
Update dependency helmet to v3 #148

Open. Wants to merge 1 commit into master from whitesource-remediate/helmet-3.x
Conversation

mend-for-github.aaakk.us.kg[bot] (Contributor) commented Feb 20, 2022

This PR contains the following updates:

Package: helmet (source)
Change: ^2.0.0 -> ^3.0.0

By merging this PR, the issue #166 will be automatically resolved and closed:

Severity: Medium
CVSS Score: 6.1
CVE: WS-2019-0289

Release Notes

helmetjs/helmet

v3.21.0

Added
  • Updated x-xss-protection to v1.3.0
    • Added mode: null to disable mode=block
Changed
  • Updated helmet-csp to v2.9.1

v3.20.1

Changed
  • Updated helmet-csp to v2.9.0

v3.20.0

Changed
  • Updated helmet-csp to v2.8.0

v3.19.0

Changed
  • Updated dns-prefetch-control to v0.2.0
  • Updated dont-sniff-mimetype to v1.1.0
  • Updated helmet-crossdomain to v0.4.0
  • Updated hide-powered-by to v1.1.0
  • Updated x-xss-protection to v1.2.0

v3.18.0

Added
  • featurePolicy has 19 new features: ambientLightSensor, documentDomain, documentWrite, encryptedMedia, fontDisplayLateSwap, layoutAnimations, legacyImageFormats, loadingFrameDefaultEager, oversizedImages, pictureInPicture, serial, syncScript, unoptimizedImages, unoptimizedLosslessImages, unoptimizedLossyImages, unsizedMedia, verticalScroll, wakeLock, and xr
Changed
  • Updated expect-ct to v0.2.0
  • Updated feature-policy to v0.3.0
  • Updated frameguard to v3.1.0
  • Updated nocache to v2.1.0

v3.17.0

Added
  • referrerPolicy now supports multiple values
Changed
  • Updated referrerPolicy to v1.2.0

v3.16.0

Added
  • Add email to bugs field in package.json
Changed
  • Updated hsts to v2.2.0
  • Updated ienoopen to v1.1.0
  • Changelog is now in the Keep A Changelog format
  • Dropped support for Node <4. See the commit for more information
  • Updated Adam Baldwin's contact information
Deprecated
  • helmet.hsts's setIf option has been deprecated and will be removed in hsts@3. See helmetjs/hsts#22 for more
  • The includeSubdomains option (with a lowercase d) has been deprecated and will be removed in hsts@3. Use the uppercase-D includeSubDomains option instead. See helmetjs/hsts#21 for more

v3.15.1

Deprecated
  • The hpkp middleware has been deprecated. If you still need to use this module, install the standalone hpkp module from npm. See #180 for more.

v3.15.0

Added
  • helmet.featurePolicy now supports four new features

v3.14.0

Added
  • helmet.featurePolicy middleware

v3.13.0

Added
  • helmet.permittedCrossDomainPolicies middleware

v3.12.2

Fixed
  • Removed lodash.reduce dependency from csp

v3.12.1

Fixed
  • expectCt should use comma instead of semicolon as delimiter

v3.12.0

Added
  • xssFilter now supports reportUri option

v3.11.0

Added
  • Main Helmet middleware is now named to help with debugging

v3.10.0

Added
  • csp now supports prefix-src directive
Fixed
  • csp no longer loads JSON files internally, helping some module bundlers
  • false should be able to disable a CSP directive

v3.9.0

Added
  • csp now supports strict-dynamic value
  • csp now supports require-sri-for directive
Changed
  • Removed connect dependency

v3.8.2

Changed
  • Updated connect dependency to latest

v3.8.1

Fixed
  • csp does not automatically set report-to when setting report-uri

v3.8.0

Changed
  • hsts no longer cares whether it's HTTPS and always sets the header

v3.7.0

Added
  • csp now supports report-to directive
Changed
  • Throw an error when used incorrectly
  • Add a few documentation files to npmignore

v3.6.1

Changed
  • Bump connect version

v3.6.0

Added
  • expectCt middleware for setting the Expect-CT header

v3.5.0

Added
  • csp now supports the worker-src directive

v3.4.1

Changed
  • Bump connect version

v3.4.0

Added
  • csp now supports more sandbox directives

v3.3.0

Added
  • referrerPolicy allows strict-origin and strict-origin-when-cross-origin directives
Changed
  • Bump connect version

v3.2.0

Added
  • csp now allows manifest-src directive

v3.1.0

Added
  • csp now allows frame-src directive

v3.0.0

Changed
  • csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
  • Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
  • false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
  • In CSP, reportOnly: true no longer requires a report-uri to be set.
  • hsts's maxAge now defaults to 180 days (instead of 1 day)
  • hsts's maxAge parameter is seconds, not milliseconds
  • hsts includes subdomains by default
  • domain parameter in frameguard cannot be empty
Removed
  • noEtag option no longer present in noCache
  • iOS Chrome connect-src workaround in CSP module
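A pre-upgrade check for the v3.0.0 breaking changes listed above, written as an added example for this page (it is not helmet's own code and not part of this PR). It assumes the v2-era option names csp.directives, hsts.maxAge, frameguard.action/domain and noCache.noEtag, checks frameguard.domain only when action is 'allow-from', and uses a ten-year threshold as a heuristic for maxAge values that were written in milliseconds.

```javascript
// Added example (not helmet's code): lint a v2-style helmet options object
// against the v3.0.0 breaking changes above, without helmet installed.
const ONE_DAY_SECONDS = 24 * 60 * 60;
// Assumption: a maxAge over ten years in seconds was really milliseconds.
const MS_SUSPECT_THRESHOLD = 10 * 365 * ONE_DAY_SECONDS;

function checkHelmetV3Upgrade(opts) {
  const findings = [];
  const directives = (opts.csp && opts.csp.directives) || {};
  // v3 rejects empty arrays: source lists need ["'none'"] (or false to
  // omit the directive); sandbox needs true to block everything.
  for (const [key, value] of Object.entries(directives)) {
    if (Array.isArray(value) && value.length === 0) {
      findings.push(key === 'sandbox'
        ? 'csp.sandbox: empty array rejected in v3; use sandbox: true'
        : `csp.${key}: empty array rejected in v3; use ["'none'"] or false`);
    }
  }
  if (opts.hsts) {
    const { maxAge, includeSubdomains, includeSubDomains } = opts.hsts;
    if (maxAge === undefined) {
      findings.push('hsts.maxAge: default changes from 1 day to 180 days');
    } else if (maxAge > MS_SUSPECT_THRESHOLD) {
      findings.push(`hsts.maxAge=${maxAge}: v3 reads seconds; if this was ` +
        `milliseconds, use ${Math.floor(maxAge / 1000)}`);
    }
    if (includeSubdomains === undefined && includeSubDomains === undefined) {
      findings.push('hsts: subdomains are now included by default');
    }
  }
  if (opts.frameguard && opts.frameguard.action === 'allow-from' &&
      !opts.frameguard.domain) {
    findings.push('frameguard.domain: must not be empty in v3');
  }
  if (opts.noCache && 'noEtag' in opts.noCache) {
    findings.push('noCache.noEtag: option removed in v3');
  }
  return findings;
}

// Constructed v2-era configuration with every pitfall present.
const LEGACY_OPTIONS = {
  csp: { directives: { defaultSrc: ["'self'"], scriptSrc: [], sandbox: [] } },
  hsts: { maxAge: 90 * 24 * 60 * 60 * 1000, includeSubdomains: false },
  frameguard: { action: 'allow-from', domain: '' },
  noCache: { noEtag: true },
};
console.log(checkHelmetV3Upgrade(LEGACY_OPTIONS).join('\n'));
```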


@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot added the security fix Security fix generated by WhiteSource label Feb 20, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title Update dependency helmet to v3 Update dependency helmet to v3 - autoclosed Feb 23, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot deleted the whitesource-remediate/helmet-3.x branch February 23, 2022 00:47
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title Update dependency helmet to v3 - autoclosed Update dependency helmet to v3 Feb 23, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot restored the whitesource-remediate/helmet-3.x branch February 23, 2022 16:32
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title Update dependency helmet to v3 Update dependency helmet to v3 - autoclosed Mar 4, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot deleted the whitesource-remediate/helmet-3.x branch March 4, 2022 08:16
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title Update dependency helmet to v3 - autoclosed Update dependency helmet to v3 Mar 5, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot restored the whitesource-remediate/helmet-3.x branch March 5, 2022 02:21