tedkulp/teddit
1
0
Fork 0
mirror of https://codeberg.org/teddit/teddit.git synced 2026-04-17 21:34:44 -04:00
Code Issues Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
teddit
2020-11-17 21:44:32 +01:00
commit fdfcd554f8
2656 changed files with 318683 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

765
node_modules/helmet/CHANGELOG.md generated vendored Normal file
View File

@@ -0,0 +1,765 @@
# Changelog
## 4.2.0 - 2020-11-01
### Added
- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`
### Changed
- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://github.com/helmetjs/helmet/pull/264)
## 4.1.1 - 2020-09-10
### Changed
- Fixed a few errors in the README
## 4.1.0 - 2020-08-15
### Added
- `helmet.contentSecurityPolicy`:
- Directive values can now include functions, as they could in Helmet 3. See [#243](https://github.com/helmetjs/helmet/issues/243)
### Changed
- Helmet should now play more nicely with TypeScript
### Removed
- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://github.com/helmetjs/helmet/issues/235#issuecomment-674016883)
## 4.0.0 - 2020-08-02
See the [Helmet 4 upgrade guide](https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.
### Added
- `helmet.contentSecurityPolicy`:
- If no `default-src` directive is supplied, an error is thrown
- Directive lists can be any iterable, not just arrays
### Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See [helmetjs/csp#73](https://github.com/helmetjs/csp/issues/73)
- This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
### Removed
- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
- Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://github.com/helmetjs/csp/issues/97)
- Removed conditional support. This includes directive functions and support for a function as the `reportOnly`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
- Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
- Removed the `loose` option
- Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
- Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://github.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://github.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
- Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://github.com/helmetjs/helmet/issues/231)
- Dropped support for `setIf`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware). See [#232](https://github.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with XXSSProtection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with XXSSProtection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
## 3.23.3 - 2020-06-26
### Changed
- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.
## 3.23.2 - 2020-06-23
### Changed
- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.
## 3.23.1 - 2020-06-16
### Changed
- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.
## 3.23.0 - 2020-06-12
### Deprecated
- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.
## 3.22.1 - 2020-06-10
### Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
## 3.22.0 - 2020-03-24
### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)
### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)
## 3.21.3 - 2020-02-24
### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)
## 3.21.2 - 2019-10-21
### Changed
- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)
## 3.21.1 - 2019-09-20
### Fixed
- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version
## 3.21.0 - 2019-09-04
### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`
### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)
## 3.20.1 - 2019-08-28
### Changed
- Updated `helmet-csp` to v2.9.0
## 3.20.0 - 2019-07-24
### Changed
- Updated `helmet-csp` to v2.8.0
## 3.19.0 - 2019-07-17
### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0
## 3.18.0 - 2019-05-05
### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`
### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0
## 3.17.0 - 2019-05-03
### Added
- `referrerPolicy` now supports multiple values
### Changed
- Updated `referrerPolicy` to v1.2.0
## 3.16.0 - 2019-03-10
### Added
- Add email to `bugs` field in `package.json`
### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information
### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
* The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more
## 3.15.1 - 2019-02-10
### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.
## 3.15.0 - 2018-11-07
### Added
- `helmet.featurePolicy` now supports four new features
## 3.14.0 - 2018-10-09
### Added
- `helmet.featurePolicy` middleware
## 3.13.0 - 2018-07-22
### Added
- `helmet.permittedCrossDomainPolicies` middleware
## 3.12.2 - 2018-07-20
### Fixed
- Removed `lodash.reduce` dependency from `csp`
## 3.12.1 - 2018-05-16
### Fixed
- `expectCt` should use comma instead of semicolon as delimiter
## 3.12.0 - 2018-03-02
### Added
- `xssFilter` now supports `reportUri` option
## 3.11.0 - 2018-02-09
### Added
- Main Helmet middleware is now named to help with debugging
## 3.10.0 - 2018-01-23
### Added
- `csp` now supports `prefix-src` directive
### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive
## 3.9.0 - 2017-10-13
### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive
### Changed
- Removed `connect` dependency
## 3.8.2 - 2017-09-27
### Changed
- Updated `connect` dependency to latest
## 3.8.1 - 2017-07-28
### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`
## 3.8.0 - 2017-07-21
### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header
## 3.7.0 - 2017-07-21
### Added
- `csp` now supports `report-to` directive
### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`
## 3.6.1 - 2017-05-21
### Changed
- Bump `connect` version
## 3.6.0 - 2017-05-04
### Added
- `expectCt` middleware for setting the `Expect-CT` header
## 3.5.0 - 2017-03-06
### Added
- `csp` now supports the `worker-src` directive
## 3.4.1 - 2017-02-24
### Changed
- Bump `connect` version
## 3.4.0 - 2017-01-13
### Added
- `csp` now supports more `sandbox` directives
## 3.3.0 - 2016-12-31
### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives
### Changed
- Bump `connect` version
## 3.2.0 - 2016-12-22
### Added
- `csp` now allows `manifest-src` directive
## 3.1.0 - 2016-11-03
### Added
- `csp` now allows `frame-src` directive
## 3.0.0 - 2016-10-28
### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
## 2.3.0 - 2016-09-30
### Added
- `hpkp` middleware now supports the `includeSubDomains` property with a capital D
### Fixed
- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`
## 2.2.0 - 2016-09-16
### Added
- `referrerPolicy` middleware
## 2.1.3 - 2016-09-07
### Changed
- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required
## 2.1.2 - 2016-07-27
### Deprecated
- `nocache`'s `noEtag` option is now deprecated
### Fixed
- `csp` now better handles Firefox on mobile
## 2.1.1 - 2016-06-10
### Changed
- Remove several dependencies from `helmet-csp`
### Fixed
- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`
## 2.1.0 - 2016-05-18
### Added
- `csp` lets you dynamically set `reportOnly`
## 2.0.0 - 2016-04-29
### Added
- Pass configuration to enable/disable default middlewares
### Changed
- `dnsPrefetchControl` middleware is now enabled by default
### Removed
- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object
### Fixed
- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme
## 1.3.0 - 2016-03-01
### Added
- `hpkp` has a `setIf` option to conditionally set the header
## 1.2.0 - 2016-02-29
### Added
- `csp` now has a `browserSniff` option to disable all user-agent sniffing
### Changed
- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly
## 1.1.0 - 2016-01-12
### Added
- Code of conduct
- `dnsPrefetchControl` middleware
### Fixed
- `csp` readme had syntax errors
## 1.0.2 - 2016-01-08
### Fixed
- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error
## 1.0.1 - 2015-12-19
### Fixed
- `csp` with no User Agent would cause errors
## 1.0.0 - 2015-12-18
### Added
- `csp` module supports dynamically-generated values
### Changed
- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo
### Removed
- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module
### Fixed
- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies is no longer recursive
## 0.15.0 - 2015-11-26
### Changed
- `hpkp` allows a `report-uri` without the `Report-Only` header
## 0.14.0 - 2015-11-01
### Added
- `nocache` now sends the `Surrogate-Control` header
### Changed
- `nocache` no longer contains the `private` directive in the `Cache-Control` header
## 0.13.0 - 2015-10-23
### Added
- `xssFilter` now has a function name
- Added new CSP docs to readme
### Changed
- HSTS option renamed from `includeSubdomains` to `includeSubDomains`
## 0.11.0 - 2015-09-18
### Added
- `csp` now supports Microsoft Edge
- CSP Level 2 support
### Changed
- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0
### Fixed
- Added `license` key to `csp`'s `package.json`
- Empty `csp` directives now support every directive, not just `sandbox`
## 0.10.0 - 2015-07-08
### Added
- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`
### Changed
- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins
### Fixed
- `hpkp` might have miscalculated `maxAge` slightly wrong
## 0.9.0 - 2015-04-24
### Changed
- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`
## 0.8.0 - 2015-04-21
### Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
### Deprecated
- Deprecated `crossdomain` middleware
### Removed
- `crossdomain` is no longer a default middleware
## 0.7.1 - 2015-03-23
### Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
## 0.7.0 - 2015-03-05
### Added
- `hpkp` middleware
### Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
## 0.6.2 - 2015-03-01
### Changed
- Improved `xssFilter` performance
- Updated Lodash versions
## 0.6.1 - 2015-02-13
### Added
- "Other recommended modules" in README
### Changed
- Updated Lodash version
### Fixed
- `frameguard` middleware exported a function called `xframe`
## 0.6.0 - 2015-01-21
### Added
- You can disable `csp` for Android
### Fixed
- `csp` on Chrome Mobile on Android and iOS
## 0.5.4 - 2014-12-21
### Changed
- `nocache` should force revalidation
## 0.5.3 - 2014-12-08
### Changed
- `platform` version in CSP and X-XSS-Protection
### Fixed
- Updated bad wording in frameguard docs
## 0.5.2 - 2014-11-16
### Changed
- Updated Connect version
### Fixed
- Fixed minor `csp` bugfixes
## 0.5.1 - 2014-11-09
### Changed
- Updated URLs in `package.json` for new URL
### Fixed
- CSP would set all headers forever after receiving an unknown user agent
## 0.5.0 - 2014-10-28
### Added
- Most middlewares have some aliases now
### Changed
- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
### Removed
- Deprecation warnings
### Fixed
- Readme link was broken
## 0.4.2 - 2014-10-16
### Added
- Support preload in HSTS header
## 0.4.1 - 2014-08-24
### Added
- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code
## 0.4.0 - 2014-07-17
### Added
- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags
### Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
### Fixed
- Allow HSTS to have a max-age of 0
## 0.3.2 - 2014-06-30
### Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
### Changed
- Added semicolons in README
- Make some Errors more specific
### Removed
- Removed all comment headers; refer to the readme
### Fixed
- `helmet()` was having issues
- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.

