Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as `self` instead of `'self'`. See #454
Breaking: Content-Security-Policy's `getDefaultDirectives` now returns a deep copy. This only affects users who were mutating the result
Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
Removed
Breaking: Drop support for Node 16 and 17. Node 18+ is now required
7.2.0 (from changelog)
Changed
Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as `self` instead of `'self'`. This will be an error in future versions. See #454
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ helmet (7.1.0 → 8.0.0) · Repo · Changelog
Release Notes
8.0.0 (from changelog)
7.2.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on GitHub. The new version differs by 41 commits:
8.0.0
CSP: speed up `getDefaultDirectives`
`getDefaultDirectives` should do a deep copy
HSTS: throw when misspelling "includeSubDomains" option
Content-Security-Policy: throw if directive value lacks necessary quotes
Content-Security-Policy can now use Object.hasOwn
Strict-Transport-Security: increase max-age to 1 year
Require Node 18+
7.2.0
Update changelog for 7.2.0 release
Update Jest to latest version
Enable `noUncheckedSideEffectImports` TypeScript option
Update tsx to latest version
Update TypeScript to latest version
Update @types/node to latest version
Update Prettier to latest version
Improve compression when publishing package
Update Rollup dependencies to latest versions
Update Supertest to latest version
ESLint: --cache for speed
Upgrade to ESLint v9
Fix minor README typo
Content-Security-Policy 4.0.0
Fix CommonJS imports for middleware packages
Content-Security-Policy: require Node 18+ for standalone middleware
CI should test on Node 22
Update docs, primarily around CSP
Make `git ls-files` test more reliable
Ensure that source files only contain ASCII
Content-Security-Policy: warn if directive value lacks necessary quotes
Update various TypeScript dependencies to latest versions
Minor: make CSP test error a little stricter
HSTS: add note about localhost redirects
Update devDependencies to latest versions
Update devDependencies to latest versions
Update license year for 2024
Minor: remove commented-out import from test
Update devDependencies to latest versions
CI: stop testing on Node 16
Update devDependencies to latest versions
CSP docs: recommend a 256-bit nonce
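A pre-upgrade check for the 8.0.0 breaking changes listed in the release notes, as an added example that is not part of this PR or of helmet's code: it scans a helmet options object for unquoted CSP keywords, a misspelled HSTS `includeSubDomains`, and reliance on the default max-age. The names `auditHelmetOptions` and `sampleOptions` are hypothetical, and the keyword list is taken from the CSP source-expression grammar, so it is an assumption that it matches exactly what helmet 8 rejects.

```javascript
// Added example: static pre-upgrade audit of a helmet options object.
// Not helmet's code. The keyword list follows the CSP source-expression
// grammar and is an assumption about what helmet 8 rejects.
const QUOTED_KEYWORDS = new Set([
  "none", "self", "strict-dynamic", "report-sample",
  "unsafe-inline", "unsafe-eval", "unsafe-hashes", "wasm-unsafe-eval",
]);
const QUOTED_PREFIXES = ["nonce-", "sha256-", "sha384-", "sha512-"];

const needsQuotes = (v) =>
  QUOTED_KEYWORDS.has(v) || QUOTED_PREFIXES.some((p) => v.startsWith(p));

function auditHelmetOptions(options = {}) {
  const findings = [];
  const csp = options.contentSecurityPolicy;
  const directives = (csp && typeof csp === "object" && csp.directives) || {};
  for (const [name, raw] of Object.entries(directives)) {
    const values = typeof raw === "string" ? raw.trim().split(/\s+/)
      : Array.isArray(raw) ? raw : [];
    for (const v of values) {
      // Function entries (per-request nonces) cannot be checked statically.
      if (typeof v === "string" && needsQuotes(v)) {
        findings.push(`CSP ${name}: ${v} must be written '${v}'`);
      }
    }
  }
  const hsts = options.strictTransportSecurity ?? options.hsts;
  if (hsts === false) return findings; // header disabled, nothing to check
  const hstsOptions = hsts && typeof hsts === "object" ? hsts : {};
  for (const key of Object.keys(hstsOptions)) {
    // Any case variant is flagged; the exact spellings helmet detects are an assumption.
    if (key !== "includeSubDomains" && key.toLowerCase() === "includesubdomains") {
      findings.push(`HSTS: option ${key} must be spelled includeSubDomains`);
    }
  }
  if (hstsOptions.maxAge === undefined) {
    findings.push("HSTS: no explicit maxAge, default rises from 180 to 365 days");
  }
  return findings;
}

// Constructed sample configuration, as it might be passed to helmet(...).
const sampleOptions = {
  contentSecurityPolicy: {
    directives: { defaultSrc: ["self"], scriptSrc: ["'self'", "unsafe-inline"], objectSrc: "none" },
  },
  hsts: { includeSubdomains: true },
};
console.log(auditHelmetOptions(sampleOptions).join("\n"));
```

Directive values produced by functions, such as per-request nonces, are skipped here and still need a runtime test against the upgraded package.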