
chore(deps): update dependency helmet to v8 #91

Open: renovate wants to merge 1 commit into base main from renovate/helmet-8.x
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 24, 2025

This PR contains the following updates:

Package: helmet (source)
Type: dependencies
Update: major
Change: ^3.21.1 -> ^8.0.0
OpenSSF: Scorecard

Release Notes

helmetjs/helmet (helmet)

v8.0.0

Compare Source

Changed
  • Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
  • Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
  • Breaking: Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
  • Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning
Removed
  • Breaking: Drop support for Node 16 and 17. Node 18+ is now required

v7.2.0

Compare Source

Changed
  • Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as self instead of 'self'. This will be an error in future versions. See #454

v7.1.0

Compare Source

Added
  • helmet.crossOriginEmbedderPolicy now supports the unsafe-none directive. See #477

v7.0.0

Compare Source

Changed
  • Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411
Removed
  • Breaking: Drop support for Node 14 and 15. Node 16+ is now required
  • Breaking: Expect-CT is no longer part of Helmet. If you still need it, you can use the expect-ct package. See #378

v6.2.0

Compare Source

  • Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
  • Rework documentation

v6.1.5

Compare Source

Fixed
  • Fixed yet another issue with TypeScript exports. See #420

v6.1.4

Compare Source

Fixed
  • Fix another issue with TypeScript default exports. See #418

v6.1.3

Compare Source

Fixed
  • Fix issue with TypeScript default exports. See #417

v6.1.2

Compare Source

Fixed
  • Restored main to package to help with some build tools

v6.1.1

Compare Source

Fixed
  • Fixed missing package metadata

v6.1.0

Compare Source

Changed
  • Improve support for various TypeScript setups, including "nodenext". See #405

v6.0.1

Compare Source

Fixed
  • crossOriginEmbedderPolicy did not accept options at the top level. See #390

v6.0.0

Compare Source

Changed
  • Breaking: helmet.contentSecurityPolicy no longer sets block-all-mixed-content directive by default
  • Breaking: helmet.expectCt is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310
  • Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
  • helmet.frameguard no longer offers a specific error when trying to use ALLOW-FROM; it just says that it is unsupported. Only the error message has changed
Removed
  • Breaking: Dropped support for Node 12 and 13. Node 14+ is now required

v5.1.1

Compare Source

Changed
  • Fix TypeScript bug with some TypeScript configurations. See #375 and #359

v5.1.0

Compare Source

Added
  • Cross-Origin-Embedder-Policy: support credentialless policy. See #365
  • Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only
Changed
  • Cleaned up some documentation around Origin-Agent-Cluster

v5.0.2

Compare Source

Changed
  • Improve imports for CommonJS and ECMAScript modules. See #345
  • Fixed some documentation

v5.0.1

Compare Source

Changed
  • Fixed some documentation
Removed
  • Removed some unused internal code

v5.0.0

Compare Source

Added
  • ECMAScript module imports (i.e., import helmet from "helmet" and import { frameguard } from "helmet"). See #320
Changed
  • Breaking: helmet.contentSecurityPolicy: useDefaults option now defaults to true
  • Breaking: helmet.contentSecurityPolicy: form-action directive is now set to 'self' by default
  • Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
  • Breaking: helmet.crossOriginOpenerPolicy is enabled by default
  • Breaking: helmet.crossOriginResourcePolicy is enabled by default
  • Breaking: helmet.originAgentCluster is enabled by default
  • helmet.frameguard: add TypeScript editor autocomplete. See #322
  • Top-level helmet() function is slightly faster
Removed
  • Breaking: Drop support for Node 10 and 11. Node 12+ is now required

v4.6.0

Compare Source

Added
  • helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
  • Explicitly define TypeScript types in package.json. See #303

v4.5.0

Compare Source

Added
  • helmet.crossOriginEmbedderPolicy: a new middleware for the Cross-Origin-Embedder-Policy header, disabled by default
  • helmet.crossOriginOpenerPolicy: a new middleware for the Cross-Origin-Opener-Policy header, disabled by default
  • helmet.crossOriginResourcePolicy: a new middleware for the Cross-Origin-Resource-Policy header, disabled by default
Changed
  • true enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
  • Log a warning when passing options to originAgentCluster at the top level
Fixed
  • Incorrect documentation

v4.4.1

Compare Source

Changed
  • Shrink the published package by about 2.5 kB

v4.4.0

Compare Source

Added
  • helmet.originAgentCluster: a new middleware for the Origin-Agent-Cluster header, disabled by default

v4.3.1

Compare Source

Fixed
  • helmet.contentSecurityPolicy: broken TypeScript types. See #283

v4.3.0

Compare Source

Added
  • helmet.contentSecurityPolicy: setting the default-src to helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc disables it
Changed
  • helmet.frameguard: slightly improved error messages for non-strings

v4.2.0

Compare Source

Added
  • helmet.contentSecurityPolicy: get the default directives with contentSecurityPolicy.getDefaultDirectives()
Changed
  • helmet() now supports objects that don't have Object.prototype in their chain, such as Object.create(null), as options
  • helmet.expectCt: max-age is now first. See #264

v4.1.1

Compare Source

Changed
  • Fixed a few errors in the README

v4.1.0

Compare Source

Added
  • helmet.contentSecurityPolicy:
    • Directive values can now include functions, as they could in Helmet 3. See #243
Changed
  • Helmet should now play more nicely with TypeScript
Removed
  • The HelmetOptions interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment

v4.0.0

Compare Source

See the Helmet 4 upgrade guide for help upgrading from Helmet 3.

Added
  • helmet.contentSecurityPolicy:
    • If no default-src directive is supplied, an error is thrown
    • Directive lists can be any iterable, not just arrays
Changed
  • This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
  • helmet.contentSecurityPolicy:
    • There is now a default set of directives if none are supplied
    • Duplicate keys now throw an error. See helmetjs/csp#73
    • This middleware is more lenient, allowing more directive names or values
  • helmet.xssFilter now disables the buggy XSS filter by default. See #230
Removed
  • Dropped support for old Node versions. Node 10+ is now required
  • helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
  • helmet.hpkp. If you still need it, use the hpkp package on npm.
  • helmet.noCache. If you still need it, use the nocache package on npm.
  • helmet.contentSecurityPolicy:
    • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See helmetjs/csp#97
    • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
    • Removed a lot of checks—you should be checking your CSP with a different tool
    • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
    • Removed the loose option
    • Removed support for functions as directive values. You must supply an iterable of strings
  • helmet.frameguard:
  • helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
  • helmet.hsts:
  • helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
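As an added example, not code from this PR or from helmet itself: a small pre-upgrade check that runs a Helmet 3-style options object against the breaking changes listed in the release notes above (v4 removals and dropped arguments, v7 Expect-CT removal, v8 CSP quoting, HSTS option spelling and the new 365-day max-age default). The keyword list and the nonce/hash handling are assumptions drawn from the CSP spec, not helmet's exact validator, and the sample configuration is constructed.

```javascript
// Added example (not helmet's own code): pre-upgrade lint for a Helmet 3-style
// options object against the breaking changes listed in the release notes above.
// The checks approximate helmet's documented rules; they are not its validator.

// CSP keyword sources that must be quoted: v8 throws on `self` instead of `'self'`.
// Nonce and hash sources need quotes too (CSP spec; assumed to be checked alike).
const CSP_KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval",
  "strict-dynamic", "report-sample", "unsafe-hashes", "wasm-unsafe-eval"]);
// Middlewares removed between v3 and v8 and the standalone package the notes name.
const REMOVED = { featurePolicy: "feature-policy", hpkp: "hpkp",
  noCache: "nocache", expectCt: "expect-ct" };
// Default Strict-Transport-Security max-age in seconds: 180 days before v8, 365 from v8.
function defaultHstsMaxAge(major) {
  return (major >= 8 ? 365 : 180) * 24 * 60 * 60;
}

function lintHelmetOptions(options) {
  const findings = [];
  for (const [name, pkg] of Object.entries(REMOVED)) {
    if (name in options) findings.push(`${name}: removed; use the ${pkg} package if still needed`);
  }
  // v4: hidePoweredBy no longer accepts arguments and xssFilter no longer accepts options.
  for (const name of ["hidePoweredBy", "xssFilter"]) {
    if (options[name] !== null && typeof options[name] === "object") findings.push(`${name}: no longer accepts options`);
  }
  const directives = options.contentSecurityPolicy?.directives ?? {};
  for (const [directive, values] of Object.entries(directives)) {
    for (const v of values) { // directive lists may be any iterable since v4
      const bare = typeof v === "string" && !v.startsWith("'") &&
        (CSP_KEYWORDS.has(v) || /^(nonce|sha(256|384|512))-/.test(v));
      if (bare) findings.push(`contentSecurityPolicy.${directive}: "${v}" must be quoted as '${v}'`);
    }
  }
  for (const opt of Object.keys(options.hsts ?? {})) { // v8: a misspelled option is an error
    if (opt.toLowerCase() === "includesubdomains" && opt !== "includeSubDomains") findings.push(`hsts: "${opt}" is misspelled; the option is includeSubDomains`);
  }
  return findings;
}

// Constructed Helmet 3-style configuration exercising every check above.
const helmet3Options = {
  contentSecurityPolicy: { directives: { defaultSrc: ["self"], scriptSrc: ["'self'", "https://cdn.example"] } },
  hsts: { maxAge: defaultHstsMaxAge(3), includeSubdomains: true },
  hidePoweredBy: { setTo: "PHP 4.2.0" }, // any argument object; v4 dropped them all
  noCache: true,
};
```

Running `lintHelmetOptions(helmet3Options)` reports four items: the removed noCache middleware, the hidePoweredBy argument, the unquoted `self` in default-src, and the misspelled HSTS option.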


sourcery-ai bot commented Jan 24, 2025

Reviewer's Guide by Sourcery

This pull request updates the helmet dependency from version 3.21.1 to 8.0.0. This is a major version update, which includes breaking changes. The update was performed by renovate bot.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change: Updated helmet dependency to v8
Details:
  • Updated helmet dependency from ^3.21.1 to ^8.0.0 in package.json.
  • Updated helmet dependency in package-lock.json.
Files: package.json, package-lock.json



@sourcery-ai sourcery-ai bot left a comment

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

@renovate renovate bot force-pushed the renovate/helmet-8.x branch 2 times, most recently from c52b4fa to 4ae254d Compare January 24, 2025 14:08
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/helmet-8.x branch from 4ae254d to 6104a4f Compare January 24, 2025 19:10