79
node_modules/helmet/CODE_OF_CONDUCT.md generated vendored Normal file
View File

@@ -0,0 +1,79 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our community include:
- Demonstrating empathy and kindness toward other people
- Being respectful of differing opinions, viewpoints, and experiences
- Giving and gracefully accepting constructive feedback
- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
- Focusing on what is best not just for us as individuals, but for the overall community
Examples of unacceptable behavior include:
- The use of sexualized language or imagery, and sexual attention or advances of any kind
- Trolling, insulting or derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or email address, without their explicit permission
- Other conduct which could reasonably be considered inappropriate in a professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [evanhahn.com/contact](https://evanhahn.com/contact). All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of actions.
**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at <https://www.contributor-covenant.org/faq>. Translations are available at <https://www.contributor-covenant.org/translations>.

15
node_modules/helmet/CONTRIBUTING.md generated vendored Normal file
View File

@@ -0,0 +1,15 @@
# Contributing to Helmet
Helmet welcomes contributors! This guide should help you submit issues and pull requests.
## Got a question, problem, or feature request?
The documentation and [Stack Overflow](http://stackoverflow.com/questions/tagged/helmet.js) are good places to start.
Feel free to [add an issue](https://github.com/helmetjs/helmet/issues) if those don't help!
## Want to submit a change?
If you're not sure whether your change will be welcomed, [add an issue](https://github.com/helmetjs/helmet/issues) to ask.
Once you're ready to make your change, make a pull request. If you're having trouble making a pull request (it's tricky!), check out [GitHub's guide](https://help.github.com/articles/using-pull-requests/) or add an issue. We'll make it work!

22
node_modules/helmet/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2012-2020 Evan Hahn, Adam Baldwin
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

