simplesamlphp/xml-security not compatiable with drupal 10.6.5

[maheshv546]

There is a security vulnerability when upgrading simplesamlphp/xml-security from 1.12.0 to 1.13.9, and we also had to downgrade the Drupal core version from 10.6.5 to 10.5.8 to update this library to 1.13.9.

1. To fix the security vulnerability, we need to upgrade simplesamlphp/xml-security from 1.12.0 to 1.13.9.
2. Upgrading to 1.13.9 requires upgrading and downgrading several packages.
3. Packages to be upgraded:
   simplesamlphp/xml-common (v1.23.2 → v1.25.0)
   simplesamlphp/simplesamlphp-assets-base (v2.3.15 → v2.4.6)
   simplesamlphp/xml-soap (v1.6.0 → v1.7.1)
   simplesamlphp/saml2 (v5.0.1 → v5.0.5)
4. Packages to be downgraded:
   simplesamlphp/assert (v1.9.1 → v1.8.1)
   drupal/core (10.6.5 → 10.5.8)
   drupal/core-recommended (10.6.5 → 10.5.8)
   webmozart/assert (1.12.1 → 1.11.0)
   twig/twig (v3.22.2 → v3.20.0)
   pear/archive_tar (1.6.0 → 1.5.0)

[tvdijen]

Are you even vulnerable to the decryption issue that's being solved?
I've tagged simplesamlphp/assert v1.8.4 that should solve the issue of needing to downgrade packages.

[maheshv546]

lando composer why-not simplesamlphp/xml-security 1.13.9

simplesamlphp/xml-security v1.13.9 requires simplesamlphp/assert (~1.8.1)
voya/drupal-platform 3.x-dev does not require simplesamlphp/assert (but v1.9.1 is installed)
simplesamlphp/xml-security v1.13.9 requires simplesamlphp/xml-common (~1.25.0)
voya/drupal-platform 3.x-dev does not require simplesamlphp/xml-common (but v1.23.2 is installed)

[tvdijen]

It all makes zero sense to me, sorry.