fix(deps): update dependency helmet to v7 (#3814)

* fix(deps): update dependency helmet to v7 * fix: fix lock file fix lock file * fix: fix helmetjs upgrade exceptions fix helmetjs upgrade exceptions --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: simeng-li <simeng@silverhand.io>
2024-12-30 20:33:54 -05:00 · 2023-06-13 10:05:47 +08:00 · 2023-06-13 10:05:47 +08:00 · 9a9d1d2ed4
commit 9a9d1d2ed4
parent 4ed72121b8
5 changed files with 19 additions and 29 deletions
--- a/packages/cloud/package.json
+++ b/packages/cloud/package.json
@ -38,7 +38,7 @@
    "dotenv": "^16.0.0",
    "fetch-retry": "^5.0.4",
    "find-up": "^6.3.0",
-    "helmet": "^6.0.1",
+    "helmet": "^7.0.0",
    "http-proxy": "^1.18.1",
    "jose": "^4.11.0",
    "mime-types": "^2.1.35",
--- a/packages/cloud/src/middleware/with-security-headers.ts
+++ b/packages/cloud/src/middleware/with-security-headers.ts
@ -70,7 +70,6 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
    const basicSecurityHeaderSettings: HelmetOptions = {
      contentSecurityPolicy: false, // Exclusively set for console app only
      crossOriginEmbedderPolicy: { policy: 'credentialless' },
-      expectCt: false, // Not recommended, will be deprecated by modern browsers
      dnsPrefetchControl: false,
      referrerPolicy: {
        policy: 'strict-origin-when-cross-origin',
@ -88,6 +87,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
    // For cloud console
    // ContentSecurityPolicy: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    await helmetPromise(
+      // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly.
      {
        ...basicSecurityHeaderSettings,
        frameguard: false,
--- a/packages/core/package.json
+++ b/packages/core/package.json
@ -51,7 +51,7 @@
    "find-up": "^6.3.0",
    "got": "^13.0.0",
    "hash-wasm": "^4.9.0",
-    "helmet": "^6.0.1",
+    "helmet": "^7.0.0",
    "i18next": "^22.4.15",
    "iconv-lite": "0.6.3",
    "jose": "^4.11.0",
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@ -57,13 +57,13 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
  const basicSecurityHeaderSettings: HelmetOptions = {
    contentSecurityPolicy: false, // Exclusively set per app
    crossOriginEmbedderPolicy: { policy: 'credentialless' },
-    expectCt: false, // Not recommended, will be deprecated by modern browsers
    dnsPrefetchControl: false,
    referrerPolicy: {
      policy: 'strict-origin-when-cross-origin',
    },
  };

+  // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly.
  const mainFlowUiSecurityHeaderSettings: HelmetOptions = {
    ...basicSecurityHeaderSettings,
    // WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
@ -87,6 +87,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
    },
  };

+  // @ts-expect-error: helmet typings has lots of {A?: T, B?: never} | {A?: never, B?: T} options definitions. Optional settings type can not inferred correctly.
  const consoleSecurityHeaderSettings: HelmetOptions = {
    ...basicSecurityHeaderSettings,
    // Guarded by CSP header bellow
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -276,8 +276,8 @@ importers:
        specifier: ^6.3.0
        version: 6.3.0
      helmet:
-        specifier: ^6.0.1
-        version: 6.0.1
+        specifier: ^7.0.0
+        version: 7.0.0
      http-proxy:
        specifier: ^1.18.1
        version: 1.18.1
@ -3127,8 +3127,8 @@ importers:
        specifier: ^4.9.0
        version: 4.9.0
      helmet:
-        specifier: ^6.0.1
-        version: 6.0.1
+        specifier: ^7.0.0
+        version: 7.0.0
      i18next:
        specifier: ^22.4.15
        version: 22.4.15
@ -9877,16 +9877,16 @@ packages:
  /acorn-globals@7.0.1:
    resolution: {integrity: sha512-umOSDSDrfHbTNPuNpC2NSnnA3LUrqpevPb4T9jRx4MagXNS0rs+gwiTcAvqCRmsD6utzsrzNt+ebm00SNWiC3Q==}
    dependencies:
-      acorn: 8.8.1
+      acorn: 8.8.2
      acorn-walk: 8.2.0
    dev: true

-  /acorn-jsx@5.3.2(acorn@8.8.1):
+  /acorn-jsx@5.3.2(acorn@8.8.2):
    resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
    peerDependencies:
      acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
    dependencies:
-      acorn: 8.8.1
+      acorn: 8.8.2
    dev: true

  /acorn-walk@8.2.0:
@ -10082,16 +10082,6 @@ packages:
    engines: {node: '>=8'}
    dev: true

-  /array.prototype.flat@1.3.0:
-    resolution: {integrity: sha512-12IUEkHsAhA4DY5s0FPgNXIdc8VRSqD9Zp78a5au9abH/SOBrsp082JOWFNTjkMozh8mqcdiKuaLGhPeYztxSw==}
-    engines: {node: '>= 0.4'}
-    dependencies:
-      call-bind: 1.0.2
-      define-properties: 1.1.4
-      es-abstract: 1.20.4
-      es-shim-unscopables: 1.0.0
-    dev: true
-
  /array.prototype.flat@1.3.1:
    resolution: {integrity: sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==}
    engines: {node: '>= 0.4'}
@ -11365,7 +11355,6 @@ packages:
  /deepmerge@4.3.1:
    resolution: {integrity: sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==}
    engines: {node: '>=0.10.0'}
-    dev: true

  /defaults@1.0.4:
    resolution: {integrity: sha512-eFuaLoy/Rxalv2kr+lqMlUnrDWV+3j4pljOIJgLIhI058IQfWJ7vXhyEIHu+HtC738klGALYxOKDO0bQP3tg8A==}
@ -12205,8 +12194,8 @@ packages:
    resolution: {integrity: sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==}
    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
    dependencies:
-      acorn: 8.8.1
-      acorn-jsx: 5.3.2(acorn@8.8.1)
+      acorn: 8.8.2
+      acorn-jsx: 5.3.2(acorn@8.8.2)
      eslint-visitor-keys: 3.3.0
    dev: true

@ -12389,7 +12378,7 @@ packages:
    engines: {node: '>= 10.0.0'}
    dependencies:
      ajv: 6.12.6
-      deepmerge: 4.2.2
+      deepmerge: 4.3.1
      rfdc: 1.3.0
      string-similarity: 4.0.4

@ -13079,9 +13068,9 @@ packages:
      space-separated-tokens: 1.1.5
    dev: true

-  /helmet@6.0.1:
-    resolution: {integrity: sha512-8wo+VdQhTMVBMCITYZaGTbE4lvlthelPYSvoyNvk4RECTmrVjMerp9RfUOQXZWLvCcAn1pKj7ZRxK4lI9Alrcw==}
-    engines: {node: '>=14.0.0'}
+  /helmet@7.0.0:
+    resolution: {integrity: sha512-MsIgYmdBh460ZZ8cJC81q4XJknjG567wzEmv46WOBblDb6TUd3z8/GhgmsM9pn8g2B80tAJ4m5/d3Bi1KrSUBQ==}
+    engines: {node: '>=16.0.0'}
    dev: false

  /hexoid@1.0.0:
@ -18477,7 +18466,7 @@ packages:
    engines: {node: '>=6'}
    hasBin: true
    dependencies:
-      array.prototype.flat: 1.3.0
+      array.prototype.flat: 1.3.1
      breakword: 1.0.5
      grapheme-splitter: 1.0.4
      strip-ansi: 6.0.1