472
node_modules/helmet/README.md generated vendored Normal file
View File

@@ -0,0 +1,472 @@
# Helmet
[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)
Helmet helps you secure your Express apps by setting various HTTP headers. _It's not a silver bullet_, but it can help!
## Quick start
First, run `npm install helmet --save` for your app. Then, in an Express app:
```js
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
// ...
```
## How it works
Helmet is [Connect](https://github.com/senchalabs/connect)-style middleware, which is compatible with frameworks like [Express](https://expressjs.com/). (If you need support for Koa, see [`koa-helmet`](https://github.com/venables/koa-helmet).)
The top-level `helmet` function is a wrapper around 11 smaller middlewares.
In other words, these two things are equivalent:
```js
// This...
app.use(helmet());
// ...is equivalent to this:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
```
To set custom options for one of the middleware, add options like this:
```js
// This sets custom options for the `referrerPolicy` middleware.
app.use(
helmet({
referrerPolicy: { policy: "no-referrer" },
})
);
```
You can also disable a middleware:
```js
// This disables the `contentSecurityPolicy` middleware but keeps the rest.
app.use(
helmet({
contentSecurityPolicy: false,
})
);
```
## Reference
<details>
<summary><code>helmet(options)</code></summary>
Helmet is the top-level middleware for this module, including all 11 others.
All 11 middlewares are enabled by default.
```js
// Includes all 11 middlewares
app.use(helmet());
```
If you want to disable one, pass options to `helmet`. For example, to disable `frameguard`:
```js
// Includes 10 middlewares, skipping `helmet.frameguard`
app.use(
helmet({
frameguard: false,
})
);
```
Most of the middlewares have options, which are documented in more detail below. For example, to pass `{ action: "deny" }` to `frameguard`:
```js
// Includes all 11 middlewares, setting an option for `helmet.frameguard`
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
```
Each middleware's name is listed below.
</details>
<details>
<summary><code>helmet.contentSecurityPolicy(options)</code></summary>
`helmet.contentSecurityPolicy` sets the `Content-Security-Policy` header which helps mitigate cross-site scripting attacks, among other things. See [MDN's introductory article on Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
This middleware performs very little validation. You should rely on CSP checkers like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) instead.
`options.directives` is an object. Each key is a directive name in camel case (such as `defaultSrc`) or kebab case (such as `default-src`). Each value is an iterable (usually an array) of strings or functions for that directive. If a function appears in the iterable, it will be called with the request and response.
`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead.
If no directives are supplied, the following policy is set (whitespace added for readability):
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
You can fetch this default with `helmet.contentSecurityPolicy.getDefaultDirectives()`.
Examples:
```js
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests"
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "example.com"],
objectSrc: ["'none'"],
upgradeInsecureRequests: [],
},
})
);
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none'"
app.use(
helmet.contentSecurityPolicy({
directives: {
"default-src": ["'self'"],
"script-src": ["'self'", "example.com"],
"object-src": ["'none'"],
},
})
);
// Sets all of the defaults, but overrides script-src
app.use(
helmet.contentSecurityPolicy({
directives: {
...helmet.contentSecurityPolicy.getDefaultDirectives(),
"script-src": ["'self'", "example.com"],
},
})
);
// Sets the "Content-Security-Policy-Report-Only" header instead
app.use(
helmet.contentSecurityPolicy({
directives: {
/* ... */
},
reportOnly: true,
})
);
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'"
app.use((req, res, next) => {
res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
next();
});
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
},
})
);
```
You can install this module separately as `helmet-csp`.
</details>
<details>
<summary><code>helmet.expectCt(options)</code></summary>
`helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.
`options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.
`options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.
`options.reportUri` is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
Examples:
```js
// Sets "Expect-CT: max-age=86400"
app.use(
helmet.expectCt({
maxAge: 86400,
})
);
// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report",
})
);
```
You can install this module separately as `expect-ct`.
</details>
<details>
<summary><code>helmet.referrerPolicy(options)</code></summary>
`helmet.referrerPolicy` sets the `Referrer-Policy` header which controls what information is set in [the `Referer` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer). See ["Referer header: privacy and security concerns"](https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) and [the header's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) on MDN for more.
`options.policy` is a string or array of strings representing the policy. If passed as an array, it will be joined with commas, which is useful when setting [a fallback policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy). It defaults to `no-referrer`.
Examples:
```js
// Sets "Referrer-Policy: no-referrer"
app.use(
helmet.referrerPolicy({
policy: "no-referrer",
})
);
// Sets "Referrer-Policy: origin,unsafe-url"
app.use(
helmet.referrerPolicy({
policy: ["origin", "unsafe-url"],
})
);
```
You can install this module separately as `referrer-policy`.
</details>
<details>
<summary><code>helmet.hsts(options)</code></summary>
`helmet.hsts` sets the `Strict-Transport-Security` header which tells browsers to prefer HTTPS over insecure HTTP. See [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) for more.
`options.maxAge` is the number of seconds browsers should remember to prefer HTTPS. If passed a non-integer, the value is rounded down. It defaults to `15552000`, which is 180 days.
`options.includeSubDomains` is a boolean which dictates whether to include the `includeSubDomains` directive, which makes this policy extend to subdomains. It defaults to `true`.
`options.preload` is a boolean. If true, it adds the `preload` directive, expressing intent to add your HSTS policy to browsers. See [the "Preloading Strict Transport Security" section on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security) for more. It defaults to `false`.
Examples:
```js
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains"
app.use(
helmet.hsts({
maxAge: 123456,
})
);
// Sets "Strict-Transport-Security: max-age=123456"
app.use(
helmet.hsts({
maxAge: 123456,
includeSubDomains: false,
})
);
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload"
app.use(
helmet.hsts({
maxAge: 63072000,
preload: true,
})
);
```
You can install this module separately as `hsts`.
</details>
<details>
<summary><code>helmet.noSniff()</code></summary>
`helmet.noSniff` sets the `X-Content-Type-Options` header to `nosniff`. This mitigates [MIME type sniffing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing) which can cause security vulnerabilities. See [documentation for this header on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) for more.
This middleware takes no options.
Example:
```js
// Sets "X-Content-Type-Options: nosniff"
app.use(helmet.noSniff());
```
You can install this module separately as `dont-sniff-mimetype`.
</details>
<details>
<summary><code>helmet.dnsPrefetchControl(options)</code></summary>
`helmet.dnsPrefetchControl` sets the `X-DNS-Prefetch-Control` header to help control DNS prefetching, which can improve user privacy at the expense of performance. See [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control) for more.
`options.allow` is a boolean dictating whether to enable DNS prefetching. It defaults to `false`.
Examples:
```js
// Sets "X-DNS-Prefetch-Control: off"
app.use(
helmet.dnsPrefetchControl({
allow: false,
})
);
// Sets "X-DNS-Prefetch-Control: on"
app.use(
helmet.dnsPrefetchControl({
allow: true,
})
);
```
You can install this module separately as `dns-prefetch-control`.
</details>
<details>
<summary><code>helmet.ieNoOpen()</code></summary>
`helmet.ieNoOpen` sets the `X-Download-Options` header, which is specific to Internet Explorer 8. It forces potentially-unsafe downloads to be saved, mitigating execution of HTML in your site's context. For more, see [this old post on MSDN](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-v-comprehensive-protection).
This middleware takes no options.
Examples:
```js
// Sets "X-Download-Options: noopen"
app.use(helmet.ieNoOpen());
```
You can install this module separately as `ienoopen`.
</details>
<details>
<summary><code>helmet.frameguard(options)</code></summary>
`helmet.frameguard` sets the `X-Frame-Options` header to help you mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers. For more, see [the documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
`options.action` is a string that specifies which directive to use—either `DENY` or `SAMEORIGIN`. (A legacy directive, `ALLOW-FROM`, is not supported by this middleware. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)) It defaults to `SAMEORIGIN`.
Examples:
```js
// Sets "X-Frame-Options: DENY"
app.use(
helmet.frameguard({
action: "deny",
})
);
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet.frameguard({
action: "sameorigin",
})
);
```
You can install this module separately as `frameguard`.
</details>
<details>
<summary><code>helmet.permittedCrossDomainPolicies(options)</code></summary>
`helmet.permittedCrossDomainPolicies` sets the `X-Permitted-Cross-Domain-Policies` header, which tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content. See [the description on OWASP](https://owasp.org/www-project-secure-headers/) for more.
`options.permittedPolicies` is a string that must be `"none"`, `"master-only"`, `"by-content-type"`, or `"all"`. It defaults to `"none"`.
Examples:
```js
// Sets "X-Permitted-Cross-Domain-Policies: none"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "none",
})
);
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type"
app.use(
helmet.permittedCrossDomainPolicies({
permittedPolicies: "by-content-type",
})
);
```
You can install this module separately as `helmet-crossdomain`.
</details>
<details>
<summary><code>helmet.hidePoweredBy()</code></summary>
`helmet.hidePoweredBy` removes the `X-Powered-By` header, which is set by default in some frameworks (like Express). Removing the header offers very limited security benefits (see [this discussion](https://github.com/expressjs/express/pull/2813#issuecomment-159270428)) and is mostly removed to save bandwidth.
This middleware takes no options.
If you're using Express, this middleware will work, but you should use `app.disable("x-powered-by")` instead.
Examples:
```js
// Removes the X-Powered-By header if it was set.
app.use(helmet.hidePoweredBy());
```
You can install this module separately as `hide-powered-by`.
</details>
<details>
<summary><code>helmet.xssFilter()</code></summary>
`helmet.xssFilter` disables browsers' buggy cross-site scripting filter by setting the `X-XSS-Protection` header to `0`. See [discussion about disabling the header here](https://github.com/helmetjs/helmet/issues/230) and [documentation on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
This middleware takes no options.
Examples:
```js
// Sets "X-XSS-Protection: 0"
app.use(helmet.xssFilter());
```
You can install this module separately as `x-xss-protection`.
</details>

