aayant-mend / NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
Apache License 2.0

Update dependency helmet to v3 #182

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| helmet (source) | dependencies | major | `^2.0.0` -> `^3.0.0` |

By merging this PR, the issue #62 will be automatically resolved and closed:

| Severity | CVSS Score | CVE |
|---|---|---|
| High | 7.5 | CVE-2017-20165 |
| Medium | 6.1 | WS-2019-0289 |
| Medium | 5.3 | CVE-2017-20162 |
| Low | 3.7 | CVE-2017-16137 |

Release Notes

helmetjs/helmet (helmet)

### [`v3.21.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3210---2019-09-04)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.20.1...v3.21.0)

##### Added

- Updated `x-xss-protection` to v1.3.0
  - Added `mode: null` to disable `mode=block`

##### Changed

- Updated `helmet-csp` to v2.9.1
  - Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://togithub.com/helmetjs/csp/pull/88)

### [`v3.20.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3201---2019-08-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.20.0...v3.20.1)

##### Changed

- Updated `helmet-csp` to v2.9.0

### [`v3.20.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3200---2019-07-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.19.0...v3.20.0)

##### Changed

- Updated `helmet-csp` to v2.8.0

### [`v3.19.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3190---2019-07-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.18.0...v3.19.0)

##### Changed

- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0

### [`v3.18.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3180---2019-05-05)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.17.0...v3.18.0)

##### Added

- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`

##### Changed

- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0

### [`v3.17.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3170---2019-05-03)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.16.0...v3.17.0)

##### Added

- `referrerPolicy` now supports multiple values

##### Changed

- Updated `referrerPolicy` to v1.2.0

### [`v3.16.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3160---2019-03-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.15.1...v3.16.0)

##### Added

- Add email to `bugs` field in `package.json`

##### Changed

- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://togithub.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information

##### Deprecated

- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://togithub.com/helmetjs/hsts/issues/22) for more
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://togithub.com/helmetjs/hsts/issues/21) for more

### [`v3.15.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3151---2019-02-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.15.0...v3.15.1)

##### Deprecated

- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://togithub.com/helmetjs/helmet/issues/180) for more.

### [`v3.15.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3150---2018-11-07)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.14.0...v3.15.0)

##### Added

- `helmet.featurePolicy` now supports four new features

### [`v3.14.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3140---2018-10-09)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.13.0...v3.14.0)

##### Added

- `helmet.featurePolicy` middleware

### [`v3.13.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3130---2018-07-22)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.2...v3.13.0)

##### Added

- `helmet.permittedCrossDomainPolicies` middleware

### [`v3.12.2`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3122---2018-07-20)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.1...v3.12.2)

##### Fixed

- Removed `lodash.reduce` dependency from `csp`

### [`v3.12.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3121---2018-05-16)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.12.0...v3.12.1)

##### Fixed

- `expectCt` should use comma instead of semicolon as delimiter

### [`v3.12.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3120---2018-03-02)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.11.0...v3.12.0)

##### Added

- `xssFilter` now supports `reportUri` option

### [`v3.11.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3110---2018-02-09)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.10.0...v3.11.0)

##### Added

- Main Helmet middleware is now named to help with debugging

### [`v3.10.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3100---2018-01-23)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.9.0...v3.10.0)

##### Added

- `csp` now supports `prefix-src` directive

##### Fixed

- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive

### [`v3.9.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#390---2017-10-13)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.2...v3.9.0)

##### Added

- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive

##### Changed

- Removed `connect` dependency

### [`v3.8.2`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#382---2017-09-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.1...v3.8.2)

##### Changed

- Updated `connect` dependency to latest

### [`v3.8.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#381---2017-07-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.8.0...v3.8.1)

##### Fixed

- `csp` does not automatically set `report-to` when setting `report-uri`

### [`v3.8.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#380---2017-07-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.7.0...v3.8.0)

##### Changed

- `hsts` no longer cares whether it's HTTPS and always sets the header

### [`v3.7.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#370---2017-07-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.1...v3.7.0)

##### Added

- `csp` now supports `report-to` directive

##### Changed

- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`

### [`v3.6.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#361---2017-05-21)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.6.0...v3.6.1)

##### Changed

- Bump `connect` version

### [`v3.6.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#360---2017-05-04)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.5.0...v3.6.0)

##### Added

- `expectCt` middleware for setting the `Expect-CT` header

### [`v3.5.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#350---2017-03-06)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.1...v3.5.0)

##### Added

- `csp` now supports the `worker-src` directive

### [`v3.4.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#341---2017-02-24)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.4.0...v3.4.1)

##### Changed

- Bump `connect` version

### [`v3.4.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#340---2017-01-13)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.3.0...v3.4.0)

##### Added

- `csp` now supports more `sandbox` directives

### [`v3.3.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#330---2016-12-31)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.2.0...v3.3.0)

##### Added

- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives

##### Changed

- Bump `connect` version

### [`v3.2.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#320---2016-12-22)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.1.0...v3.2.0)

##### Added

- `csp` now allows `manifest-src` directive

### [`v3.1.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#310---2016-11-03)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.0.0...v3.1.0)

##### Added

- `csp` now allows `frame-src` directive

### [`v3.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#300---2016-10-28)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v2.3.0...v3.0.0)

##### Changed

- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty

##### Removed

- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
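The v3.0.0 entries above are the ones that change the meaning of an existing configuration rather than just its API: `hsts` `maxAge` switches from milliseconds to seconds (a value copied across unchanged becomes 1000x longer), subdomains are included by default, empty CSP arrays are rejected, and `false` is now the way to drop a directive. The following is an added example written for this review, not code from NodeGoat or from helmet itself: a dependency-free helper that rewrites a helmet 2 style options object into the helmet 3 form and shows the `Strict-Transport-Security` value each version would have produced for it. The configuration object, the directive lists and the keyword check are constructed for illustration and are assumptions, not NodeGoat's real `server.js` settings; the `legacyHstsHeaderValue` function models helmet 2 only as far as the changelog describes it (1 day default, milliseconds, no subdomains by default).

```javascript
'use strict';
// Added example (not NodeGoat or helmet code): apply the helmet 3.0.0 breaking
// changes listed in the changelog to a helmet 2 style configuration object.
// It needs no dependencies; the output option names match helmet 3's
// hsts() and contentSecurityPolicy({ directives }) middleware.

const V3_DEFAULT_HSTS_MAX_AGE = 180 * 24 * 60 * 60; // 15552000 seconds (helmet 3 default)
const V2_DEFAULT_HSTS_MAX_AGE_MS = 24 * 60 * 60 * 1000; // helmet 2 default: 1 day, in ms

// helmet 2 read maxAge as milliseconds; helmet 3 reads it as seconds.
function migrateHstsOptions(v2) {
  const src = v2 || {};
  const out = {};
  out.maxAge = typeof src.maxAge === 'number'
    ? Math.round(src.maxAge / 1000)
    : V3_DEFAULT_HSTS_MAX_AGE;
  // helmet 2 spelled the flag `includeSubdomains`; helmet 3 uses `includeSubDomains`
  // (lowercase-d form deprecated in 3.16.0) and includes subdomains by default.
  const explicit = src.includeSubDomains !== undefined ? src.includeSubDomains : src.includeSubdomains;
  out.includeSubDomains = explicit === undefined ? true : Boolean(explicit);
  if (src.preload) out.preload = true;
  return out;
}

// Strict-Transport-Security value for a helmet 3 style options object.
function hstsHeaderValue(opts) {
  let value = `max-age=${opts.maxAge}`;
  if (opts.includeSubDomains) value += '; includeSubDomains';
  if (opts.preload) value += '; preload';
  return value;
}

// What helmet 2 produced for the same object, per the changelog (assumed model:
// milliseconds divided down, 1 day default, subdomains only when asked for).
function legacyHstsHeaderValue(v2) {
  const src = v2 || {};
  const ms = typeof src.maxAge === 'number' ? src.maxAge : V2_DEFAULT_HSTS_MAX_AGE_MS;
  let value = `max-age=${Math.round(ms / 1000)}`;
  if (src.includeSubdomains || src.includeSubDomains) value += '; includeSubDomains';
  return value;
}

// Directives that take a source list; helmet 3 wants ["'none'"] rather than [] here.
// (Constructed list for this example, not helmet's internal table.)
const SOURCE_LIST_DIRECTIVES = new Set([
  'defaultSrc', 'scriptSrc', 'styleSrc', 'imgSrc', 'connectSrc', 'fontSrc',
  'objectSrc', 'mediaSrc', 'frameSrc', 'childSrc', 'workerSrc', 'manifestSrc',
  'formAction', 'frameAncestors', 'baseUri',
]);

// CSP keywords that are only valid when single-quoted. helmet 3 throws on this
// class of mistake unless `loose: true`; the check here is this example's own.
const QUOTED_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

function migrateCspDirectives(v2Directives) {
  const directives = {};
  const problems = [];
  for (const [name, value] of Object.entries(v2Directives || {})) {
    if (Array.isArray(value) && value.length === 0) {
      // Empty arrays are rejected by helmet 3 (3.0.0 changelog).
      if (name === 'sandbox') directives[name] = true;
      else if (SOURCE_LIST_DIRECTIVES.has(name)) directives[name] = ["'none'"];
      else directives[name] = false; // `false` leaves the directive out entirely
      continue;
    }
    if (Array.isArray(value)) {
      for (const srcExpr of value) {
        if (QUOTED_KEYWORDS.has(srcExpr)) {
          problems.push(`${name}: "${srcExpr}" must be written as "'${srcExpr}'"`);
        }
      }
    }
    directives[name] = value;
  }
  return { directives, problems };
}

function migrateHelmetConfig(cfg) {
  return { hsts: migrateHstsOptions(cfg.hsts), csp: migrateCspDirectives(cfg.csp) };
}

// Constructed helmet 2 style configuration for illustration only.
const SAMPLE_V2_CONFIG = {
  hsts: { maxAge: 31536000000, includeSubdomains: true }, // one year, in milliseconds
  csp: { defaultSrc: ["'self'"], scriptSrc: ['self'], objectSrc: [], sandbox: [], reportUri: [] },
};

function demo(cfg) {
  const v3 = migrateHelmetConfig(cfg);
  console.log('helmet 2 emitted:          ', legacyHstsHeaderValue(cfg.hsts));
  console.log('helmet 3, value unchanged: ', hstsHeaderValue({ ...cfg.hsts, includeSubDomains: true }));
  console.log('helmet 3, migrated:        ', hstsHeaderValue(v3.hsts));
  console.log('helmet 3 CSP directives:   ', JSON.stringify(v3.csp.directives));
  for (const p of v3.csp.problems) console.log('CSP mistake helmet 3 would reject:', p);
  // Wire-up under helmet 3 would then be:
  //   app.use(helmet.hsts(v3.hsts));
  //   app.use(helmet.contentSecurityPolicy({ directives: v3.csp.directives }));
  return v3;
}

demo(SAMPLE_V2_CONFIG);
```

The "value unchanged" line is the trap to look for when merging a major bump like this one: a one-year `maxAge` written in milliseconds for helmet 2 becomes a thousand-year `max-age` under helmet 3, and because `hsts` (3.8.0) now sets the header on every response, it is served even to plain-HTTP test setups.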