auth0/node-samlp

update xml-crypto dependency

jssuttles opened this issue · 3 comments

Describe the problem you'd like to have solved

npm audit does not produce errors

Describe the ideal solution

xml-crypto is updated to the latest version

Additional context

https://www.npmjs.com/advisories/1583

"npm audit" in the downstream project I work on shows the following with node v14.15.1, npm 6.14.9. The PR which was generated by snyk is over 30 days old now. How long for this change to get merged?

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > saml > xml-crypto                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ samlp                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ samlp > xml-crypto                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Hi All,

I'm closing this ticket as with the updated release, all critical and high audit warnings have been resolved - xml-crypto and other vulnerable libraries have been updated in #114.

Thanks,
Tom