7
node_modules/helmet/SECURITY.md generated vendored Normal file
View File

@@ -0,0 +1,7 @@
# Security issue reporting & disclosure process
If you feel you have found a security issue or concern with Helmet please reach out to the maintainers.
Email Evan Hahn at <me@evanhahn.com> or Adam Baldwin at <adam@npmjs.com>.
We will try to communicate in a timely manner and address your concerns.

44
node_modules/helmet/dist/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,44 @@
import { IncomingMessage, ServerResponse } from "http";
import { ContentSecurityPolicyOptions } from "./middlewares/content-security-policy";
import { ExpectCtOptions } from "./middlewares/expect-ct";
import { ReferrerPolicyOptions } from "./middlewares/referrer-policy";
import strictTransportSecurity, { StrictTransportSecurityOptions } from "./middlewares/strict-transport-security";
import xContentTypeOptions from "./middlewares/x-content-type-options";
import xDnsPrefetchControl, { XDnsPrefetchControlOptions } from "./middlewares/x-dns-prefetch-control";
import xDownloadOptions from "./middlewares/x-download-options";
import xFrameOptions, { XFrameOptionsOptions } from "./middlewares/x-frame-options";
import xPermittedCrossDomainPolicies, { XPermittedCrossDomainPoliciesOptions } from "./middlewares/x-permitted-cross-domain-policies";
import xPoweredBy from "./middlewares/x-powered-by";
import xXssProtection from "./middlewares/x-xss-protection";
interface HelmetOptions {
contentSecurityPolicy?: MiddlewareOption<ContentSecurityPolicyOptions>;
dnsPrefetchControl?: MiddlewareOption<XDnsPrefetchControlOptions>;
expectCt?: MiddlewareOption<ExpectCtOptions>;
frameguard?: MiddlewareOption<XFrameOptionsOptions>;
hidePoweredBy?: MiddlewareOption<never>;
hsts?: MiddlewareOption<StrictTransportSecurityOptions>;
ieNoOpen?: MiddlewareOption<never>;
noSniff?: MiddlewareOption<never>;
permittedCrossDomainPolicies?: MiddlewareOption<XPermittedCrossDomainPoliciesOptions>;
referrerPolicy?: MiddlewareOption<ReferrerPolicyOptions>;
xssFilter?: MiddlewareOption<never>;
}
declare type MiddlewareOption<T> = false | T;
declare function helmet(options?: Readonly<HelmetOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: unknown) => void) => void;
declare namespace helmet {
var contentSecurityPolicy: typeof import("./middlewares/content-security-policy").default;
var dnsPrefetchControl: typeof xDnsPrefetchControl;
var expectCt: typeof import("./middlewares/expect-ct").default;
var frameguard: typeof xFrameOptions;
var hidePoweredBy: typeof xPoweredBy;
var hsts: typeof strictTransportSecurity;
var ieNoOpen: typeof xDownloadOptions;
var noSniff: typeof xContentTypeOptions;
var permittedCrossDomainPolicies: typeof xPermittedCrossDomainPolicies;
var referrerPolicy: typeof import("./middlewares/referrer-policy").default;
var xssFilter: typeof xXssProtection;
var featurePolicy: () => never;
var hpkp: () => never;
var noCache: () => never;
}
export = helmet;

