auth0 / xml-crypto creates security vulnerability
frytg opened this issue · comments
Dan commented
Is there a reason why this package relies on auth0/xml-crypto#v1.4.1-auth0.2 for the xml-crypto package?
This fork seems to be 219 commits behind yaronn/xml-crypto and uses 0.1.27 for xmldom, which seems affected by CVE-2021-21366.
Possible Solution: Test and use "xml-crypto": "^2.1.2" (mocha returns 139 tests complete (847 ms)).