@forge/csp - npm Package Compare versions

Comparing version 0.0.0-experimental-ed3737f to 0.0.0-experimental-f85f9b1

CHANGELOG.md

 # @forge/csp
 
-## 0.0.0-experimental-ed3737f
+## 2.1.1
 
+### Patch Changes
+
+- 907ce6c: Add navigate-to CSP directive
+
+## 2.1.1-next.0
+
+### Patch Changes
+
+- 907ce6c: Add navigate-to CSP directive
+
+## 2.1.0
+
 ### Minor Changes
 
+- eeee3d3: Added ws://localhost to CSP
+
+## 2.1.0-next.0
+
+### Minor Changes
+
+- eeee3d3f: Added ws://localhost to CSP
+
+## 2.0.1
+
+### Patch Changes
+
+- 2a60561: Allow Forge Content Security Policy to load stylesheets from unpkg.com to enable an interim theme mounting solution for Atlassian Design System: Design Tokens
+
+## 2.0.1-next.0
+
+### Patch Changes
+
+- 2a605619: Allow Forge Content Security Policy to load stylesheets from unpkg.com to enable an interim theme mounting solution for Atlassian Design System: Design Tokens
+
+## 2.0.0
+
+### Major Changes
+
+- 3c0ac54: Move egress related services out of @forge/csp into new @forge/egress package
+
+## 2.0.0-next.0
+
+### Major Changes
+
+- 3c0ac54: Move egress related services out of @forge/csp into new @forge/egress package
+
+## 1.11.0
+
+### Minor Changes
+
+- 671a6a63: Skip generating hashes for inline scripts if unsafe-inline is provided
+
+## 1.11.0-next.0
+
+### Minor Changes
+
+- 671a6a6: Skip generating hashes for inline scripts if unsafe-inline is provided
+
+## 1.10.0
+
+### Minor Changes
+
+- e95919f: Added blob csp support for script content permissions with manifest validation
+- 56164fe: Add allow-pointer-lock to iframe sandbox
+
+## 1.10.0-next.1
+
+### Minor Changes
+
+- e95919f: Added blob csp support for script content permissions with manifest validation
+
+## 1.10.0-next.0
+
+### Minor Changes
+
+- 56164fe: Add allow-pointer-lock to iframe sandbox
+
+## 1.9.0
+
+### Minor Changes
+
+- 1c196ff: Add support for external fetch client to reference remote
+
+### Patch Changes
+
+- 1dba082: Enabling new frame ancestors '_.atl-paas.net' and '_.atlassian.com'
+
+## 1.9.0-next.1
+
+### Minor Changes
+
+- 1c196ff: Add support for external fetch client to reference remote
+
+## 1.8.1-next.0
+
+### Patch Changes
+
+- 04e4152: Enabling new frame ancestors '_.atl-paas.net' and '_.atlassian.com'
+
+## 1.8.0
+
+### Minor Changes
+
+- d5f3fac: Remove deprecated method for handling CSP user config
+- f002362: Revert change for deprecated CSP
+
+## 1.8.0-next.1
+
+### Minor Changes
+
+- f002362: Revert change for deprecated CSP
+
+## 1.8.0-next.0
+
+### Minor Changes
+
+- d5f3fac: Remove deprecated method for handling CSP user config
+
+## 1.7.1
+
+### Patch Changes
+
+- 4b41a80: Added egress messaging to install prompts
+
+## 1.7.1-next.0
+
+### Patch Changes
+
+- 4b41a80: Added egress messaging to install prompts
+
+## 1.7.0
+
+### Minor Changes
+
+- ef00257: Add \*.jira.com to allowed host site list
+
+### Patch Changes
+
+- d7a1fe3: Update dependencies to remove any transitive dependencies on request
+
+## 1.7.0-next.1
+
+### Patch Changes
+
+- d7a1fe3: Update dependencies to remove any transitive dependencies on request
+
+## 1.7.0-next.0
+
+### Minor Changes
+
+- ef00257: Add \*.jira.com to allowed host site list
+
+## 1.6.0
+
+### Minor Changes
+
+- 8714f5a: Add support for fonts and frames as part of Egress Permissions for Custom UI apps
+
+### Patch Changes
+
+- f8ae8a2: Add support for Bitbucket origin in Custom UI
+
+## 1.6.0-next.1
+
+### Patch Changes
+
+- f8ae8a2: Add support for Bitbucket origin in Custom UI
+
+## 1.6.0-next.0
+
+### Minor Changes
+
+- 8714f5a: Add support for fonts and frames as part of Egress Permissions for Custom UI apps
+
+## 1.5.0
+
+### Minor Changes
+
+- 638194f: Fix logic to detect missing fetch egress permission
+
+## 1.5.0-next.0
+
+### Minor Changes
+
+- 638194f: Fix logic to detect missing fetch egress permission
+
+## 1.4.0
+
+### Minor Changes
+
+- 05f608f: Added external fetch linting
+
+### Patch Changes
+
+- bd9194a: Added error protection to egress filtering for URLs with no protocol
+
+## 1.4.0-next.1
+
+### Patch Changes
+
+- bd9194a: Added error protection to egress filtering for URLs with no protocol
+
+## 1.4.0-next.0
+
+### Minor Changes
+
+- 05f608f: Added external fetch linting
+
+## 1.3.0
+
+### Minor Changes
+
+- 9ec2911: Allow style-src as part of Egress Permissions for Custom UI apps
+
+### Patch Changes
+
+- 2ddcdb2: Update frame-ancestors for dev
+- 2b3c55d: Fix to restrict frame ancestors of Custom UI apps
+
+## 1.3.0-next.2
+
+### Patch Changes
+
+- 2ddcdb2: Update frame-ancestors for dev
+
+## 1.3.0-next.1
+
+### Minor Changes
+
+- 9ec2911: Allow style-src as part of Egress Permissions for Custom UI apps
+
+## 1.2.1-next.0
+
+### Patch Changes
+
+- 2b3c55d: Fix to restrict frame ancestors of Custom UI apps
+
+## 1.2.0
+
+### Minor Changes
+
+- 6c482ef: Add `allow-downloads allow-modals` to sandbox
+
+## 1.2.0-next.0
+
+### Minor Changes
+
+- 6c482ef: Add `allow-downloads allow-modals` to sandbox
+
+## 1.1.0
+
+### Minor Changes
+
 - f478087: Added logic handle external egress permissions
@@ -8,0 +259,0 @@ - c3ee9e7: Convert permissions.external to CSP options for Custom UI

out/index.d.ts

@@ -1,4 +0,3 @@
-export * from './csp-injection-service';
-export * from './csp-processing-service';
+export * from './csp';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

out/index.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
-tslib_1.__exportStar(require("./csp-injection-service"), exports);
-tslib_1.__exportStar(require("./csp-processing-service"), exports);
+tslib_1.__exportStar(require("./csp"), exports);
 tslib_1.__exportStar(require("./types"), exports);

out/types.d.ts

@@ -10,8 +10,8 @@ /// <reference types="node" />
     SCRIPT_SRC = "script-src",
-    CONNECT_SRC = "connect-src"
+    STYLE_SRC = "style-src",
+    CONNECT_SRC = "connect-src",
+    FONT_SRC = "font-src",
+    FRAME_SRC = "frame-src"
 }
-export declare type MappedExternalCsp = Record<ExternalCspType, string[]>;
-export interface CSPDetails extends MappedExternalCsp {
-    'style-src': string[];
-}
+export declare type CSPDetails = Record<ExternalCspType, string[]>;
 //# sourceMappingURL=types.d.ts.map

out/types.js

@@ -9,3 +9,6 @@ "use strict";
     ExternalCspType["SCRIPT_SRC"] = "script-src";
+    ExternalCspType["STYLE_SRC"] = "style-src";
     ExternalCspType["CONNECT_SRC"] = "connect-src";
+    ExternalCspType["FONT_SRC"] = "font-src";
+    ExternalCspType["FRAME_SRC"] = "frame-src";
 })(ExternalCspType = exports.ExternalCspType || (exports.ExternalCspType = {}));

package.json

 {
   "name": "@forge/csp",
-  "version": "0.0.0-experimental-ed3737f",
+  "version": "0.0.0-experimental-f85f9b1",
   "description": "Contains the CSP configuration for Custom UI resources in Forge",
@@ -14,10 +14,10 @@ "main": "out/index.js",
   "devDependencies": {
-    "@forge/cli-shared": "^0.0.0-experimental-ed3737f",
-    "@forge/manifest": "^0.0.0-experimental-ed3737f",
-    "@types/jest": "^26.0.0"
+    "@forge/cli-shared": "0.0.0-experimental-f85f9b1",
+    "@forge/manifest": "0.0.0-experimental-f85f9b1",
+    "@types/jest": "^29.1.2"
   },
   "dependencies": {
-    "cheerio": "^0.20.0",
+    "cheerio": "^0.22.0",
     "content-security-policy-parser": "^0.3.0"
   }
 }

New alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

24517

increased by52.57%

Number of package files

17

increased by21.43%

Lines of code

314

increased by30.29%

Worsened metrics

Number of medium supply chain risk alerts

11

increased by266.67%

Dependency changes

• + Addedcheerio@0.22.0(transitive)

• + Addeddomhandler@2.4.2(transitive)

• + Addedhtmlparser2@3.10.1(transitive)

• + Addedlodash.assignin@4.2.0(transitive)

• + Addedlodash.bind@4.2.1(transitive)

• + Addedlodash.defaults@4.2.0(transitive)

• + Addedlodash.filter@4.6.0(transitive)

• + Addedlodash.flatten@4.4.0(transitive)

• + Addedlodash.foreach@4.5.0(transitive)

• + Addedlodash.map@4.6.0(transitive)

• + Addedlodash.merge@4.6.2(transitive)

• + Addedlodash.pick@4.4.0(transitive)

• + Addedlodash.reduce@4.6.0(transitive)

• + Addedlodash.reject@4.6.0(transitive)

• + Addedlodash.some@4.6.0(transitive)

• + Addedreadable-stream@3.6.2(transitive)

• + Addedstring_decoder@1.3.0(transitive)

• + Addedutil-deprecate@1.0.2(transitive)

• - Removedabab@1.0.4(transitive)

• - Removedacorn@2.7.0(transitive)

• - Removedacorn-globals@1.0.9(transitive)

• - Removedajv@6.12.6(transitive)

• - Removedasn1@0.2.6(transitive)

• - Removedassert-plus@1.0.0(transitive)

• - Removedasynckit@0.4.0(transitive)

• - Removedaws-sign2@0.7.0(transitive)

• - Removedaws4@1.13.2(transitive)

• - Removedbcrypt-pbkdf@1.0.2(transitive)

• - Removedcaseless@0.12.0(transitive)

• - Removedcheerio@0.20.0(transitive)

• - Removedcombined-stream@1.0.8(transitive)

• - Removedcore-util-is@1.0.21.0.3(transitive)

• - Removedcssom@0.3.8(transitive)

• - Removedcssstyle@0.2.37(transitive)

• - Removeddashdash@1.14.1(transitive)

• - Removeddeep-is@0.1.4(transitive)

• - Removeddelayed-stream@1.0.0(transitive)

• - Removeddomhandler@2.3.0(transitive)

• - Removedecc-jsbn@0.1.2(transitive)

• - Removedentities@1.0.0(transitive)

• - Removedescodegen@1.14.3(transitive)

• - Removedesprima@4.0.1(transitive)

• - Removedestraverse@4.3.0(transitive)

• - Removedesutils@2.0.3(transitive)

• - Removedextend@3.0.2(transitive)

• - Removedextsprintf@1.3.0(transitive)

• - Removedfast-deep-equal@3.1.3(transitive)

• - Removedfast-json-stable-stringify@2.1.0(transitive)

• - Removedfast-levenshtein@2.0.6(transitive)

• - Removedforever-agent@0.6.1(transitive)

• - Removedform-data@2.3.3(transitive)

• - Removedgetpass@0.1.7(transitive)

• - Removedhar-schema@2.0.0(transitive)

• - Removedhar-validator@5.1.5(transitive)

• - Removedhtmlparser2@3.8.3(transitive)

• - Removedhttp-signature@1.2.0(transitive)

• - Removedis-typedarray@1.0.0(transitive)

• - Removedisarray@0.0.1(transitive)

• - Removedisstream@0.1.2(transitive)

• - Removedjsbn@0.1.1(transitive)

• - Removedjsdom@7.2.2(transitive)

• - Removedjson-schema@0.4.0(transitive)

• - Removedjson-schema-traverse@0.4.1(transitive)

• - Removedjson-stringify-safe@5.0.1(transitive)

• - Removedjsprim@1.4.2(transitive)

• - Removedlevn@0.3.0(transitive)

• - Removedlodash@4.17.21(transitive)

• - Removedmime-db@1.52.0(transitive)

• - Removedmime-types@2.1.35(transitive)

• - Removednwmatcher@1.4.4(transitive)

• - Removedoauth-sign@0.9.0(transitive)

• - Removedoptionator@0.8.3(transitive)

• - Removedparse5@1.5.1(transitive)

• - Removedperformance-now@2.1.0(transitive)

• - Removedprelude-ls@1.1.2(transitive)

• - Removedpsl@1.15.0(transitive)

• - Removedpunycode@2.3.1(transitive)

• - Removedqs@6.5.3(transitive)

• - Removedreadable-stream@1.1.14(transitive)

• - Removedrequest@2.88.2(transitive)

• - Removedsafer-buffer@2.1.2(transitive)

• - Removedsax@1.4.1(transitive)

• - Removedsource-map@0.6.1(transitive)

• - Removedsshpk@1.18.0(transitive)

• - Removedstring_decoder@0.10.31(transitive)

• - Removedsymbol-tree@3.2.4(transitive)

• - Removedtough-cookie@2.5.0(transitive)

• - Removedtr46@0.0.3(transitive)

• - Removedtunnel-agent@0.6.0(transitive)

• - Removedtweetnacl@0.14.5(transitive)

• - Removedtype-check@0.3.2(transitive)

• - Removeduri-js@4.4.1(transitive)

• - Removeduuid@3.4.0(transitive)

• - Removedverror@1.10.0(transitive)

• - Removedwebidl-conversions@2.0.1(transitive)

• - Removedwhatwg-url-compat@0.6.5(transitive)

• - Removedword-wrap@1.2.5(transitive)

• - Removedxml-name-validator@2.0.1(transitive)

• Updatedcheerio@^0.22.0