130
node_modules/helmet/dist/index.js generated vendored Normal file
View File

@@ -0,0 +1,130 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
const content_security_policy_1 = __importDefault(require("./middlewares/content-security-policy"));
const expect_ct_1 = __importDefault(require("./middlewares/expect-ct"));
const referrer_policy_1 = __importDefault(require("./middlewares/referrer-policy"));
const strict_transport_security_1 = __importDefault(require("./middlewares/strict-transport-security"));
const x_content_type_options_1 = __importDefault(require("./middlewares/x-content-type-options"));
const x_dns_prefetch_control_1 = __importDefault(require("./middlewares/x-dns-prefetch-control"));
const x_download_options_1 = __importDefault(require("./middlewares/x-download-options"));
const x_frame_options_1 = __importDefault(require("./middlewares/x-frame-options"));
const x_permitted_cross_domain_policies_1 = __importDefault(require("./middlewares/x-permitted-cross-domain-policies"));
const x_powered_by_1 = __importDefault(require("./middlewares/x-powered-by"));
const x_xss_protection_1 = __importDefault(require("./middlewares/x-xss-protection"));
function helmet(options = {}) {
var _a;
if (((_a = options.constructor) === null || _a === void 0 ? void 0 : _a.name) === "IncomingMessage") {
throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.");
}
// This is overly verbose. It'd be nice to condense this while still being type-safe.
if (Object.values(options).some((option) => option === true)) {
throw new Error("Helmet no longer supports `true` as a middleware option. Remove the property from your options to fix this error.");
}
const middlewareFunctions = [];
if (options.contentSecurityPolicy === undefined) {
middlewareFunctions.push(content_security_policy_1.default());
}
else if (options.contentSecurityPolicy !== false) {
middlewareFunctions.push(content_security_policy_1.default(options.contentSecurityPolicy));
}
if (options.dnsPrefetchControl === undefined) {
middlewareFunctions.push(x_dns_prefetch_control_1.default());
}
else if (options.dnsPrefetchControl !== false) {
middlewareFunctions.push(x_dns_prefetch_control_1.default(options.dnsPrefetchControl));
}
if (options.expectCt === undefined) {
middlewareFunctions.push(expect_ct_1.default());
}
else if (options.expectCt !== false) {
middlewareFunctions.push(expect_ct_1.default(options.expectCt));
}
if (options.frameguard === undefined) {
middlewareFunctions.push(x_frame_options_1.default());
}
else if (options.frameguard !== false) {
middlewareFunctions.push(x_frame_options_1.default(options.frameguard));
}
if (options.hidePoweredBy !== false) {
if (options.hidePoweredBy !== undefined) {
console.warn("hidePoweredBy does not take options. Remove the property to silence this warning.");
}
middlewareFunctions.push(x_powered_by_1.default());
}
if (options.hsts === undefined) {
middlewareFunctions.push(strict_transport_security_1.default());
}
else if (options.hsts !== false) {
middlewareFunctions.push(strict_transport_security_1.default(options.hsts));
}
if (options.ieNoOpen !== false) {
if (options.ieNoOpen !== undefined) {
console.warn("ieNoOpen does not take options. Remove the property to silence this warning.");
}
middlewareFunctions.push(x_download_options_1.default());
}
if (options.noSniff !== false) {
if (options.noSniff !== undefined) {
console.warn("noSniff does not take options. Remove the property to silence this warning.");
}
middlewareFunctions.push(x_content_type_options_1.default());
}
if (options.permittedCrossDomainPolicies === undefined) {
middlewareFunctions.push(x_permitted_cross_domain_policies_1.default());
}
else if (options.permittedCrossDomainPolicies !== false) {
middlewareFunctions.push(x_permitted_cross_domain_policies_1.default(options.permittedCrossDomainPolicies));
}
if (options.referrerPolicy === undefined) {
middlewareFunctions.push(referrer_policy_1.default());
}
else if (options.referrerPolicy !== false) {
middlewareFunctions.push(referrer_policy_1.default(options.referrerPolicy));
}
if (options.xssFilter !== false) {
if (options.xssFilter !== undefined) {
console.warn("xssFilter does not take options. Remove the property to silence this warning.");
}
middlewareFunctions.push(x_xss_protection_1.default());
}
return function helmetMiddleware(req, res, next) {
const iterator = middlewareFunctions[Symbol.iterator]();
(function internalNext(err) {
if (err) {
next(err);
return;
}
const iteration = iterator.next();
if (iteration.done) {
next();
}
else {
const middlewareFunction = iteration.value;
middlewareFunction(req, res, internalNext);
}
})();
};
}
helmet.contentSecurityPolicy = content_security_policy_1.default;
helmet.dnsPrefetchControl = x_dns_prefetch_control_1.default;
helmet.expectCt = expect_ct_1.default;
helmet.frameguard = x_frame_options_1.default;
helmet.hidePoweredBy = x_powered_by_1.default;
helmet.hsts = strict_transport_security_1.default;
helmet.ieNoOpen = x_download_options_1.default;
helmet.noSniff = x_content_type_options_1.default;
helmet.permittedCrossDomainPolicies = x_permitted_cross_domain_policies_1.default;
helmet.referrerPolicy = referrer_policy_1.default;
helmet.xssFilter = x_xss_protection_1.default;
helmet.featurePolicy = () => {
throw new Error("helmet.featurePolicy was removed because the Feature-Policy header is deprecated. If you still need this header, you can use the `feature-policy` module.");
};
helmet.hpkp = () => {
throw new Error("helmet.hpkp was removed because the header has been deprecated. If you still need this header, you can use the `hpkp` module. For more, see <https://github.com/helmetjs/helmet/issues/180>.");
};
helmet.noCache = () => {
throw new Error("helmet.noCache was removed. You can use the `nocache` module instead. For more, see <https://github.com/helmetjs/helmet/issues/215>.");
};
module.exports = helmet;

24
node_modules/helmet/dist/middlewares/content-security-policy/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,24 @@
/// <reference types="node" />
import { IncomingMessage, ServerResponse } from "http";
interface ContentSecurityPolicyDirectiveValueFunction {
(req: IncomingMessage, res: ServerResponse): string;
}
declare type ContentSecurityPolicyDirectiveValue = string | ContentSecurityPolicyDirectiveValueFunction;
interface ContentSecurityPolicyDirectives {
[directiveName: string]: Iterable<ContentSecurityPolicyDirectiveValue>;
}
export interface ContentSecurityPolicyOptions {
directives?: ContentSecurityPolicyDirectives;
reportOnly?: boolean;
}
declare const getDefaultDirectives: () => {
[x: string]: Iterable<ContentSecurityPolicyDirectiveValue>;
};
declare function contentSecurityPolicy(options?: Readonly<ContentSecurityPolicyOptions>): (req: IncomingMessage, res: ServerResponse, next: (err?: Error) => void) => void;
declare namespace contentSecurityPolicy {
var getDefaultDirectives: () => {
[x: string]: Iterable<ContentSecurityPolicyDirectiveValue>;
};
}
export default contentSecurityPolicy;
export { getDefaultDirectives };

