helmet - npm Package Compare versions

Comparing version 5.0.2 to 5.1.0

CHANGELOG.md
# Changelog
### 5.0.2 - 2022-01-22
## 5.1.0 - 2022-05-17
### Added
- `Cross-Origin-Embedder-Policy`: support `credentialless` policy. See [#365](https://github.com/helmetjs/helmet/pull/365)
- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only`
### Changed
- Cleaned up some documentation around `Origin-Agent-Cluster`
## 5.0.2 - 2022-01-22
### Changed
- Improve imports for CommonJS and ECMAScript modules. See [#345](https://github.com/helmetjs/helmet/pull/345)
- Fixed some documentation
### 5.0.1 - 2022-01-03
## 5.0.1 - 2022-01-03
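Review bot: the release headings for 5.0.2 and 5.0.1 move from `###` to `##`, which matches the new `## 5.1.0` entry; make sure the older entries further down the file get the same treatment so every release sits at one heading level. In the 5.1.0 "Added" bullet, stating that the default stays `require-corp` would make it explicit that `credentialless` is opt-in and the change is non-breaking.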

@@ -20,3 +31,3 @@ ### Changed

### 5.0.0 - 2022-01-02
## 5.0.0 - 2022-01-02

@@ -35,2 +46,4 @@ ### Added

- **Breaking:** `helmet.originAgentCluster` is enabled by default
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322)
- Top-level `helmet()` function is slightly faster

@@ -41,9 +54,2 @@ ### Removed

## Unreleased
### Changed
- Top-level `helmet()` function is slightly faster
- `helmet.frameguard`: add TypeScript editor autocomplete. See [#322](https://github.com/helmetjs/helmet/pull/322)
## 4.6.0 - 2021-05-01

@@ -50,0 +56,0 @@

@@ -120,5 +120,14 @@ "use strict"

function crossOriginEmbedderPolicy() {
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless"])
function getHeaderValueFromOptions$7({ policy = "require-corp" }) {
if (ALLOWED_POLICIES$2.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginEmbedderPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$7(options)
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Embedder-Policy", "require-corp")
res.setHeader("Cross-Origin-Embedder-Policy", headerValue)
next()
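Review bot: the error thrown in `getHeaderValueFromOptions$7` names the rejected value but not the accepted ones; consider appending the contents of `ALLOWED_POLICIES$2` to the message (for example `...does not support the "foo" policy; expected one of "require-corp", "credentialless"`) so a misconfiguration is self-explanatory at startup. The allowlist itself is the right shape: the lookup runs when the middleware is built, not per request, so an unsupported value fails fast instead of being written into the response header.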

@@ -125,0 +134,0 @@ }

@@ -116,5 +116,14 @@ const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc")

function crossOriginEmbedderPolicy() {
const ALLOWED_POLICIES$2 = new Set(["require-corp", "credentialless"])
function getHeaderValueFromOptions$7({ policy = "require-corp" }) {
if (ALLOWED_POLICIES$2.has(policy)) {
return policy
} else {
throw new Error(`Cross-Origin-Embedder-Policy does not support the ${JSON.stringify(policy)} policy`)
}
}
function crossOriginEmbedderPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions$7(options)
return function crossOriginEmbedderPolicyMiddleware(_req, res, next) {
res.setHeader("Cross-Origin-Embedder-Policy", "require-corp")
res.setHeader("Cross-Origin-Embedder-Policy", headerValue)
next()
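Review bot: this hunk duplicates the CommonJS one above line for line, including the `$2` and `$7` suffixes, so the error-message suggestion there applies here as well; if the test suite imports only one of the two entry points, the validation path in the other bundle is untested.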

@@ -121,0 +130,0 @@ }

import { IncomingMessage, ServerResponse } from "http"
declare function crossOriginEmbedderPolicy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export interface CrossOriginEmbedderPolicyOptions {
policy?: string
}
declare function crossOriginEmbedderPolicy(options?: Readonly<CrossOriginEmbedderPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void
export default crossOriginEmbedderPolicy
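Review bot: `policy?: string` in `CrossOriginEmbedderPolicyOptions` is wider than the runtime allowlist, which accepts only `require-corp` and `credentialless`; narrowing the type to a union of those two string literals would catch typos at compile time and give the same editor autocomplete this changelog records for `helmet.frameguard` in 5.0.0.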

@@ -9,3 +9,3 @@ {

"description": "help secure Express/Connect apps with various HTTP headers",
"version": "5.0.2",
"version": "5.1.0",
"keywords": [

@@ -29,16 +29,16 @@ "express",

"devDependencies": {
"@rollup/plugin-typescript": "^8.3.0",
"@rollup/plugin-typescript": "^8.3.2",
"@types/connect": "^3.4.35",
"@types/jest": "^27.0.3",
"@types/supertest": "^2.0.11",
"@typescript-eslint/eslint-plugin": "^5.4.0",
"@typescript-eslint/parser": "^5.4.0",
"@types/jest": "^27.5.1",
"@types/supertest": "^2.0.12",
"@typescript-eslint/eslint-plugin": "^5.25.0",
"@typescript-eslint/parser": "^5.25.0",
"connect": "^3.7.0",
"eslint": "^8.3.0",
"jest": "^27.3.1",
"prettier": "^2.4.1",
"rollup": "^2.60.2",
"supertest": "^6.1.6",
"ts-jest": "^27.0.7",
"typescript": "^4.5.2"
"eslint": "^8.15.0",
"jest": "^28.1.0",
"prettier": "^2.6.2",
"rollup": "^2.73.0",
"supertest": "^6.2.3",
"ts-jest": "^28.0.2",
"typescript": "^4.6.4"
},
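Review bot: `jest` and `ts-jest` move to major version 28 while `@types/jest` stays on `^27.5.1`; check whether a 28.x release of `@types/jest` is available and bump it in the same change so the type definitions match the test runner's API.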

@@ -49,3 +49,3 @@ "scripts": {

"lint": "npm run lint:eslint && npm run lint:prettier",
"lint:eslint": "eslint \"**/*.ts\"",
"lint:eslint": "eslint .",
"lint:prettier": "prettier --check .",
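Review bot: replacing `eslint "**/*.ts"` with `eslint .` changes which files are linted. With an eslintrc-style configuration ESLint only picks up `.ts` files when the config declares them (an `overrides` entry with `files: ["*.ts"]`) or when `--ext .ts` is passed, and it now also walks every non-ignored `.js` file in the tree. Confirm the ESLint config covers `.ts`, and that the generated bundles shown earlier in this diff are excluded via `.eslintignore`.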

@@ -52,0 +52,0 @@ "format": "prettier --write .",

@@ -157,3 +157,3 @@ # Helmet

`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead.
`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560).
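Review bot: the new sentence points readers to a GitHub issue comment for the "both headers" snippet; a link into an issue thread can be edited or go stale, so the snippet itself belongs inline in this section, with the issue link kept as a reference.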

@@ -238,14 +238,6 @@ You can also get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`.

<details>
<summary><code>helmet.crossOriginEmbedderPolicy()</code></summary>
<summary><code>helmet.crossOriginEmbedderPolicy(options)</code></summary>
`helmet.crossOriginEmbedderPolicy` sets the `Cross-Origin-Embedder-Policy` header to `require-corp`. See [MDN's article on this header](https://developer.cdn.mozilla.net/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) for more.
Example usage with Helmet:
```js
// Uses the default Helmet options and adds the `crossOriginEmbedderPolicy` middleware.
// Sets "Cross-Origin-Embedder-Policy: require-corp"
app.use(helmet({ crossOriginEmbedderPolicy: true }));
```
Standalone example:
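Review bot: the `<summary>` line now advertises `options`, but the description directly below it still says the header is set to `require-corp` and never mentions `options.policy`, its default, or the new `credentialless` value; add a sentence describing the option. Separately, the MDN link in that description uses the `developer.cdn.mozilla.net` host rather than `developer.mozilla.org`.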

@@ -256,2 +248,5 @@

app.use(helmet.crossOriginEmbedderPolicy());
// Sets "Cross-Origin-Embedder-Policy: credentialless"
app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" }));
```

@@ -462,10 +457,2 @@

Example usage with Helmet:
```js
// Uses the default Helmet options and adds the `originAgentCluster` middleware.
// Sets "Origin-Agent-Cluster: ?1"
app.use(helmet({ originAgentCluster: true }));
```
Standalone example:

@@ -594,3 +581,3 @@

If you're using Express, this middleware will work, but you should use `app.disable("x-powered-by")` instead.
Note: [Express has a built-in way to disable the `X-Powered-By` header](https://stackoverflow.com/a/12484642/804100), which you may wish to use instead of this middleware.
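Review bot: the replacement drops the concrete call `app.disable("x-powered-by")` in favour of a Stack Overflow link; keeping the one-line call inline (the link can remain as a reference) lets readers act without leaving the README.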

@@ -597,0 +584,0 @@ Examples:
