helmet - npm Package Versions

8.0.0

Changed

• Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
• Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
• Breaking: Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
• Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning

Removed

• Breaking: Drop support for Node 16 and 17. Node 18+ is now required

7.2.0 - 2024-09-28

Changed

• Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as self instead of 'self'. This will be an error in future versions. See #454

7.1.0 - 2023-11-07

Added

• helmet.crossOriginEmbedderPolicy now supports the unsafe-none directive. See #477

7.0.0 - 2023-05-06

Changed

• Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411

Removed

• Breaking: Drop support for Node 14 and 15. Node 16+ is now required
• Breaking: Expect-CT is no longer part of Helmet. If you still need it, you can use the expect-ct package. See #378

6.2.0 - 2023-05-06

• Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
• Rework documentation

6.1.5 - 2023-04-11

Fixed

• Fixed yet another issue with TypeScript exports. See #420

6.1.4 - 2023-04-10

Fixed

• Fix another issue with TypeScript default exports. See #418

6.1.3 - 2023-04-10

Fixed

• Fix issue with TypeScript default exports. See #417

6.1.2 - 2023-04-09

Fixed

• Retored main to package to help with some build tools

6.1.1 - 2023-04-08

Fixed

• Fixed missing package metadata