Skip to content

Update dependency helmet to v3#4

Open
mend-for-github-com[bot] wants to merge 1 commit intomainfrom
whitesource-remediate/helmet-3.x
Open

Update dependency helmet to v3#4
mend-for-github-com[bot] wants to merge 1 commit intomainfrom
whitesource-remediate/helmet-3.x

Conversation

@mend-for-github-com
Copy link
Copy Markdown

@mend-for-github-com mend-for-github-com bot commented Nov 6, 2023
edited
Loading

This PR contains the following updates:

Package Type Update Change
helmet (source) dependencies major ^2.0.0^3.0.0

By merging this PR, the issue #16 will be automatically resolved and closed:

Severity CVSS Score Vulnerability Reachability
Medium Medium 4.3 CVE-2017-20162
Low Low 3.5 CVE-2017-20165

Release Notes

helmetjs/helmet (helmet)

v3.8.2

Compare Source

Changed
  • Updated connect dependency to latest

v3.8.1

Compare Source

Fixed
  • csp does not automatically set report-to when setting report-uri

v3.8.0

Compare Source

Changed
  • hsts no longer cares whether it's HTTPS and always sets the header

v3.7.0

Compare Source

Added
  • csp now supports report-to directive
Changed
  • Throw an error when used incorrectly
  • Add a few documentation files to npmignore

v3.6.1

Compare Source

Changed
  • Bump connect version

v3.6.0

Compare Source

Added
  • expectCt middleware for setting the Expect-CT header

v3.5.0

Compare Source

Added
  • csp now supports the worker-src directive

v3.4.1

Compare Source

Changed
  • Bump connect version

v3.4.0

Compare Source

Added
  • csp now supports more sandbox directives

v3.3.0

Compare Source

Added
  • referrerPolicy allows strict-origin and strict-origin-when-cross-origin directives
Changed
  • Bump connect version

v3.2.0

Compare Source

Added
  • csp now allows manifest-src directive

v3.1.0

Compare Source

Added
  • csp now allows frame-src directive

v3.0.0

Compare Source

Changed
  • csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
  • Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
  • false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
  • In CSP, reportOnly: true no longer requires a report-uri to be set.
  • hsts's maxAge now defaults to 180 days (instead of 1 day)
  • hsts's maxAge parameter is seconds, not milliseconds
  • hsts includes subdomains by default
  • domain parameter in frameguard cannot be empty
Removed
  • noEtag option no longer present in noCache
  • iOS Chrome connect-src workaround in CSP module
  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 6, 2023
@mend-for-github-com mend-for-github-com bot changed the title Update dependency helmet to v3 Update dependency helmet to v3 - autoclosed Aug 18, 2025
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/helmet-3.x branch August 18, 2025 18:21
@mend-for-github-com mend-for-github-com bot changed the title Update dependency helmet to v3 - autoclosed Update dependency helmet to v3 Aug 21, 2025
@mend-for-github-com mend-for-github-com bot reopened this Aug 21, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/helmet-3.x branch from cc57bf2 to 9c46c8b Compare August 21, 2025 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security fix Security fix generated by Mend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants