helmetjs/helmet
### [`v4.6.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#460---2021-05-01)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.5.0...v4.6.0)
##### Added
- `helmet.contentSecurityPolicy`: the `useDefaults` option, defaulting to `false`, lets you selectively override defaults more easily
- Explicitly define TypeScript types in `package.json`. See [#303](https://togithub.com/helmetjs/helmet/pull/303)
### [`v4.5.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#450---2021-04-17)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.1...v4.5.0)
##### Added
- `helmet.crossOriginEmbedderPolicy`: a new middleware for the `Cross-Origin-Embedder-Policy` header, disabled by default
- `helmet.crossOriginOpenerPolicy`: a new middleware for the `Cross-Origin-Opener-Policy` header, disabled by default
- `helmet.crossOriginResourcePolicy`: a new middleware for the `Cross-Origin-Resource-Policy` header, disabled by default
##### Changed
- `true` enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
- Log a warning when passing options to `originAgentCluster` at the top level
##### Fixed
- Incorrect documentation
### [`v4.4.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#441---2021-01-18)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.4.0...v4.4.1)
##### Changed
- Shrink the published package by about 2.5 kB
### [`v4.4.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#440---2021-01-17)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.1...v4.4.0)
##### Added
- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` header, disabled by default
### [`v4.3.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#431---2020-12-27)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.3.0...v4.3.1)
##### Fixed
- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://togithub.com/helmetjs/helmet/issues/283)
### [`v4.3.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#430---2020-12-27)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.2.0...v4.3.0)
##### Added
- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it
##### Changed
- `helmet.frameguard`: slightly improved error messages for non-strings
### [`v4.2.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#420---2020-11-01)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.1...v4.2.0)
##### Added
- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`
##### Changed
- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://togithub.com/helmetjs/helmet/pull/264)
### [`v4.1.1`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#411---2020-09-10)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.1.0...v4.1.1)
##### Changed
- Fixed a few errors in the README
### [`v4.1.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#410---2020-08-15)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v4.0.0...v4.1.0)
##### Added
- `helmet.contentSecurityPolicy`:
  - Directive values can now include functions, as they could in Helmet 3. See [#243](https://togithub.com/helmetjs/helmet/issues/243)
##### Changed
- Helmet should now play more nicely with TypeScript
##### Removed
- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://togithub.com/helmetjs/helmet/issues/235#issuecomment-674016883)
### [`v4.0.0`](https://togithub.com/helmetjs/helmet/blob/master/CHANGELOG.md#400---2020-08-02)
[Compare Source](https://togithub.com/helmetjs/helmet/compare/v3.23.3...v4.0.0)
See the [Helmet 4 upgrade guide](https://togithub.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.
##### Added
- `helmet.contentSecurityPolicy`:
  - If no `default-src` directive is supplied, an error is thrown
  - Directive lists can be any iterable, not just arrays
##### Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
  - There is now a default set of directives if none are supplied
  - Duplicate keys now throw an error. See [helmetjs/csp#73](https://togithub.com/helmetjs/csp/issues/73)
  - This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://togithub.com/helmetjs/helmet/issues/230)
##### Removed
- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
  - Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://togithub.com/helmetjs/csp/issues/97)
  - Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
  - Removed a lot of checks—you should be checking your CSP with a different tool
  - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
  - Removed the `loose` option
  - Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
  - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://togithub.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://togithub.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://togithub.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
  - Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://togithub.com/helmetjs/helmet/issues/231)
  - Dropped support for `setIf`. [Read this if you need help.](https://togithub.com/helmetjs/helmet/wiki/Conditionally-using-middleware) See [#232](https://togithub.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X-XSS-Protection"](https://togithub.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
Configuration
📅 Schedule: At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box.
This PR contains the following updates:
^3.15.0 -> ^4.0.0
This PR has been generated by WhiteSource Renovate. View repository job log here.
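
For reviewing this major-version bump, an added example (not part of the PR and not Helmet's own code) that flags settings in a Helmet 3 options object which the v4.0.0 notes above list as removed or now throwing. `auditHelmet3Options` and the sample configuration are hypothetical; `setOnOldIE`, `domain` and the camelCase `defaultSrc` spelling are assumptions not taken from this page.

```javascript
// Added example, not Helmet's code. Option names come from the v4.0.0 notes;
// auditHelmet3Options and the sample config below are hypothetical.
const REMOVED_MIDDLEWARE = { featurePolicy: "feature-policy", hpkp: "hpkp", noCache: "nocache" };
const REMOVED_CSP_OPTIONS = ["browserSniff", "disableAndroid", "setAllHeaders", "loose"];
const isOptionsObject = (v) => v !== null && typeof v === "object";

function auditHelmet3Options(options = {}) {
  const findings = [];
  const { contentSecurityPolicy: csp, frameguard, hsts } = options;
  for (const [name, pkg] of Object.entries(REMOVED_MIDDLEWARE)) {
    if (name in options && options[name] !== false) findings.push(`${name}: removed, use the "${pkg}" package`);
  }
  if (isOptionsObject(csp)) {
    for (const key of REMOVED_CSP_OPTIONS) {
      if (key in csp) findings.push(`contentSecurityPolicy.${key}: option removed`);
    }
    if (typeof csp.reportOnly === "function") findings.push("contentSecurityPolicy.reportOnly: function removed");
    const d = csp.directives;
    if (isOptionsObject(d) && !("defaultSrc" in d || "default-src" in d)) {
      findings.push("contentSecurityPolicy.directives: no default-src, which now throws");
    }
  }
  if (isOptionsObject(frameguard) && String(frameguard.action).toUpperCase() === "ALLOW-FROM") {
    findings.push("frameguard.action: ALLOW-FROM no longer supported");
  }
  if (isOptionsObject(hsts)) {
    if ("includeSubdomains" in hsts) findings.push("hsts.includeSubdomains: lowercase-d spelling dropped");
    if ("setIf" in hsts) findings.push("hsts.setIf: option removed");
  }
  for (const name of ["hidePoweredBy", "xssFilter"]) {
    if (isOptionsObject(options[name]) && Object.keys(options[name]).length > 0) {
      findings.push(`${name}: no longer accepts options`);
    }
  }
  return findings;
}

// Constructed Helmet 3 style configuration, used only to exercise the audit.
const sampleHelmet3Options = {
  contentSecurityPolicy: { directives: { scriptSrc: ["'self'"] }, browserSniff: false },
  frameguard: { action: "allow-from", domain: "https://example.com" },
  hsts: { maxAge: 5184000, includeSubdomains: true },
  xssFilter: { setOnOldIE: true },
  noCache: true,
};
console.log(auditHelmet3Options(sampleHelmet3Options).join("\n"));
```

An empty result does not mean the upgrade is behaviour-neutral: the notes also change defaults, such as the default CSP directive set and `helmet.xssFilter` disabling the filter, so response headers should still be compared before and after the bump.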