
instrong-soap@1.22.1
and up.xml-crypto@2.0.0
solves an Improper Key Verification vulnerability by disabling by default support for the HMAC-SHA1 'signing' algorithm, as described in their release page.For tag
1.22.1
the only instance werestrong-soap
usesxml-crypto
is here inWSSecurityCert.js
:https://github.com/strongloop/strong-soap/blob/bda154bd9610d9cdfaf0f4c800b11d19bbb5d500/src/security/WSSecurityCert.js#L9
Expected result
Either
strong-soap@1.22.2
orstrong-soap-@1.23.0
is published withxml-crypto@2.0.0
as dependency.Additional information
The text was updated successfully, but these errors were encountered: