v2.13.0

What's Changed

• Bump @xmldom/xmldom from 0.8.11 to 0.8.12 by @dependabot[bot] in #603
• Bump @xmldom/xmldom from 0.8.12 to 0.8.13 by @dependabot[bot] in #605
• Bump postcss from 8.5.6 to 8.5.12 by @dependabot[bot] in #606
• fix: reject promises with Error instances, not raw strings (#581) by @tngan in #607
• feat: support simpleSign binding for logout request/response (#584) by @tngan in #608
• docs: correct the parseResult example in saml-response (#518) by @tngan in #609
• docs: clarify that wantMessageSigned and signatureConfig are SP options (#516) by @tngan in #610
• RFC-0001: introduce .skills/ and mandatory SAML 2.0 spec citation workflow by @tngan in #611
• feat: per-request relayState for login + logout (closes #163) by @tngan in #612
• sec: 2026-04 audit — patch vite, fix XXE bypass, reject unknown sig algs by @tngan in #613
• fix: omit AuthnRequest attributes whose value is null/undefined (closes #455) by @tngan in #614
• fix: pass SessionIndex through createLogoutRequest (closes #470) by @tngan in #615
• fix: throw a clear error when redirect binding has no SSO/SLO endpoint (closes #308 #405) by @tngan in #617
• fix: surface SP/IdP signing flags in ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG (closes #453) by @tngan in #616
• fix: default signatureConfig for SP when wantMessageSigned is true (closes #454) by @tngan in #619
• feat: per-request ForceAuthn for createLoginRequest (closes #359) by @tngan in #618
• feat: support tagPrefix.protocol and tagPrefix.assertion on IdP (closes #388) by @tngan in #620
• fix: invoke customTagReplacement even without explicit template (closes #549) by @tngan in #621
• feat: support elementsOrder option on IdP metadata (closes #429) by @tngan in #622
• feat: support RSASSA-PSS signature algorithms (closes #624) by @tngan in #625
• feat: per-request AssertionConsumerServiceIndex for createLoginRequest (closes #437) by @tngan in #623

Security Audit

GHSA-34r5-q4jw-r36m (credit to @RootUp)

Full Changelog: v2.12.0...v2.13.0