chore(deps): bump xmldom and related deps (RocketChat#40270)

julio-rocketchat · web-flow · commit a8244d483846 · 2026-04-23T10:21:23.000-03:00
diff --git a/.github/actions/update-version-durability/package.json b/.github/actions/update-version-durability/package.json
@@ -16,6 +16,6 @@
 		"colors": "^1.4.0",
 		"diff": "^5.1.0",
 		"semver": "^7.5.4",
-		"@xmldom/xmldom": "^0.8.10"
+		"@xmldom/xmldom": "^0.8.13"
 	}
 }
diff --git a/apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts b/apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
@@ -208,7 +208,9 @@ export class ResponseParser {
 		let newXml = null;
 
 		if (typeof encAssertion !== 'undefined') {
-			const options = { key: this.serviceProviderOptions.privateKey };
+			// disallowDecryptionWithInsecureAlgorithm defaults to true in xml-encryption v4, but AES-CBC/3DES
+			// are still widely used by SAML IdPs in practice, so we keep the pre-v4 behaviour here.
+			const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
 			const encData = encAssertion.getElementsByTagNameNS('*', 'EncryptedData')[0];
 			xmlenc.decrypt(encData, options, (err, result) => {
 				if (err) {
@@ -350,7 +352,7 @@ export class ResponseParser {
 		const encSubject = assertion.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'EncryptedID')[0];
 
 		if (typeof encSubject !== 'undefined') {
-			const options = { key: this.serviceProviderOptions.privateKey };
+			const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
 			xmlenc.decrypt(encSubject.getElementsByTagNameNS('*', 'EncryptedData')[0], options, (err, result) => {
 				if (err) {
 					SAMLUtils.error({ err });
diff --git a/apps/meteor/package.json b/apps/meteor/package.json
@@ -306,7 +306,7 @@
 		"universal-perf-hooks": "^1.0.1",
 		"webdav": "^4.11.5",
 		"xml-crypto": "~3.2.1",
-		"xml-encryption": "~3.1.0",
+		"xml-encryption": "~4.0.0",
 		"xml2js": "~0.6.2",
 		"yaqrcode": "^0.2.1",
 		"yoga-layout": "patch:yoga-layout@npm%3A3.2.1#~/.yarn/patches/yoga-layout-npm-3.2.1-51ec934670.patch",
diff --git a/package.json b/package.json
@@ -75,7 +75,9 @@
 		"zod@npm:~4.3.6": "patch:zod@npm%3A4.3.6#~/.yarn/patches/zod-npm-4.3.6-a096e305e6.patch",
 		"@react-aria/i18n@npm:^3.0.0-nightly-fb28ab3b4-241024": "patch:@react-aria/i18n@npm%3A3.12.5#~/.yarn/patches/@react-aria-i18n-npm-3.12.5-435edff786.patch",
 		"@react-aria/i18n@npm:^3.12.5": "patch:@react-aria/i18n@npm%3A3.12.5#~/.yarn/patches/@react-aria-i18n-npm-3.12.5-435edff786.patch",
-		"@react-aria/toolbar@npm:^3.0.0-nightly.5042": "3.0.0-nightly-fb28ab3b4-241024"
+		"@react-aria/toolbar@npm:^3.0.0-nightly.5042": "3.0.0-nightly-fb28ab3b4-241024",
+		"xml-crypto/@xmldom/xmldom": "0.8.13",
+		"xml-encryption/@xmldom/xmldom": "0.8.13"
 	},
 	"dependencies": {
 		"@types/stream-buffers": "^3.0.8",
diff --git a/yarn.lock b/yarn.lock
@@ -10220,7 +10220,7 @@ __metadata:
     webdav: "npm:^4.11.5"
     webpack: "npm:~5.104.1"
     xml-crypto: "npm:~3.2.1"
-    xml-encryption: "npm:~3.1.0"
+    xml-encryption: "npm:~4.0.0"
     xml2js: "npm:~0.6.2"
     yaqrcode: "npm:^0.2.1"
     yoga-layout: "patch:yoga-layout@npm%3A3.2.1#~/.yarn/patches/yoga-layout-npm-3.2.1-51ec934670.patch"
@@ -16024,14 +16024,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@xmldom/xmldom@npm:^0.8.5, @xmldom/xmldom@npm:^0.8.8":
-  version: 0.8.10
-  resolution: "@xmldom/xmldom@npm:0.8.10"
-  checksum: 10/62400bc5e0e75b90650e33a5ceeb8d94829dd11f9b260962b71a784cd014ddccec3e603fe788af9c1e839fa4648d8c521ebd80d8b752878d3a40edabc9ce7ccf
-  languageName: node
-  linkType: hard
-
-"@xmldom/xmldom@npm:~0.8.13":
+"@xmldom/xmldom@npm:0.8.13, @xmldom/xmldom@npm:~0.8.13":
   version: 0.8.13
   resolution: "@xmldom/xmldom@npm:0.8.13"
   checksum: 10/f8f3d56fa91d5026885c0c5c00b07eae47647bda0d742ecbf8e51e06bb287ab30222977b20529ee15c364031606225ebca58907a8ecc76a3add6b3f10e6ddfc6
@@ -38481,14 +38474,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"xml-encryption@npm:~3.1.0":
-  version: 3.1.0
-  resolution: "xml-encryption@npm:3.1.0"
+"xml-encryption@npm:~4.0.0":
+  version: 4.0.0
+  resolution: "xml-encryption@npm:4.0.0"
   dependencies:
     "@xmldom/xmldom": "npm:^0.8.5"
     escape-html: "npm:^1.0.3"
     xpath: "npm:0.0.32"
-  checksum: 10/c84c1e11692181c24a1c30123fed4fa31015c58994bbdcf091f07fa79f0fb809774b1533d191c4739bf76bb0fb95f223d393e84cc48417480a1896b2b689373b
+  checksum: 10/319f5c0c591a5600f5f6846c9b27a69e6ecd7d4a2215cfb9ffac37490143d48239652097eae6ff33a0d55f8b534c03caa09e75ee260d89d3d1bc26802c1cfc36
   languageName: node
   linkType: hard
 

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,6 @@`
`16`	`16`	`"colors": "^1.4.0",`
`17`	`17`	`"diff": "^5.1.0",`
`18`	`18`	`"semver": "^7.5.4",`
`19`		`- "@xmldom/xmldom": "^0.8.10"`
	`19`	`+ "@xmldom/xmldom": "^0.8.13"`
`20`	`20`	`}`
`21`	`21`	`}`