chore(deps): update dependency helmet --> v7
This MR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
helmet (source) | ^4.4.1 -> ^7.0.0 |
Release Notes
helmetjs/helmet
v7.0.0
Changed
-
Breaking:
Cross-Origin-Embedder-Policy
middleware is now disabled by default. See #411
Removed
- Breaking: Drop support for Node 14 and 15. Node 16+ is now required
-
Breaking:
Expect-CT
is no longer part of Helmet. If you still need it, you can use theexpect-ct
package. See #378
v6.2.0
- Expose header names (e.g.,
strictTransportSecurity
for theStrict-Transport-Security
header, instead ofhsts
) - Rework documentation
v6.1.5
Fixed
- Fixed yet another issue with TypeScript exports. See #420
v6.1.4
Fixed
- Fix another issue with TypeScript default exports. See #418
v6.1.3
Fixed
- Fix issue with TypeScript default exports. See #417
v6.1.2
Fixed
- Retored
main
to package to help with some build tools
v6.1.1
Fixed
- Fixed missing package metadata
v6.1.0
Changed
- Improve support for various TypeScript setups, including "nodenext". See #405
v6.0.1
Fixed
-
crossOriginEmbedderPolicy
did not accept options at the top level. See #390
v6.0.0
Changed
-
Breaking:
helmet.contentSecurityPolicy
no longer setsblock-all-mixed-content
directive by default -
Breaking:
helmet.expectCt
is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310 - Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
-
helmet.frameguard
no longer offers a specific error when trying to useALLOW-FROM
; it just says that it is unsupported. Only the error message has changed
Removed
- Breaking: Dropped support for Node 12 and 13. Node 14+ is now required
v5.1.1
Changed
v5.1.0
Added
-
Cross-Origin-Embedder-Policy
: supportcredentialless
policy. See #365 - Documented how to set both
Content-Security-Policy
andContent-Security-Policy-Report-Only
Changed
- Cleaned up some documentation around
Origin-Agent-Cluster
v5.0.2
Changed
- Improve imports for CommonJS and ECMAScript modules. See #345
- Fixed some documentation
v5.0.1
Changed
- Fixed some documentation
Removed
- Removed some unused internal code
v5.0.0
Added
- ECMAScript module imports (i.e.,
import helmet from "helmet"
andimport { frameguard } from "helmet"
). See #320
Changed
-
Breaking:
helmet.contentSecurityPolicy
:useDefaults
option now defaults totrue
-
Breaking:
helmet.contentSecurityPolicy
:form-action
directive is now set to'self'
by default -
Breaking:
helmet.crossOriginEmbedderPolicy
is enabled by default -
Breaking:
helmet.crossOriginOpenerPolicy
is enabled by default -
Breaking:
helmet.crossOriginResourcePolicy
is enabled by default -
Breaking:
helmet.originAgentCluster
is enabled by default -
helmet.frameguard
: add TypeScript editor autocomplete. See #322 - Top-level
helmet()
function is slightly faster
Removed
- Breaking: Drop support for Node 10 and 11. Node 12+ is now required
v4.6.0
Added
-
helmet.contentSecurityPolicy
: theuseDefaults
option, defaulting tofalse
, lets you selectively override defaults more easily - Explicitly define TypeScript types in
package.json
. See #303
Configuration
-
If you want to rebase/retry this MR, check this box.