create-react-microservice icon indicating copy to clipboard operation
create-react-microservice copied to clipboard

Published 20 hours ago β€’ verified publisher icon ImmoweltGroup

TASK: Update dependency helmet to v6

Open renovate[bot] opened this issue 3 years ago β€’ 0 comments

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
helmet (source) 3.23.3 -> 6.0.0 age adoption passing confidence

Release Notes

helmetjs/helmet

v6.0.0

Compare Source

Changed
  • Breaking: helmet.contentSecurityPolicy no longer sets block-all-mixed-content directive by default
  • Breaking: helmet.expectCt is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #​310
  • Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #​369
  • helmet.frameguard no longer offers a specific error when trying to use ALLOW-FROM; it just says that it is unsupported. Only the error message has changed
Removed
  • Breaking: Dropped support for Node 12 and 13. Node 14+ is now required

v5.1.1

Compare Source

Changed

v5.1.0

Compare Source

Added
  • Cross-Origin-Embedder-Policy: support credentialless policy. See #​365
  • Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only
Changed
  • Cleaned up some documentation around Origin-Agent-Cluster

v5.0.2

Compare Source

Changed
  • Improve imports for CommonJS and ECMAScript modules. See #​345
  • Fixed some documentation

v5.0.1

Compare Source

Changed
  • Fixed some documentation
Removed
  • Removed some unused internal code

v5.0.0

Compare Source

Added
  • ECMAScript module imports (i.e., import helmet from "helmet" and import { frameguard } from "helmet"). See #​320
Changed
  • Breaking: helmet.contentSecurityPolicy: useDefaults option now defaults to true
  • Breaking: helmet.contentSecurityPolicy: form-action directive is now set to 'self' by default
  • Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
  • Breaking: helmet.crossOriginOpenerPolicy is enabled by default
  • Breaking: helmet.crossOriginResourcePolicy is enabled by default
  • Breaking: helmet.originAgentCluster is enabled by default
  • helmet.frameguard: add TypeScript editor autocomplete. See #​322
  • Top-level helmet() function is slightly faster
Removed
  • Breaking: Drop support for Node 10 and 11. Node 12+ is now required

v4.6.0

Compare Source

Added
  • helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
  • Explicitly define TypeScript types in package.json. See #​303

v4.5.0

Compare Source

Added
  • helmet.crossOriginEmbedderPolicy: a new middleware for the Cross-Origin-Embedder-Policy header, disabled by default
  • helmet.crossOriginOpenerPolicy: a new middleware for the Cross-Origin-Opener-Policy header, disabled by default
  • helmet.crossOriginResourcePolicy: a new middleware for the Cross-Origin-Resource-Policy header, disabled by default
Changed
  • true enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
  • Log a warning when passing options to originAgentCluster at the top level
Fixed
  • Incorrect documentation

v4.4.1

Compare Source

Changed
  • Shrink the published package by about 2.5 kB

v4.4.0

Compare Source

Added
  • helmet.originAgentCluster: a new middleware for the Origin-Agent-Cluster header, disabled by default

v4.3.1

Compare Source

Fixed
  • helmet.contentSecurityPolicy: broken TypeScript types. See #​283

v4.3.0

Compare Source

Added
  • helmet.contentSecurityPolicy: setting the default-src to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc disables it
Changed
  • helmet.frameguard: slightly improved error messages for non-strings

v4.2.0

Compare Source

Added
  • helmet.contentSecurityPolicy: get the default directives with contentSecurityPolicy.getDefaultDirectives()
Changed
  • helmet() now supports objects that don't have Object.prototype in their chain, such as Object.create(null), as options
  • helmet.expectCt: max-age is now first. See #​264

v4.1.1

Compare Source

Changed
  • Fixed a few errors in the README

v4.1.0

Compare Source

Added
  • helmet.contentSecurityPolicy:
    • Directive values can now include functions, as they could in Helmet 3. See #​243
Changed
  • Helmet should now play more nicely with TypeScript
Removed
  • The HelmetOptions interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment

v4.0.0

Compare Source

See the Helmet 4 upgrade guide for help upgrading from Helmet 3.

Added
  • helmet.contentSecurityPolicy:
    • If no default-src directive is supplied, an error is thrown
    • Directive lists can be any iterable, not just arrays
Changed
  • This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
  • helmet.contentSecurityPolicy:
    • There is now a default set of directives if none are supplied
    • Duplicate keys now throw an error. See helmetjs/csp#​73
    • This middleware is more lenient, allowing more directive names or values
  • helmet.xssFilter now disables the buggy XSS filter by default. See #​230
Removed
  • Dropped support for old Node versions. Node 10+ is now required
  • helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
  • helmet.hpkp. If you still need it, use the hpkp package on npm.
  • helmet.noCache. If you still need it, use the nocache package on npm.
  • helmet.contentSecurityPolicy:
    • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See helmetjs/csp#​97
    • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
    • Removed a lot of checksβ€”you should be checking your CSP with a different tool
    • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
    • Removed the loose option
    • Removed support for functions as directive values. You must supply an iterable of strings
  • helmet.frameguard:
  • helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #​224.
  • helmet.hsts:
  • helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.

Configuration

πŸ“… Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Aug 26 '22 18:08 renovate[bot]