Releases: tngan/samlify

v2.13.1

18 May 14:18

Patch release. Fixes the TypeScript regression reported in #626, and retroactively documents a breaking change that shipped in 2.13.0 but was not called out in its release notes (per the discussion in #626).

🐛 Fixed

  • Restore Express request type compatibility (#626, #627). 2.13.0 (commit 3d5788a) tightened ESamlHttpRequest.query / .body from any to Record<string, string | undefined>. That type is not structurally assignable from an Express Request (req.query is qs.ParsedQs, whose values may be string[] or nested objects), so TypeScript callers passing req (or req.query) into parseLoginRequest / parseLoginResponse / parseLogoutRequest / parseLogoutResponse failed to compile (TS2345 / TS2322). The fields are now Record<string, unknown> — backward compatible with the pre-2.13 typing and every web framework's request object, still stricter than any. Runtime behaviour was never affected. A type-checked regression guard was added so this cannot silently recur.

⚠️ Breaking change — shipped in 2.13.0 (PR #613, commit fee4ff1), documented here

This was an intended security fix in the 2026-04 audit but was only noted in the commit message, not the 2.13.0 release notes:

  • libsaml.constructMessageSignature(...) no longer defaults to RSA-SHA1. Callers omitting the signingAlgorithm argument now get RSA-SHA256.
  • Unknown signature-algorithm URIs now throw ERR_UNSUPPORTED_SIGNATURE_ALGORITHM instead of silently downgrading to SHA-1. This closes a verification-downgrade vector reachable via the user-controlled SigAlg query parameter.

Migration: if SHA-1 is required for an interop reason, pass signatureAlgorithms.RSA_SHA1 explicitly. Unknown/malformed algorithm URIs are now rejected by design.

🔒 Security behaviour note (also from PR #613 / 2.13.0)

setDOMParserOptions(options) now merges the XXE-safe baseline (errorHandler) instead of replacing it — passing {} or partial options no longer silently disables XXE protection. Callers may still override it explicitly.

What's Changed

  • fix: restore Express request type compatibility in ESamlHttpRequest (closes #626) by @tngan in #627

Full Changelog: v2.13.0...v2.13.1

v2.13.0

14 May 18:49

What's Changed

  • Bump @xmldom/xmldom from 0.8.11 to 0.8.12 by @dependabot[bot] in #603
  • Bump @xmldom/xmldom from 0.8.12 to 0.8.13 by @dependabot[bot] in #605
  • Bump postcss from 8.5.6 to 8.5.12 by @dependabot[bot] in #606
  • fix: reject promises with Error instances, not raw strings (#581) by @tngan in #607
  • feat: support simpleSign binding for logout request/response (#584) by @tngan in #608
  • docs: correct the parseResult example in saml-response (#518) by @tngan in #609
  • docs: clarify that wantMessageSigned and signatureConfig are SP options (#516) by @tngan in #610
  • RFC-0001: introduce .skills/ and mandatory SAML 2.0 spec citation workflow by @tngan in #611
  • feat: per-request relayState for login + logout (closes #163) by @tngan in #612
  • sec: 2026-04 audit — patch vite, fix XXE bypass, reject unknown sig algs by @tngan in #613
  • fix: omit AuthnRequest attributes whose value is null/undefined (closes #455) by @tngan in #614
  • fix: pass SessionIndex through createLogoutRequest (closes #470) by @tngan in #615
  • fix: throw a clear error when redirect binding has no SSO/SLO endpoint (closes #308 #405) by @tngan in #617
  • fix: surface SP/IdP signing flags in ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG (closes #453) by @tngan in #616
  • fix: default signatureConfig for SP when wantMessageSigned is true (closes #454) by @tngan in #619
  • feat: per-request ForceAuthn for createLoginRequest (closes #359) by @tngan in #618
  • feat: support tagPrefix.protocol and tagPrefix.assertion on IdP (closes #388) by @tngan in #620
  • fix: invoke customTagReplacement even without explicit template (closes #549) by @tngan in #621
  • feat: support elementsOrder option on IdP metadata (closes #429) by @tngan in #622
  • feat: support RSASSA-PSS signature algorithms (closes #624) by @tngan in #625
  • feat: per-request AssertionConsumerServiceIndex for createLoginRequest (closes #437) by @tngan in #623

Security Audit

GHSA-34r5-q4jw-r36m (credit to @RootUp)

Full Changelog: v2.12.0...v2.13.0

v2.12.0

31 Mar 15:26

What's Changed

  • fix: security audit - XPath injection, XXE protection, dependency update ab87376
  • fix: maintain the commonjs build and remove camel case lib import by @tngan in #601

Full Changelog: v2.11.0...v2.12.0

v2.11.0

09 Mar 22:30

What's Changed

New Contributors

Full Changelog: v2.10.2...v2.11.0

v2.10.2

06 Dec 11:37

What's Changed

New Contributors

Full Changelog: v2.10.0...v2.10.2

v2.10.0

25 May 06:36

Overview

Samlify version 2.10.0 addresses a critical security vulnerability (CVE-2025-47949) related to a Signature Wrapping attack in versions prior to 2.10.0. This release includes critical fixes to prevent attackers from forging SAML Responses to authenticate as any user. All users are strongly recommended to upgrade to version 2.10.0 to mitigate this risk.

Security Fixes

CVE-2025-47949: Signature Wrapping Attack Vulnerability

  • Issue: A vulnerability in Samlify versions prior to 2.10.0 allowed attackers to exploit improper validation of signed XML documents, enabling them to forge a SAML Response and authenticate as any user, provided they had a signed XML document from the identity provider.
  • Fix: Enhanced validation of signed XML documents to prevent Signature Wrapping attacks, ensuring secure SAML-based single sign-on (SSO) authentication.
  • Impact: This vulnerability had a CVSS score of 9.9, indicating a critical severity. It posed a high-priority risk for SAML-based SSO systems.
  • Recommendation: Immediately upgrade to Samlify version 2.10.0 or later to address this vulnerability.

Ensure that your application is thoroughly tested after upgrading to confirm compatibility with your SAML-based SSO implementation.

References

GitHub Security Advisory: GHSA-r683-v43c-6xqv
CVE Details: CVE-2025-47949

Acknowledgments

We thank the security researchers and contributors who identified and reported this vulnerability, enabling us to deliver a timely fix to protect our users. @ahacker1-securesaml

Full Changelog: v2.9.1...v2.10.0

v2.9.1

24 Mar 14:41

What's Changed

New Contributors

Full Changelog: v2.8.11...v2.9.1

v2.8.11

02 Mar 04:21

  • Xml entity escape @Munawwar
  • Add dom parser options for context customization #535 @bsShoham

v2.8.10

26 Feb 07:09

fix encryption for @xmldom/xmldom 0.8.6 upgrade #511 (@mastermatt)

v2.8.9

26 Feb 07:08

fix: system locale affects camelcase conversion #507 (@ayZagen)
fix: support unencrypted PKCS#8 keys again #503 (@mastermatt)