
Licensing issues with node-xml-encryption


#1

Hi There,

  • Which SDK does this apply to? Which version of the SDK you are using?
    • node-samlp@3.4.0
    • node-saml@0.12.4
    • node-xml-encryption@0.11.2

node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.

However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:

I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?

Thanks,
Mark


#2

@kim.noel - is this something you will be able to help with?


#3

:wave: @neverendingqs thank you for bringing this to my attention! We are now aware of this issue and I can work with the maintainers. I will update as soon as I have more information for merging the PR!


#4

Hi @kim.noel,

Just wanted to follow up.

Thanks,
Mark