[Security] Update passport yaml dependency

[JoshSharpe]

Switched default signature algo for better security
Upgraded passport-saml dependency from 3.2.4 -> 5.1.0

Primary rationale is to address a critical security vulnerability.

• https://nvd.nist.gov/vuln/detail/CVE-2025-54419
• Advisory: GHSA-4mxg-3p6v-xgq3

Also addresses xml-crypto update.

[srd90]

@JoshSharpe I presume that you did not test this PR nor did you pay attention to #7756 discussion's this part:

See tips for migration from similar issue earlier this year: #7578

which says e.g. (edited 5.0.1 to 5.1.0):

Another fix would be to migrate from passport-saml 3.2.4 to @node-saml/passport-saml ^5.1.0

If migration is done there are multiple breaking and major changes to be considered.

• https://github.com/node-saml/node-saml/blob/v5.1.0/CHANGELOG.md
  • everything between ]3.0.0, 5.1.0]
• https://github.com/node-saml/passport-saml/blob/v5.1.0/CHANGELOG.md
  • everything between ]3.1.0, 5.1.0]

e.g. cert config parameter is idpCert at 5.1.0 (there are also other breaking changes). I see no changes related to breaking changes in this PR at the moment (vega - upcoming v3? - branch seems to be missing also such changes at the moment even though it has introduced dependency to @node-saml/passport-saml 5.1.0)

[JoshSharpe]

@JoshSharpe I presume that you did not test this PR nor did you pay attention to #7756 discussion's this part:

See tips for migration from similar issue earlier this year: #7578

which says e.g. (edited 5.0.1 to 5.1.0):

Another fix would be to migrate from passport-saml 3.2.4 to @node-saml/passport-saml ^5.1.0
If migration is done there are multiple breaking and major changes to be considered.

• https://github.com/node-saml/node-saml/blob/v5.1.0/CHANGELOG.md

  • everything between ]3.0.0, 5.1.0]

• https://github.com/node-saml/passport-saml/blob/v5.1.0/CHANGELOG.md

  • everything between ]3.1.0, 5.1.0]

e.g. cert config parameter is idpCert at 5.1.0 (there are also other breaking changes). I see no changes related to breaking changes in this PR at the moment (vega - upcoming v3? - branch seems to be missing also such changes at the moment even though it has introduced dependency to @node-saml/passport-saml 5.1.0)

Yeah I tested the base functionality but I was unable to test SAML specifically because I don't currently have a SAML auth client. I can try to find one to sign up for.

As far as correcting breaking changes - I did review the changelogs you posted and must have missed the field name change. I tried to disregard some of the behaviors and default changes because they are typically for improved security. But will glance over them again. Do you have experience in making this adjustment and enough knowledge to advise on additional changes? I am not a SAML user but just trying to clear this vulnerability.

[srd90]

Do you have experience in making this adjustment and enough knowledge to advise on additional changes?

I am not going to invest time to project / version of a project which has effectively ended / maintenance has ended years ago. I do not even use this wiki for anything (and I hate to think that someone might use this wiki with SAML authentication at any production env).

I have pinpointed over the years few times SAML related issues because it seems that this wiki has huge installation base (based on stars, forks and active discussion board) and due to huge number of instances chances are that there is quite a few instances which use SAML for authentication (and most probably are running versions with known vulnerabilities). Originally I spotted this project when I checked which are most popular repositories using passport-saml in order to notify maintainers about one passport-saml related issue / check whether those projects might be using passport-saml with insecure configuration ( #5180 initial approach was made via email at year 2021 ).

By posting notes to discussion board chances are that at least some wiki instance maintainer might migrate away from SAML (until currently open problem/known vuln is fixed also to this wiki)...or - hopefully - migrate away from SAML completely.

[srd90]

I tried to disregard some of the behaviors and default changes because they are typically for improved security.

One more/last thing:

You might want to pay attention to want auth / assertion signed configuration parameters which were added to 4.0.0. For more info see:

• https://stackoverflow.com/a/79091591
• [BUG] When the ID of the response is different from the ID of the assertion, no signature node is found node-saml/node-saml#378 (comment)

failing to provide possibility to configure (and document side effects of selections for end users of jswiki) those shall mean that by default both are required and you / maintainer shall face constant stream of questions why SAML authentication fails due missinng signature (most IdPs sign only response or assertion not both)

Sidenote:

It is usually not good practise to disregard security related libraries' configuration possibilities/documentation and especially in case of SAML which provides so many ways to mess up (one example being e.g. back in the 2021 when jswiki allowed turning off all signature verification by not requiring and configuring IdP cert to passport-saml ... yes ... it was also oversight from passport-saml side to even allow such situation).

Good starting point to build up background info to understand configuration choices is e.g. list of links at the end of this comment: node-saml/node-saml#326 (comment)