120
node_modules/helmet/dist/middlewares/content-security-policy/index.js generated vendored Normal file
View File

@@ -0,0 +1,120 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.getDefaultDirectives = void 0;
const DEFAULT_DIRECTIVES = {
"default-src": ["'self'"],
"base-uri": ["'self'"],
"block-all-mixed-content": [],
"font-src": ["'self'", "https:", "data:"],
"frame-ancestors": ["'self'"],
"img-src": ["'self'", "data:"],
"object-src": ["'none'"],
"script-src": ["'self'"],
"script-src-attr": ["'none'"],
"style-src": ["'self'", "https:", "'unsafe-inline'"],
"upgrade-insecure-requests": [],
};
const getDefaultDirectives = () => (Object.assign({}, DEFAULT_DIRECTIVES));
exports.getDefaultDirectives = getDefaultDirectives;
const isRawPolicyDirectiveNameInvalid = (rawDirectiveName) => rawDirectiveName.length === 0 || /[^a-zA-Z0-9-]/.test(rawDirectiveName);
const dashify = (str) => str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
const isDirectiveValueInvalid = (directiveValue) => /;|,/.test(directiveValue);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function getHeaderName({ reportOnly, }) {
if (reportOnly) {
return "Content-Security-Policy-Report-Only";
}
else {
return "Content-Security-Policy";
}
}
function normalizeDirectives(options) {
const result = {};
const { directives: rawDirectives = getDefaultDirectives() } = options;
for (const rawDirectiveName in rawDirectives) {
if (!has(rawDirectives, rawDirectiveName)) {
continue;
}
if (isRawPolicyDirectiveNameInvalid(rawDirectiveName)) {
throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawDirectiveName)}`);
}
const directiveName = dashify(rawDirectiveName);
if (has(result, directiveName)) {
throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`);
}
const rawDirectiveValue = rawDirectives[rawDirectiveName];
let directiveValue;
if (typeof rawDirectiveValue === "string") {
directiveValue = [rawDirectiveValue];
}
else {
directiveValue = rawDirectiveValue;
}
for (const element of directiveValue) {
if (typeof element === "string" && isDirectiveValueInvalid(element)) {
throw new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`);
}
}
result[directiveName] = directiveValue;
}
if (!("default-src" in result)) {
throw new Error("Content-Security-Policy needs a default-src but none was provided");
}
return result;
}
function getHeaderValue(req, res, directives) {
const result = [];
for (const directiveName in directives) {
if (!has(directives, directiveName)) {
continue;
}
const rawDirectiveValue = directives[directiveName];
let directiveValue = "";
for (const element of rawDirectiveValue) {
if (element instanceof Function) {
directiveValue += " " + element(req, res);
}
else {
directiveValue += " " + element;
}
}
if (!directiveValue) {
result.push(directiveName);
}
else if (isDirectiveValueInvalid(directiveValue)) {
return new Error(`Content-Security-Policy received an invalid directive value for ${JSON.stringify(directiveName)}`);
}
else {
result.push(`${directiveName}${directiveValue}`);
}
}
return result.join(";");
}
function contentSecurityPolicy(options = {}) {
if ("loose" in options) {
console.warn("Content-Security-Policy middleware no longer needs the `loose` parameter. You should remove it.");
}
if ("setAllHeaders" in options) {
console.warn("Content-Security-Policy middleware no longer supports the `setAllHeaders` parameter. See <https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4>.");
}
["disableAndroid", "browserSniff"].forEach((deprecatedOption) => {
if (deprecatedOption in options) {
console.warn(`Content-Security-Policy middleware no longer does browser sniffing, so you can remove the \`${deprecatedOption}\` option. See <https://github.com/helmetjs/csp/issues/97> for discussion.`);
}
});
const headerName = getHeaderName(options);
const directives = normalizeDirectives(options);
return function contentSecurityPolicyMiddleware(req, res, next) {
const result = getHeaderValue(req, res, directives);
if (result instanceof Error) {
next(result);
}
else {
res.setHeader(headerName, result);
next();
}
};
}
contentSecurityPolicy.getDefaultDirectives = getDefaultDirectives;
module.exports = contentSecurityPolicy;
exports.default = contentSecurityPolicy;

8
node_modules/helmet/dist/middlewares/expect-ct/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,8 @@
import { IncomingMessage, ServerResponse } from "http";
export interface ExpectCtOptions {
maxAge?: number;
enforce?: boolean;
reportUri?: string;
}
declare function expectCt(options?: Readonly<ExpectCtOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default expectCt;

35
node_modules/helmet/dist/middlewares/expect-ct/index.js generated vendored Normal file
View File

@@ -0,0 +1,35 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function parseMaxAge(value) {
if (value === undefined) {
return 0;
}
else if (typeof value === "number" &&
value >= 0 &&
Number.isFinite(value)) {
return Math.floor(value);
}
else {
throw new Error(`Expect-CT: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`);
}
}
function getHeaderValueFromOptions(options) {
const directives = [];
directives.push(`max-age=${parseMaxAge(options.maxAge)}`);
if (options.enforce) {
directives.push("enforce");
}
if (options.reportUri) {
directives.push(`report-uri="${options.reportUri}"`);
}
return directives.join(", ");
}
function expectCt(options = {}) {
const headerValue = getHeaderValueFromOptions(options);
return function expectCtMiddleware(_req, res, next) {
res.setHeader("Expect-CT", headerValue);
next();
};
}
module.exports = expectCt;
exports.default = expectCt;

6
node_modules/helmet/dist/middlewares/referrer-policy/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http";
export interface ReferrerPolicyOptions {
policy?: string | string[];
}
declare function referrerPolicy(options?: Readonly<ReferrerPolicyOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default referrerPolicy;

39
node_modules/helmet/dist/middlewares/referrer-policy/index.js generated vendored Normal file
View File

