Hi there,
- Which SDK does this apply to? Which version of the SDK are you using?
- node-samlp@3.4.0
- node-saml@0.12.4
- node-xml-encryption@0.11.2
node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.
However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:
- Update xpath to fix licensing · Issue #43 · auth0/node-xml-encryption · GitHub
- Bump xpath version (#43) by wickedest · Pull Request #44 · auth0/node-xml-encryption · GitHub
I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?
Thanks,
Mark