Tim-sandbox / nodegoat

Apache License 2.0

Update dependency helmet to v4 - autoclosed #119

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| helmet (source) | dependencies | major | `^2.0.0` -> `^4.0.0` |

Release Notes

helmetjs/helmet

### [`v4.6.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#460---2021-05-01)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.5.0...v4.6.0)

##### Added

- `helmet.contentSecurityPolicy`: the `useDefaults` option, defaulting to `false`, lets you selectively override defaults more easily
- Explicitly define TypeScript types in `package.json`. See [#303](https://togithub.com/helmetjs/helmet/pull/303)

### [`v4.5.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#450---2021-04-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.1...v4.5.0)

##### Added

- `helmet.crossOriginEmbedderPolicy`: a new middleware for the `Cross-Origin-Embedder-Policy` header, disabled by default
- `helmet.crossOriginOpenerPolicy`: a new middleware for the `Cross-Origin-Opener-Policy` header, disabled by default
- `helmet.crossOriginResourcePolicy`: a new middleware for the `Cross-Origin-Resource-Policy` header, disabled by default

##### Changed

- `true` enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
- Log a warning when passing options to `originAgentCluster` at the top level

##### Fixed

- Incorrect documentation

### [`v4.4.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#441---2021-01-18)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.0...v4.4.1)

##### Changed

- Shrink the published package by about 2.5 kB

### [`v4.4.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#440---2021-01-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.1...v4.4.0)

##### Added

- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` header, disabled by default

### [`v4.3.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#431---2020-12-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.0...v4.3.1)

##### Fixed

- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://togithub.com/helmetjs/helmet/issues/283)

### [`v4.3.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#430---2020-12-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.2.0...v4.3.0)

##### Added

- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it

##### Changed

- `helmet.frameguard`: slightly improved error messages for non-strings

### [`v4.2.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#420---2020-11-01)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.1...v4.2.0)

##### Added

- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`

##### Changed

- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://togithub.com/helmetjs/helmet/pull/264)

### [`v4.1.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#411---2020-09-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.0...v4.1.1)

##### Changed

- Fixed a few errors in the README

### [`v4.1.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#410---2020-08-15)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.0.0...v4.1.0)

##### Added

- `helmet.contentSecurityPolicy`:
  - Directive values can now include functions, as they could in Helmet 3. See [#243](https://togithub.com/helmetjs/helmet/issues/243)

##### Changed

- Helmet should now play more nicely with TypeScript

##### Removed

- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://togithub.com/helmetjs/helmet/issues/235#issuecomment-674016883)

### [`v4.0.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#400---2020-08-02)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.3...v4.0.0)

See the [Helmet 4 upgrade guide](https://togithub.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.

##### Added

- `helmet.contentSecurityPolicy`:
  - If no `default-src` directive is supplied, an error is thrown
  - Directive lists can be any iterable, not just arrays

##### Changed

- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
  - There is now a default set of directives if none are supplied
  - Duplicate keys now throw an error. See [helmetjs/csp#73](https://togithub.com/helmetjs/csp/issues/73)
  - This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://togithub.com/helmetjs/helmet/issues/230)

##### Removed

- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
  - Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://togithub.com/helmetjs/csp/issues/97)
  - Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
  - Removed a lot of checks—you should be checking your CSP with a different tool
  - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
  - Removed the `loose` option
  - Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
  - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://togithub.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://togithub.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://togithub.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
  - Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://togithub.com/helmetjs/helmet/issues/231)
  - Dropped support for `setIf`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware) See [#232](https://togithub.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.

### [`v3.23.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3233---2020-06-26)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.2...v3.23.3)

##### Changed

- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.

### [`v3.23.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3232---2020-06-23)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.1...v3.23.2)

##### Changed

- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.

### [`v3.23.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3231---2020-06-16)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.0...v3.23.1)

##### Changed

- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.

### [`v3.23.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3230---2020-06-12)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.1...v3.23.0)

##### Deprecated

- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.

### [`v3.22.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3221---2020-06-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.0...v3.22.1)

##### Changed

- Rewrote internals in TypeScript. This should have no effect on end users.

### [`v3.22.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3220---2020-03-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.3...v3.22.0)

##### Changed

- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://togithub.com/helmetjs/csp/pull/103)

##### Deprecated

- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://togithub.com/helmetjs/helmet/issues/215)

### [`v3.21.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3213---2020-02-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.2...v3.21.3)

##### Changed

- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://togithub.com/helmetjs/csp/issues/96) and [#101](https://togithub.com/helmetjs/csp/pull/101)

### [`v3.21.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3212---2019-10-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.1...v3.21.2)

##### Changed

- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://togithub.com/helmetjs/csp/pull/94)

### [`v3.21.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3211---2019-09-20)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.0...v3.21.1)

##### Fixed

- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version

### [`v3.21.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3210---2019-09-04)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.20.1...v3.21.0)

##### Added

- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`

##### Changed

- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://togithub.com/helmetjs/csp/pull/88)

### [`v3.20.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3201---2019-08-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.20.0...v3.20.1)

##### Changed

- Updated `helmet-csp` to v2.9.0

### [`v3.20.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3200---2019-07-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.19.0...v3.20.0)

##### Changed

- Updated `helmet-csp` to v2.8.0

### [`v3.19.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3190---2019-07-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.18.0...v3.19.0)

##### Changed

- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0

### [`v3.18.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3180---2019-05-05)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.17.0...v3.18.0)

##### Added

- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`

##### Changed

- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0

### [`v3.17.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3170---2019-05-03)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.16.0...v3.17.0)

##### Added

- `referrerPolicy` now supports multiple values

##### Changed

- Updated `referrerPolicy` to v1.2.0

### [`v3.16.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3160---2019-03-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.15.1...v3.16.0)

##### Added

- Add email to `bugs` field in `package.json`

##### Changed

- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://togithub.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information

##### Deprecated

- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://togithub.com/helmetjs/hsts/issues/22) for more
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://togithub.com/helmetjs/hsts/issues/21) for more

### [`v3.15.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3151---2019-02-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.15.0...v3.15.1)

##### Deprecated

- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://togithub.com/helmetjs/helmet/issues/180) for more.

### [`v3.15.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3150---2018-11-07)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.14.0...v3.15.0)

##### Added

- `helmet.featurePolicy` now supports four new features

### [`v3.14.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3140---2018-10-09)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.13.0...v3.14.0)

##### Added

- `helmet.featurePolicy` middleware

### [`v3.13.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3130---2018-07-22)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.2...v3.13.0)

##### Added

- `helmet.permittedCrossDomainPolicies` middleware

### [`v3.12.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3122---2018-07-20)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.1...v3.12.2)

##### Fixed

- Removed `lodash.reduce` dependency from `csp`

### [`v3.12.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3121---2018-05-16)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.0...v3.12.1)

##### Fixed

- `expectCt` should use comma instead of semicolon as delimiter

### [`v3.12.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3120---2018-03-02)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.11.0...v3.12.0)

##### Added

- `xssFilter` now supports `reportUri` option

### [`v3.11.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3110---2018-02-09)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.10.0...v3.11.0)

##### Added

- Main Helmet middleware is now named to help with debugging

### [`v3.10.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3100---2018-01-23)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.9.0...v3.10.0)

##### Added

- `csp` now supports `prefix-src` directive

##### Fixed

- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive

### [`v3.9.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#390---2017-10-13)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.2...v3.9.0)

##### Added

- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive

##### Changed

- Removed `connect` dependency

### [`v3.8.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#382---2017-09-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.1...v3.8.2)

##### Changed

- Updated `connect` dependency to latest

### [`v3.8.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#381---2017-07-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.0...v3.8.1)

##### Fixed

- `csp` does not automatically set `report-to` when setting `report-uri`

### [`v3.8.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#380---2017-07-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.7.0...v3.8.0)

##### Changed

- `hsts` no longer cares whether it's HTTPS and always sets the header

### [`v3.7.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#370---2017-07-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.1...v3.7.0)

##### Added

- `csp` now supports `report-to` directive

##### Changed

- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`

### [`v3.6.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#361---2017-05-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.0...v3.6.1)

##### Changed

- Bump `connect` version

### [`v3.6.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#360---2017-05-04)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.5.0...v3.6.0)

##### Added

- `expectCt` middleware for setting the `Expect-CT` header

### [`v3.5.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#350---2017-03-06)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.1...v3.5.0)

##### Added

- `csp` now supports the `worker-src` directive

### [`v3.4.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#341---2017-02-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.0...v3.4.1)

##### Changed

- Bump `connect` version

### [`v3.4.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#340---2017-01-13)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.3.0...v3.4.0)

##### Added

- `csp` now supports more `sandbox` directives

### [`v3.3.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#330---2016-12-31)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.2.0...v3.3.0)

##### Added

- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives

##### Changed

- Bump `connect` version

### [`v3.2.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#320---2016-12-22)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.1.0...v3.2.0)

##### Added

- `csp` now allows `manifest-src` directive

### [`v3.1.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#310---2016-11-03)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.0.0...v3.1.0)

##### Added

- `csp` now allows `frame-src` directive

### [`v3.0.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#300---2016-10-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v2.3.0...v3.0.0)

##### Changed

- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty

##### Removed

- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.
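Jumping from `^2.0.0` straight to `^4.0.0` crosses every breaking change listed in the `v3.0.0` and `v4.0.0` notes above, and most of them surface only at startup as a thrown error. The script below is an added example, not part of this PR and not Helmet's own code: it audits a Helmet 3-style options object against the rules the release notes state (required `default-src`, duplicate directive keys, removed CSP options, dropped `hsts` options, removed middlewares, `xssFilter` and `hidePoweredBy` taking no options) so the problems can be found before the dependency is bumped. The function names `auditHelmet4Options`, `auditCsp` and `toKebab`, the two sample configurations, and the "looks like milliseconds" heuristic for `hsts.maxAge` are my own assumptions, not Helmet checks.

```javascript
// Added example: pre-upgrade audit of a Helmet 3 options object against the
// Helmet 4 rules quoted in the release notes. Names here are the author's own
// assumptions; only the option and middleware names come from the changelog.

// Middlewares removed from Helmet 4 (v4.0.0 "Removed") and their replacements.
const REMOVED_MIDDLEWARE = {
  featurePolicy: 'use the `feature-policy` package on npm',
  hpkp: 'use the `hpkp` package on npm',
  noCache: 'use the `nocache` package on npm',
};

// contentSecurityPolicy options removed in v4.0.0.
const REMOVED_CSP_OPTIONS = ['browserSniff', 'disableAndroid', 'setAllHeaders', 'loose'];

// Assumed heuristic: maxAge is in seconds (v3.0.0); anything above ~31 years
// of seconds was almost certainly written as milliseconds.
const MAX_AGE_SUSPICIOUS_SECONDS = 1e9;

// scriptSrc and script-src name the same directive; Helmet 4 throws if both
// spellings are supplied, so normalise to kebab-case before comparing.
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

function auditCsp(csp, errors) {
  for (const opt of REMOVED_CSP_OPTIONS) {
    if (opt in csp) errors.push(`contentSecurityPolicy.${opt} was removed in Helmet 4`);
  }
  if (typeof csp.reportOnly === 'function') {
    errors.push('contentSecurityPolicy.reportOnly can no longer be a function');
  }
  const directives = csp.directives || {};
  const seen = new Map(); // kebab-case name -> spelling first seen
  for (const [name, value] of Object.entries(directives)) {
    const canonical = toKebab(name);
    if (seen.has(canonical)) {
      errors.push(`duplicate directive: ${seen.get(canonical)} and ${name} both set ${canonical}`);
    }
    seen.set(canonical, name);
    if (value === false) continue; // false disables a directive (v3.0.0, v3.10.0)
    if (Array.isArray(value) && value.length === 0) {
      errors.push(`${name}: empty arrays are not allowed; use ["'none'"] to block everything`);
    }
  }
  // v4.0.0: an explicit directive set without default-src throws. With no
  // directives at all Helmet uses its defaults, and useDefaults (v4.6.0) merges
  // them in, so both of those cases are fine.
  if (Object.keys(directives).length > 0 && !seen.has('default-src') && !csp.useDefaults) {
    errors.push('contentSecurityPolicy: no default-src directive supplied');
  }
}

function auditHelmet4Options(options) {
  const errors = [];
  const warnings = [];
  for (const [key, hint] of Object.entries(REMOVED_MIDDLEWARE)) {
    if (key in options) errors.push(`helmet.${key} was removed in Helmet 4; ${hint}`);
  }
  const csp = options.contentSecurityPolicy;
  if (csp && typeof csp === 'object') auditCsp(csp, errors);
  const hsts = options.hsts;
  if (hsts && typeof hsts === 'object') {
    if ('includeSubdomains' in hsts) errors.push('hsts.includeSubdomains (lowercase d) was dropped; use includeSubDomains');
    if ('setIf' in hsts) errors.push('hsts.setIf was dropped; apply the middleware conditionally instead');
    if (typeof hsts.maxAge === 'number' && hsts.maxAge >= MAX_AGE_SUSPICIOUS_SECONDS) {
      warnings.push('hsts.maxAge is in seconds, not milliseconds; the value looks like milliseconds');
    }
  }
  if (options.hidePoweredBy && typeof options.hidePoweredBy === 'object') {
    errors.push('helmet.hidePoweredBy no longer accepts arguments');
  }
  if (options.xssFilter && typeof options.xssFilter === 'object') {
    errors.push('helmet.xssFilter no longer accepts options');
  }
  return { errors, warnings };
}

// Constructed sample: a configuration written against Helmet 3.
const legacyOptions = {
  contentSecurityPolicy: {
    directives: { scriptSrc: ["'self'"], 'script-src': ["'self'", 'cdn.example'], objectSrc: [] },
    browserSniff: false,
    loose: true,
  },
  hsts: { maxAge: 15552000000, includeSubdomains: true, setIf: (req) => req.secure },
  noCache: true,
  xssFilter: { reportUri: '/csp-report' },
};

// Constructed sample: the same intent expressed in Helmet 4 terms.
const upgradedOptions = {
  contentSecurityPolicy: {
    useDefaults: true,
    directives: { 'script-src': ["'self'", 'cdn.example'], 'object-src': ["'none'"] },
  },
  hsts: { maxAge: 15552000, includeSubDomains: true },
};

console.log(JSON.stringify(auditHelmet4Options(legacyOptions), null, 2));
console.log(JSON.stringify(auditHelmet4Options(upgradedOptions), null, 2));
```

Run against `legacyOptions` the audit reports nine errors (removed `noCache`, the `browserSniff` and `loose` options, the duplicated `script-src`, the empty `objectSrc`, the missing `default-src`, both dropped `hsts` options, and the `xssFilter` options object) plus one warning about `maxAge`; `upgradedOptions` passes clean. Running this against the application's real `helmet(...)` call before merging turns the startup crash the v4.0.0 notes promise into a checklist.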