Hi,
saml2-js@4.0.4 depends on xmlbuilder2@^2.4.0, which uses js-yaml@3.14.0 and has a prototype pollution vulnerability (CVE-2025-64718).
Could saml2-js update xmlbuilder2 to >=4.0 so that a patched js-yaml (>=4.1.1) can be used? This would mitigate the security risk.
This issue description was drafted with the assistance of ChatGPT.
Thanks!
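As an added example (not code from the issue author or the saml2-js project), here is a small lockfile audit a maintainer or downstream user can run to confirm whether the chain described above actually lands a js-yaml below the patched 4.1.1 in their own install, and which top-level dependency pulls it in. The embedded `package-lock.json` fragment is a constructed sample that mirrors the chain in the issue (saml2-js -> xmlbuilder2 -> js-yaml@3.14.0); the xmlbuilder2 version shown is a placeholder, not a claim about what npm resolves today. The threshold 4.1.1 is the patched version named in the issue.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages" map)
// for copies of a package below a fixed version, and report the dependency chain
// from the project root that pulls each vulnerable copy in.
// SAMPLE_LOCKFILE is constructed for illustration; the xmlbuilder2 version is a placeholder.
const SAMPLE_LOCKFILE = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "saml2-js": "^4.0.4" } },
    "node_modules/saml2-js": { version: "4.0.4", dependencies: { xmlbuilder2: "^2.4.0" } },
    "node_modules/xmlbuilder2": { version: "2.4.0", dependencies: { "js-yaml": "3.14.0" } },
    "node_modules/js-yaml": { version: "3.14.0" },
    // A second, patched copy nested under another tool: must NOT be reported.
    "node_modules/some-tool": { version: "1.0.0", dependencies: { "js-yaml": "^4.1.1" } },
    "node_modules/some-tool/node_modules/js-yaml": { version: "4.1.1" },
  },
};

// Compare two "MAJOR.MINOR.PATCH" strings numerically (pre-release tags ignored).
// Returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `pkgName` whose version is below `fixedVersion`.
// Lockfile paths look like "node_modules/a/node_modules/b"; the package name
// is the segment after the last "node_modules/".
function findVulnerableCopies(lockfile, pkgName, fixedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !entry.version) continue;
    const name = path.split("node_modules/").pop();
    if (name !== pkgName) continue;
    if (compareSemver(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Where npm installed `depName` as seen from `fromPath`: try the nested
// node_modules first, then walk up toward the root (hoisted copies).
function resolveDep(lockfile, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (lockfile.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Chain of "name@version" from the project root to `targetPath`, or null if
// no dependency edge reaches it (e.g. an orphaned lockfile entry).
function dependencyChain(lockfile, targetPath) {
  const visited = new Set();
  function walk(path, chain) {
    if (path === targetPath) return chain;
    if (visited.has(path)) return null;
    visited.add(path);
    const deps = Object.keys((lockfile.packages[path] || {}).dependencies || {});
    for (const dep of deps) {
      const next = resolveDep(lockfile, path, dep);
      if (!next) continue;
      const found = walk(next, [...chain, `${dep}@${lockfile.packages[next].version}`]);
      if (found) return found;
    }
    return null;
  }
  return walk("", ["(root)"]);
}

// Full report: each vulnerable copy with the chain that explains why it is installed.
function auditLockfile(lockfile, pkgName, fixedVersion) {
  return findVulnerableCopies(lockfile, pkgName, fixedVersion).map((hit) => ({
    ...hit,
    chain: dependencyChain(lockfile, hit.path),
  }));
}

// Run against the constructed sample; swap in JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
// to audit a real project.
for (const hit of auditLockfile(SAMPLE_LOCKFILE, "js-yaml", "4.1.1")) {
  console.log(`${hit.path} (${hit.version}) via ${hit.chain ? hit.chain.join(" > ") : "<unreachable>"}`);
}
```

The chain output is what makes the report actionable: it shows that the old js-yaml is not a direct dependency of the project but is dragged in through saml2-js and xmlbuilder2, so the remediation is the upstream bump requested above (or an npm `overrides` entry as a stopgap) rather than a change in the application's own package.json.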