fix(deps): update @xmldom/xmldom to ^0.9.10 for spec-compliant DOM #116
Open
esetnik wants to merge 1 commit into auth0:master from
Conversation
@xmldom/xmldom 0.9.0 introduced two intentional spec-compliance changes that affect this library:

1. DOMParser.parseFromString() now requires a mimeType argument and throws when undefined (lib/utils.js:72, lib/saml11.js:221).
2. Element.getAttribute() now returns null (not '') for missing attributes, matching the DOM Living Standard.

Changes:
- Bump dependency range from ^0.7.4 to ^0.9.10. The previous range had a known XML-injection CVE (GHSA-wh4c-j3r5-mjhp / CVE-2026-34601); downstream consumers have had to apply package-manager overrides to dodge it (and have hit the 0.9.x break when the override floor went open-ended).
- Pass 'text/xml' to all parseFromString() call sites in lib/ and test/ (26 sites).
- Update assertions in the saml20 'includeAttributeNameFormat: false' test to expect null instead of '' for the now-missing NameFormat attribute.

All 105 tests still pass; 5 pending unchanged.

Refs auth0#115
Summary

Bumps `@xmldom/xmldom` from `^0.7.4` to `^0.9.10` and adapts the call sites to its spec-compliant API. Tests still pass (105 / 5 pending — same as baseline).

Closes #115. (Also addresses the goal of #101 — bumping out of the 0.7.x CVE floor — but goes the whole way to current `latest` rather than stopping at 0.8 LTS.)

Why now

- `@xmldom/xmldom@<0.8.12` has a known XML-injection vulnerability (GHSA-wh4c-j3r5-mjhp, CVE-2026-34601). Snyk and Dependabot flag this for every consumer of `saml@4.0.0`. Most downstream projects work around it with package-manager overrides.
- The `latest` dist-tag for `@xmldom/xmldom` is now `0.9.10`. When downstream overrides are open-ended (`>=0.8.12` etc.), a fresh resolution promotes through to 0.9.x and breaks `saml` at runtime — see #115.
- 0.7.13 → 0.8.10) has been open and unmerged for ~2 years. This PR supersedes it and goes one major further so we don't have to revisit when 0.10 ships.

What changed

`@xmldom/xmldom@0.9.0` made two intentional, spec-aligning changes that touch this library:

1. `DOMParser.parseFromString()` requires a mimeType

   Old behavior: `parseFromString(xml)` parsed as XML by default.
   New behavior: throws `TypeError: ... mimeType "undefined" is not valid` when called without a mimeType.

   Fixed in 26 call sites by passing `'text/xml'`:
   - `lib/saml11.js:221` (1 site, production)
   - `lib/utils.js:72` (1 site, production)
   - `test/saml11.tests.js` (4 sites)
   - `test/saml20.tests.js` (6 sites)
   - `test/utils.js` (14 sites)

2. `Element.getAttribute()` returns `null` for missing attributes

   Old behavior: returned `''` (non-spec).
   New behavior: returns `null`, matching the DOM Living Standard.

   The only test that depended on the old behavior — `saml 2.0 #create / should not set NameFormat in attributes when includeAttributeNameFormat is false` (`test/saml20.tests.js:316`) — has been updated to expect `null`. (The corresponding `#createUnsignedAssertion` run shares the same `it` block, so both pass with the single change.)

   No production code depended on the old behavior.
Test plan
```
$ npm install
$ npm test
...
105 passing (261ms)
5 pending
```
Same counts as on `master` before the bump.

Notes for reviewers

- lockFileMaintenance. Happy to iterate if there's a preferred shape (e.g. capping at `^0.8.0` LTS instead of jumping to `^0.9.10`, or splitting the dep bump from the test fix).
- `xml-crypto` (`^2.1.3`) or `xml-encryption` (`^4.0.0`) — both have newer majors but those are separate concerns.
- `semantic-release` is in devDeps), the conventional-commit subject should drive the changelog automatically.

[Written by Claude]
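The two API changes the PR adapts to (mandatory mimeType, `null` for a missing attribute) are the kind of thing worth funnelling through one helper so the next xmldom major touches one file rather than 26 call sites. The block below is an added example, not code from the saml library or from this PR. The DOMParser class is injected rather than imported so it runs offline; `FakeDomParser09` is a constructed test double that follows the 0.9 contract described above and is not an XML parser, and `parseXml`, `getAttr` and `requireAttr` are names chosen for this example.

```javascript
// Added example (not from the saml library or this PR): a thin compatibility
// layer over the two @xmldom/xmldom 0.9 behaviours described in the PR.
// The DOMParser class is injected; in a real project pass the library's own:
//   const { DOMParser } = require('@xmldom/xmldom');
//   const doc = parseXml(xmlString, DOMParser);

const XML_MIME_TYPE = 'text/xml';

// Parse a document as XML. Always passes an explicit mimeType, which xmldom
// >= 0.9 requires and older versions accept, so the one call works on both.
function parseXml(xml, DOMParserImpl) {
  if (typeof xml !== 'string') {
    throw new TypeError('parseXml: expected the document as a string');
  }
  if (typeof DOMParserImpl !== 'function') {
    throw new TypeError('parseXml: a DOMParser class must be supplied');
  }
  return new DOMParserImpl().parseFromString(xml, XML_MIME_TYPE);
}

// Read an optional attribute. Old xmldom returned '' and 0.9 returns null for
// a missing attribute; both map to '' so callers see a single value.
function getAttr(el, name) {
  const value = el.getAttribute(name);
  return value === null || value === undefined ? '' : value;
}

// Read a mandatory attribute: missing or empty is an error, not a string the
// caller goes on to treat as valid.
function requireAttr(el, name) {
  const value = getAttr(el, name);
  if (value === '') {
    throw new Error(`required attribute "${name}" is missing on <${el.tagName}>`);
  }
  return value;
}

// Constructed test double following the 0.9 contract the PR describes:
// parseFromString throws without a mimeType, getAttribute returns null for a
// missing attribute. It understands only a single element with double-quoted
// attributes and exists solely so the helpers can be exercised offline.
class FakeDomParser09 {
  parseFromString(source, mimeType) {
    if (mimeType === undefined) {
      throw new TypeError(`mimeType "${mimeType}" is not valid`);
    }
    const m = /^<([\w:]+)((?:\s+[\w:]+="[^"]*")*)\s*\/?>/.exec(source.trim());
    if (!m) throw new Error('FakeDomParser09 handles only one element');
    const attrs = new Map();
    for (const [, k, v] of m[2].matchAll(/([\w:]+)="([^"]*)"/g)) attrs.set(k, v);
    const documentElement = {
      tagName: m[1],
      getAttribute: (n) => (attrs.has(n) ? attrs.get(n) : null),
    };
    return { documentElement };
  }
}

// Constructed sample: a SAML 2.0 Attribute with no NameFormat, i.e. what the
// includeAttributeNameFormat: false test in the PR produces.
const SAMPLE_ATTRIBUTE_XML = '<saml:Attribute Name="email" />';

// Shows the migration: the old single-argument call fails on 0.9, the wrapper
// does not, and the attribute helpers hide the '' vs null difference.
function demo(DOMParserImpl = FakeDomParser09) {
  let legacyCallFailed = false;
  try {
    new DOMParserImpl().parseFromString(SAMPLE_ATTRIBUTE_XML); // pre-0.9 style
  } catch (e) {
    legacyCallFailed = e instanceof TypeError;
  }
  const el = parseXml(SAMPLE_ATTRIBUTE_XML, DOMParserImpl).documentElement;
  return {
    legacyCallFailed,
    name: requireAttr(el, 'Name'),
    rawNameFormat: el.getAttribute('NameFormat'), // null on 0.9
    nameFormat: getAttr(el, 'NameFormat'),        // '' through the helper
  };
}
```

Running `demo()` against the real `@xmldom/xmldom` 0.9 class instead of the double gives the same shape of result, which is the point: code written against `parseXml`/`getAttr` does not care which side of the 0.9 boundary the resolved dependency lands on.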