Breaking:Strict-Transport-Security now has a max-age of 365 days, up from 180
Breaking:Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
Breaking:Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
Breaking:Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
Removed
Breaking: Drop support for Node 16 and 17. Node 18+ is now required
7.2.0 (from changelog)
Changed
Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as self instead of 'self'. This will be an error in future versions. See #454
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ helmet (7.1.0 → 8.0.0) · Repo · Changelog
Release Notes
8.0.0 (from changelog)
7.2.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 41 commits:
8.0.0CSP: speed up `getDefaultDirectives``getDefaultDirectives` should do a deep copyHSTS: throw when misspelling "includeSubDomains" optionContent-Security-Policy: throw if directive value lacks necessary quotesContent-Security-Policy can now use Object.hasOwnStrict-Transport-Security: increase max-age to 1 yearRequire Node 18+7.2.0Update changelog for 7.2.0 releaseUpdate Jest to latest versionEnable `noUncheckedSideEffectImports` TypeScript optionUpdate tsx to latest versionUpdate TypeScript to latest versionUpdate @types/node to latest versionUpdate Prettier to latest versionImprove compression when publishing packageUpdate Rollup dependencies to latest versionsUpdate Supertest to latest versionESLint: --cache for speedUpgrade to ESLint v9Fix minor README typoContent-Security-Policy 4.0.0Fix CommonJS imports for middleware packagesContent-Security-Policy: require Node 18+ for standalone middlewareCI should test on Node 22Update docs, primarily around CSPMake `git ls-files` test more reliableEnsure that source files only contain ASCIIContent-Security-Policy: warn if directive value lacks necessary quotesUpdate various TypeScript dependencies to latest versionsMinor: make CSP test error a little stricterHSTS: add note about localhost redirectsUpdate devDependencies to latest versionsUpdate devDependencies to latest versionsUpdate license year for 2024Minor: remove commented-out import from testUpdate devDependencies to latest versionsCI: stop testing on Node 16Update devDependencies to latest versionsCSP docs: recommend a 256-bit nonceDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands