Upgrade xml-crypto

[toymachiner62]

xml-crypto needs to be upgraded as there is a security vulnerability that is addressed in version 2.x https://snyk.io/vuln/SNYK-JS-XMLCRYPTO-1023301.

saml2 is using version ^0.10.0

[toymachiner62]

#215 should resolve this.

[UjwalaK]

We have seen the same issue, the new version 2.0.6 of saml2-js uses xml-crypto of version 0.10.0 which has a security vulnerability as showed up in our scans. Forcing saml2-js to use xml-crypto of 2.0.0 didn't help.

Looking forward for an update where saml2-js will use new version of xml-crypto - 2.0.0 by default

[romain-as]

same issue for me, I can't manage to force xml-crypto 2.0.0

[jfaylon]

Same issue for me. Please resolve ASAP.

[Himself132]

I would recommend that you take a look at the issue i documented here to see if this upgrade resolve the issue I also discovered when upgrading the library

#206

[jfaylon]

https://www.npmjs.com/advisories/1583 it is a high vulnerability in the npm audit

[jfaylon]

@mcab any update?

[AYUMIHNJ]

Same issue for me. Is there any update on this?

[hikino]

I have the same issue.

[wadeperrigo]

Likewise, when will this be addressed. XML-Crypto v 2.0.0 has been out now for 4 months. How hard can it be to update the package.json file and test the functionality all still works wherever xml-crypto is loaded?

[mcab]

#228 (based off of #215) addresses this.

Feel free to reopen if this is not the case.