Licensing issues with node-xml-encryption

Hi There,

  • Which SDK does this apply to? Which version of the SDK you are using?
    • node-samlp@3.4.0
    • node-saml@0.12.4
    • node-xml-encryption@0.11.2

node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.

However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:

I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?


1 Like

@kimcodes - is this something you will be able to help with?

:wave: @neverendingqs thank you for bringing this to my attention! We are now aware of this issue and I can work with the maintainers. I will update as soon as I have more information for merging the PR!

1 Like

Hi @kimcodes,

Just wanted to follow up.


Bump @kimcodes. Do you have any updates?

Thank you everyone for your extended patience! I come barring great news - the PR has been merged :tada: Bump xpath version (#43) by wickedest · Pull Request #44 · auth0/node-xml-encryption · GitHub


1 Like

Thanks @kimcodes.

I have created a pull request for an upstream library affected (node-saml@0.12.4) (chore - updating xml-encryption to 0.11.2 to resolve licensing issues. by neverendingqs · Pull Request #48 · auth0/node-saml · GitHub). Would someone be able to take a look at it as well?

I think that’s the last one to be merged for this to be resolved, as node-samlp uses a caret to reference node-saml. There may be other libraries, but I couldn’t find any Auth0 ones when taking a quick glace at npm and npm.


You’re welcome.

Let me get in touch again with the right team to take a look!

@neverendingqs I believe you saw on GitHub that the PR was merged! :tada: just posting here for anyone who may come across this post in the future.

Thanks @kimcodes! A new release has been made as well, and everything looks good on my end.

1 Like