Licensing issues with node-xml-encryption

neverendingqs · May 31, 2018, 4:59pm

Hi There,

Which SDK does this apply to? Which version of the SDK you are using?
- node-samlp@3.4.0
- node-saml@0.12.4
- node-xml-encryption@0.11.2

node-xml-encryption@0.11.2 is licensed under MIT but it is using xpath@0.0.24 which is licensed under CC-BY-SA-2.0. As per CC-BY-SA-2.0, node-xml-encryption@0.11.2 (and subsequently node-saml@0.12.4 and node-samlp@3.4.0) must also be licensed under CC-BY-SA-2.0 because it uses xpath@0.0.24.

However, a simple solution exists as xpath@0.0.27 (3 patch versions later) is licensed under MIT. We can simply switch node-xml-encryption to use xpath@0.0.27, and increase the patch version of the libraries increased above in reverse order. A developer has already created a pull request to start fixing this very issue:

I have tried contacting the maintainers of node-xml-encryption on GitHub, but have not heard back from them. Would a developer at Auth0 be able to take a look and merge the pull request at their earliest convenience?

Thanks,
Mark

neverendingqs · June 4, 2018, 8:09pm

@kimcodes - is this something you will be able to help with?

kimcodes · June 5, 2018, 2:32pm

@neverendingqs thank you for bringing this to my attention! We are now aware of this issue and I can work with the maintainers. I will update as soon as I have more information for merging the PR!

neverendingqs · June 13, 2018, 3:06pm

Hi @kimcodes,

Just wanted to follow up.

Thanks,
Mark

neverendingqs · June 25, 2018, 8:28pm

Bump @kimcodes. Do you have any updates?

kimcodes · July 9, 2018, 5:44pm

Thank you everyone for your extended patience! I come barring great news - the PR has been merged Bump xpath version (#43) by wickedest · Pull Request #44 · auth0/node-xml-encryption · GitHub

@neverendingqs

neverendingqs · July 10, 2018, 2:29pm

Thanks @kimcodes.

I have created a pull request for an upstream library affected (node-saml@0.12.4) (chore - updating xml-encryption to 0.11.2 to resolve licensing issues. by neverendingqs · Pull Request #48 · auth0/node-saml · GitHub). Would someone be able to take a look at it as well?

I think that’s the last one to be merged for this to be resolved, as node-samlp uses a caret to reference node-saml. There may be other libraries, but I couldn’t find any Auth0 ones when taking a quick glace at npm and npm.

Mark

kimcodes · July 10, 2018, 4:25pm

You’re welcome.

Let me get in touch again with the right team to take a look!

kimcodes · July 11, 2018, 1:18pm

@neverendingqs I believe you saw on GitHub that the PR was merged! just posting here for anyone who may come across this post in the future.

neverendingqs · July 11, 2018, 8:14pm

Thanks @kimcodes! A new release has been made as well, and everything looks good on my end.