Merge pull request #82 from sp3nx0r/main

Upgrade helmet version to 6.0.1, fix types definitions

koa-helmet.d.ts

@@ -28,10 +28,17 @@ declare namespace koaHelmet {
         mediaSrc?: KoaHelmetCspDirectiveValue[];
         objectSrc?: KoaHelmetCspDirectiveValue[];
         pluginTypes?: KoaHelmetCspDirectiveValue[];
+        prefetchSrc?: KoaHelmetCspDirectiveValue[];
+        reportTo?: string;
         reportUri?: string;
         sandbox?: KoaHelmetCspDirectiveValue[];
         scriptSrc?: KoaHelmetCspDirectiveValue[];
+        scriptSrcAttr?: KoahelmetCspDirectiveValue[];
+        scriptSrcElem?: KoaHelmetCspDirectiveValue[];
         styleSrc?: KoaHelmetCspDirectiveValue[];
+        styleSrcAttr?: KoaHelmetCspDirectiveValue[];
+        styleSrcElem?: KoaHelmetCspDirectiveValue[];
+        workerSrc?: KoaHelmetCspDirectiveValue[];
     }
 
     interface KoaHelmetContentSecurityPolicyConfiguration {

package.json

@@ -3,7 +3,7 @@
   "author": "Matt Venables <mattvenables@gmail.com>",
   "description": "Security header middleware collection for koa",
   "license": "MIT",
-  "version": "6.1.0",
+  "version": "7.0.0",
   "main": "lib/koa-helmet.js",
   "typings": "./koa-helmet.d.ts",
   "scripts": {
@@ -24,10 +24,10 @@
     "url": "https://github.com/venables/koa-helmet"
   },
   "engines": {
-    "node": ">= 8.0.0"
+    "node": ">= 14.0.0"
   },
   "dependencies": {
-    "helmet": "^4.4.1"
+    "helmet": "^6.0.1"
   },
   "devDependencies": {
     "ava": "^3.13.0",

test/koa-helmet.spec.js

@@ -17,14 +17,11 @@ test('it works with the default helmet call', t => {
       .get('/')
 
       // contentSecurityPolicy
-      .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';block-all-mixed-content;font-src \'self\' https: data:;frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
+      .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
 
       // dnsPrefetchControl
       .expect('X-DNS-Prefetch-Control', 'off')
 
-      // expectCt
-      .expect('Expect-CT', 'max-age=0')
-
       // frameguard
       .expect('X-Frame-Options', 'SAMEORIGIN')
 
@@ -48,7 +45,9 @@ test('it works with the default helmet call', t => {
 
       .expect(200)
       .then(() => t.pass())
-      .catch(err => t.fail(err))
+      .catch((err) => {
+        t.fail(err);}
+      )
   );
 });
 
@@ -82,7 +81,7 @@ test('it sets individual headers properly', t => {
       .get('/')
 
       // contentSecurityPolicy
-      .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';block-all-mixed-content;font-src \'self\' https: data:;frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
+      .expect('Content-Security-Policy', 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests')
 
       // dnsPrefetchControl
       .expect('X-DNS-Prefetch-Control', 'off')
@@ -108,9 +107,6 @@ test('it sets individual headers properly', t => {
       // permittedCrossDomainPolicies
       .expect('X-Permitted-Cross-Domain-Policies', 'none')
 
-      // expectCt
-      .expect('Expect-CT', 'max-age=0')
-
       .then(() => t.pass())
       .catch(err => t.fail(err))
   );