Auth0 Home Blog Docs

Licensing issues with node-xml-encryption


Hi There,

  • Which SDK does this apply to? Which version of the SDK you are using?
    • node-samlp@3.4.0
    • node-saml@0.12.4
    • node-xml-encryption@0.11.2

node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.

However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:

I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?



@kim.noel - is this something you will be able to help with?


:wave: @neverendingqs thank you for bringing this to my attention! We are now aware of this issue and I can work with the maintainers. I will update as soon as I have more information for merging the PR!


Hi @kim.noel,

Just wanted to follow up.



Bump @kim.noel. Do you have any updates?


Thank you everyone for your extended patience! I come barring great news - the PR has been merged :tada:



Thanks @kim.noel.

I have created a pull request for an upstream library affected (node-saml@0.12.4) ( Would someone be able to take a look at it as well?

I think that’s the last one to be merged for this to be resolved, as node-samlp uses a caret to reference node-saml. There may be other libraries, but I couldn’t find any Auth0 ones when taking a quick glace at and



You’re welcome.

Let me get in touch again with the right team to take a look!


@neverendingqs I believe you saw on GitHub that the PR was merged! :tada: just posting here for anyone who may come across this post in the future.


Thanks @kim.noel! A new release has been made as well, and everything looks good on my end.