
Licensing issues with node-xml-encryption


#1

Hi There,

  • Which SDK does this apply to? Which version of the SDK are you using?
    • node-samlp@3.4.0
    • node-saml@0.12.4
    • node-xml-encryption@0.11.2

node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.

However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:

I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?

Thanks,
Mark


#2

@kim.noel - is this something you will be able to help with?


#3

:wave: @neverendingqs thank you for bringing this to my attention! We are now aware of this issue and I can work with the maintainers. I will update as soon as I have more information for merging the PR!


#4

Hi @kim.noel,

Just wanted to follow up.

Thanks,
Mark


#6

Bump @kim.noel. Do you have any updates?


#7

Thank you everyone for your extended patience! I come bearing great news - the PR has been merged :tada: https://github.com/auth0/node-xml-encryption/pull/44

@neverendingqs


#8

Thanks @kim.noel.

I have created a pull request for an upstream library affected (node-saml@0.12.4) (https://github.com/auth0/node-saml/pull/48). Would someone be able to take a look at it as well?

I think that’s the last one to be merged for this to be resolved, as node-samlp uses a caret to reference node-saml. There may be other libraries, but I couldn’t find any Auth0 ones when taking a quick glance at https://www.npmjs.com/browse/depended/xml-encryption and https://www.npmjs.com/browse/depended/saml.

Mark
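
The check described in posts #1 and #8, as an added example that is not part of the thread or of any Auth0 project: it walks a resolved dependency tree for licenses outside an allowlist, and models npm caret ranges to show which fixed releases a dependent picks up without a change of its own. The tree is constructed from the versions named in the thread; the MIT values for node-samlp and node-saml, the allowlist, and the function names are assumptions, and the thread does not say which range referenced xpath.

```javascript
// Constructed sample tree using the package versions named in the thread.
// The MIT values for node-samlp and node-saml are assumed for illustration.
const tree = {
  name: 'node-samlp', version: '3.4.0', license: 'MIT',
  dependencies: [{
    name: 'node-saml', version: '0.12.4', license: 'MIT',
    dependencies: [{
      name: 'node-xml-encryption', version: '0.11.2', license: 'MIT',
      dependencies: [{ name: 'xpath', version: '0.0.24', license: 'CC-BY-SA-2.0' }],
    }],
  }],
};

// Walk the resolved tree and report every package whose declared license
// is outside the allowlist, with the dependency path that pulls it in.
function findDisallowed(node, allowed, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = allowed.has(node.license)
    ? []
    : [{ path: here.join(' > '), license: node.license }];
  for (const dep of node.dependencies || []) {
    hits.push(...findDisallowed(dep, allowed, here));
  }
  return hits;
}

// npm caret semantics for plain x.y.z versions (prerelease tags not handled):
// the leftmost non-zero component is fixed, so ^0.12.4 accepts 0.12.x patches
// while ^0.0.24 accepts only 0.0.24 itself.
function caretAllows(range, version) {
  const [M, m, p] = range.replace(/^\^/, '').split('.').map(Number);
  const [vM, vm, vp] = version.split('.').map(Number);
  if (((vM - M) || (vm - m) || (vp - p)) < 0) return false; // below the floor
  if (M > 0) return vM === M;
  if (m > 0) return vM === 0 && vm === m;
  return vM === 0 && vm === 0 && vp === p;
}

const allowed = new Set(['MIT', 'ISC', 'BSD-3-Clause', 'Apache-2.0']); // sample policy
console.log(findDisallowed(tree, allowed));
console.log(caretAllows('^0.12.4', '0.12.5')); // patch release is picked up
console.log(caretAllows('^0.0.24', '0.0.27')); // 0.0.x caret pins one version
```

A caret on a 0.0.x version matches only that exact version, so a dependent declared that way needs its own release to move to a later patch.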


#9

You’re welcome.

Let me get in touch again with the right team to take a look!


#10

@neverendingqs I believe you saw on GitHub that the PR was merged! :tada: just posting here for anyone who may come across this post in the future.


#11

Thanks @kim.noel! A new release has been made as well, and everything looks good on my end.

