Patch release. Fixes the TypeScript regression reported in #626, and retroactively documents a breaking change that shipped in 2.13.0 but was not called out in its release notes (per the discussion in #626).
🐛 Fixed
- Restore Express request type compatibility (#626, #627). 2.13.0 (commit 3d5788a) tightened `ESamlHttpRequest.query`/`.body` from `any` to `Record<string, string | undefined>`. That type is not structurally assignable from an Express `Request` (`req.query` is `qs.ParsedQs`, whose values may be `string[]` or nested objects), so TypeScript callers passing `req` (or `req.query`) into `parseLoginRequest`/`parseLoginResponse`/`parseLogoutRequest`/`parseLogoutResponse` failed to compile (TS2345/TS2322). The fields are now `Record<string, unknown>`, which is backward compatible with the pre-2.13 typing and with every web framework's request object, while still stricter than `any`. Runtime behaviour was never affected. A type-checked regression guard was added so this cannot silently recur.
⚠️ Breaking change — shipped in 2.13.0 (PR #613, commit fee4ff1), documented here
This was an intended security fix in the 2026-04 audit but was only noted in the commit message, not the 2.13.0 release notes:
- `libsaml.constructMessageSignature(...)` no longer defaults to RSA-SHA1. Callers omitting the `signingAlgorithm` argument now get RSA-SHA256.
- Unknown signature-algorithm URIs now throw `ERR_UNSUPPORTED_SIGNATURE_ALGORITHM` instead of silently downgrading to SHA-1. This closes a verification-downgrade vector reachable via the user-controlled `SigAlg` query parameter.
Migration: if SHA-1 is required for an interop reason, pass `signatureAlgorithms.RSA_SHA1` explicitly. Unknown/malformed algorithm URIs are now rejected by design.
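The following TypeScript is an added illustration, not samlify's source: it shows why a `Record<string, unknown>` request shape accepts an Express-style `req.query` (the type fix above) and how the fail-closed `SigAlg` handling described in the breaking-change note behaves. The names `SamlHttpRequest`, `readStringParam`, `resolveSignatureAlgorithm` and `parseRedirectBinding` are hypothetical; the algorithm URIs are the standard XML-DSig identifiers.

```typescript
// Illustrative code (not samlify's own). Loosely typed request shape: with
// Express, query/body values may be string, string[] or nested objects
// (qs.ParsedQs), so `unknown` is the honest element type.
interface SamlHttpRequest {
  query?: Record<string, unknown>;
  body?: Record<string, unknown>;
}

// Standard XML-DSig algorithm identifiers.
const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
const KNOWN_ALGORITHMS: ReadonlySet<string> = new Set([RSA_SHA1, RSA_SHA256]);

// Accept a plain string only; arrays/objects (which qs produces from
// `?SigAlg[]=...`) are rejected rather than coerced with String().
function readStringParam(bag: Record<string, unknown> | undefined, name: string): string | undefined {
  const v = bag?.[name];
  if (v === undefined) return undefined;
  if (typeof v !== 'string') throw new Error(`ERR_INVALID_PARAM: ${name} must be a string`);
  return v;
}

// Fail closed: no algorithm given -> RSA-SHA256; anything not on the
// allow-list -> throw, never a silent fallback to SHA-1.
function resolveSignatureAlgorithm(uri: string | undefined): string {
  if (uri === undefined) return RSA_SHA256;
  if (!KNOWN_ALGORITHMS.has(uri)) throw new Error('ERR_UNSUPPORTED_SIGNATURE_ALGORITHM');
  return uri;
}

// Hypothetical parse step reading SigAlg from an Express-style req.query.
function parseRedirectBinding(req: SamlHttpRequest): { sigAlg: string } {
  return { sigAlg: resolveSignatureAlgorithm(readStringParam(req.query, 'SigAlg')) };
}

// Constructed Express-like request: the string[] and object values are what
// Record<string, string | undefined> would have refused at compile time.
const expressLikeRequest: SamlHttpRequest = {
  query: { SAMLRequest: 'ZmFrZQ==', SigAlg: RSA_SHA256, tags: ['a', 'b'], nested: { x: '1' } },
};
```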
🔒 Security behaviour note (also from PR #613 / 2.13.0)
`setDOMParserOptions(options)` now merges the XXE-safe baseline (`errorHandler`) instead of replacing it, so passing `{}` or partial options no longer silently disables XXE protection. Callers may still override it explicitly.
What's Changed
Full Changelog: v2.13.0...v2.13.1