baryonsoft / overleaf

GNU Affero General Public License v3.0

Update dependency helmet to v7 #173

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| helmet (source) | ^6.0.1 -> ^7.0.0 | age | adoption | passing | confidence |

Release Notes

helmetjs/helmet (helmet)

### [`v7.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#700---2023-05-06)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.2.0...v7.0.0)

##### Changed

- **Breaking:** `Cross-Origin-Embedder-Policy` middleware is now disabled by default. See [#411](https://togithub.com/helmetjs/helmet/issues/411)

##### Removed

- **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required
- **Breaking:** `Expect-CT` is no longer part of Helmet. If you still need it, you can use the [`expect-ct` package](https://www.npmjs.com/package/expect-ct). See [#378](https://togithub.com/helmetjs/helmet/issues/378)

### [`v6.2.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#620---2023-05-06)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.5...v6.2.0)

- Expose header names (e.g., `strictTransportSecurity` for the `Strict-Transport-Security` header, instead of `hsts`)
- Rework documentation

### [`v6.1.5`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#615---2023-04-11)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.4...v6.1.5)

##### Fixed

- Fixed yet another issue with TypeScript exports. See [#420](https://togithub.com/helmetjs/helmet/pull/418)

### [`v6.1.4`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#614---2023-04-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.3...v6.1.4)

##### Fixed

- Fix another issue with TypeScript default exports. See [#418](https://togithub.com/helmetjs/helmet/pull/418)

### [`v6.1.3`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#613---2023-04-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.2...v6.1.3)

##### Fixed

- Fix issue with TypeScript default exports. See [#417](https://togithub.com/helmetjs/helmet/pull/417)

### [`v6.1.2`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#612---2023-04-09)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.1...v6.1.2)

##### Fixed

- Restored `main` to package to help with some build tools

### [`v6.1.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#611---2023-04-08)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.1.0...v6.1.1)

##### Fixed

- Fixed missing package metadata

### [`v6.1.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#610---2023-04-08)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.0.1...v6.1.0)

##### Changed

- Improve support for various TypeScript setups, including "nodenext". See [#405](https://togithub.com/helmetjs/helmet/pull/405)

### [`v6.0.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#601---2022-11-29)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v6.0.0...v6.0.1)

##### Fixed

- `crossOriginEmbedderPolicy` did not accept options at the top level. See [#390](https://togithub.com/helmetjs/helmet/issues/390)

### [`v6.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#600---2022-08-26)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v5.1.1...v6.0.0)

##### Changed

- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
- **Breaking:** `helmet.expectCt` is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See [#310](https://togithub.com/helmetjs/helmet/issues/310)
- **Breaking:** Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See [#369](https://togithub.com/helmetjs/helmet/issues/369)
- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed

##### Removed

- **Breaking:** Dropped support for Node 12 and 13. Node 14+ is now required

### [`v5.1.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#511---2022-07-23)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v5.1.0...v5.1.1)

##### Changed

- Fix TypeScript bug with some TypeScript configurations. See [#375](https://togithub.com/helmetjs/helmet/pull/375) and [#359](https://togithub.com/helmetjs/helmet/issues/359)

### [`v5.1.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#510---2022-05-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v5.0.2...v5.1.0)

##### Added

- `Cross-Origin-Embedder-Policy`: support `credentialless` policy. See [#365](https://togithub.com/helmetjs/helmet/pull/365)
- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only`

##### Changed

- Cleaned up some documentation around `Origin-Agent-Cluster`

### [`v5.0.2`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#502---2022-01-22)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v5.0.1...v5.0.2)

##### Changed

- Improve imports for CommonJS and ECMAScript modules. See [#345](https://togithub.com/helmetjs/helmet/pull/345)
- Fixed some documentation

### [`v5.0.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#501---2022-01-03)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v5.0.0...v5.0.1)

##### Changed

- Fixed some documentation

##### Removed

- Removed some unused internal code

### [`v5.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#500---2022-01-02)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.6.0...v5.0.0)

##### Added

- ECMAScript module imports (i.e., `import helmet from "helmet"` and `import { frameguard } from "helmet"`). See [#320](https://togithub.com/helmetjs/helmet/issues/320)

