chore(deps): update dependency helmet-csp to v3
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
helmet-csp (source) | devDependencies | major | 2.10.0 -> 3.1.0 |
Release Notes
helmetjs/helmet
v3.1.0
Added
- `csp` now allows `frame-src` directive
v3.0.0
Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
Renovate configuration
- If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
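
As an added example (not part of this MR and not helmet's code), a small pre-upgrade check that flags the configuration patterns the v3.0.0 notes above say now behave differently. The function names, the config shape and the two-year threshold are assumptions for illustration, and the sample config is constructed.

```javascript
'use strict';
// Added example, not helmet's code. Checks an existing config against the
// v3.0.0 changes quoted in this MR. All names here are hypothetical.

const DAY = 24 * 60 * 60;        // one day in seconds
const TWO_YEARS = 2 * 365 * DAY; // heuristic threshold (assumption)

// Flags CSP directive values whose meaning changes in v3.
function auditCspDirectives(directives) {
  const findings = [];
  for (const [name, value] of Object.entries(directives)) {
    if (Array.isArray(value) && value.length === 0) {
      // Empty arrays are no longer allowed.
      const fix = name === 'sandbox' ? 'sandbox: true' : `${name}: ["'none'"]`;
      findings.push(`error: ${name} is an empty array; use ${fix}`);
    } else if (value === false) {
      // false is the same as not specifying the directive.
      findings.push(`info: ${name} is disabled and will be omitted`);
    }
  }
  return findings;
}

// Flags an hsts maxAge that looks like it is still in milliseconds.
function auditHstsMaxAge(maxAge) {
  if (maxAge === undefined) {
    return ['info: maxAge defaults to 180 days; subdomains are included'];
  }
  if (maxAge > TWO_YEARS) {
    // v3 reads the value as seconds, so an unconverted value is 1000x longer.
    const days = Math.round(maxAge / DAY);
    return [`warn: maxAge ${maxAge} is ${days} days as seconds; convert from ms?`];
  }
  return [];
}

// Constructed sample config written for the old API.
const sample = {
  csp: { directives: { defaultSrc: ["'self'"], objectSrc: [], sandbox: [], scriptSrc: false } },
  hsts: { maxAge: 86400000 }, // 1 day expressed in milliseconds
};

function auditSample() {
  return [...auditCspDirectives(sample.csp.directives), ...auditHstsMaxAge(sample.hsts.maxAge)];
}

console.log(auditSample().join('\n'));
```
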