Skip to content

chore(deps): update dependency helmet --> v7

FW Serviceworker requested to merge deps/helmet-7.x into master

This MR contains the following updates:

Package Change Age Adoption Passing Confidence
helmet (source) ^4.4.1 -> ^7.0.0 age adoption passing confidence

Release Notes

helmetjs/helmet

v7.0.0

Compare Source

Changed
  • Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #​411
Removed
  • Breaking: Drop support for Node 14 and 15. Node 16+ is now required
  • Breaking: Expect-CT is no longer part of Helmet. If you still need it, you can use the expect-ct package. See #​378

v6.2.0

Compare Source

  • Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
  • Rework documentation

v6.1.5

Compare Source

Fixed
  • Fixed yet another issue with TypeScript exports. See #​420

v6.1.4

Compare Source

Fixed
  • Fix another issue with TypeScript default exports. See #​418

v6.1.3

Compare Source

Fixed
  • Fix issue with TypeScript default exports. See #​417

v6.1.2

Compare Source

Fixed
  • Retored main to package to help with some build tools

v6.1.1

Compare Source

Fixed
  • Fixed missing package metadata

v6.1.0

Compare Source

Changed
  • Improve support for various TypeScript setups, including "nodenext". See #​405

v6.0.1

Compare Source

Fixed
  • crossOriginEmbedderPolicy did not accept options at the top level. See #​390

v6.0.0

Compare Source

Changed
  • Breaking: helmet.contentSecurityPolicy no longer sets block-all-mixed-content directive by default
  • Breaking: helmet.expectCt is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #​310
  • Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #​369
  • helmet.frameguard no longer offers a specific error when trying to use ALLOW-FROM; it just says that it is unsupported. Only the error message has changed
Removed
  • Breaking: Dropped support for Node 12 and 13. Node 14+ is now required

v5.1.1

Compare Source

Changed
  • Fix TypeScript bug with some TypeScript configurations. See #​375 and #​359

v5.1.0

Compare Source

Added
  • Cross-Origin-Embedder-Policy: support credentialless policy. See #​365
  • Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only
Changed
  • Cleaned up some documentation around Origin-Agent-Cluster

v5.0.2

Compare Source

Changed
  • Improve imports for CommonJS and ECMAScript modules. See #​345
  • Fixed some documentation

v5.0.1

Compare Source

Changed
  • Fixed some documentation
Removed
  • Removed some unused internal code

v5.0.0

Compare Source

Added
  • ECMAScript module imports (i.e., import helmet from "helmet" and import { frameguard } from "helmet"). See #​320
Changed
  • Breaking: helmet.contentSecurityPolicy: useDefaults option now defaults to true
  • Breaking: helmet.contentSecurityPolicy: form-action directive is now set to 'self' by default
  • Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
  • Breaking: helmet.crossOriginOpenerPolicy is enabled by default
  • Breaking: helmet.crossOriginResourcePolicy is enabled by default
  • Breaking: helmet.originAgentCluster is enabled by default
  • helmet.frameguard: add TypeScript editor autocomplete. See #​322
  • Top-level helmet() function is slightly faster
Removed
  • Breaking: Drop support for Node 10 and 11. Node 12+ is now required

v4.6.0

Compare Source

Added
  • helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
  • Explicitly define TypeScript types in package.json. See #​303

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box.

Merge request reports

Loading