Update Dependencies

[cjbarth]

Update dependencies. This includes work to migrate to the new eslint configuration structure.

Node@20 is now the minimum supported version. Typescript@5.9 is also in use. We have not yet moved to ESM-only. That is planned for v8 of this library.

Summary by CodeRabbit

• Chores

  • Updated dependencies and tooling; Node minimum requirement raised to >=20
  • Migrated linting configuration to the new format

• Documentation

  • Added contributor guidance (AGENTS.md)

• Refactor

  • Centralized XML parsing across the codebase (internal implementation change)

• Tests

  • Updated tests to use the centralized XML parsing approach

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrates ESLint from a legacy JSON config to a flat eslint.config.js, updates many dev dependencies (including Node engine >=20), adds src/utils.parseXml() and refactors XML parsing to use it across core code and tests, plus small import and test cleanups and an AGENTS.md doc.

Changes

Cohort / File(s)	Summary
ESLint config /.eslintrc.json, eslint.config.js	Removed legacy .eslintrc.json; added flat eslint.config.js with TypeScript, @eslint/js, simple-import-sort, Prettier integration and test overrides.
Package manifest package.json	Bumped many devDependencies (ESLint -> 10, @typescript-eslint, Prettier, Mocha, nyc, TypeScript -> 5.8, etc.), added @eslint/js, eslint-plugin-simple-import-sort, globals; raised Node engine to >=20.
XML parsing utility src/utils.ts, src/signed-xml.ts	Added export function parseXml(xml: string): Document in src/utils.ts and refactored src/signed-xml.ts to use utils.parseXml() instead of direct xmldom DOMParser usage; normalized XPath node handling.
Tests — parser migration test/... test/c14n-non-exclusive-unit-tests.spec.ts, test/c14nWithComments-unit-tests.spec.ts, test/canonicalization-unit-tests.spec.ts, test/document-tests.spec.ts, test/hmac-tests.spec.ts, test/key-info-tests.spec.ts, test/saml-response-tests.spec.ts, test/signature-integration-tests.spec.ts, test/signature-object-tests.spec.ts, test/signature-unit-tests.spec.ts, test/utils-tests.spec.ts, test/wsfed-metadata-tests.spec.ts	Replaced direct new xmldom.DOMParser().parseFromString(...) uses with utils.parseXml(...), removed redundant xmldom imports, adjusted some imports and minor test formatting.
Minor code/import adjustments src/signature-algorithms.ts, src/c14n-canonicalization.ts, src/enveloped-signature.ts, src/exclusive-canonicalization.ts, src/hash-algorithms.ts, src/types.ts	Small import reorder/duplication cleanups, removed one ESLint suppression comment, switched to bare catch in one spot; no public API changes.
Docs / contributor guidance AGENTS.md	Added AGENTS.md with contributor notes, scope, conventions, and verification steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add support for inserting and signing Object elements inside the Signature #506 — modifies SignedXml and utilities; related to the signed-xml.ts and utils.parseXml refactor in this PR.

Suggested labels

enhancement

Poem

🐇 I hopped through configs, neat and spry,

Old lints retired, new rules on high.
One parser to rule the XML sea,
Tests aligned — tidy as can be.
A joyful twitch — commit, oh me! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The PR title "Update Dependencies" is vague and overly generic. While the primary change involves updating dependencies, the title obscures significant structural changes including ESLint configuration migration and removal of the old .eslintrc.json file.	Consider a more descriptive title such as "Migrate to ESLint flat config and update dependencies" or "Update dependencies and migrate ESLint configuration" to better reflect the major structural changes alongside dependency updates.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 82.35294% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.84%. Comparing base (627d83f) to head (7550c90).
⚠️ Report is 14 commits behind head on master.

Files with missing lines	Patch %	Lines
src/signed-xml.ts	76.92%	1 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #533      +/-   ##
==========================================
+ Coverage   73.05%   77.84%   +4.78%     
==========================================
  Files           9        9              
  Lines         902     1029     +127     
  Branches      239      270      +31     
==========================================
+ Hits          659      801     +142     
- Misses        143      185      +42     
+ Partials      100       43      -57     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/signed-xml.ts (1)

1097-1107: ⚠️ Potential issue | 🔴 Critical

Normalize resolver output in addAllReferences before validation/iteration.

