[Snyk] Fix for 3 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Prototype Pollution SNYK-JS-NODEFORGE-598677	No	Proof of Concept
	Signature Validation Bypass SNYK-JS-XMLCRYPTO-1023301	Yes	No Known Exploit
	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	Yes	No Known Exploit

Commit messages

Package name: xml-crypto

The new version differs by 37 commits.

• ca0e3c3 2.1.0
• 2136f8e Bump xmldom from 0.1.27 to 0.5.0 (Secure SAML implementation issue. node-saml/passport-saml#225)
• 9d5727b Merge pull request Need help with project support? node-saml/passport-saml#220 from dosullivan557/master
• 52aa883 Merge pull request Support multiple and dynamic signing certificates node-saml/passport-saml#218 from paulish/master
• 66fbb50 Bump junit from 4.12 to 4.13.1 in /test/validators/XmlCryptoJava (updated xml-encryption dep node-saml/passport-saml#217)
• 6985e40 ignore example files
• f65947f upversion
• 0410b22 Formatting package json
• 6c794eb Formatting package json
• 8b09330 Updated package json
• 37c117a 2.1.0
• 666225d Updated package json to not pull in example into module build
• 4e8d41e + use existingPrefixes while lookup for references
• 3d9db71 [SECURITY] Disable HMAC sig methods by default due to key confusion
• d295ecc 1.5.3
• 79fc2ac Merge pull request TestShib: Error Message: No peer endpoint available to which to send SAML response node-saml/passport-saml#209 from troyfactor4/master
• f982b0c return response as well even if async
• 4ffe0aa Async response for built in algo sign/verify
• 713f3d8 1.5.2
• 638ab6c Lock ejs to 2.6.1
• 2730604 1.5.1
• 07e2320 Merge pull request Issue #206: Support signing AuthnRequests using the HTTP-POST Binding node-saml/passport-saml#207 from troyfactor4/master
• 234bc0b enable more use cases by returning the xml object in callback
• 01d462d Test suites of other projects (mocha) that include v1.5.0 fail with error: "Error: global leak detected: existingPrefixes"

See the full diff

Package name: xml-encryption

The new version differs by 15 commits.

• ca3796b chore: Release version 1.2.3 (How to add signature on AuthnRequest node-saml/passport-saml#83)
• 1996dd7 fix: package.json & package-lock.json to reduce vulnerabilities (Make passport-saml work with wso2 is, node-saml/passport-saml#81)
• 435b1d0 dont pull in tests (Pass 'RelayState' from query string into req body node-saml/passport-saml#80)
• 4fa183c chore: remove codeql analysis (Add note to docs about usefulness of testshib for debugging node-saml/passport-saml#78)
• f412aac Merge pull request "Invalid RSAES-OAEP padding" Error node-saml/passport-saml#76 from auth0/update_forge
• 9b6df94 Bumps a new patch version
• cd9c41d Update node-forge to the latest version
• 52183cb Merge pull request Add parameter @ForceAuthn to SAML AuthnRequest.  node-saml/passport-saml#73 from auth0/esarafianou-codeql-scan
• 62abb0f Create codeql-analysis.yml to trigger scans
• 1f013c5 release 1.2.0 (Use logoutUrl for generateLogoutRequest node-saml/passport-saml#72)
• b5a912b feat: sinon is a dev dependency (add passReqToCallback option to be compatible with other strategies node-saml/passport-saml#71)
• 30edc80 fix(utils): fix accidental duplicate export. (add passReqToCallback parameter node-saml/passport-saml#70)
• 77efd10 chore: release 1.1.0 (Take into account multiple parted certs node-saml/passport-saml#69)
• 25d22fd feat: Add warning when insecure algorithm is used. (gulp test never quits because of InMemoryCacheProvider node-saml/passport-saml#68)
• f5651cc feat: Add support for AES-GCM family (feat: allow the auth context to be configured node-saml/passport-saml#67)

See the full diff

Package name: xmldom

The new version differs by 160 commits.

• f763b00 xmldom version 0.5.0
• d4201b9 Merge pull request from GHSA-h6q6-9hqw-rwfv
• a4d717c Update MDN links in readme.md (Access attributes from IdP? node-saml/passport-saml#188)
• e984b3f Update @ stryker-mutator/core -> ^4.4.1 - devDependencies (saml authentication provider node-saml/passport-saml#184)
• c762161 Update stryker monorepo (major) (Clone of 117 node-saml/passport-saml#140)
• fd47c51 Fix breaking preprocessors' directives when parsing attributes (Fixes #170: Clarify that the certificate are looking for is: node-saml/passport-saml#171)
• baa67f5 Update xmltest -> ^1.5.0 - devDependencies (Fixes #180: Signature validation will error if empty signature is pro… node-saml/passport-saml#182)
• 64c7388 fix(dom): Escape `]]>` when serializing CharData (How to specify multiple authnContext while configuring saml stratergy? node-saml/passport-saml#181)
• b73a965 Update eslint-config-prettier -> ^7.2.0 - devDependencies (set default ForceAuth: false node-saml/passport-saml#179)
• 21bc17e Switch to (only) MIT license (Changing session path to not default. node-saml/passport-saml#178)
• ad773c9 test: Use toBe/toStrictEqual instead of toEqual (Does this lib work client side only? node-saml/passport-saml#175)
• 23608d9 chore: Add karfau as contributor (How is ejs used? node-saml/passport-saml#177)
• dbd2171 Export DOMException; remove custom assertions; etc. (PEM_read_bio_PUBKEY Error When Parsing OneLogin Response node-saml/passport-saml#174)
• 8698e6b Update eslint-config-prettier -> 7 - devDependencies (Question: Access to profile attributes node-saml/passport-saml#165)
• 7aa75c7 Update nodemon -> ^2.0.7 - devDependencies (clarify signing vs encryption cert in README node-saml/passport-saml#170)
• 8236db1 build(deps): bump node-notifier from 8.0.0 to 8.0.1 (Host parameter is ignored node-saml/passport-saml#169)
• 484005e Update eslint -> ^7.18.0 - devDependencies (Call for new maintainer node-saml/passport-saml#162)
• c33b2f5 Update eslint-plugin-prettier -> ^3.3.1 - devDependencies (Inclusive namespace support node-saml/passport-saml#164)
• 5d13108 Update actions/setup-node action -> 2 - action (Google SAML node-saml/passport-saml#167)
• 7f32da6 Update prettier -> ^2.2.1 - devDependencies (A valid signed response contained a valid signed assertion triggers "invalid signature" node-saml/passport-saml#163)
• d4040a7 build(deps): bump ini from 1.3.5 to 1.3.8 (Support detached encrypted key node-saml/passport-saml#166)
• f7b44d9 Update eslint -> ^7.12.1 - devDependencies (Allow setting the additionalParams in .authenticate node-saml/passport-saml#157)
• 7493052 Update jest -> ^26.6.3 - devDependencies (Support for attribute query? node-saml/passport-saml#161)
• 2107a91 Update jest -> ^26.6.2 - devDependencies (Crash/Hang in SAML Postback parsing. node-saml/passport-saml#159)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic