security: remove debug dependency

[ahacker1-securesaml]

Description

Removes debug dependency, see https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

while malware has been removed, we should be reducing dependencies in general to improve security (prevents threat of future compromise)

Summary by CodeRabbit

• New Features

  • Added a public method to generate service provider metadata for integrations.

• Refactor

  • Switched internal debug logging mechanism and reduced noisy logs; preserved runtime behavior.
  • Minor error-message text correction in XML handling.

• Chores

  • Removed unused debug-related dependency.
  • Tightened linting to treat console usage as an error.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Removed debug and @types/debug dependencies; replaced Debug-based logging with Node's util.debuglog (debugLog); added a PEM-resolution helper and a new public method SAML.generateServiceProviderMetadata; adjusted imports in XML handling; tightened ESLint no-console from "warn" to ["error"]. Core behaviors preserved.

Changes

Cohort / File(s)	Summary
Dependency cleanup package.json	Removed dependencies debug ("^4.4.0") and @types/debug ("^4.1.12") from dependencies.
SAML changes src/saml.ts	Replaced Debug logger with util.debuglog (debugLog); reorganized/expanded imports; added helper resolveAndParseKeyInfosToPem for resolving idpCert(s) to PEM strings; added public method `generateServiceProviderMetadata(this: SAML, decryptionCert: string
XML changes src/xml.ts	Replaced Debug logger with util.debuglog (debugLog); adjusted imports (added @xmldom/is-dom-node, @xmldom/xmldom, moved algorithms import); updated catch logging to use gated debugLog; fixed minor error message typo; no exported signatures changed.
Lint rule tightening eslint.config.mjs	Changed no-console rule for **/*.{js,ts} from the string "warn" to the array ["error"] (no other rule edits in this diff).

Sequence Diagram(s)

sequenceDiagram
  participant Caller as Consumer
  participant SAML as SAML.instance
  participant Module as saml module (generateServiceProviderMetadata)

  Note over SAML,Module #e6f7ff: New public method added to SAML class
  Caller->>SAML: generateServiceProviderMetadata(decryptionCert, publicCerts)
  SAML->>Module: generateServiceProviderMetadata(options + certs)
  Module-->>SAML: metadata XML string
  SAML-->>Caller: metadata XML string

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I hop through lines where secrets dwell,
I trade a noisy carrot for a quieter bell.
I stitch the PEMs, a tidy little feat,
A metadata ribbon, neat and sweet.
Bunny approves — small changes, light feet. 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 668c502 and 69ca9c5.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• eslint.config.mjs (1 hunks)
• package.json (0 hunks)
• src/saml.ts (3 hunks)
• src/xml.ts (4 hunks)

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/saml.ts (1)

866-872: Remove leftover commented debug call (non-blocking).

Since the debug dependency is gone, keep the catch clean to avoid confusion.

-      // debug("validatePostResponse resulted in an error: %s", err);

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d8d66f and deb3413.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• package.json (0 hunks)
• src/saml.ts (1 hunks)
• src/xml.ts (1 hunks)

💤 Files with no reviewable changes (1)

• package.json

🧰 Additional context used

🪛 GitHub Actions: Build Status

src/xml.ts

[error] 242-242: ESLint: 'err' is defined but never used. (@typescript-eslint/no-unused-vars)

[markstos]

I agree with the rationale here.

And while leaving commented out code usually is a code smell. Here it's helpful if we want to temporarily add back a debug function.

Another option would be a zero-dependency equivalent, like:

if (process.env.DEBUG='true') {
   console.error('Some debug logging');
}

@cjbarth Which approach appeals to you?

[cjbarth]

@markstos , why wouldn't we just use console.debug()? For cases where we aren't serializing a lot of data, the overhead should be minimal. It would be nice to get rid of that dependency (unless we're going to go full-in on it).

This is preferable to me than uncommented code because this is a library and I doubt people will be modifying the code just to do some testing/debugging.

[ahacker1-securesaml]

I left it commented out, so maintainers can choose a strategy that is best.

Let's use console.debug:

if (process.env.NODE_SAML_DEBUG='true') {
   console.debug('Some debug logging');
}

or

console.debug('...')

[cjbarth]

There's no need for the if guard IMO.

[ahacker1-securesaml]

Looks good to me!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

eslint.config.mjs (2)

38-38: Consider util.debuglog for opt‑in, namespaced debug without an env guard.
Keeps zero dependency, avoids unconditional stdout in libraries, and mirrors debug’s opt‑in via NODE_DEBUG=node-saml.

TypeScript example (outside this file):

import { debuglog } from "node:util";
const debug = debuglog("node-saml");

// Usage:
debug("validatePostResponse resulted in an error: %s", err);

---

38-38: Optional: relax console rules in tests/fixtures.
If your tests or sample code use console.log/info/trace, consider disabling no-console just for **/*.spec.{js,ts} or adding those methods to allow in that block to reduce friction.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f205a75 and a2600fd.