Line 1097 assumes xpath.selectWithResolver(...) always returns an array, but line 950–955 already handles cases where it returns a single node. Both code paths must be consistent to avoid false "xpath not found" errors when selectWithResolver returns a single node instead of an array.

Proposed fix

-      const nodes = xpath.selectWithResolver(ref.xpath ?? "", doc, this.namespaceResolver);
-
-      if (!utils.isArrayHasLength(nodes)) {
+      const selectedNodes = xpath.selectWithResolver(ref.xpath ?? "", doc, this.namespaceResolver);
+      const nodes = isDomNode.isArrayOfNodes(selectedNodes)
+        ? selectedNodes
+        : isDomNode.isNodeLike(selectedNodes)
+          ? [selectedNodes]
+          : [];
+
+      if (!utils.isArrayHasLength(nodes)) {
         throw new Error(
           `the following xpath cannot be signed because it was not found: ${ref.xpath}`,
         );
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/signed-xml.ts` around lines 1097 - 1107, In addAllReferences, normalize
the output of xpath.selectWithResolver(ref.xpath ?? "", doc,
this.namespaceResolver) to always be an array before calling
utils.isArrayHasLength and before iterating; detect if the resolver returned
null/undefined or a single node and convert to [] or [node] respectively so the
subsequent length check and for (const node of nodes) {
isDomNode.assertIsElementNode(node); } behave consistently; update references to
nodes so downstream logic expects an array.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 47-70: The ESLint peer dependency conflict is caused by
eslint@^10.0.2 vs `@typescript-eslint/`* (typescript-eslint@8.56.1,
`@typescript-eslint/parser`, `@typescript-eslint/eslint-plugin`) which require
eslint ^8.57.0 || ^9.0.0; fix by either downgrading "eslint" to a 9.x range
(e.g., "^9.22.0") or upgrading all `@typescript-eslint` packages
(typescript-eslint, `@typescript-eslint/parser`, `@typescript-eslint/eslint-plugin`)
to versions that declare compatibility with ESLint 10.x, and then run npm
install to verify peers; also if the PR intends to adopt TypeScript 5.9, update
the "typescript" entry (currently "5.8") to "5.9" to match the stated objective.

---

Outside diff comments:
In `@src/signed-xml.ts`:
- Around line 1097-1107: In addAllReferences, normalize the output of
xpath.selectWithResolver(ref.xpath ?? "", doc, this.namespaceResolver) to always
be an array before calling utils.isArrayHasLength and before iterating; detect
if the resolver returned null/undefined or a single node and convert to [] or
[node] respectively so the subsequent length check and for (const node of nodes)
{ isDomNode.assertIsElementNode(node); } behave consistently; update references
to nodes so downstream logic expects an array.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d34734c-0af7-40ed-b569-bbc100313903

📥 Commits

Reviewing files that changed from the base of the PR and between b673581 and 7550c90.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (21)

• .eslintignore
• .eslintrc.json
• AGENTS.md
• eslint.config.js
• package.json
• src/signature-algorithms.ts
• src/signed-xml.ts
• src/types.ts
• src/utils.ts
• test/c14n-non-exclusive-unit-tests.spec.ts
• test/c14nWithComments-unit-tests.spec.ts
• test/canonicalization-unit-tests.spec.ts
• test/document-tests.spec.ts
• test/hmac-tests.spec.ts
• test/key-info-tests.spec.ts
• test/saml-response-tests.spec.ts
• test/signature-integration-tests.spec.ts
• test/signature-object-tests.spec.ts
• test/signature-unit-tests.spec.ts
• test/utils-tests.spec.ts
• test/wsfed-metadata-tests.spec.ts

💤 Files with no reviewable changes (2)

