Evan Hahn (EvanHahn), https://evanhahn.com/

I am a software engineer who lives in a haunted mansion

Alhadis/language-viml 17

Vim script syntax highlighting for Atom and GitHub.

agiantwhale/caenhacks 15

Take advantage of University of Michigan's CAEN environment.

EvanHahn/airtable-cli 8

a command line interface to Airtable (WIP)

brandly/wrenpm 7

A package manager for Wren

EvanHahn/arraywrap.js 6

if it's not an array, wrap it in an array. if it's already an array, do nothing.

EvanHahn/atom-language-brainfuck 6

Brainfuck syntax for Atom

350org/strikes-poster-generator 3

A mini web app that lets anyone create a printable poster or flyer with their own custom text.

brandly/tunes 1

super broken music player built on node-webkit

EvanHahn/apiguide 1

API Design Guide

EvanHahn/Aubrey 1

turn any key-value store into a powerful collection (WIP)

issue comment helmetjs/helmet

CSP: `defaultSrc` should not be required

My understanding, which may be wrong, is that a missing default-src directive is the same as default-src *. I wanted to make sure that Helmet's users explicitly opted into this behavior because I feel that it's a little dangerous.

Would you be okay setting default-src to *? (Do I misunderstand the way this directive works?)

As another option, you can avoid Helmet's CSP module entirely to get more control. Here's a quick sketch of what that could look like:

const contentSecurityPolicy = [
  "script-src 'self' example.com",
  "style-src 'self'",
  // ...
].join(";");

app.use((req, res, next) => {
  res.setHeader("Content-Security-Policy", contentSecurityPolicy);
  next();
});

I'm open to reverting this behavior but want to learn more before I do so.

jnardone

comment created time in 9 hours
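The comment above argues that a policy without default-src leaves every unlisted resource type unrestricted. The following JavaScript is an added example, not code from Helmet or from the comment: it serializes and parses a policy string, walks the CSP Level 3 fallback chain for each fetch directive, and lists which resource types the sketch above leaves open. The directive and fallback tables are the standard ones from the spec; the function names are this example's own.

```javascript
// Added example, not Helmet's code. Fallback chains follow CSP Level 3
// (e.g. worker-src -> child-src -> script-src -> default-src). When nothing
// in a directive's chain is set, that resource type is unrestricted.

// Fetch directives considered here; CSP defines more, these suffice to show
// the fallback behaviour.
const FETCH_DIRECTIVES = [
  "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr",
  "img-src", "font-src", "connect-src", "media-src", "object-src",
  "frame-src", "child-src", "worker-src", "manifest-src",
];

// Fallback order for directives whose chain is longer than just default-src.
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"],
  "script-src-attr": ["script-src", "default-src"],
  "style-src-elem": ["style-src", "default-src"],
  "style-src-attr": ["style-src", "default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Serialize a directive map ({ "script-src": ["'self'"] }) into a header value.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Parse a header value back into a directive map. Tolerates stray whitespace
// and empty segments; directive names are lower-cased.
function parseCsp(header) {
  const directives = {};
  for (const segment of header.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// The source list that actually governs `fetchDirective`, found by walking
// its fallback chain. Returns null when the chain is empty (unrestricted).
function effectiveSources(directives, fetchDirective) {
  const chain = [fetchDirective, ...(FALLBACK[fetchDirective] || ["default-src"])];
  for (const name of chain) {
    if (Object.prototype.hasOwnProperty.call(directives, name)) {
      return directives[name];
    }
  }
  return null;
}

// Defender-side check: which resource types does this policy leave open?
function unrestrictedFetchDirectives(directives) {
  return FETCH_DIRECTIVES.filter(
    (name) => effectiveSources(directives, name) === null
  );
}

// The sketch from the comment above, which sets no default-src.
const sketch = parseCsp("script-src 'self' example.com;style-src 'self'");
console.log(serializeCsp(sketch));
console.log("left unrestricted:", unrestrictedFetchDirectives(sketch));

// The same policy with an explicit default-src: nothing falls through.
const withDefault = { "default-src": ["'self'"], ...sketch };
console.log("left unrestricted:", unrestrictedFetchDirectives(withDefault));
```

Note that worker-src is not reported as open for the sketch even though it is unset: its chain reaches script-src before default-src, which is exactly the kind of detail that makes an explicit default-src the safer starting point.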

push event EvanHahn/js13kgames-2013

Evan Hahn

commit sha d275eb639e2d9e938ea3d9013baf9c11a25d46a9

Remove all personality from readme

push time in 13 hours

issue comment DefinitelyTyped/DefinitelyTyped

Removing a package's types if another package depends on them

It looks like https://github.com/microsoft/DefinitelyTyped-tools/pull/76 has been merged but not deployed, so I don't think I can remove helmet from this repo yet. Maybe that's wrong!

@sandersn How would you update @types/koa-helmet? What would you change? If relevant, helmet@4's types are fairly different from helmet@3.

I realize I don't know much about how DefinitelyTyped operates...apologies.

EvanHahn

comment created time in 18 hours

push event EvanHahn/DefinitelyTyped

Antoine Doubovetzky

commit sha fd6cdb6097eb50a75caadd3d72df06a434d02238

🤖 Merge PR #46507 (react-native) add missing onTextLayout prop on TextProps by @AntoineDoubovetzky

* :sparkles: (react-native) add missing onTextLayout prop on TextProps

  Text component has an onTextLayout prop (https://reactnative.dev/docs/text#ontextlayout) but it is missing from the definitions

* :white_check_mark: (react-native) add tests on Text component


ezsh

commit sha f2c45f435aab4107d0959223442761c31a61d3f8

🤖 Merge PR #46340 [twine-sugarcube] update to 2.33 and fixes by @ezsh

* [twine-sugarcube] update to 2.33 and fixes
* Add custom Jquery event types.


Rohit Garg

commit sha bbc8c7c7b7e92ba094ea349d56977e00f6f7f42d

🤖 Merge PR #46444 Add `allCells` in UseTableRowProps by @gargroh implementation at - https://github.com/tannerlinsley/react-table/blob/master/src/hooks/useTable.js#L405


Carlos Ingles

commit sha 0ae251399bb159ed93783354bb78652ecf4a4503

🤖 Merge PR #46518 [@types/yup] fix InferType working with nested optional properties by @carlosingles

* fix nested optional properties

  fixes #45100

* add additional test cases


Alice Gaudon

commit sha d7003e1d18fbd85567a64f8991401799dcb4b26d

🤖 Merge PR #46448 [ldapjs] add missing close method to Server by @ArisuOngaku


thg-ryan-jackson

commit sha 2b4d8200aa9adc34dd7389d121656d07faf03f3c

🤖 Merge PR #46246 Update angular-cookies to 1.8.x by @thg-ryan-jackson

* add tests for angular-cookies
* update angular-cookies to 1.8.x
* remove deprecated types


Piotr Błażejewicz (Peter Blazejewicz)

commit sha 6e50238259ac57070c10a1bc5fba7b12f0c1880a

🤖 Merge PR #46509 update(react-helmet): 6.1 ES exports changes by @peterblazejewicz

This commit updates definition by:

- adding support for 6.1 change introducing named and default exports support (this fixes errors like `JSX element type 'Helmet' does not have any construct or call signatures.`)
- minor version bump
- maintainer added

https://github.com/nfl/react-helmet/pull/547
https://github.com/nfl/react-helmet/releases/tag/6.1.0

Thanks!


Alex Lisenkov

commit sha 68c3aeae8f8b1da7ced791148986f911d556d276

🤖 Merge PR #46255 react-test-renderer: add array return types for fragment components by @AlexLisenkov


Masafumi Koba

commit sha 15146dc22858b0fcdb7a70d32a65e885be7c2d9c

🤖 Merge PR #46344 [postcss-less] improve definitions by @ybiquitous

- Add the missing `VariableAtRule.value` property.
  - https://github.com/shellscape/postcss-less/blob/v3.1.4/lib/nodes/variable.js#L24
  - https://github.com/shellscape/postcss-less/blob/v3.1.4/lib/nodes/variable.js#L30
- Add the missing `ExtendDeclaration` interface. See the test code below:
  - https://github.com/shellscape/postcss-less/blob/v3.1.4/lib/LessParser.js#L187

```console
$ node -e "require('postcss-less').parse('&:extend(.a)').walkDecls(console.log)"
<ref *1> Declaration {
  raws: { before: '', between: ':' },
  type: 'decl',
  parent: Root {
    raws: { semicolon: false, after: '' },
    type: 'root',
    nodes: [ [Circular *1] ],
    source: { input: [Input], start: [Object] },
    lastEach: 1,
    indexes: { '1': 0 }
  },
  source: {
    start: { line: 1, column: 1 },
    input: Input { css: '&:extend(.a)', hasBOM: false, id: '<input css 1>' },
    end: { line: 1, column: 12 }
  },
  prop: '&',
  value: 'extend(.a)',
  extend: true
} 0
```


Ulysse Manceron

commit sha be5c4773c1bd3df7798cfc07c8eb0caeeeb2c827

🤖 Merge PR #46514 spotify-api: Fixed playlist-object-simplified not having a description by @UlysseM

* Update index.d.ts

  https://developer.spotify.com/documentation/web-api/reference/object-model/#playlist-object-simplified

  The description is also a part of the simplified playlist object,

* fixed unit test


gin0606

commit sha 4eb18eb7f4e4ab941a132a8074b71bc5e3a4c0f9

🤖 Merge PR #46542 [@types/react-native-canvas] Fix Canvas#toDataURL type definition. by @gin0606 https://github.com/iddan/react-native-canvas#canvastodataurl


Cristian Calugar

commit sha 11fb13b06227da1da0d98d6e8c8fb0432fb3bfcf

🤖 Merge PR #46427 unl-core new type definitions by @cristian-calugar

* feat(unl-core): New type definitions
* feat(unl-core): New type definitions
* fix(unl-core): Fixed lint error

push time in 18 hours

push event EvanHahn/evanhahn-dot-com

Evan Hahn

commit sha 1858fc595fc421a97f745e5a830e329f04b97919

Add JS1024 2020 entry to list of projects

push time in a day

issue comment DefinitelyTyped/DefinitelyTyped

Removing a package's types if another package depends on them

Sounds good! I'll keep an eye on https://github.com/microsoft/DefinitelyTyped-tools/pull/76.

EvanHahn

comment created time in 2 days

issue closed helmetjs/helmet

Show how to use helmetjs without express

Hey, I think it would be awesome if helmetjs would be more open for other frameworks (or use without any).

As far as I understand, this is already possible (https://github.com/helmetjs/helmet/issues/100), correct? I think it would be good to document this prominently in the repo.

closed time in 2 days

lukasoppermann

issue comment helmetjs/helmet

Show how to use helmetjs without express

Finally got around to this and put it in a wiki page, "How to use Helmet without Express".

I'm going to close this issue because I think I've addressed your issue, but feel free to comment further.

lukasoppermann

comment created time in 2 days

GollumEvent

issue comment helmetjs/helmet

Issues with TypeScript imports in 4.0.0

I'd like to fix the Helmet types.

Helmet is a CommonJS module (in other words, it uses module.exports and not export ...). Therefore, without esModuleInterop, I would expect users to do something like this:

import helmet = require("helmet");

With esModuleInterop, I'd expect something like this to work:

import helmet from "helmet";

I'm not an expert at how TypeScript modules work, nor am I certain why some people are having problems and some are not.

If anyone has suggestions for how to fix this, I'd appreciate it!

zen0wu

comment created time in 2 days

issue closed helmetjs/helmet

Expression is not callable in 4.0.0

After updating to 4.0.0 version the helmet middleware configuration throws an error:

This expression is not callable.
 Type 'typeof import("/node_modules/helmet/dist/index")' has no call signatures.ts(2349)

This is the code I'm trying to run:

import * as helmet from 'helmet';
import * as express from "express";

const app = express();

// express middleware configuration
app.use(helmet())

closed time in 2 days

MarluanEspiritusanto

issue comment helmetjs/helmet

Expression is not callable in 4.0.0

This issue looks the same as #235, so I'm going to close this issue and move discussion there.

MarluanEspiritusanto

comment created time in 2 days

issue comment helmetjs/helmet

Expression is not callable in 4.0.0

I'd like to fix the Helmet types.

Helmet is a CommonJS module (in other words, it uses module.exports and not export ...). Therefore, without esModuleInterop, I would expect users to do something like this:

import helmet = require("helmet");

Though I'm not an expert at how TypeScript modules work.

MarluanEspiritusanto

comment created time in 2 days

issue comment DefinitelyTyped/DefinitelyTyped

Removing a package's types if another package depends on them

To make sure I understand: it sounds like the first step is to properly version Helmet v3 in DefinitelyTyped. Is that right?

EvanHahn

comment created time in 2 days

issue comment helmetjs/helmet

New export behavior is broken in 4.0.0

A couple of questions to help me debug:

  1. What does your tsconfig.json look like? Specifically, what is the value of esModuleInterop?
  2. Do you still have @types/helmet installed?

zen0wu

comment created time in 2 days

issue comment helmetjs/helmet

Expression is not callable in 4.0.0

Would you be willing to enable esModuleInterop, if that fixes your problem?

MarluanEspiritusanto

comment created time in 2 days

issue comment helmetjs/helmet

New export behavior is broken in 4.0.0

What does your build setup look like? I didn't experience this problem when testing things, but I may have made a mistake.

Also: are you using helmet or helmet-csp?

zen0wu

comment created time in 2 days

issue comment helmetjs/helmet

Expression is not callable in 4.0.0

What does your tsconfig.json look like, if you can share it?

MarluanEspiritusanto

comment created time in 2 days

issue opened DefinitelyTyped/DefinitelyTyped

Removing a package's types if another package depends on them

I am the maintainer of helmet. I just released helmet@4 which bundles type definitions, so I tried removing them from DefinitelyTyped (with npm run not-needed).

However, this breaks koa-helmet, which depends on helmet@3's types.

How can I remove helmet@4's types from DefinitelyTyped without breaking koa-helmet?

created time in 3 days

push event helmetjs/eslint-config-helmet

Evan Hahn

commit sha 1a8b073460a85e8f4ceb2611753a2ff96515138d

This module is no longer used

push time in 3 days

push event helmetjs/hsts

Evan Hahn

commit sha e90114a83462ff6e7f04f4eeaed0f15653ac5d93

Mark this module as having moved to helmetjs/helmet

push time in 3 days

push event helmetjs/x-xss-protection

Evan Hahn

commit sha 5bc958726a59be2f29c69950be2a8733742df891

Mark this module as having moved to helmetjs/helmet

push time in 3 days

push event helmetjs/csp

Evan Hahn

commit sha df6cbcae75e5732aa5ee2da11a42df11b2c98ac9

Mark this module as having moved to helmetjs/helmet

push time in 3 days

pull request comment helmetjs/helmetjs.github.io

Spanish translation of the docs

Helmet 4 was just released, so there should be a lot less work. Thank you, and take your time!

LautaroJayat

comment created time in 3 days

issue closed helmetjs/helmet

X-XSS-Protection: header should be disabled by default

Following a decision by Google Chrome developers to disable Auditor, developers should be able to disable the auditor for older browsers and set it to 0. The X-XSS-PROTECTION header was found to have a multitude of issues, instead of helping the developers protect their application. The following discussion describes the issue at hand with more references: https://github.com/OWASP/CheatSheetSeries/issues/376

A PR is currently open to tackle the issue at the CheatSheet Series project: https://github.com/OWASP/CheatSheetSeries/pull/378

If approved, we can help with creating a PR for this issue. Available for further discussions 😄

closed time in 3 days

ThunderSon

issue comment helmetjs/helmet

X-XSS-Protection: header should be disabled by default

Helmet v4 (and x-xss-protection@2) was just released, which disables this header.

Thanks for reporting and for discussing this with me.

ThunderSon

comment created time in 3 days

issue comment helmetjs/helmet

Expect-CT: put max-age first

Helmet 4 (and expect-ct@1.0.0) was just released, so feel free to go ahead with your change. No rush, though!

EvanHahn

comment created time in 3 days

issue closed helmetjs/csp

Cannot Use Function Instead of Array as Value of Directive

I would like to be able to dynamically determine the whole set of values of a directive instead of only dynamically determining specific values within that set, in cases where I may want to include 0 or multiple additional such values.

This appears to be supported in parse-dynamic-directive, but is disallowed by check-directive/source-list. I did see that in a previous issue it was recommended to just create the middleware on each request, but it would be nice to see Function support at the directive value-set level seeing as it is already allowed at the directive value level. Additionally, although by checking the source code I know there's no stateful behavior in this middleware, it would be nice to not have to consider that in the first place.

It looks like this could be fixed by just adding an if (isFunction(value)) { return } case to check-options/check-directive/source-list.js before the Array.isArray() case. I could open a PR with that change.

closed time in 3 days

joedski

issue comment helmetjs/csp

Cannot Use Function Instead of Array as Value of Directive

helmet@4 and helmet-csp@3 were just released, which don't allow functions to be used anywhere in the options. However, I've put together a guide showing how to do this, which you can read here.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

joedski

comment created time in 3 days

issue comment helmetjs/csp

Duplicate keys should error

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

EvanHahn

comment created time in 3 days

issue closed helmetjs/csp

No CSP headers for iOS WebViews

When visiting a page through an iOS WebView, no CSP headers are emitted.

One can e.g. open the Facebook or LinkedIn app on iOS and click on any link, which will cause a WebView to appear. If the URL being visited uses this package, no CSP headers will be emitted.

This happens because the user agent string being passed is determined to be Safari. The version number however, is not determined.

An example WebView user agent from an iphone: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]

Here is where it ends up:

https://github.com/helmetjs/csp/blob/8bf3360019b61be93b8cf18a1bad8fe9fe43578f/lib/get-header-keys-for-browser.ts#L95-L97

And after that:

https://github.com/helmetjs/csp/blob/8bf3360019b61be93b8cf18a1bad8fe9fe43578f/index.ts#L40-L43

Returning no headers if the version number cannot be determined seems like the default behavior for the other browser vendors as well. I do not think this is a good idea. It should default to at least the most recent header name.

closed time in 3 days

emilmuller

issue comment helmetjs/csp

No CSP headers for iOS WebViews

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

emilmuller

comment created time in 3 days

issue closed helmetjs/csp

Add support for trusted-types

Reference: https://github.com/w3c/webappsec-trusted-types
Spec: https://w3c.github.io/webappsec-trusted-types/dist/spec/
MDN: https://developer.mozilla.org/es/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
Web.dev post: https://web.dev/trusted-types/

The first browser to support this will be Chrome 83.

closed time in 3 days

Cherry

issue comment helmetjs/csp

Add support for trusted-types

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

Cherry

comment created time in 3 days

issue closed helmetjs/csp

Remove browser sniffing

I plan to remove browser sniffing from the next major version of helmet-csp.

Different browsers have different support for Content Security Policies. Some only support certain directives, where some have different headers (like X-Webkit-CSP). Currently, this module sniffs the browser's User-Agent to figure out what headers to set. However, I'm planning to remove this from the next major version.

My reasons:

  1. Browser sniffing has been the source of many bugs due to its complexity.
  2. Browser sniffing makes this module difficult for me to maintain confidently.
  3. Modern browsers' CSP implementations are fairly stable, and user share of old browsers is dropping. That makes browser sniffing less useful.
  4. Content Security Policies are typically used as defense-in-depth rather than the first line of defense against attacks. For example, you should probably sanitize user input and not rely on CSP.
  5. Parsing and switching on the User-Agent is slower and uses more memory.

I opened this issue to track the work, but mostly to solicit feedback. If you rely on browser sniffing and would be sad to see it go, or if you have other thoughts, let me know!

closed time in 3 days

EvanHahn

issue comment helmetjs/csp

Remove browser sniffing

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

EvanHahn

comment created time in 3 days

issue closed helmetjs/csp

Add support for script-src-elem directive

Now that script-src-elem is a thing with CSPv3, can we use it with express already? Can I do something like

app.use(
	helmet(
		{
			contentSecurityPolicy: {
				directives: {
					scriptSrcElem: [
						"'self'",
						( request, response ) => `'nonce-${response.locals.nonce}'`
					]
				},
				browserSniff: false
			}
		}
	),
	sapper.middleware(),
	compression({ threshold: 0 })
);

i.e. using scriptSrcElem instead of scriptSrc?

closed time in 3 days

evdama

issue comment helmetjs/csp

Add support for script-src-elem directive

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

evdama

comment created time in 3 days

issue closed helmetjs/csp

reportTo directive

report-to directive is set with reportUri directive validation, which is kind of incorrect (report-uri needs a uri, report-to needs a group name).

Looking at the reportUri directive validation definition, it is just a non-empty string. This is correct for both reportUri and reportTo CSP values. Shouldn't we change the type name?

As a note, the only thing reportTo CSP property depends on is the Report-to header, but I guess there is no easy way to do that validation here.

closed time in 3 days

sericaia

issue comment helmetjs/csp

reportTo directive

This has been addressed in helmet@4 and helmet-csp@3.0.0.

I'm going to be archiving this repository soon and moving everything to https://github.com/helmetjs/helmet/, so feel free to open an issue there if you run into any problems.

sericaia

comment created time in 3 days

issue closed helmetjs/csp

Duplicate keys should error

This should be invalid:

csp({
  directives: {
    'script-src': ['example.com'],
    scriptSrc: ['example.com']
  }
})

This is a breaking change, so we'll need to do it in Helmet 4.

closed time in 3 days

EvanHahn

issue comment helmetjs/csp

Duplicate keys should error

This has been addressed in helmet@4 and helmet-csp@3.0.0.

EvanHahn

comment created time in 3 days

issue closed helmetjs/helmet

Add X-Permitted-Cross-Domain-Policies: none as default

This is a 4.x change.

closed time in 3 days

EvanHahn

issue comment helmetjs/helmet

Add X-Permitted-Cross-Domain-Policies: none as default

This header is enabled by default in helmet@4.

EvanHahn

comment created time in 3 days

push event helmetjs/helmet

Evan Hahn

commit sha b82a51f81d6fb6ba3bb09fd56e2aea8c1d2ee04a

Content-Security-Policy 3.0.0

push time in 3 days

issue closed helmetjs/helmet

Integrate TS types into Helmet directly

I noticed that for a while the helmetjs project has been active in reviewing updates to the DefinitelyTyped definitions for helmet and wondered if it was worth migrating the types to this repository.

They could still be a second class citizen, but it would mean users only need to include a single dependency to get the types and the helmet project would be able to ship changes more readily to the types without having to wait for the changes to go out via DT.

This may not be practical as it'll add overhead to the maintainership of helmet, but if time is already being spent to review the types it could actually reduce the effort even if changes are left to the community to submit PRs for.

As a user of helmet and typescript I'd be happy to help maintain the types and be tagged as a reviewer in any community PRs.

This discussion has been brought over from https://github.com/DefinitelyTyped/DefinitelyTyped/pull/33507

closed time in 3 days

BlueHatbRit

issue comment helmetjs/helmet

Integrate TS types into Helmet directly

TypeScript types were added to Helmet in version 4, which you can install with npm install helmet@4. Closing this issue because I believe this is resolved, but feel free to comment or open a new issue.

BlueHatbRit

comment created time in 3 days

issue closed helmetjs/helmet

Exporting TypeScript types

Whilst migrating the main helmet package over to TypeScript, I discovered an issue to do with exporting types:

Property 'dnsPrefetchControl' of exported interface has or is using name 'DnsPrefetchControlOptions' from private module '"./node_modules/dns-prefetch-control/dist/index"'.

In this example, I believe the DnsPrefetchControlOptions type needs to be exported in the main module definition. However, because we are using CJS exports, we cannot simply prefix the type definition with export (as there can only be a single export). Instead, the suggested way is to use namespaces:

/* eslint-disable @typescript-eslint/no-namespace */
namespace dnsPrefetchControl {
  export interface DnsPrefetchControlOptions {
    /* ... */
  }
}

// eslint-disable-next-line no-redeclare
function dnsPrefetchControl (options: dnsPrefetchControl.DnsPrefetchControlOptions = {}) {
  /* ... */
}

In the interest of preserving CJS exports, does this seem like a reasonable way for now? In the future, we can make a breaking change to use ES modules everywhere which would make things a lot nicer, but this change would at least make it possible to migrate this module to TypeScript. 👍

closed time in 3 days

benhjames

issue comment helmetjs/helmet

Exporting TypeScript types

TypeScript types were added to Helmet in version 4, which you can install with npm install helmet@4. Closing this issue because I believe this is resolved, but feel free to comment or open a new issue.

benhjames

comment created time in 3 days

push event EvanHahn/DefinitelyTyped

Nathan Shively-Sanders

commit sha 2be3bf45228f4781aa07813cff5fbf894005d62f

Update kap-plugin for conf 7 (#46405)

1. conf 7 uses #private, which requires Typescript 3.8 and target: "es2015" or higher.
2. conf 7's get returns `string | undefined`, not `string`, which is stricter.
3. conf 7's get accepts any `string`, not just the declared property names, which is less strict.


Noah Wilson

commit sha dce226c1a577562f8218360e28b7ffa3d2c64a0c

🤖 Merge PR #46243 ssh2-sftp-client add posixRename and retry connect opts by @noahw3


Pedro Luiz Cabral Salomon Prado

commit sha 14e185d5c8ca3491630e39956cdce3ee45045774

🤖 Merge PR #46379 update SaveOptions interface used in parameter of Model.prototype.save() by @pedroprado010 As documented at https://mongoosejs.com/docs/api/model.html#model_Model-save


Jakub Skoneczny

commit sha e5d0f2ebdc98d4ea48ddf8fd208972fdc2f85071

🤖 Merge PR #46200 Add type definitions for merge-refs by @Skona27


Dan Chif

commit sha c0bcb9f3a3e0c5e3a72921e551d8309177c7ae4b

🤖 Merge PR #46366 added types find-remove by @nadchif


Piotr Błażejewicz (Peter Blazejewicz)

commit sha 18204efa01987655fecb84d3899510c025517081

🤖 Merge PR #46358 update(swagger-ui-dist): update module detail and minor version bump by @peterblazejewicz

This commit tries to correct the module definition to match actual shape of the module:

- direct access to exported absolute path function
- namespace based access from main module
- minor version bump (3.30)
- maintainer added
- minor cleanup

This change should be backward compatible with pre-existing client code.

https://github.com/swagger-api/swagger-ui/blob/master/swagger-ui-dist-package/absolute-path.js
https://github.com/swagger-api/swagger-ui/blob/master/swagger-ui-dist-package/index.js
https://www.npmjs.com/package/swagger-ui-dist

Thanks!


RonaldZielaznicki

commit sha 67d62077592c04a901e7b3071257b075fed8cf41

🤖 Merge PR #46298 Bittorrent protocol add dynamic property key for extensions by @RonaldZielaznicki

* Add dynamic property to Wire Interface
* Attempt to access wire extensions name to test that extension can be accessed.


Federico Dondi

commit sha 74b97c3dcbb30154ee0aea35cdcebe2be4738667

🤖 Merge PR #46156 [@types/mongoose] add "post" hooks for Array-returning queries by @federico-dondi


Alexander Tartmin

commit sha 876d482024faf8e376e43007ced9119df937b381

🤖 Merge PR #46390 Added declaration file for react-native-event-source by @Baskerville42


bjarkler

commit sha d96c662064beb0d18a6fda75c06322a205766dc0

Update Trusted Types definitions to match spec (#46321) This addresses divergence in the current type definitions from the Trusted Types specification. The types were also rearranged to match spec order to make comparison easier. Tests were also updated accordingly. Had to bump compiler version to 3.1 to facilitate strongly typed rest parameters. The same had to be done for dompurify which depends on the trusted-types definitions. Thanks to @engelsdamien for the TypedPolicy implementation.


Michael Ness

commit sha a8dcb6163f0e7729abb9d4451d3f1e139da6986d

🤖 Merge PR #46352 [@types/underscore] Collection and Array Tests - SortBy, IndexBy, CountBy, and Invoke by @reubenrybnik

* Updating type definitions for sortBy, indexBy, and countBy and adding tests.
* Switching "iterator" to "iteratee" for a few test groups.
* Making a few adjustments to groupBy to better match similar functions.
* Updating type definitions for invoke and adding tests.
* Constraining allowed iteratee results for groupBy, indexBy, and countBy to EnumerableKey.


Gareth Jones

commit sha f11aec785ee84314e47b4959b5cd580c896a35d8

🤖 Merge PR #46348 fix(node): restore `process` & `console` globals by @G-Rath


Piotr Błażejewicz (Peter Blazejewicz)

commit sha 3e31d2867d650f457d0943bb437f160293c7fcf5

🤖 Merge PR #46345 feat(create-banner): new module definition by @peterblazejewicz

- definition file
- tests

https://github.com/fengyuanchen/create-banner

Thanks!


Piotr Błażejewicz (Peter Blazejewicz)

commit sha 5386d540aa7a594a7ae4ee3089198679883bbdfb

🤖 Merge PR #46346 feat(postcss-header): new type definition by @peterblazejewicz

- new definition file postcss plugin
- tests

https://www.npmjs.com/package/postcss-header
https://github.com/fengyuanchen/postcss-header

Thanks!


Rachita Bansal

commit sha cd47dd02b9c5ead8c17e8771d942bd6633e0f4f9

🤖 Merge PR #46364 Adding type definitions for query-string-params. by @bansalrachita


Jasmin Bom

commit sha 4601622df0aef0f97351dc05b58239d7a8c4fa8e

🤖 Merge PR #46342 Lots of fixes for firefox-webext-browser by @jsmnbom

- Fix handling of some functions with optional parameters (browser.runtime.connect, browser.alarms.create, etc, jsmnbom/definitelytyped-firefox-webext-browser#36)
- Fix a couple of return types (browser.alarms.get, browser.cookies.get, browser.cookies.remove) jsmnbom/definitelytyped-firefox-webext-browser#35
- Fix additional types from events having "Undefined in their name"
- Make "enums" with a single item not output an additional type
- Finally always use addtionaltypes for internal interfaces (with underscores in front) - this allows for using them in user code jsmnbom/definitelytyped-firefox-webext-browser#31


ExE Boss

commit sha 661506820433050469e8d608e3059b0166d043be

🤖 Merge PR #46413 fix(es‑abstract): Correct `PromiseResolve` type definition by @ExE-Boss


Nathan Levin-Greenhaw

commit sha b27845dbeaebc9b2d5cfbb742238fbc32dd10ded

🤖 Merge PR #46111 [@types/react-dates] two new fields to existing shapes by @njlg Co-authored-by: Nathan Levin-Greenhaw <nlevin-greenhaw@cmdtymkt.com>


Martin Pärtel

commit sha 59020cc50ac0888a561fe2ff012115ddae6b1e47

🤖 Merge PR #46399 array.prototype.flatmap: support ReadonlyArray by @mpartel

* array.prototype.flatmap: support ReadonlyArray
* array.prototype.flatmap: support readonly result from callback


qxg

commit sha 23aae8ba48af84c64dbd2bf7c7000d9fba815db1

🤖 Merge PR #45945 [ramda] Aligned chain type definition to its implementation by @qxg Co-authored-by: qxg <qxg@@users.noreply.github.com>

push time in 3 days

create branch EvanHahn/DefinitelyTyped

branch : helmet-v4

created branch time in 3 days

delete branch helmetjs/helmetjs.github.io

delete branch : 4.x

delete time in 3 days

push event helmetjs/helmetjs.github.io

Evan Hahn

commit sha e38ed4c5dfe8bb7f73bbae2d94d8dca4e4acb6d1

Update site for 4.x release

See [#48](https://github.com/helmetjs/helmetjs.github.io/pull/48).


push time in 3 days

PR merged helmetjs/helmetjs.github.io

Update site for 4.x release

I plan to merge this shortly after deploying helmet@4. See https://github.com/helmetjs/helmet/pull/197 for progress there.

+530 -2017

0 comment

30 changed files

EvanHahn

pr closed time in 3 days

created tag helmetjs/helmet

tag v4.0.0

Help secure Express apps with various HTTP headers

created time in 3 days

push event helmetjs/helmet

Evan Hahn

commit sha bdb09348c17c78698b0c94f0f6cc6b3968cd43f9

4.0.0

push time in 3 days

delete branch helmetjs/helmet

delete branch : 4.x

delete time in 3 days

push event helmetjs/helmet

George Zografos

commit sha 61fe8a3de50cbf98904b760fbf91fe8df6ab92b4

Remove hpkp from helmet See [#192](https://github.com/helmetjs/helmet/pull/192).

Evan Hahn

commit sha 22bd7e9d7d48d9f108336cc92490bc8ba7215085

Start a changelog for 4.0.0

Evan Hahn

commit sha 0c4e114c16bfdf858b78f2539aeec50e51584b84

Remove Feature-Policy middleware

Evan Hahn

commit sha 03fbb2cd75a093fe203c2caf197cf95ab2a3f95b

Remove helmet.noCache Closes [#215][0]. [0]: https://github.com/helmetjs/helmet/issues/215

Evan Hahn

commit sha 39ddc392c34ffa7853cf6b6820a253ce24cea7c5

X-Frame-Options: simplify code, drop support for ALLOW-FROM

Evan Hahn

commit sha ab556c272f85c84f34ccc04d7417f3412e6afd39

Require Node 10+ According to [the Node release schedule][0], Node 10 is the minimum supported version. Closes [#146][1]. [0]: https://github.com/nodejs/Release [1]: https://github.com/helmetjs/helmet/issues/146

Ameen Abdeen

commit sha 98b94a27801bac4881778082f0ce07d9327e7f02

Removed setTo argument from xPoweredBy

Ameen Abdeen

commit sha b2e247525a01da1d6e2d9ac1c2b0a96c2e9e5519

Added the link to the wiki

Ameen Abdeen

commit sha b9df8e8271bce4c68920c5b4532e8c3e8e6d0d84

Fixed lint issues

Ameen Abdeen

commit sha 384b343e16694d07e8b2c9b6044950b2133a8306

Resolved all comments by EvanHahn

Ameen Abdeen

commit sha bdd9ed96724000ec4f0c3b89a1c7e83b6ceeae29

Resolved merge conflicts in CHANGELOG.md

Evan Hahn

commit sha df561bb6a74ecfb26382f8ebfd27b21c17e1d9ab

Import Referrer-Policy (referrer-policy) middleware This imports the [helmet-csp package][0] into this repo as part of my effort to make Helmet a monorepo. You can find its prior history in the old repo. Similar to: * 936cd27c91364a91d108a9fe31b81c92fb423338 which imported `referrer-policy` * 141f13168c49e87662bf17bef1de2282883c5d12 which imported `crossdomain` * ff12fb70f20e60c12f6522f37cd1f4eaaaa98f48 which imported `dont-sniff-mimetype` * 2b64d114d36ed15d1002d118b5457855775dfa4d which imported `hide-powered-by` * 790660182bd2db31ff8aeeb8450e46947a91f6e8 which imported `frameguard` * d03c55582754252e92213cc3c5b780c22ae2d798 which imported `expect-ct` * e933c288336e6d8f9ee0de0a8caaa0c9a397a001 which imported `dns-prefetch-control` * 13b496f801ee3c77ae9cf91f13c6838263786cc3 which imported `ienoopen` [0]: https://github.com/helmetjs/csp

Evan Hahn

commit sha 88d17a8e7e80e6f45c7275a84e2aad192ca8a132

Fix npm scripts on Windows Closes [#227][0]. [0]: https://github.com/helmetjs/helmet/issues/227 (cherry picked from commit a4e02c56df299b31154b07a1c9553bfe6defe378)

Ameen Abdeen

commit sha 0464ae956714ce0587a105cfe15fcd97f4d57663

Removed bullet point within Removed header

Evan Hahn

commit sha 38e695dd2d980f9273f59ec64b9f6f4367ed5ef4

X-Powered-By: remove the `setTo` option Co-authored-by: Ameen Abdeen <ameen@linearsquared.com> See [#226][0]. Closes [#224][1]. [0]: https://github.com/helmetjs/helmet/pull/226 [1]: https://github.com/helmetjs/helmet/issues/224

Evan Hahn

commit sha a6d1f5e4779cc8d437404b81ae7a1d1493746029

X-Powered-By: fix up changelog

Evan Hahn

commit sha e1746c15f475bcccbc6fe3f2c674cebbe5892395

Add Ameen Abdeen to the contributors list See [this comment][0]. [0]: https://github.com/helmetjs/helmet/pull/226#issuecomment-656454205

Evan Hahn

commit sha f98ff722629dad07bb68c2bc2c0d06208e22f67c

Import X-XSS-Protection middleware This imports the [x-xss-protection package][0] into this repo as part of my effort to make Helmet a monorepo. You can find its prior history in the old repo. Similar to: * df561bb6a74ecfb26382f8ebfd27b21c17e1d9ab which imported `helmet-csp` * 936cd27c91364a91d108a9fe31b81c92fb423338 which imported `referrer-policy` * 141f13168c49e87662bf17bef1de2282883c5d12 which imported `crossdomain` * ff12fb70f20e60c12f6522f37cd1f4eaaaa98f48 which imported `dont-sniff-mimetype` * 2b64d114d36ed15d1002d118b5457855775dfa4d which imported `hide-powered-by` * 790660182bd2db31ff8aeeb8450e46947a91f6e8 which imported `frameguard` * d03c55582754252e92213cc3c5b780c22ae2d798 which imported `expect-ct` * e933c288336e6d8f9ee0de0a8caaa0c9a397a001 which imported `dns-prefetch-control` * 13b496f801ee3c77ae9cf91f13c6838263786cc3 which imported `ienoopen` [0]: https://github.com/helmetjs/x-xss-protection

Evan Hahn

commit sha 788d69bebb41d3e62cae76bdf1c440f6d03e45de

Import Strict-Transport-Security (hsts) middleware This imports the [hsts package][0] into this repo as part of my effort to make Helmet a monorepo. You can find its prior history in the old repo. Similar to: * f98ff722629dad07bb68c2bc2c0d06208e22f67c which imported `x-xss-protection` * df561bb6a74ecfb26382f8ebfd27b21c17e1d9ab which imported `helmet-csp` * 936cd27c91364a91d108a9fe31b81c92fb423338 which imported `referrer-policy` * 141f13168c49e87662bf17bef1de2282883c5d12 which imported `crossdomain` * ff12fb70f20e60c12f6522f37cd1f4eaaaa98f48 which imported `dont-sniff-mimetype` * 2b64d114d36ed15d1002d118b5457855775dfa4d which imported `hide-powered-by` * 790660182bd2db31ff8aeeb8450e46947a91f6e8 which imported `frameguard` * d03c55582754252e92213cc3c5b780c22ae2d798 which imported `expect-ct` * e933c288336e6d8f9ee0de0a8caaa0c9a397a001 which imported `dns-prefetch-control` * 13b496f801ee3c77ae9cf91f13c6838263786cc3 which imported `ienoopen` [0]: https://github.com/helmetjs/hsts

Evan Hahn

commit sha 7b4273421f200c89943b0e32fc5d7cc08a3347dd

Add type awareness and fixes to top level

push time in 3 days

PR merged helmetjs/helmet

Release v4.0.0

Planned release date: 2020-08-02

Currently published: helmet@4.0.0-rc.2. Feedback welcome!

  • [x] Additions
    • [x] Export TypeScript types (see #188, #209)
  • [x] Changes
    • [x] Enable all middlewares by default
    • [x] Content-Security-Policy: add default value
    • [x] Content-Security-Policy: fail if duplicate directives are found
    • [x] Content-Security-Policy: fail if syntactically directive names/values are found
    • [x] X-XSS-Protection should be disabled by default (see #230)
    • [x] Move all submodules into this repo (internal-only change)
      • [x] X-Download-Options middleware (see #221)
      • [x] Content-Security-Policy middleware
      • [x] Permitted-Cross-Domain-Policies middleware
      • [x] X-DNS-Prefetch-Control middleware
      • [x] Expect-CT middleware
      • [x] X-Frame-Options middleware
      • [x] X-Powered-By middleware
      • [x] Strict-Transport-Security middleware
      • [x] X-Content-Type-Options middleware
      • [x] Referrer-Policy middleware
      • [x] X-XSS-Protection middleware
    • [x] Update documentation
  • [x] Removals
    • [x] Drop support for old Node versions (see #146)
    • [x] Remove helmet.hpkp (see #180, #192)
    • [x] Remove helmet.noCache (see #215)
    • [x] Remove helmet.featurePolicy
    • [x] Content-Security-Policy: remove most checks
    • [x] Content-Security-Policy: remove functions as directive values
    • [x] Content-Security-Policy: remove loose
    • [x] Content-Security-Policy: remove setAllHeaders
    • [x] Content-Security-Policy: remove browser sniffing, including disableAndroid and browserSniff options (see https://github.com/helmetjs/csp/issues/97)
    • [x] Strict-Transport-Security: remove setIf (see #232)
    • [x] Strict-Transport-Security: remove includeSubdomains (lowercase "D") (see #231)
    • [x] X-Frame-Options: drop ALLOW-FROM support
    • [x] X-Frame-Options: drop String support
    • [x] X-Powered-By: remove setTo option (see #224)

+2809 -2697

4 comments

56 changed files

EvanHahn

pr closed time in 3 days

push event helmetjs/helmet

Evan Hahn

commit sha 6d3f0286e85e1b7761bed36eb4c44db9303850f4

Update changelog for 4.0.0 release

push time in 3 days

push event helmetjs/helmet

Evan Hahn

commit sha 4fbf5bdab406e96bf200967c8907e5b14473fa6e

Update devDependencies to latest versions

push time in 3 days

delete branch EvanHahn/import-pinboard-to-standard-notes

delete branch : dependabot/npm_and_yarn/elliptic-6.5.3

delete time in 6 days

push event EvanHahn/import-pinboard-to-standard-notes

dependabot[bot]

commit sha dfe0a3aaaf2cba44fb36826f8bb15f30236b6f45

Bump elliptic from 6.5.2 to 6.5.3 Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.2 to 6.5.3. - [Release notes](https://github.com/indutny/elliptic/releases) - [Commits](https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3) Signed-off-by: dependabot[bot] <support@github.com>

push time in 6 days

PR merged EvanHahn/import-pinboard-to-standard-notes

Bump elliptic from 6.5.2 to 6.5.3 dependencies

Bumps elliptic from 6.5.2 to 6.5.3.

Commits:
  • 8647803 6.5.3 (https://github.com/indutny/elliptic/commit/8647803dc3d90506aa03021737f7b061ba959ae1)
  • 856fe4d signature: prevent malleability and overflows (https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec)
  • See full diff in compare view: https://github.com/indutny/elliptic/compare/v6.5.2...v6.5.3

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+3 -3

0 comment

1 changed file

dependabot[bot]

pr closed time in 6 days

pull request comment helmetjs/helmetjs.github.io

Spanish translation of the docs

No problem! Take your time.

LautaroJayat

comment created time in 6 days

issue comment helmetjs/csp

'unsafe-inline' should be allowed in style-src and connect-src

This won't be validated in helmet@4. Closing as a "won't fix".

EvanHahn

comment created time in 7 days

issue closed helmetjs/csp

'unsafe-inline' should be allowed in style-src and connect-src

MDN says that style-src and connect-src support 'unsafe-inline', among others. As part of this work, we should:

  1. Verify that MDN is correct
  2. Add new directive values to this module

See the original issue, https://github.com/helmetjs/helmet/issues/187.

closed time in 7 days

EvanHahn

issue comment helmetjs/csp

Add support for navigate-to directive

This will be supported in the next major version of this module (and Helmet v4). I plan to release both of those this Sunday, 2020-08-02. You can try it now by running npm install helmet@next.

I'm going to close this issue for now, and you should be able to upgrade to the latest major version on Sunday.

EvanHahn

comment created time in 7 days

issue closed helmetjs/csp

Add support for navigate-to directive

See https://github.com/twitter/secureheaders/issues/387.

closed time in 7 days

EvanHahn

delete branch helmetjs/content-security-policy-builder

delete branch : 3.x

delete time in 7 days

pull request comment helmetjs/content-security-policy-builder

3.x

This module is considered "complete" and so I'm going to abandon this change.

EvanHahn

comment created time in 7 days

PR closed helmetjs/csp

Add script-src-elem directive

This PR is to add the script-src-elem directive to the Helmet CSP package.

+13 -2

6 comments

5 changed files

psyraxaus

pr closed time in 7 days

pull request comment helmetjs/csp

Add script-src-elem directive

The next version of this module (and Helmet 4) will support this directive so I'm going to close this pull request. I plan to release it on Sunday, 2020-08-02. You can try out the release candidate with npm install helmet@next.

Thanks for your work!

psyraxaus

comment created time in 7 days

delete branch helmetjs/content-security-policy-builder

delete branch : remove_invalid_characters

delete time in 7 days

pull request comment helmetjs/content-security-policy-builder

WIP: Remove invalid characters

Not planning on doing more maintenance of this module. Closing.

EvanHahn

comment created time in 7 days

PR closed helmetjs/csp

Release helmet-csp@3

+2 -2

1 comment

2 changed files

EvanHahn

pr closed time in 7 days

delete branch helmetjs/csp

delete branch : 3.0

delete time in 7 days

pull request comment helmetjs/csp

Release helmet-csp@3

This is now obsolete because helmet-csp's code will live in the main Helmet repo. Closing.

EvanHahn

comment created time in 7 days

issue comment helmetjs/csp

Add support for trusted-types

Helmet v4 will support this. I plan to release it this Sunday, 2020-08-02. You can try out the release candidate by running npm install helmet@next.

I'll close this issue once Helmet 4 is out.

Cherry

comment created time in 7 days

pull request comment helmetjs/helmetjs.github.io

Spanish translation of the docs

I plan to release Helmet version 4 on 2020-08-02. In that release, I will be removing large sections of the documentation (see #48). That means that this pull request can be much smaller and easier for you to maintain. I wanted to let you know!

I will leave another comment next week after the release is finished.

LautaroJayat

comment created time in 7 days

PR closed helmetjs/csp

defaulting to Content-Security-Policy for unrecognized browser version numbers in progress

+6 -6

3 comments

1 changed file

emilmuller

pr closed time in 7 days

pull request comment helmetjs/csp

defaulting to Content-Security-Policy for unrecognized browser versio…

The next version of this module will remove all browser sniffing which means this change will be unnecessary. I'm going to close this PR.

Let me know if you have any questions!

emilmuller

comment created time in 7 days

issue closed helmetjs/helmetjs.github.io

Audit the site for insecure HTTP links; switch them to HTTPS

There's at least one offender on the CSP page.

This is a good starter task.

closed time in 7 days

EvanHahn

issue comment helmetjs/helmetjs.github.io

Audit the site for insecure HTTP links; switch them to HTTPS

This will be fixed when helmet@4 is released, so I'm going to close this issue. See #48 for more.

EvanHahn

comment created time in 7 days

issue closed helmetjs/feature-policy

Add a "disable everything" feature

For example, currently writing an API - Feature-Policy: None would be absolutely magical.

I did take a look at the Moz docs and I couldn't quite figure out if it's supported yet.

closed time in 7 days

simon--poole

issue comment helmetjs/feature-policy

Add a "disable everything" feature

Because the Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy, I'm putting this module in "maintenance mode" and won't be adding new features, including this one. If that's a problem, I'm more than happy to help people out with a fork.

See #10 and https://github.com/helmetjs/helmet/issues/234 for more discussion.

simon--poole

comment created time in 7 days

issue closed helmetjs/feature-policy

Changes to Feature-Policy

Just a heads-up, the experimental Feature-Policy header has been renamed, it is now Permissions-Policy. Feature-Policy will probably be supported for quite some time, for backwards-compatibility in browsers that support it today.

Relatedly, there's also the Document-Policy header.

At this point I'm not quite sure which directives defined for the initial Feature-Policy header fit into which of the new headers. I'll follow the progress and perhaps report back here, but probably best to rely on MDN documentation updates.

closed time in 7 days

Malvoz

issue comment helmetjs/feature-policy

Changes to Feature-Policy

I've thought about this a bit.

I plan to continue maintaining this module as is, even though Feature-Policy is a deprecated header. I will also be removing it from helmet version 4, which I plan to release on 2020-08-02 (a few days from now).

I've created https://github.com/helmetjs/helmet/issues/234 to continue this discussion.

Malvoz

comment created time in 7 days

issue opened helmetjs/helmet

Evaluate successors to Feature-Policy

The Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy. I think it's too early to decide what Helmet should do with these headers, but I wanted to make an issue to track it.

See https://github.com/helmetjs/feature-policy/issues/10 for a little more discussion.

created time in 7 days

delete branch helmetjs/helmet

delete branch : dependabot/npm_and_yarn/lodash-4.17.19

delete time in 7 days

PR closed helmetjs/helmet

Bump lodash from 4.17.15 to 4.17.19 dependencies

Bumps lodash from 4.17.15 to 4.17.19.

Release notes (sourced from lodash's releases, https://github.com/lodash/lodash/releases):
  • 4.17.16

Commits:
  • d7fbc52 Bump to v4.17.19 (https://github.com/lodash/lodash/commit/d7fbc52ee0466a6d248f047b5d5c3e6d1e099056)
  • 2e1c0f2 Add npm-package (https://github.com/lodash/lodash/commit/2e1c0f22f425e9c013815b2cd7c2ebd51f49a8d6)
  • 1b6c282 Bump to v4.17.18 (https://github.com/lodash/lodash/commit/1b6c282299f4e0271f932b466c67f0f822aa308e)
  • a370ac8 Bump to v4.17.17 (https://github.com/lodash/lodash/commit/a370ac81408de2da77a82b3c4b61a01a3b9c2fac)
  • 1144918 Rebuild lodash and docs (https://github.com/lodash/lodash/commit/1144918f3578a84fcc4986da9b806e63a6175cbb)
  • 3a3b0fd Bump to v4.17.16 (https://github.com/lodash/lodash/commit/3a3b0fd339c2109563f7e8167dc95265ed82ef3e)
  • c84fe82 fix(zipObjectDeep): prototype pollution (#4759) (https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12)
  • e7b28ea Sanitize sourceURL so it cannot affect evaled code (#4518) (https://github.com/lodash/lodash/commit/e7b28ea6cb17b4ca021e7c9d66218c8c89782f32)
  • 0cec225 Fix lodash.isEqual for circular references (#4320) (#4515) (https://github.com/lodash/lodash/commit/0cec225778d4ac26c2bac95031ecc92a94f08bbb)
  • 94c3a81 Document matches* shorthands for over* methods (#4510) (#4514) (https://github.com/lodash/lodash/commit/94c3a8133cb4fcdb50db72b4fd14dd884b195cd5)
  • Additional commits viewable in compare view: https://github.com/lodash/lodash/compare/4.17.15...4.17.19

Maintainer changes: this version was pushed to npm by mathias (https://www.npmjs.com/~mathias), a new releaser for lodash since your current version.


+3 -3

1 comment

1 changed file

dependabot[bot]

pr closed time in 7 days

pull request comment helmetjs/helmet

Bump lodash from 4.17.15 to 4.17.19

This will be fixed when version 4 is deployed on Sunday. Closing.

dependabot[bot]

comment created time in 7 days

delete branch helmetjs/csp

delete branch : dependabot/npm_and_yarn/lodash-4.17.19

delete time in 7 days

PR closed helmetjs/csp

Bump lodash from 4.17.15 to 4.17.19 dependencies

Bumps lodash from 4.17.15 to 4.17.19.


+3 -3

1 comment

1 changed file

dependabot[bot]

pr closed time in 7 days

pull request comment helmetjs/csp

Bump lodash from 4.17.15 to 4.17.19

This repository will soon be folded into the main Helmet repo. Closing.

dependabot[bot]

comment created time in 7 days

delete branch helmetjs/hsts

delete branch : dependabot/npm_and_yarn/lodash-4.17.19

delete time in 7 days

PR closed helmetjs/hsts

Bump lodash from 4.17.15 to 4.17.19 dependencies

Bumps lodash from 4.17.15 to 4.17.19.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+3 -3

1 comment

1 changed file

dependabot[bot]

pr closed time in 7 days

pull request comment helmetjs/hsts

Bump lodash from 4.17.15 to 4.17.19

This repository will soon be folded into the main Helmet repo. Closing.

dependabot[bot]

comment created time in 7 days
