
@mymeditech


Clever Coding Standards Agreement

JIRA

No JIRA ticket provided (External contribution/Security fix)

Overview

This PR updates the project dependency xmlbuilder2 to version >=4.0 in order to mitigate a downstream security vulnerability.

Currently, saml2-js depends on xmlbuilder2@^2.4.0. This older version of xmlbuilder2 transitively pulls in [email protected], which contains a known prototype pollution vulnerability (CVE-2025-64718 / GHSA-mh29-5h37-fv8m).

By updating xmlbuilder2 to version 4.0 or higher, we ensure that a patched version of js-yaml (>=4.1.1) is used, resolving the security risk.

Vulnerability Details:

  • CVE: CVE-2025-64718
  • Severity: Moderate (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  • Impact: Attackers can modify the prototype of the result of a parsed YAML document via __proto__.

Testing

This is a dependency update. Testing should focus on ensuring no regression in XML generation functionality.

  • Unit Tests: Ran the existing test suite to verify that saml2-js functionality remains stable with the new xmlbuilder2 version.

Rollout

  • Risks: Low. While xmlbuilder2 v4.0 may have API changes compared to v2.4.0, basic usage often remains compatible.

Rollback

  • Steps: Revert this commit and re-install dependencies
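To make the "modify the prototype of the result" impact in the vulnerability details concrete, here is an added example that is not code from saml2-js, xmlbuilder2 or js-yaml: a minimal YAML-like mapping builder that stores keys with plain assignment (the hazard pattern), next to one that stores them with Object.defineProperty (one standard mitigation). The builder functions, the pre-tokenised hostile document and the isAdmin property are all constructed for this illustration and are not taken from the advisory or from the js-yaml fix.

```javascript
// Added example (not js-yaml's, xmlbuilder2's or saml2-js's code).
// Shows how a "__proto__" mapping key reaches the parsed document's
// prototype when the parser uses plain property assignment, and how
// defining the key as an own data property avoids that.

// Naive builder: plain assignment. For a fresh {} the key "__proto__"
// resolves to the inherited Object.prototype.__proto__ setter, so the
// attacker-supplied value becomes the result's prototype.
function buildMappingNaive(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    result[key] = value;
  }
  return result;
}

// Hardened builder: an own data property named "__proto__" is created
// instead, so the prototype chain of the result is left untouched.
function buildMappingSafe(pairs) {
  const result = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(result, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return result;
}

// Constructed hostile document, already tokenised into key/value pairs,
// standing in for the YAML:
//   user: alice
//   __proto__:
//     isAdmin: true
const HOSTILE_PAIRS = [
  ["user", "alice"],
  ["__proto__", { isAdmin: true }],
];

// What a consumer of the parsed document would observe.
function inspect(doc) {
  return {
    // Does an attribute the document never declared read as true?
    isAdmin: doc.isAdmin === true,
    // Which keys did the parser actually write as own properties?
    ownKeys: Object.keys(doc),
    // Was the result's prototype swapped for attacker-controlled data?
    protoHijacked: Object.getPrototypeOf(doc) !== Object.prototype,
    // Sanity check: the shared Object.prototype must stay clean in both cases.
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

// Run both builders over the same hostile input and return the findings.
function demo() {
  return {
    naive: inspect(buildMappingNaive(HOSTILE_PAIRS)),
    safe: inspect(buildMappingSafe(HOSTILE_PAIRS)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The naive result reports isAdmin as true even though Object.keys lists only "user", which is exactly the kind of silent privilege check bypass a consumer of a parsed config or SAML-related document would miss; the hardened result keeps "__proto__" as an ordinary key and inherits nothing from it. Neither path touches the global Object.prototype, matching the advisory's scope (the result object's prototype, not the whole process).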

@mymeditech (Author)

mymeditech commented Dec 2, 2025

Link provided for creating jira issue is invalid: http://go/soc-pr. How does one create a Jira ticket in the Clever Jira workspace?