• src/types.ts
• .eslintrc.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json, urllib.request, urllib.parse

deps = {
  "eslint": "10.0.2",
  "@eslint/js": "10.0.1",
  "@typescript-eslint/parser": "8.56.1",
  "@typescript-eslint/eslint-plugin": "8.56.1",
  "typescript-eslint": "8.56.1",
  "typescript": "5.8",
  "ejs": "4.0.1"
}

def fetch(pkg):
  url = f"https://registry.npmjs.org/{urllib.parse.quote(pkg, safe='')}"
  with urllib.request.urlopen(url) as r:
    return json.load(r)

for pkg, ver in deps.items():
  data = fetch(pkg)
  exists = ver in data.get("versions", {})
  print(f"{pkg}@{ver} exists: {exists}")
  if exists and pkg in {
      "@typescript-eslint/parser",
      "@typescript-eslint/eslint-plugin",
      "typescript-eslint"
  }:
    peer = data["versions"][ver].get("peerDependencies", {})
    print(f"  peerDependencies: {peer}")
PY

Repository: node-saml/xml-crypto

Length of output: 2682

---

🌐 Web query:

@typescript-eslint/eslint-plugin 8.56.1 npm peer dependencies TypeScript

💡 Result:

For @typescript-eslint/eslint-plugin@8.56.1, the TypeScript peer dependency range is:

• typescript: >=4.8.4 <6.0.0 [1][2]

Sources: package metadata showing the peerDependencies for @typescript-eslint/eslint-plugin@8.56.1 [1], and the typescript-eslint “Dependency Versions” page (TypeScript supported range) [2].

---

🌐 Web query:

typescript-eslint 8.56.1 npm package peer dependencies

💡 Result:

For the typescript-eslint npm package (the meta-package that depends on @typescript-eslint/eslint-plugin, @typescript-eslint/parser, etc.), the peerDependencies are:

• eslint: ^8.57.0 || ^9.0.0
• typescript: >=4.8.4 <6.0.0 [1]

These align with the TypeScript-ESLint project’s published supported ESLint version range. [2]

Sources:
[1] (app.unpkg.com)
[2] (typescript-eslint.io)

Citations:

• 1: https://app.unpkg.com/typescript-eslint%408.43.0/files/package.json
• 2: https://typescript-eslint.io/users/dependency-versions/?utm_source=openai

---

🌐 Web query:

TypeScript 5.8 5.9 npm releases versions

💡 Result:

TypeScript npm package (typescript) releases in the 5.8 and 5.9 lines (as reflected by the TypeScript repo tags / npm-dist versions) include:

• 5.8 pre-releases: 5.8.0-beta, 5.8.1-rc (tagged as v5.8-beta, v5.8-rc) [1]

• 5.8 stable: 5.8.2, 5.8.3 (tags v5.8.2, v5.8.3) [1]

• 5.9 pre-releases: 5.9.0-beta, 5.9.1-rc (tags v5.9-beta, v5.9-rc) [1]

• 5.9 stable: 5.9.2, 5.9.3 (tags v5.9.2, v5.9.3) [1][2]

Sources: GitHub tags list for microsoft/TypeScript [1] and ecosyste.ms npm registry mirror showing current latest release 5.9.3 [2].

[1] (github.com)
[2] (packages.ecosyste.ms)

Citations:

• 1: https://github.com/microsoft/TypeScript/tags
• 2: https://packages.ecosyste.ms/registries/npmjs.org/packages/typescript

---

Resolve the ESLint major version conflict: typescript-eslint@8.56.1 requires eslint ^8.57.0 || ^9.0.0, but package.json declares eslint@^10.0.2.

This incompatibility will cause npm peer dependency failures during install. Downgrade eslint to 9.x or upgrade typescript-eslint (and related @typescript-eslint/* packages) to a version compatible with ESLint 10.x.

Additionally, TypeScript is pinned to 5.8, which satisfies the peer dependency range but differs from any 5.9 adoption claim in the PR objective.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 47 - 70, The ESLint peer dependency conflict is
caused by eslint@^10.0.2 vs `@typescript-eslint/`* (typescript-eslint@8.56.1,
`@typescript-eslint/parser`, `@typescript-eslint/eslint-plugin`) which require
eslint ^8.57.0 || ^9.0.0; fix by either downgrading "eslint" to a 9.x range
(e.g., "^9.22.0") or upgrading all `@typescript-eslint` packages
(typescript-eslint, `@typescript-eslint/parser`, `@typescript-eslint/eslint-plugin`)
to versions that declare compatibility with ESLint 10.x, and then run npm
install to verify peers; also if the PR intends to adopt TypeScript 5.9, update
the "typescript" entry (currently "5.8") to "5.9" to match the stated objective.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

eslint.config.js (1)

21-24: Scope Mocha globals to test files only.

globals.mocha is currently available in all **/*.ts files, which can mask accidental test-global usage in production sources.

