build(deps): bump helmet from 3.23.3 to 4.0.0

[dependabot]

Bumps helmet from 3.23.3 to 4.0.0.

Changelog

Sourced from helmet's changelog.

4.0.0 - 2020-08-02

Added

• helmet.contentSecurityPolicy:
  • If no default-src directive is supplied, an error is thrown
  • Directive lists can be any iterable, not just arrays

Changed

• This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
• helmet.contentSecurityPolicy:
  • There is now a default set of directives if none are supplied
  • Duplicate keys now throw an error. See helmetjs/csp#73
  • This middleware is more lenient, allowing more directive names or values
• helmet.xssFilter now disables the buggy XSS filter by default. See #230

Removed

• Dropped support for old Node versions. Node 10+ is now required
• helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
• helmet.hpkp. If you still need it, use the hpkp package on npm.
• helmet.noCache. If you still need it, use the nocache package on npm.
• helmet.contentSecurityPolicy:
  • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See See helmetjs/csp#97
  • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
  • Removed a lot of checks—you should be checking your CSP with a different tool
  • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
  • Removed the loose option
• helmet.frameguard:
  • Dropped support for the ALLOW-FROM action. Read more here.
• helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
• helmet.hsts:
  • Dropped support for includeSubdomains with a lowercase D. See #231
  • Dropped support for setIf. Read this if you need help.. See #232
• helmet.xssFilter no longer accepts options. Read "How to disable blocking with X–XSS–Protection" and "How to enable the report directive with X–XSS–Protection" if you need the legacy behavior.

Commits

• bdb0934 4.0.0
• 926ef63 Prepare 4.0.0 release
• 6d3f028 Update changelog for 4.0.0 release
• 4fbf5bd Update devDependencies to latest versions
• c9926db Remove homepage field from middleware package.jsons
• 83508e8 4.0.0-rc.2
• 54525e5 Export HelmetOptions type
• c813f91 4.0.0-rc.1
• fc2f745 Use angle brackets around links in error messages
• e657b0b Move "simple" middleware functions inline
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[LoneRifle]

This change will disable X-XSS-Protection. This is a non-standard header supported only by IE and Safari. Content-Security-Policy is the standard equivalent, and most modern browsers have disabled their XSS auditor given that there are known ways to bypass them.

Justification for the change can be found at helmetjs/helmet#230 - tl;dr - enabling this is ineffective

[liangyuanruo]

lgtm, please test extensively if you haven't, especially on the more obscure features like GA on the transition page. the changelog is long; but i didn't identify anything obvious that would break.

Testing revealed helmet overriding custom CSP