diff --git a/packages/cloud/package.json b/packages/cloud/package.json
index ba8a7f739..de3a69cba 100644
--- a/packages/cloud/package.json
+++ b/packages/cloud/package.json
@@ -38,7 +38,7 @@
"dotenv": "^16.0.0",
"fetch-retry": "^5.0.4",
"find-up": "^6.3.0",
- "helmet": "^6.0.1",
+ "helmet": "^7.0.0",
"http-proxy": "^1.18.1",
"jose": "^4.11.0",
"mime-types": "^2.1.35",
diff --git a/packages/cloud/src/middleware/with-security-headers.ts b/packages/cloud/src/middleware/with-security-headers.ts
index 957c36fa4..816873547 100644
--- a/packages/cloud/src/middleware/with-security-headers.ts
+++ b/packages/cloud/src/middleware/with-security-headers.ts
@@ -70,7 +70,6 @@ export default function withSecurityHeaders
const basicSecurityHeaderSettings: HelmetOptions = {
contentSecurityPolicy: false, // Exclusively set for console app only
crossOriginEmbedderPolicy: { policy: 'credentialless' },
- expectCt: false, // Not recommended, will be deprecated by modern browsers
dnsPrefetchControl: false,
referrerPolicy: {
policy: 'strict-origin-when-cross-origin',
@@ -88,6 +87,7 @@ export default function withSecurityHeaders
// For cloud console
// ContentSecurityPolicy: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
await helmetPromise(
+ // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly.
{
...basicSecurityHeaderSettings,
frameguard: false,
diff --git a/packages/core/package.json b/packages/core/package.json
index 63537508e..58008c5af 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -51,7 +51,7 @@
"find-up": "^6.3.0",
"got": "^13.0.0",
"hash-wasm": "^4.9.0",
- "helmet": "^6.0.1",
+ "helmet": "^7.0.0",
"i18next": "^22.4.15",
"iconv-lite": "0.6.3",
"jose": "^4.11.0",
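Review bot: Dropping `expectCt` is forced by the helmet `^7.0.0` bump in the package.json hunks, but nothing in this change pins the header set that `basicSecurityHeaderSettings` actually emits, so any other default that moved between helmet 6 and 7 would land silently. A small test asserting the exact response headers produced by this middleware (`Cross-Origin-Embedder-Policy: credentialless`, `Referrer-Policy: strict-origin-when-cross-origin`, no `Expect-CT`, no `X-DNS-Prefetch-Control`) would make the major-version upgrade reviewable rather than taken on trust. The removed line also carried the only explanation of why Expect-CT was off; keeping that reasoning as a one-liner near the top of the object, e.g. `// Expect-CT intentionally not set: option removed in helmet 7, header deprecated by modern browsers`, stops a future maintainer from trying to add it back. withSecurityHeaders continues outside this hunk.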
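Review bot: The `@ts-expect-error` added before the options literal passed to `helmetPromise` suppresses type checking for the argument that follows, so a misspelled option key or an invalid policy value in the console header set would no longer fail the build, and I cannot tell from here whether helmet rejects unknown keys at runtime, so such a mistake could ship as a silently missing header. The union mismatch it papers over comes from spreading `basicSecurityHeaderSettings`, which the previous hunk annotates with the union type `HelmetOptions`; letting that object keep a concrete inferred type (`const basicSecurityHeaderSettings = { ... } satisfies HelmetOptions;` if the repo's TypeScript is 4.9 or newer, otherwise simply dropping the annotation) should let the spread literal type-check without any suppression. If the directive must stay, its comment should name the expected error rather than the general complaint, e.g. `// @ts-expect-error HelmetOptions is a union of mutually exclusive alias shapes; spreading a HelmetOptions-typed object cannot be narrowed to one member`, and should read "cannot be inferred" rather than "can not inferred". The `helmetPromise` call and the enclosing function continue outside this hunk.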
diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts index 17085903b..5884ecd66 100644 --- a/packages/core/src/middleware/koa-security-headers.ts +++ b/packages/core/src/middleware/koa-security-headers.ts @@ -57,13 +57,13 @@ export default function koaSecurityHeaders( const basicSecurityHeaderSettings: HelmetOptions = { contentSecurityPolicy: false, // Exclusively set per app crossOriginEmbedderPolicy: { policy: 'credentialless' }, - expectCt: false, // Not recommended, will be deprecated by modern browsers dnsPrefetchControl: false, referrerPolicy: { policy: 'strict-origin-when-cross-origin', }, }; + // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly. const mainFlowUiSecurityHeaderSettings: HelmetOptions = { ...basicSecurityHeaderSettings, // WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe @@ -87,6 +87,7 @@ export default function koaSecurityHeaders( }, }; + // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly. const consoleSecurityHeaderSettings: HelmetOptions = { ...basicSecurityHeaderSettings, // Guarded by CSP header bellow diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 167ffc98e..40abb9ad8 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -276,8 +276,8 @@ importers: specifier: ^6.3.0 version: 6.3.0 helmet: - specifier: ^6.0.1 - version: 6.0.1 + specifier: ^7.0.0 + version: 7.0.0 http-proxy: specifier: ^1.18.1 version: 1.18.1 @@ -3127,8 +3127,8 @@ importers: specifier: ^4.9.0 version: 4.9.0 helmet: - specifier: ^6.0.1 - version: 6.0.1 + specifier: ^7.0.0 + version: 7.0.0 i18next: specifier: ^22.4.15 version: 22.4.15 
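Review bot: The `@ts-expect-error` placed before `const mainFlowUiSecurityHeaderSettings: HelmetOptions = {` suppresses whatever error TypeScript reports on that line, while the security-relevant properties (the CSP block below `// WARNING: high risk`) sit on later lines that run past the hunk; whether those are still checked depends on where the compiler attaches the union-mismatch error, which is worth verifying by introducing a deliberate typo in a directive key and confirming the build fails. The root cause is visible in the same hunk: `basicSecurityHeaderSettings` is annotated as the union `HelmetOptions`, so spreading it yields a union that the added keys cannot narrow. Changing that declaration to `const basicSecurityHeaderSettings = {` ... `} satisfies HelmetOptions;` (TypeScript >= 4.9; otherwise leave it unannotated) keeps every key type-checked and should make the suppression unnecessary. The directive's text should also read "cannot be inferred" rather than "can not inferred". koaSecurityHeaders continues outside this hunk.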
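Review bot: The `@ts-expect-error` in front of `consoleSecurityHeaderSettings` is a blanket suppression on the object that drives the admin console's response headers, and that object extends past the end of the hunk, so a mistyped option or wrong policy value inside it can no longer be relied on to fail compilation, and I cannot confirm from this diff that helmet would reject it at runtime either. If `basicSecurityHeaderSettings` is declared with an inferred concrete type (or `satisfies HelmetOptions`) instead of the `HelmetOptions` union annotation, the spread on the next line no longer produces a union and this directive can be deleted; that is a one-line change at the base declaration rather than a suppression at each consumer. If it must stay, note that `@ts-expect-error` errors when unused, so once the typings or the base declaration are fixed the build will flag it for removal, which is at least a safeguard against it lingering. koaSecurityHeaders continues outside this hunk.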
@@ -9877,16 +9877,16 @@ packages: /acorn-globals@7.0.1: resolution: {integrity: sha512-umOSDSDrfHbTNPuNpC2NSnnA3LUrqpevPb4T9jRx4MagXNS0rs+gwiTcAvqCRmsD6utzsrzNt+ebm00SNWiC3Q==} dependencies: - acorn: 8.8.1 + acorn: 8.8.2 acorn-walk: 8.2.0 dev: true - /acorn-jsx@5.3.2(acorn@8.8.1): + /acorn-jsx@5.3.2(acorn@8.8.2): resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==} peerDependencies: acorn: ^6.0.0 || ^7.0.0 || ^8.0.0 dependencies: - acorn: 8.8.1 + acorn: 8.8.2 dev: true /acorn-walk@8.2.0: @@ -10082,16 +10082,6 @@ packages: engines: {node: '>=8'} dev: true - /array.prototype.flat@1.3.0: - resolution: {integrity: sha512-12IUEkHsAhA4DY5s0FPgNXIdc8VRSqD9Zp78a5au9abH/SOBrsp082JOWFNTjkMozh8mqcdiKuaLGhPeYztxSw==} - engines: {node: '>= 0.4'} - dependencies: - call-bind: 1.0.2 - define-properties: 1.1.4 - es-abstract: 1.20.4 - es-shim-unscopables: 1.0.0 - dev: true - /array.prototype.flat@1.3.1: resolution: {integrity: sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==} engines: {node: '>= 0.4'} @@ -11365,7 +11355,6 @@ packages: /deepmerge@4.3.1: resolution: {integrity: sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==} engines: {node: '>=0.10.0'} - dev: true /defaults@1.0.4: resolution: {integrity: sha512-eFuaLoy/Rxalv2kr+lqMlUnrDWV+3j4pljOIJgLIhI058IQfWJ7vXhyEIHu+HtC738klGALYxOKDO0bQP3tg8A==} @@ -12205,8 +12194,8 @@ packages: resolution: {integrity: sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dependencies: - acorn: 8.8.1 - acorn-jsx: 5.3.2(acorn@8.8.1) + acorn: 8.8.2 + acorn-jsx: 5.3.2(acorn@8.8.2) eslint-visitor-keys: 3.3.0 dev: true @@ -12389,7 +12378,7 @@ packages: engines: {node: '>= 10.0.0'} dependencies: ajv: 6.12.6 - deepmerge: 4.2.2 + deepmerge: 4.3.1 rfdc: 1.3.0 string-similarity: 4.0.4 
@@ -13079,9 +13068,9 @@ packages: space-separated-tokens: 1.1.5 dev: true - /helmet@6.0.1: - resolution: {integrity: sha512-8wo+VdQhTMVBMCITYZaGTbE4lvlthelPYSvoyNvk4RECTmrVjMerp9RfUOQXZWLvCcAn1pKj7ZRxK4lI9Alrcw==} - engines: {node: '>=14.0.0'} + /helmet@7.0.0: + resolution: {integrity: sha512-MsIgYmdBh460ZZ8cJC81q4XJknjG567wzEmv46WOBblDb6TUd3z8/GhgmsM9pn8g2B80tAJ4m5/d3Bi1KrSUBQ==} + engines: {node: '>=16.0.0'} dev: false /hexoid@1.0.0: @@ -18477,7 +18466,7 @@ packages: engines: {node: '>=6'} hasBin: true dependencies: - array.prototype.flat: 1.3.0 + array.prototype.flat: 1.3.1 breakword: 1.0.5 grapheme-splitter: 1.0.4 strip-ansi: 6.0.1