Security issues with deep dependencies

[guyindepurker]

Hi we use the latest version of passport-wsfed-saml2 4.6.1 and we has a Security issues with the dependencies that you use and you should to update the version of them in the package.json of the library.

this is the list under "via" that you should to update:
"passport-wsfed-saml2": { "name": "passport-wsfed-saml2", "severity": "critical", "isDirect": true, "via": [ "ejs", "node-forge", "xml-crypto", "xml-encryption" ] },

Its seems that the ejs and node-forge that you used is the most critical.
You can check this and release new version of passport-wsfed-saml2.
Or you can tell me what to do with this?

[allens01]

I have got around this by setting overrides in package.json (or resolutions if you are using yarn)

"overrides": { "xml-encryption": "3.0.1", "node-forge": "1.3.1", "xml-crypto": "2.1.5", "ejs": "3.1.8" }

[nrcdvyskrebets]

here's my package.json with bumps for the latest version as of now

{
  "dependencies": {
    "passport-wsfed-saml2": "4.6.3"
  },
  "overrides": {
    "[email protected]": {
      "ejs": "3.1.7",
      "node-forge": "1.3.0",
      "xml-crypto": "2.1.5"
    }
  }
}