Proposed fix

       globals: {
         ...globals.node,
-        ...globals.mocha,
         ...globals.es2020,
         Attr: "readonly",
         ChildNode: "readonly",
@@
   {
     files: ["test/**/*.ts"],
+    languageOptions: {
+      globals: {
+        ...globals.mocha,
+      },
+    },
     rules: {
       "@typescript-eslint/no-unused-expressions": "off",
     },
   },

Also applies to: 54-58

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@eslint.config.js` around lines 21 - 24, The ESLint config is leaking Mocha
globals into all source files because ...globals.mocha is spread into the
top-level globals; remove ...globals.mocha from the top-level globals and
instead add an overrides entry (using overrides: [{ files:
["**/*.test.ts","**/*.spec.ts","test/**"], globals: { ...globals.node,
...globals.es2020, ...globals.mocha } }]) so Mocha globals are only enabled for
test files; update both places where ...globals.mocha is currently used (the
top-level globals block and the second occurrence) to follow this pattern.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@eslint.config.js`:
- Line 41: Replace the core ESLint rule "no-use-before-define" with the
TypeScript-aware "@typescript-eslint/no-use-before-define" in the config: remove
or disable "no-use-before-define" and add
"@typescript-eslint/no-use-before-define": "error" (or desired setting) so
TypeScript syntax is handled correctly; update any rule ordering or plugin
entries if needed to ensure "@typescript-eslint" rules are applied.

In `@src/signed-xml.ts`:
- Around line 601-606: The loadSignature(string) path currently assigns the
parsed Document returned by utils.parseXml(signatureNode) to this.signatureNode,
which breaks SignedInfo direct-children lookup; change the logic in
loadSignature to detect when utils.parseXml(...) returns a Document and assign
its documentElement (the root Element) to this.signatureNode instead of the
Document, then set this.signatureXml from that element's string form; apply the
same fix to the other occurrence referenced (the block around the later
assignment to this.signatureNode/this.signatureXml) so both branches store the
parsed Element rather than the whole Document.

---

Nitpick comments:
In `@eslint.config.js`:
- Around line 21-24: The ESLint config is leaking Mocha globals into all source
files because ...globals.mocha is spread into the top-level globals; remove
...globals.mocha from the top-level globals and instead add an overrides entry
(using overrides: [{ files: ["**/*.test.ts","**/*.spec.ts","test/**"], globals:
{ ...globals.node, ...globals.es2020, ...globals.mocha } }]) so Mocha globals
are only enabled for test files; update both places where ...globals.mocha is
currently used (the top-level globals block and the second occurrence) to follow
this pattern.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a283ce54-ddac-40d3-8389-2744f6845ca9

📥 Commits

Reviewing files that changed from the base of the PR and between 7550c90 and 3cf4de6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (21)

• eslint.config.js
• package.json
• src/c14n-canonicalization.ts
• src/enveloped-signature.ts
• src/exclusive-canonicalization.ts
• src/hash-algorithms.ts
• src/signature-algorithms.ts
• src/signed-xml.ts
• src/utils.ts
• test/c14n-non-exclusive-unit-tests.spec.ts
• test/c14nWithComments-unit-tests.spec.ts
• test/canonicalization-unit-tests.spec.ts
• test/document-tests.spec.ts
• test/hmac-tests.spec.ts
• test/key-info-tests.spec.ts
• test/saml-response-tests.spec.ts
• test/signature-integration-tests.spec.ts
• test/signature-object-tests.spec.ts
• test/signature-unit-tests.spec.ts
• test/utils-tests.spec.ts
• test/wsfed-metadata-tests.spec.ts

✅ Files skipped from review due to trivial changes (3)

• src/hash-algorithms.ts
• src/c14n-canonicalization.ts
• src/exclusive-canonicalization.ts

🚧 Files skipped from review as they are similar to previous changes (10)

• test/document-tests.spec.ts
• test/c14nWithComments-unit-tests.spec.ts
• test/c14n-non-exclusive-unit-tests.spec.ts
• test/signature-unit-tests.spec.ts
• test/canonicalization-unit-tests.spec.ts
• src/utils.ts
• test/utils-tests.spec.ts
• test/key-info-tests.spec.ts
• test/hmac-tests.spec.ts
• package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "eslint.config.js" -type f