@@ -0,0 +1,39 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const ALLOWED_TOKENS = new Set([
"no-referrer",
"no-referrer-when-downgrade",
"same-origin",
"origin",
"strict-origin",
"origin-when-cross-origin",
"strict-origin-when-cross-origin",
"unsafe-url",
"",
]);
function getHeaderValueFromOptions({ policy = ["no-referrer"], }) {
const tokens = typeof policy === "string" ? [policy] : policy;
if (tokens.length === 0) {
throw new Error("Referrer-Policy received no policy tokens");
}
const tokensSeen = new Set();
tokens.forEach((token) => {
if (!ALLOWED_TOKENS.has(token)) {
throw new Error(`Referrer-Policy received an unexpected policy token ${JSON.stringify(token)}`);
}
else if (tokensSeen.has(token)) {
throw new Error(`Referrer-Policy received a duplicate policy token ${JSON.stringify(token)}`);
}
tokensSeen.add(token);
});
return tokens.join(",");
}
function referrerPolicy(options = {}) {
const headerValue = getHeaderValueFromOptions(options);
return function referrerPolicyMiddleware(_req, res, next) {
res.setHeader("Referrer-Policy", headerValue);
next();
};
}
module.exports = referrerPolicy;
exports.default = referrerPolicy;

8
node_modules/helmet/dist/middlewares/strict-transport-security/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,8 @@
import { IncomingMessage, ServerResponse } from "http";
export interface StrictTransportSecurityOptions {
maxAge?: number;
includeSubDomains?: boolean;
preload?: boolean;
}
declare function strictTransportSecurity(options?: Readonly<StrictTransportSecurityOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default strictTransportSecurity;

44
node_modules/helmet/dist/middlewares/strict-transport-security/index.js generated vendored Normal file
View File

@@ -0,0 +1,44 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60;
function parseMaxAge(value) {
if (value === undefined) {
return DEFAULT_MAX_AGE;
}
else if (typeof value === "number" &&
value >= 0 &&
Number.isFinite(value)) {
return Math.floor(value);
}
else {
throw new Error(`Strict-Transport-Security: ${JSON.stringify(value)} is not a valid value for maxAge. Please choose a positive integer.`);
}
}
function getHeaderValueFromOptions(options) {
if ("maxage" in options) {
throw new Error("Strict-Transport-Security received an unsupported property, `maxage`. Did you mean to pass `maxAge`?");
}
if ("includeSubdomains" in options) {
console.warn('Strict-Transport-Security middleware should use `includeSubDomains` instead of `includeSubdomains`. (The correct one has an uppercase "D".)');
}
if ("setIf" in options) {
console.warn("Strict-Transport-Security middleware no longer supports the `setIf` parameter. See the documentation and <https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware> if you need help replicating this behavior.");
}
const directives = [`max-age=${parseMaxAge(options.maxAge)}`];
if (options.includeSubDomains === undefined || options.includeSubDomains) {
directives.push("includeSubDomains");
}
if (options.preload) {
directives.push("preload");
}
return directives.join("; ");
}
function strictTransportSecurity(options = {}) {
const headerValue = getHeaderValueFromOptions(options);
return function strictTransportSecurityMiddleware(_req, res, next) {
res.setHeader("Strict-Transport-Security", headerValue);
next();
};
}
module.exports = strictTransportSecurity;
exports.default = strictTransportSecurity;

3
node_modules/helmet/dist/middlewares/x-content-type-options/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http";
declare function xContentTypeOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xContentTypeOptions;

10
node_modules/helmet/dist/middlewares/x-content-type-options/index.js generated vendored Normal file
View File

@@ -0,0 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xContentTypeOptions() {
return function xContentTypeOptionsMiddleware(_req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff");
next();
};
}
module.exports = xContentTypeOptions;
exports.default = xContentTypeOptions;

6
node_modules/helmet/dist/middlewares/x-dns-prefetch-control/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http";
export interface XDnsPrefetchControlOptions {
allow?: boolean;
}
declare function xDnsPrefetchControl(options?: Readonly<XDnsPrefetchControlOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xDnsPrefetchControl;

11
node_modules/helmet/dist/middlewares/x-dns-prefetch-control/index.js generated vendored Normal file
View File

@@ -0,0 +1,11 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xDnsPrefetchControl(options = {}) {
const headerValue = options.allow ? "on" : "off";
return function xDnsPrefetchControlMiddleware(_req, res, next) {
res.setHeader("X-DNS-Prefetch-Control", headerValue);
next();
};
}
module.exports = xDnsPrefetchControl;
exports.default = xDnsPrefetchControl;

3
node_modules/helmet/dist/middlewares/x-download-options/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http";
declare function xDownloadOptions(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xDownloadOptions;

10
node_modules/helmet/dist/middlewares/x-download-options/index.js generated vendored Normal file
View File

@@ -0,0 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xDownloadOptions() {
return function xDownloadOptionsMiddleware(_req, res, next) {
res.setHeader("X-Download-Options", "noopen");
next();
};
}
module.exports = xDownloadOptions;
exports.default = xDownloadOptions;

6
node_modules/helmet/dist/middlewares/x-frame-options/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http";
export interface XFrameOptionsOptions {
action?: string;
}
declare function xFrameOptions(options?: Readonly<XFrameOptionsOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xFrameOptions;

26
node_modules/helmet/dist/middlewares/x-frame-options/index.js generated vendored Normal file
View File

@@ -0,0 +1,26 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function getHeaderValueFromOptions({ action = "SAMEORIGIN", }) {
action = String(action).toUpperCase();
if (action === "SAME-ORIGIN") {
return "SAMEORIGIN";
}
else if (action === "DENY" || action === "SAMEORIGIN") {
return action;
}
else if (action === "ALLOW-FROM") {
throw new Error("X-Frame-Options no longer supports `ALLOW-FROM` due to poor browser support. See <https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive> for more info.");
}
else {
throw new Error(`X-Frame-Options received an invalid action ${JSON.stringify(action)}`);
}
}
function xFrameOptions(options = {}) {
const headerValue = getHeaderValueFromOptions(options);
return function xFrameOptionsMiddleware(_req, res, next) {
res.setHeader("X-Frame-Options", headerValue);
next();
};
}
module.exports = xFrameOptions;
exports.default = xFrameOptions;

6
node_modules/helmet/dist/middlewares/x-permitted-cross-domain-policies/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
import { IncomingMessage, ServerResponse } from "http";
export interface XPermittedCrossDomainPoliciesOptions {
permittedPolicies?: string;
}
declare function xPermittedCrossDomainPolicies(options?: Readonly<XPermittedCrossDomainPoliciesOptions>): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xPermittedCrossDomainPolicies;

25
node_modules/helmet/dist/middlewares/x-permitted-cross-domain-policies/index.js generated vendored Normal file
View File

