helmetjs/helmet
### [`v4.1.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#411---2020-09-10)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.0...v4.1.1)
##### Changed
- Fixed a few errors in the README
### [`v4.1.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#410---2020-08-15)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.0.0...v4.1.0)
##### Added
- `helmet.contentSecurityPolicy`:
- Directive values can now include functions, as they could in Helmet 3. See [#243](https://togithub.com/helmetjs/helmet/issues/243)
##### Changed
- Helmet should now play more nicely with TypeScript
##### Removed
- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://togithub.com/helmetjs/helmet/issues/235#issuecomment-674016883)
### [`v4.0.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#400---2020-08-02)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.3...v4.0.0)
See the [Helmet 4 upgrade guide](https://togithub.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.
##### Added
- `helmet.contentSecurityPolicy`:
- If no `default-src` directive is supplied, an error is thrown
- Directive lists can be any iterable, not just arrays
##### Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See [helmetjs/csp#73](https://togithub.com/helmetjs/csp/issues/73)
- This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://togithub.com/helmetjs/helmet/issues/230)
##### Removed
- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
- Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://togithub.com/helmetjs/csp/issues/97)
- Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
- Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
- Removed the `loose` option
- Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
- Dropped support for the `ALLOW-FROM` action. [Read more here.](https://togithub.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://togithub.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://togithub.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
- Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://togithub.com/helmetjs/helmet/issues/231)
- Dropped support for `setIf`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware). See [#232](https://togithub.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X–XSS–Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X–XSS–Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
### [`v3.23.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3233---2020-06-26)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.2...v3.23.3)
##### Changed
- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.
### [`v3.23.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3232---2020-06-23)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.1...v3.23.2)
##### Changed
- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.
### [`v3.23.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3231---2020-06-16)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.0...v3.23.1)
##### Changed
- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.
### [`v3.23.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3230---2020-06-12)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.1...v3.23.0)
##### Deprecated
- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.
### [`v3.22.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3221---2020-06-10)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.0...v3.22.1)
##### Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
### [`v3.22.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3220---2020-03-24)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.3...v3.22.0)
##### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://togithub.com/helmetjs/csp/pull/103)
##### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://togithub.com/helmetjs/helmet/issues/215)
### [`v3.21.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3213---2020-02-24)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.2...v3.21.3)
##### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://togithub.com/helmetjs/csp/issues/96) and [#101](https://togithub.com/helmetjs/csp/pull/101)
Renovate configuration
:date: Schedule: At any time (no schedule defined).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.21.2
->4.1.1
Release Notes
helmetjs/helmet
### [`v4.1.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#411---2020-09-10) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.0...v4.1.1) ##### Changed - Fixed a few errors in the README ### [`v4.1.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#410---2020-08-15) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.0.0...v4.1.0) ##### Added - `helmet.contentSecurityPolicy`: - Directive values can now include functions, as they could in Helmet 3. See [#243](https://togithub.com/helmetjs/helmet/issues/243) ##### Changed - Helmet should now play more nicely with TypeScript ##### Removed - The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://togithub.com/helmetjs/helmet/issues/235#issuecomment-674016883) ### [`v4.0.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#400---2020-08-02) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.3...v4.0.0) See the [Helmet 4 upgrade guide](https://togithub.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3. ##### Added - `helmet.contentSecurityPolicy`: - If no `default-src` directive is supplied, an error is thrown - Directive lists can be any iterable, not just arrays ##### Changed - This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time. - `helmet.contentSecurityPolicy`: - There is now a default set of directives if none are supplied - Duplicate keys now throw an error. See [helmetjs/csp#73](https://togithub.com/helmetjs/csp/issues/73) - This middleware is more lenient, allowing more directive names or values - `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://togithub.com/helmetjs/helmet/issues/230) ##### Removed - Dropped support for old Node versions. Node 10+ is now required - `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm. - `helmet.hpkp`. If you still need it, use the `hpkp` package on npm. - `helmet.noCache`. If you still need it, use the `nocache` package on npm. - `helmet.contentSecurityPolicy`: - Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://togithub.com/helmetjs/csp/issues/97) - Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware) - Removed a lot of checks—you should be checking your CSP with a different tool - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4) - Removed the `loose` option - Removed support for functions as directive values. You must supply an iterable of strings - `helmet.frameguard`: - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://togithub.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive) - `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://togithub.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://togithub.com/helmetjs/helmet/issues/224). - `helmet.hsts`: - Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://togithub.com/helmetjs/helmet/issues/231) - Dropped support for `setIf`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware). See [#232](https://togithub.com/helmetjs/helmet/issues/232) - `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X–XSS–Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X–XSS–Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior. ### [`v3.23.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3233---2020-06-26) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.2...v3.23.3) ##### Changed - `helmet.expectCt` is no longer a separate package. This should have no effect on end users. - `helmet.frameguard` is no longer a separate package. This should have no effect on end users. ### [`v3.23.2`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3232---2020-06-23) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.1...v3.23.2) ##### Changed - `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users. ### [`v3.23.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3231---2020-06-16) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.0...v3.23.1) ##### Changed - `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users. ### [`v3.23.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3230---2020-06-12) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.1...v3.23.0) ##### Deprecated - `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead. ### [`v3.22.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3221---2020-06-10) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.22.0...v3.22.1) ##### Changed - Rewrote internals in TypeScript. This should have no effect on end users. ### [`v3.22.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3220---2020-03-24) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.3...v3.22.0) ##### Changed - Updated `helmet-csp` to v2.10.0 - Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://togithub.com/helmetjs/csp/pull/103) ##### Deprecated - `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://togithub.com/helmetjs/helmet/issues/215) ### [`v3.21.3`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#3213---2020-02-24) [Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.21.2...v3.21.3) ##### Changed - Updated `helmet-csp` to v2.9.5 - Updated `bowser` subdependency from 2.7.0 to 2.9.0 - Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://togithub.com/helmetjs/csp/issues/96) and [#101](https://togithub.com/helmetjs/csp/pull/101)Renovate configuration
:date: Schedule: At any time (no schedule defined).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.