fix!: remove vulnerable node-forge dependency

david-renaud-okta · david-renaud-okta · commit 0106c611a126 · 2022-02-03T00:28:37.000-05:00
BREAKING CHANGE: Requires NodeJS >= 12 Upgraded the xml-encryption package which removes the vulnerable node-forge dependency See GHSA-8fr3-hfg3-gpgp
diff --git a/README.md b/README.md
@@ -4,6 +4,10 @@ Create SAML assertions. Supports SAML 1.1 and SAML 2.0 tokens.
 
 [![Build Status](https://travis-ci.org/auth0/node-saml.png)](https://travis-ci.org/auth0/node-saml)
 
+### Supported Node Versions
+
+node >= 12
+
 ### Usage
 
 ```js
diff --git a/package.json b/package.json
@@ -1,6 +1,9 @@
 {
   "name": "saml",
   "version": "1.0.1",
+  "engines": {
+    "node": ">=12"
+  },
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",
     "@commitlint/config-conventional": "^11.0.0",
@@ -24,7 +27,7 @@
     "moment": "2.19.3",
     "valid-url": "~1.0.9",
     "xml-crypto": "^2.1.3",
-    "xml-encryption": "^1.2.1",
+    "xml-encryption": "^2.0.0",
     "xml-name-validator": "~2.0.1",
     "xpath": "0.0.5"
   },
