chore(deps): bump xmldom and related deps (#40270)

2 weeks ago · a8244d4838
parent aa6187e6c9
commit a8244d4838
5 changed files with 15 additions and 18 deletions
--- a/.github/actions/update-version-durability/package.json
+++ b/.github/actions/update-version-durability/package.json
@ -16,6 +16,6 @@
 		"colors": "^1.4.0",
 		"diff": "^5.1.0",
 		"semver": "^7.5.4",
-		"@xmldom/xmldom": "^0.8.10"
+		"@xmldom/xmldom": "^0.8.13"
 	}
 }
--- a/apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
+++ b/apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
@ -208,7 +208,9 @@ export class ResponseParser {
 		let newXml = null;

 		if (typeof encAssertion !== 'undefined') {
-			const options = { key: this.serviceProviderOptions.privateKey };
+			// disallowDecryptionWithInsecureAlgorithm defaults to true in xml-encryption v4, but AES-CBC/3DES
+			// are still widely used by SAML IdPs in practice, so we keep the pre-v4 behaviour here.
+			const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
 			const encData = encAssertion.getElementsByTagNameNS('*', 'EncryptedData')[0];
 			xmlenc.decrypt(encData, options, (err, result) => {
 				if (err) {
@ -350,7 +352,7 @@ export class ResponseParser {
 		const encSubject = assertion.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'EncryptedID')[0];

 		if (typeof encSubject !== 'undefined') {
-			const options = { key: this.serviceProviderOptions.privateKey };
+			const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
 			xmlenc.decrypt(encSubject.getElementsByTagNameNS('*', 'EncryptedData')[0], options, (err, result) => {
 				if (err) {
 					SAMLUtils.error({ err });
--- a/apps/meteor/package.json
+++ b/apps/meteor/package.json
@ -306,7 +306,7 @@
 		"universal-perf-hooks": "^1.0.1",
 		"webdav": "^4.11.5",
 		"xml-crypto": "~3.2.1",
-		"xml-encryption": "~3.1.0",
+		"xml-encryption": "~4.0.0",
 		"xml2js": "~0.6.2",
 		"yaqrcode": "^0.2.1",
 		"yoga-layout": "patch:yoga-layout@npm%3A3.2.1#~/.yarn/patches/yoga-layout-npm-3.2.1-51ec934670.patch",
--- a/package.json
+++ b/package.json
@ -75,7 +75,9 @@
 		"zod@npm:~4.3.6": "patch:zod@npm%3A4.3.6#~/.yarn/patches/zod-npm-4.3.6-a096e305e6.patch",
 		"@react-aria/i18n@npm:^3.0.0-nightly-fb28ab3b4-241024": "patch:@react-aria/i18n@npm%3A3.12.5#~/.yarn/patches/@react-aria-i18n-npm-3.12.5-435edff786.patch",
 		"@react-aria/i18n@npm:^3.12.5": "patch:@react-aria/i18n@npm%3A3.12.5#~/.yarn/patches/@react-aria-i18n-npm-3.12.5-435edff786.patch",
-		"@react-aria/toolbar@npm:^3.0.0-nightly.5042": "3.0.0-nightly-fb28ab3b4-241024"
+		"@react-aria/toolbar@npm:^3.0.0-nightly.5042": "3.0.0-nightly-fb28ab3b4-241024",
+		"xml-crypto/@xmldom/xmldom": "0.8.13",
+		"xml-encryption/@xmldom/xmldom": "0.8.13"
 	},
 	"dependencies": {
 		"@types/stream-buffers": "^3.0.8",
--- a/yarn.lock
+++ b/yarn.lock
@ -10220,7 +10220,7 @@ __metadata:
    webdav: "npm:^4.11.5"
    webpack: "npm:~5.104.1"
    xml-crypto: "npm:~3.2.1"
-    xml-encryption: "npm:~3.1.0"
+    xml-encryption: "npm:~4.0.0"
    xml2js: "npm:~0.6.2"
    yaqrcode: "npm:^0.2.1"
    yoga-layout: "patch:yoga-layout@npm%3A3.2.1#~/.yarn/patches/yoga-layout-npm-3.2.1-51ec934670.patch"
@ -16024,14 +16024,7 @@ __metadata:
  languageName: node
  linkType: hard

-"@xmldom/xmldom@npm:^0.8.5, @xmldom/xmldom@npm:^0.8.8":
-  version: 0.8.10
-  resolution: "@xmldom/xmldom@npm:0.8.10"
-  checksum: 10/62400bc5e0e75b90650e33a5ceeb8d94829dd11f9b260962b71a784cd014ddccec3e603fe788af9c1e839fa4648d8c521ebd80d8b752878d3a40edabc9ce7ccf
-  languageName: node
-  linkType: hard
-
-"@xmldom/xmldom@npm:~0.8.13":
+"@xmldom/xmldom@npm:0.8.13, @xmldom/xmldom@npm:~0.8.13":
  version: 0.8.13
  resolution: "@xmldom/xmldom@npm:0.8.13"
  checksum: 10/f8f3d56fa91d5026885c0c5c00b07eae47647bda0d742ecbf8e51e06bb287ab30222977b20529ee15c364031606225ebca58907a8ecc76a3add6b3f10e6ddfc6
@ -38481,14 +38474,14 @@ __metadata:
  languageName: node
  linkType: hard

-"xml-encryption@npm:~3.1.0":
-  version: 3.1.0
-  resolution: "xml-encryption@npm:3.1.0"
+"xml-encryption@npm:~4.0.0":
+  version: 4.0.0
+  resolution: "xml-encryption@npm:4.0.0"
  dependencies:
    "@xmldom/xmldom": "npm:^0.8.5"
    escape-html: "npm:^1.0.3"
    xpath: "npm:0.0.32"
-  checksum: 10/c84c1e11692181c24a1c30123fed4fa31015c58994bbdcf091f07fa79f0fb809774b1533d191c4739bf76bb0fb95f223d393e84cc48417480a1896b2b689373b
+  checksum: 10/319f5c0c591a5600f5f6846c9b27a69e6ecd7d4a2215cfb9ffac37490143d48239652097eae6ff33a0d55f8b534c03caa09e75ee260d89d3d1bc26802c1cfc36
  languageName: node
  linkType: hard