@@ -0,0 +1,25 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const ALLOWED_PERMITTED_POLICIES = new Set([
"none",
"master-only",
"by-content-type",
"all",
]);
function getHeaderValueFromOptions({ permittedPolicies = "none", }) {
if (ALLOWED_PERMITTED_POLICIES.has(permittedPolicies)) {
return permittedPolicies;
}
else {
throw new Error(`X-Permitted-Cross-Domain-Policies does not support ${JSON.stringify(permittedPolicies)}`);
}
}
function xPermittedCrossDomainPolicies(options = {}) {
const headerValue = getHeaderValueFromOptions(options);
return function xPermittedCrossDomainPoliciesMiddleware(_req, res, next) {
res.setHeader("X-Permitted-Cross-Domain-Policies", headerValue);
next();
};
}
module.exports = xPermittedCrossDomainPolicies;
exports.default = xPermittedCrossDomainPolicies;

3
node_modules/helmet/dist/middlewares/x-powered-by/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http";
declare function xPoweredBy(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xPoweredBy;

10
node_modules/helmet/dist/middlewares/x-powered-by/index.js generated vendored Normal file
View File

@@ -0,0 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xPoweredBy() {
return function xPoweredByMiddleware(_req, res, next) {
res.removeHeader("X-Powered-By");
next();
};
}
module.exports = xPoweredBy;
exports.default = xPoweredBy;

3
node_modules/helmet/dist/middlewares/x-xss-protection/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import { IncomingMessage, ServerResponse } from "http";
declare function xXssProtection(): (_req: IncomingMessage, res: ServerResponse, next: () => void) => void;
export default xXssProtection;

10
node_modules/helmet/dist/middlewares/x-xss-protection/index.js generated vendored Normal file
View File

@@ -0,0 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xXssProtection() {
return function xXssProtectionMiddleware(_req, res, next) {
res.setHeader("X-XSS-Protection", "0");
next();
};
}
module.exports = xXssProtection;
exports.default = xXssProtection;

125
node_modules/helmet/package.json generated vendored Normal file
View File

@@ -0,0 +1,125 @@
{
"_from": "helmet",
"_id": "helmet@4.2.0",
"_inBundle": false,
"_integrity": "sha512-aoiSxXMd0ks1ojYpSCFoCRzgv4rY/uB9jKStaw8PkXwsdLYa/Gq+Nc5l0soH0cwBIsLAlujPnx4HLQs+LaXCrQ==",
"_location": "/helmet",
"_phantomChildren": {},
"_requested": {
"type": "tag",
"registry": true,
"raw": "helmet",
"name": "helmet",
"escapedName": "helmet",
"rawSpec": "",
"saveSpec": null,
"fetchSpec": "latest"
},
"_requiredBy": [
"#USER",
"/"
],
"_resolved": "https://registry.npmjs.org/helmet/-/helmet-4.2.0.tgz",
"_shasum": "e81f5613cc1c90402af581794dc9878ad078b237",
"_spec": "helmet",
"_where": "/home/teddit/site",
"author": {
"name": "Adam Baldwin",
"email": "adam@npmjs.com",
"url": "https://evilpacket.net"
},
"bugs": {
"url": "https://github.com/helmetjs/helmet/issues",
"email": "me@evanhahn.com"
},
"bundleDependencies": false,
"contributors": [
{
"name": "Evan Hahn",
"email": "me@evanhahn.com",
"url": "https://evanhahn.com"
},
{
"name": "Ameen Abdeen",
"email": "ameen.abdeen.se@gmail.com"
}
],
"dependencies": {},
"deprecated": false,
"description": "help secure Express/Connect apps with various HTTP headers",
"devDependencies": {
"@types/connect": "^3.4.33",
"@types/jest": "^26.0.15",
"@types/supertest": "^2.0.10",
"@typescript-eslint/eslint-plugin": "^4.6.0",
"@typescript-eslint/parser": "^4.6.0",
"connect": "^3.7.0",
"eslint": "^7.12.1",
"jest": "^26.6.1",
"prettier": "^2.1.2",
"supertest": "^6.0.0",
"ts-jest": "^26.4.3",
"typescript": "^4.0.5"
},
"engines": {
"node": ">=10.0.0"
},
"files": [
"CHANGELOG.md",
"CODE_OF_CONDUCT.md",
"CONTRIBUTING.md",
"LICENSE",
"README.md",
"SECURITY.md",
"dist/index.js",
"dist/index.d.ts",
"dist/middlewares/content-security-policy/index.js",
"dist/middlewares/content-security-policy/index.d.ts",
"dist/middlewares/expect-ct/index.js",
"dist/middlewares/expect-ct/index.d.ts",
"dist/middlewares/referrer-policy/index.js",
"dist/middlewares/referrer-policy/index.d.ts",
"dist/middlewares/strict-transport-security/index.js",
"dist/middlewares/strict-transport-security/index.d.ts",
"dist/middlewares/x-content-type-options/index.js",
"dist/middlewares/x-content-type-options/index.d.ts",
"dist/middlewares/x-dns-prefetch-control/index.js",
"dist/middlewares/x-dns-prefetch-control/index.d.ts",
"dist/middlewares/x-download-options/index.js",
"dist/middlewares/x-download-options/index.d.ts",
"dist/middlewares/x-frame-options/index.js",
"dist/middlewares/x-frame-options/index.d.ts",
"dist/middlewares/x-permitted-cross-domain-policies/index.js",
"dist/middlewares/x-permitted-cross-domain-policies/index.d.ts",
"dist/middlewares/x-powered-by/index.js",
"dist/middlewares/x-powered-by/index.d.ts",
"dist/middlewares/x-xss-protection/index.js",
"dist/middlewares/x-xss-protection/index.d.ts"
],
"homepage": "https://helmetjs.github.io/",
"keywords": [
"express",
"security",
"headers"
],
"license": "MIT",
"main": "dist/index",
"name": "helmet",
"repository": {
"type": "git",
"url": "git://github.com/helmetjs/helmet.git"
},
"scripts": {
"build": "npm run clean && tsc",
"build-middleware-package": "npm run build && node ./bin/build-middleware-package.js",
"clean": "node ./bin/clean.js",
"format": "prettier --write \"**/*{md,js,json,ts}\"",
"lint": "npm run lint:eslint && npm run lint:prettier",
"lint:eslint": "eslint \"**/*.ts\"",
"lint:prettier": "prettier --check \"**/*{md,js,json,ts}\"",
"prepublishOnly": "npm run build",
"pretest": "npm run lint",
"test": "jest"
},
"version": "4.2.0"
}