Anyone into forking this project to get its issues fixed?

Question

Anyone into forking this project to get its issues fixed?

MichaelTurbe opened this issue 4 years ago · 2 comments

At present this library is a security threat and looks abandoned by its owner. It's probably the only real option for folks who don't want to pull passport into their projects. What are thoughts on forking it to get it cleaned up?

Answer 1 · 2021-02-03T18:42:55.000Z

Hi!

I'm actively working to address the outdated dependency in #215. I'm taking this slow, given that this affects how check_saml_signature works, which is used for returning or rejecting the signed data. Flaws introduced here would be harmful.

Any extra eyes on helping close this and any outstanding PRs would be well appreciated.

Answer 2 · 2021-02-04T19:51:17.000Z

I've addressed the outstanding security vulnerability with #228, and the subsequent 3.0.0 release wraps this up.

38927a6

Feel free to reopen this issue / open other issues if you do not believe the concern has been met.