##### Changed

- **Breaking:** `helmet.contentSecurityPolicy`: `useDefaults` option now defaults to `true`
- **Breaking:** `helmet.contentSecurityPolicy`: `form-action` directive is now set to `'self'` by default
- **Breaking:** `helmet.crossOriginEmbedderPolicy` is enabled by default
- **Breaking:** `helmet.crossOriginOpenerPolicy` is enabled by default
- **Breaking:** `helmet.crossOriginResourcePolicy` is enabled by default
- **Breaking:** `helmet.originAgentCluster` is enabled by default
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://togithub.com/helmetjs/helmet/pull/322)
- Top-level `helmet()` function is slightly faster

##### Removed

- **Breaking:** Drop support for Node 10 and 11. Node 12+ is now required

### [`v4.6.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#460---2021-05-01)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.5.0...v4.6.0)

##### Added

- `helmet.contentSecurityPolicy`: the `useDefaults` option, defaulting to `false`, lets you selectively override defaults more easily
- Explicitly define TypeScript types in `package.json`. See [#303](https://togithub.com/helmetjs/helmet/pull/303)

### [`v4.5.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#450---2021-04-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.1...v4.5.0)

##### Added

- `helmet.crossOriginEmbedderPolicy`: a new middleware for the `Cross-Origin-Embedder-Policy` header, disabled by default
- `helmet.crossOriginOpenerPolicy`: a new middleware for the `Cross-Origin-Opener-Policy` header, disabled by default
- `helmet.crossOriginResourcePolicy`: a new middleware for the `Cross-Origin-Resource-Policy` header, disabled by default

##### Changed

- `true` enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
- Log a warning when passing options to `originAgentCluster` at the top level

##### Fixed

- Incorrect documentation

### [`v4.4.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#441---2021-01-18)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.0...v4.4.1)

##### Changed

- Shrink the published package by about 2.5 kB

### [`v4.4.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#440---2021-01-17)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.1...v4.4.0)

##### Added

- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` header, disabled by default

### [`v4.3.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#431---2020-12-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.0...v4.3.1)

##### Fixed

- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://togithub.com/helmetjs/helmet/issues/283)

### [`v4.3.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#430---2020-12-27)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.2.0...v4.3.0)

##### Added

- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it

##### Changed

- `helmet.frameguard`: slightly improved error messages for non-strings

### [`v4.2.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#420---2020-11-01)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.1...v4.2.0)

##### Added

- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`

##### Changed

- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://togithub.com/helmetjs/helmet/pull/264)

### [`v4.1.1`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#411---2020-09-10)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.0...v4.1.1)

##### Changed

- Fixed a few errors in the README

### [`v4.1.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#410---2020-08-15)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.0.0...v4.1.0)

##### Added

- `helmet.contentSecurityPolicy`:
  - Directive values can now include functions, as they could in Helmet 3. See [#243](https://togithub.com/helmetjs/helmet/issues/243)

##### Changed

- Helmet should now play more nicely with TypeScript

##### Removed

- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://togithub.com/helmetjs/helmet/issues/235#issuecomment-674016883)

### [`v4.0.0`](https://togithub.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#400---2020-08-02)

[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.3...v4.0.0)

See the [Helmet 4 upgrade guide](https://togithub.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.

##### Added

- `helmet.contentSecurityPolicy`:
  - If no `default-src` directive is supplied, an error is thrown
  - Directive lists can be any iterable, not just arrays

##### Changed

- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
  - There is now a default set of directives if none are supplied
  - Duplicate keys now throw an error. See [helmetjs/csp#73](https://togithub.com/helmetjs/csp/issues/73)
  - This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://togithub.com/helmetjs/helmet/issues/230)

##### Removed

- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
  - Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://togithub.com/helmetjs/csp/issues/97)
  - Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
  - Removed a lot of checks—you should be checking your CSP with a different tool
  - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
  - Removed the `loose` option
  - Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
  - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://togithub.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://togithub.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://togithub.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
  - Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://togithub.com/helmetjs/helmet/issues/231)
  - Dropped support for `setIf`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware) See [#232](https://togithub.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.

Configuration

📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] commented 1 year ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 7.x releases. But if you manually upgrade to 7.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.