Repository: node-saml/xml-crypto

Length of output: 82

---

🏁 Script executed:

cat -n eslint.config.js

Repository: node-saml/xml-crypto

Length of output: 2235

---

🏁 Script executed:

head -50 eslint.config.js | cat -n

Repository: node-saml/xml-crypto

Length of output: 1979

---

🏁 Script executed:

wc -l eslint.config.js && head -62 eslint.config.js | cat -n

Repository: node-saml/xml-crypto

Length of output: 2255

---

🌐 Web query:

no-use-before-define vs @typescript-eslint/no-use-before-define TypeScript

💡 Result:

What’s the difference?

no-use-before-define (ESLint core)

• The built-in ESLint rule that flags using identifiers before they’re declared (variables, functions, classes, etc.). (eslint.org)

@typescript-eslint/no-use-before-define (TypeScript-ESLint)

• A TypeScript-aware version that extends the ESLint core rule to better handle TypeScript syntax/semantics. (typescript-eslint.io)

Which should you use in TypeScript?

• In TypeScript projects, the common guidance is: turn off the ESLint core rule and turn on @typescript-eslint/no-use-before-define, to avoid incorrect reports and ensure TS syntax is handled properly. (typescript-eslint.io)

Typical config

// .eslintrc.cjs / .eslintrc.js
module.exports = {
  rules: {
    "no-use-before-define": "off",
    "@typescript-eslint/no-use-before-define": "error",
  },
};

(typescript-eslint.io)

Citations:

• 1: https://eslint.org/docs/latest/rules/no-use-before-define?utm_source=openai
• 2: https://typescript-eslint.io/rules/no-use-before-define/?utm_source=openai
• 3: https://typescript-eslint.io/rules/no-use-before-define/?utm_source=openai
• 4: https://typescript-eslint.io/rules/no-use-before-define/?utm_source=openai

---

Use the TypeScript-aware no-use-before-define rule.

The core ESLint rule cannot properly handle TypeScript syntax and semantics, causing incorrect or noisy lint failures. Replace it with @typescript-eslint/no-use-before-define.

Proposed fix

-      "no-use-before-define": "error",
+      "no-use-before-define": "off",
+      "@typescript-eslint/no-use-before-define": "error",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"no-use-before-define": "error",
	"no-use-before-define": "off",
	"@typescript-eslint/no-use-before-define": "error",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@eslint.config.js` at line 41, Replace the core ESLint rule
"no-use-before-define" with the TypeScript-aware
"@typescript-eslint/no-use-before-define" in the config: remove or disable
"no-use-before-define" and add "@typescript-eslint/no-use-before-define":
"error" (or desired setting) so TypeScript syntax is handled correctly; update
any rule ordering or plugin entries if needed to ensure "@typescript-eslint"
rules are applied.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix loadSignature(string) by storing the parsed signature element, not the whole document.

When signatureNode is a string, utils.parseXml(signatureNode) produces a document. Assigning that directly to this.signatureNode can cause SignedInfo lookup to fail in the direct-children check path.

🐛 Proposed fix

-    const signatureNodeParsed =
-      typeof signatureNode === "string" ? utils.parseXml(signatureNode) : signatureNode;
+    const signatureNodeParsed =
+      typeof signatureNode === "string"
+        ? utils.parseXml(signatureNode).documentElement
+        : signatureNode;
     this.signatureNode = signatureNodeParsed;

     this.signatureXml = signatureNodeParsed.toString();

Also applies to: 628-631

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/signed-xml.ts` around lines 601 - 606, The loadSignature(string) path
currently assigns the parsed Document returned by utils.parseXml(signatureNode)
to this.signatureNode, which breaks SignedInfo direct-children lookup; change
the logic in loadSignature to detect when utils.parseXml(...) returns a Document
and assign its documentElement (the root Element) to this.signatureNode instead
of the Document, then set this.signatureXml from that element's string form;
apply the same fix to the other occurrence referenced (the block around the
later assignment to this.signatureNode/this.signatureXml) so both branches store
the parsed Element rather than the whole Document.