📒 Files selected for processing (3)

• eslint.config.mjs (1 hunks)
• src/saml.ts (1 hunks)
• src/xml.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/saml.ts
• src/xml.ts

🔇 Additional comments (1)

eslint.config.mjs (1)

38-38: Console policy tightened to allow only debug/warn/error — aligns with removing debug. LGTM.
This matches the move to console.debug while still blocking noisy console.log/info.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/xml.ts (1)

225-235: Missing XPath-injection guard in validateXmlSignatureWithPemFile.

Unlike getVerifiedXml(), this path interpolates refId into an XPath literal without rejecting quotes. A crafted refId containing ' or " could alter the XPath and defeat the intended check. Add the same guard here before building the XPath.

   const refId = refUri[0] === "#" ? refUri.substring(1) : refUri;
+  // prevent XPath injection
+  if (refId.includes("'") || refId.includes('"')) {
+    throw new Error("ref URI included quote character ' or \". Not a valid ID, and not allowed");
+  }
   // If we can't find the reference at the top level, reject
   const idAttribute = currentNode.getAttribute("ID") ? "ID" : "Id";

🧹 Nitpick comments (3)

src/xml.ts (2)

136-138: Typo in error message ("it's" → "its").

Minor user-facing string polish.

-      throw new Error("Invalid signature: Referenced node does not refer to it's parent element");
+      throw new Error("Invalid signature: Referenced node does not refer to its parent element");

---

241-246: Optional: enrich debug detail while keeping noise contained.

Log stack/message discriminately; still silent unless NODE_DEBUG matches.

-  } catch (err) {
-    debugLog("signature check resulted in an error: %s", err);
+  } catch (err) {
+    debugLog(
+      "signature check resulted in an error: %s",
+      err instanceof Error ? (err.stack ?? err.message) : util.inspect(err),
+    );
     return false;
   }

src/saml.ts (1)

653-665: Cache semantics OK; consider deduping PEMs (optional).

If upstream returns duplicates, you can normalize once to reduce work in .some() checks. Low impact.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2600fd and 668c502.

📒 Files selected for processing (3)

• eslint.config.mjs (1 hunks)
• src/saml.ts (3 hunks)
• src/xml.ts (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• eslint.config.mjs

🧰 Additional context used

🧬 Code graph analysis (1)

src/saml.ts (1)

test/tests.spec.ts (8)

• saml (3295-3310)
• samlConfig (561-582)
• samlConfig (450-466)
• samlConfig (662-682)
• samlConfig (584-602)
• samlConfig (540-559)
• samlConfig (684-728)
• samlConfig (1613-1638)

🔇 Additional comments (6)

src/xml.ts (2)

20-20: Good swap to util.debuglog("node-saml").

Removes third-party risk; zero-cost when NODE_DEBUG is unset.

---

121-126: Nice: XPath injection guard on refId.

This mirrors the project’s prior hardening and is worth keeping.

src/saml.ts (4)

48-49: Good move to util.debuglog.

Aligns with library use (no console.* and opt-in via NODE_DEBUG).

---

868-874: LGTM: debug-only error logging with proper cache cleanup and rethrow.

Behavior preserved; logging is opt-in.

---

1356-1362: Scope check: new public API generateServiceProviderMetadata().

This is a semver-minor public surface addition unrelated to “remove debug.” Confirm it’s intentionally part of this PR and update changelog/docs accordingly. Tests already exercise it (good).

---

53-72: IdP cert callback signature confirmed — promisify usage is correct.
IdpCertCallback is defined as (callback: (err: Error | null, publicCert?: string | string[]) => void) => void in src/types.ts:78 and tests (test/samlTests.spec.ts — e.g. lines ~108,122,135,195) call it with a single cb; util.promisify(idpCert as IdpCertCallback)() is appropriate.

[cjbarth]

225-235: Missing XPath-injection guard in validateXmlSignatureWithPemFile.

Unlike getVerifiedXml(), this path interpolates refId into an XPath literal without rejecting quotes. A crafted refId containing ' or " could alter the XPath and defeat the intended check. Add the same guard here before building the XPath.

   const refId = refUri[0] === "#" ? refUri.substring(1) : refUri;
+  // prevent XPath injection
+  if (refId.includes("'") || refId.includes('"')) {
+    throw new Error("ref URI included quote character ' or \". Not a valid ID, and not allowed");
+  }
   // If we can't find the reference at the top level, reject
   const idAttribute = currentNode.getAttribute("ID") ? "ID" : "Id";

@ahacker1-securesaml or @srd90, what do you think of this suggestion from coderabbitai?

[ahacker1-securesaml]

validateXmlSignatureWithPemFile

I believe that this was an old method used to verify signatures. Now we have getVerifiedXML(), which has been tested to work. we can remove the old method, and replace usages with getVerifiedXML(). I will do this in a separate PR.

[cjbarth]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.