jonaszbigda/menui_backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security upgrades

Browse Source
This commit is contained in:
Jonasz Bigda
2020-07-15 19:54:48 +02:00
parent 59cc6c54cd
commit ad8ed283d2
3164 changed files with 408897 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

693
node_modules/helmet/CHANGELOG.md generated vendored Normal file
View File

@@ -0,0 +1,693 @@
# Changelog
## 3.23.3 - 2020-06-26
### Changed
- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.
## 3.23.2 - 2020-06-23
### Changed
- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.
## 3.23.1 - 2020-06-16
### Changed
- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.
## 3.23.0 - 2020-06-12
### Deprecated
- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.
## 3.22.1 - 2020-06-10
### Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
## 3.22.0 - 2020-03-24
### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)
### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)
## 3.21.3 - 2020-02-24
### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)
## 3.21.2 - 2019-10-21
### Changed
- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)
## 3.21.1 - 2019-09-20
### Fixed
- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version
## 3.21.0 - 2019-09-04
### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`
### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)
## 3.20.1 - 2019-08-28
### Changed
- Updated `helmet-csp` to v2.9.0
## 3.20.0 - 2019-07-24
### Changed
- Updated `helmet-csp` to v2.8.0
## 3.19.0 - 2019-07-17
### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0
## 3.18.0 - 2019-05-05
### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`
### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0
## 3.17.0 - 2019-05-03
### Added
- `referrerPolicy` now supports multiple values
### Changed
- Updated `referrerPolicy` to v1.2.0
## 3.16.0 - 2019-03-10
### Added
- Add email to `bugs` field in `package.json`
### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information
### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
* The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more
## 3.15.1 - 2019-02-10
### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.
## 3.15.0 - 2018-11-07
### Added
- `helmet.featurePolicy` now supports four new features
## 3.14.0 - 2018-10-09
### Added
- `helmet.featurePolicy` middleware
## 3.13.0 - 2018-07-22
### Added
- `helmet.permittedCrossDomainPolicies` middleware
## 3.12.2 - 2018-07-20
### Fixed
- Removed `lodash.reduce` dependency from `csp`
## 3.12.1 - 2018-05-16
### Fixed
- `expectCt` should use comma instead of semicolon as delimiter
## 3.12.0 - 2018-03-02
### Added
- `xssFilter` now supports `reportUri` option
## 3.11.0 - 2018-02-09
### Added
- Main Helmet middleware is now named to help with debugging
## 3.10.0 - 2018-01-23
### Added
- `csp` now supports `prefix-src` directive
### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive
## 3.9.0 - 2017-10-13
### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive
### Changed
- Removed `connect` dependency
## 3.8.2 - 2017-09-27
### Changed
- Updated `connect` dependency to latest
## 3.8.1 - 2017-07-28
### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`
## 3.8.0 - 2017-07-21
### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header
## 3.7.0 - 2017-07-21
### Added
- `csp` now supports `report-to` directive
### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`
## 3.6.1 - 2017-05-21
### Changed
- Bump `connect` version
## 3.6.0 - 2017-05-04
### Added
- `expectCt` middleware for setting the `Expect-CT` header
## 3.5.0 - 2017-03-06
### Added
- `csp` now supports the `worker-src` directive
## 3.4.1 - 2017-02-24
### Changed
- Bump `connect` version
## 3.4.0 - 2017-01-13
### Added
- `csp` now supports more `sandbox` directives
## 3.3.0 - 2016-12-31
### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives
### Changed
- Bump `connect` version
## 3.2.0 - 2016-12-22
### Added
- `csp` now allows `manifest-src` directive
## 3.1.0 - 2016-11-03
### Added
- `csp` now allows `frame-src` directive
## 3.0.0 - 2016-10-28
### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
## 2.3.0 - 2016-09-30
### Added
- `hpkp` middleware now supports the `includeSubDomains` property with a capital D
### Fixed
- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`
## 2.2.0 - 2016-09-16
### Added
- `referrerPolicy` middleware
## 2.1.3 - 2016-09-07
### Changed
- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required
## 2.1.2 - 2016-07-27
### Deprecated
- `nocache`'s `noEtag` option is now deprecated
### Fixed
- `csp` now better handles Firefox on mobile
## 2.1.1 - 2016-06-10
### Changed
- Remove several dependencies from `helmet-csp`
### Fixed
- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`
## 2.1.0 - 2016-05-18
### Added
- `csp` lets you dynamically set `reportOnly`
## 2.0.0 - 2016-04-29
### Added
- Pass configuration to enable/disable default middlewares
### Changed
- `dnsPrefetchControl` middleware is now enabled by default
### Removed
- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object
### Fixed
- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme
## 1.3.0 - 2016-03-01
### Added
- `hpkp` has a `setIf` option to conditionally set the header
## 1.2.0 - 2016-02-29
### Added
- `csp` now has a `browserSniff` option to disable all user-agent sniffing
### Changed
- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly
## 1.1.0 - 2016-01-12
### Added
- Code of conduct
- `dnsPrefetchControl` middleware
### Fixed
- `csp` readme had syntax errors
## 1.0.2 - 2016-01-08
### Fixed
- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error
## 1.0.1 - 2015-12-19
### Fixed
- `csp` with no User Agent would cause errors
## 1.0.0 - 2015-12-18
### Added
- `csp` module supports dynamically-generated values
### Changed
- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo
### Removed
- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module
### Fixed
- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies is no longer recursive
## 0.15.0 - 2015-11-26
### Changed
- `hpkp` allows a `report-uri` without the `Report-Only` header
## 0.14.0 - 2015-11-01
### Added
- `nocache` now sends the `Surrogate-Control` header
### Changed
- `nocache` no longer contains the `private` directive in the `Cache-Control` header
## 0.13.0 - 2015-10-23
### Added
- `xssFilter` now has a function name
- Added new CSP docs to readme
### Changed
- HSTS option renamed from `includeSubdomains` to `includeSubDomains`
## 0.11.0 - 2015-09-18
### Added
- `csp` now supports Microsoft Edge
- CSP Level 2 support
### Changed
- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0
### Fixed
- Added `license` key to `csp`'s `package.json`
- Empty `csp` directives now support every directive, not just `sandbox`
## 0.10.0 - 2015-07-08
### Added
- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`
### Changed
- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins
### Fixed
- `hpkp` might have miscalculated `maxAge` slightly wrong
## 0.9.0 - 2015-04-24
### Changed
- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`
## 0.8.0 - 2015-04-21
### Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
### Deprecated
- Deprecated `crossdomain` middleware
### Removed
- `crossdomain` is no longer a default middleware
## 0.7.1 - 2015-03-23
### Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
## 0.7.0 - 2015-03-05
### Added
- `hpkp` middleware
### Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
## 0.6.2 - 2015-03-01
### Changed
- Improved `xssFilter` performance
- Updated Lodash versions
## 0.6.1 - 2015-02-13
### Added
- "Other recommended modules" in README
### Changed
- Updated Lodash version
### Fixed
- `frameguard` middleware exported a function called `xframe`
## 0.6.0 - 2015-01-21
### Added
- You can disable `csp` for Android
### Fixed
- `csp` on Chrome Mobile on Android and iOS
## 0.5.4 - 2014-12-21
### Changed
- `nocache` should force revalidation
## 0.5.3 - 2014-12-08
### Changed
- `platform` version in CSP and X-XSS-Protection
### Fixed
- Updated bad wording in frameguard docs
## 0.5.2 - 2014-11-16
### Changed
- Updated Connect version
### Fixed
- Fixed minor `csp` bugfixes
## 0.5.1 - 2014-11-09
### Changed
- Updated URLs in `package.json` for new URL
### Fixed
- CSP would set all headers forever after receiving an unknown user agent
## 0.5.0 - 2014-10-28
### Added
- Most middlewares have some aliases now
### Changed
- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
### Removed
- Deprecation warnings
### Fixed
- Readme link was broken
## 0.4.2 - 2014-10-16
### Added
- Support preload in HSTS header
## 0.4.1 - 2014-08-24
### Added
- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code
## 0.4.0 - 2014-07-17
### Added
- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags
### Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
### Fixed
- Allow HSTS to have a max-age of 0
## 0.3.2 - 2014-06-30
### Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
### Changed
- Added semicolons in README
- Make some Errors more specific
### Removed
- Removed all comment headers; refer to the readme
### Fixed
- `helmet()` was having issues
- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.

79
node_modules/helmet/CODE_OF_CONDUCT.md generated vendored Normal file
View File

@@ -0,0 +1,79 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our community include:
- Demonstrating empathy and kindness toward other people
- Being respectful of differing opinions, viewpoints, and experiences
- Giving and gracefully accepting constructive feedback
- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
- Focusing on what is best not just for us as individuals, but for the overall community
Examples of unacceptable behavior include:
- The use of sexualized language or imagery, and sexual attention or advances of any kind
- Trolling, insulting or derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or email address, without their explicit permission
- Other conduct which could reasonably be considered inappropriate in a professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [evanhahn.com/contact](https://evanhahn.com/contact). All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of actions.
**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at <https://www.contributor-covenant.org/faq>. Translations are available at <https://www.contributor-covenant.org/translations>.

15
node_modules/helmet/CONTRIBUTING.md generated vendored Normal file
View File

@@ -0,0 +1,15 @@
# Contributing to Helmet
Helmet welcomes contributors! This guide should help you submit issues and pull requests.
## Got a question, problem, or feature request?
The documentation and [Stack Overflow](http://stackoverflow.com/questions/tagged/helmet.js) are good places to start.
Feel free to [add an issue](https://github.com/helmetjs/helmet/issues) if those don't help!
## Want to submit a change?
If you're not sure whether your change will be welcomed, [add an issue](https://github.com/helmetjs/helmet/issues) to ask.
Once you're ready to make your change, make a pull request. If you're having trouble making a pull request (it's tricky!), check out [GitHub's guide](https://help.github.com/articles/using-pull-requests/) or add an issue. We'll make it work!

22
node_modules/helmet/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,22 @@
The MIT License
Copyright (c) 2012-2020 Evan Hahn, Adam Baldwin
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

78
node_modules/helmet/README.md generated vendored Normal file
View File

@@ -0,0 +1,78 @@
# Helmet
[![npm version](https://badge.fury.io/js/helmet.svg)](http://badge.fury.io/js/helmet)
[![npm dependency status](https://david-dm.org/helmetjs/helmet.svg)](https://david-dm.org/helmetjs/helmet)
[![Build Status](https://travis-ci.org/helmetjs/helmet.svg?branch=master)](https://travis-ci.org/helmetjs/helmet)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fhelmetjs%2Fhelmet?ref=badge_shield)
Helmet helps you secure your Express apps by setting various HTTP headers. _It's not a silver bullet_, but it can help!
[Looking for a version of Helmet that supports the Koa framework?](https://github.com/venables/koa-helmet)
## Quick start
First, run `npm install helmet --save` for your app. Then, in an Express (or Connect) app:
```js
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
// ...
```
It's best to `use` Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
```js
app.use(helmet.xssFilter());
app.use(helmet.frameguard());
```
You can disable a middleware that's normally enabled by default. This will disable `frameguard` but include the other defaults.
```js
app.use(
helmet({
frameguard: false,
})
);
```
You can also set options for a middleware. Setting options like this will _always_ include the middleware, whether or not it's a default.
```js
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
```
_If you're using Express 3, make sure these middlewares are listed before `app.router`._
## How it works
Helmet is a collection of 11 smaller middleware functions that set HTTP response headers. Running `app.use(helmet())` will not include all of these middleware functions by default.
| Module | Default? |
| ------------------------------------------------------------------------------------------------------------- | -------- |
| [contentSecurityPolicy](https://helmetjs.github.io/docs/csp/) for setting Content Security Policy | |
| [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests | |
| [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching | ✓ |
| [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency | |
| [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking | ✓ |
| [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header | ✓ |
| [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security | ✓ |
| [ieNoOpen](https://helmetjs.github.io/docs/ienoopen) sets X-Download-Options for IE8+ | ✓ |
| [noSniff](https://helmetjs.github.io/docs/dont-sniff-mimetype) to keep clients from sniffing the MIME type | ✓ |
| [referrerPolicy](https://helmetjs.github.io/docs/referrer-policy) to hide the Referer header | |
| [xssFilter](https://helmetjs.github.io/docs/xss-filter) adds some small XSS protections | ✓ |
You can see more in [the documentation](https://helmetjs.github.io/docs/).

7
node_modules/helmet/SECURITY.md generated vendored Normal file
View File

@@ -0,0 +1,7 @@
# Security issue reporting & disclosure process
If you feel you have found a security issue or concern with Helmet please reach out to the maintainers.
Email Evan Hahn at <me@evanhahn.com> or Adam Baldwin at <adam@npmjs.com>.
We will try to communicate in a timely manner and address your concerns.

94
node_modules/helmet/dist/index.js generated vendored Normal file
View File

@@ -0,0 +1,94 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
var expect_ct_1 = __importDefault(require("./middlewares/expect-ct"));
var x_dns_prefetch_control_1 = __importDefault(require("./middlewares/x-dns-prefetch-control"));
var x_download_options_1 = __importDefault(require("./middlewares/x-download-options"));
var x_frame_options_1 = __importDefault(require("./middlewares/x-frame-options"));
var depd = require("depd");
var deprecate = depd("helmet");
var DEFAULT_MIDDLEWARE = [
"dnsPrefetchControl",
"frameguard",
"hidePoweredBy",
"hsts",
"ieNoOpen",
"noSniff",
"xssFilter",
];
var middlewares = [
"contentSecurityPolicy",
"dnsPrefetchControl",
"expectCt",
"featurePolicy",
"frameguard",
"hidePoweredBy",
"hsts",
"ieNoOpen",
"noSniff",
"permittedCrossDomainPolicies",
"referrerPolicy",
"xssFilter",
"hpkp",
"noCache",
];
function helmet(options) {
if (options === void 0) { options = {}; }
if (options.constructor.name === "IncomingMessage") {
throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.");
}
var stack = middlewares.reduce(function (result, middlewareName) {
var middleware = helmet[middlewareName];
var middlewareOptions = options[middlewareName];
var isDefault = DEFAULT_MIDDLEWARE.indexOf(middlewareName) !== -1;
if (middlewareOptions === false) {
return result;
}
else if (middlewareOptions === true) {
middlewareOptions = {};
}
if (middlewareOptions != null) {
return result.concat(middleware(middlewareOptions));
}
else if (isDefault) {
return result.concat(middleware({}));
}
return result;
}, []);
return function helmet(req, res, next) {
var index = 0;
function internalNext() {
var args = [];
for (var _i = 0; _i < arguments.length; _i++) {
args[_i] = arguments[_i];
}
if (args.length > 0) {
next.apply(void 0, args);
return;
}
var middleware = stack[index];
if (!middleware) {
return next();
}
index++;
middleware(req, res, internalNext);
}
internalNext();
};
}
helmet.contentSecurityPolicy = require("helmet-csp");
helmet.dnsPrefetchControl = x_dns_prefetch_control_1.default;
helmet.expectCt = expect_ct_1.default;
helmet.frameguard = x_frame_options_1.default;
helmet.hidePoweredBy = require("hide-powered-by");
helmet.hsts = require("hsts");
helmet.ieNoOpen = x_download_options_1.default;
helmet.noSniff = require("dont-sniff-mimetype");
helmet.permittedCrossDomainPolicies = require("helmet-crossdomain");
helmet.referrerPolicy = require("referrer-policy");
helmet.xssFilter = require("x-xss-protection");
helmet.featurePolicy = deprecate.function(require("feature-policy"), "helmet.featurePolicy is deprecated (along with the HTTP header) and will be removed in helmet@4. You can use the `feature-policy` module instead.");
helmet.hpkp = deprecate.function(require("hpkp"), "helmet.hpkp is deprecated and will be removed in helmet@4. You can use the `hpkp` module instead. For more, see https://github.com/helmetjs/helmet/issues/180.");
helmet.noCache = deprecate.function(require("nocache"), "helmet.noCache is deprecated and will be removed in helmet@4. You can use the `nocache` module instead. For more, see https://github.com/helmetjs/helmet/issues/215.");
module.exports = helmet;

34
node_modules/helmet/dist/middlewares/expect-ct/index.js generated vendored Normal file
View File

@@ -0,0 +1,34 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function parseMaxAge(value) {
if (value === undefined) {
return 0;
}
else if (typeof value === "number" && value >= 0) {
return Math.floor(value);
}
else {
throw new Error(value + " is not a valid value for maxAge. Please choose a positive integer.");
}
}
function getHeaderValueFromOptions(options) {
var directives = [];
if (options.enforce) {
directives.push("enforce");
}
directives.push("max-age=" + parseMaxAge(options.maxAge));
if (options.reportUri) {
directives.push("report-uri=\"" + options.reportUri + "\"");
}
return directives.join(", ");
}
function expectCt(options) {
if (options === void 0) { options = {}; }
var headerValue = getHeaderValueFromOptions(options);
return function expectCtMiddleware(_req, res, next) {
res.setHeader("Expect-CT", headerValue);
next();
};
}
module.exports = expectCt;
exports.default = expectCt;

12
node_modules/helmet/dist/middlewares/x-dns-prefetch-control/index.js generated vendored Normal file
View File

@@ -0,0 +1,12 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xDnsPrefetchControl(options) {
if (options === void 0) { options = {}; }
var headerValue = options.allow ? "on" : "off";
return function xDnsPrefetchControlMiddleware(_req, res, next) {
res.setHeader("X-DNS-Prefetch-Control", headerValue);
next();
};
}
module.exports = xDnsPrefetchControl;
exports.default = xDnsPrefetchControl;

11
node_modules/helmet/dist/middlewares/x-download-options/index.js generated vendored Normal file
View File

@@ -0,0 +1,11 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function xDownloadOptionsMiddleware(_req, res, next) {
res.setHeader("X-Download-Options", "noopen");
next();
}
function xDownloadOptions() {
return xDownloadOptionsMiddleware;
}
module.exports = xDownloadOptions;
exports.default = xDownloadOptions;

60
node_modules/helmet/dist/middlewares/x-frame-options/index.js generated vendored Normal file
View File

@@ -0,0 +1,60 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
function parseActionOption(actionOption) {
var invalidActionErr = new Error('action must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN".');
if (actionOption === undefined) {
actionOption = "SAMEORIGIN";
}
else if (actionOption instanceof String) {
actionOption = actionOption.valueOf();
}
var result;
if (typeof actionOption === "string") {
result = actionOption.toUpperCase();
}
else {
throw invalidActionErr;
}
if (result === "ALLOWFROM") {
result = "ALLOW-FROM";
}
else if (result === "SAME-ORIGIN") {
result = "SAMEORIGIN";
}
if (["DENY", "ALLOW-FROM", "SAMEORIGIN"].indexOf(result) === -1) {
throw invalidActionErr;
}
return result;
}
function parseDomainOption(domainOption) {
if (domainOption instanceof String) {
domainOption = domainOption.valueOf();
}
if (typeof domainOption !== "string") {
throw new Error("ALLOW-FROM action requires a string domain parameter.");
}
else if (!domainOption.length) {
throw new Error("domain parameter must not be empty.");
}
return domainOption;
}
function getHeaderValueFromOptions(options) {
var action = parseActionOption(options.action);
if (action === "ALLOW-FROM") {
var domain = parseDomainOption(options.domain);
return action + " " + domain;
}
else {
return action;
}
}
function xFrameOptions(options) {
if (options === void 0) { options = {}; }
var headerValue = getHeaderValueFromOptions(options);
return function xFrameOptionsMiddleware(_req, res, next) {
res.setHeader("X-Frame-Options", headerValue);
next();
};
}
module.exports = xFrameOptions;
exports.default = xFrameOptions;

103
node_modules/helmet/node_modules/depd/History.md generated vendored Normal file
View File

@@ -0,0 +1,103 @@
2.0.0 / 2018-10-26
==================
* Drop support for Node.js 0.6
* Replace internal `eval` usage with `Function` constructor
* Use instance methods on `process` to check for listeners
1.1.2 / 2018-01-11
==================
* perf: remove argument reassignment
* Support Node.js 0.6 to 9.x
1.1.1 / 2017-07-27
==================
* Remove unnecessary `Buffer` loading
* Support Node.js 0.6 to 8.x
1.1.0 / 2015-09-14
==================
* Enable strict mode in more places
* Support io.js 3.x
* Support io.js 2.x
* Support web browser loading
- Requires bundler like Browserify or webpack
1.0.1 / 2015-04-07
==================
* Fix `TypeError`s when under `'use strict'` code
* Fix useless type name on auto-generated messages
* Support io.js 1.x
* Support Node.js 0.12
1.0.0 / 2014-09-17
==================
* No changes
0.4.5 / 2014-09-09
==================
* Improve call speed to functions using the function wrapper
* Support Node.js 0.6
0.4.4 / 2014-07-27
==================
* Work-around v8 generating empty stack traces
0.4.3 / 2014-07-26
==================
* Fix exception when global `Error.stackTraceLimit` is too low
0.4.2 / 2014-07-19
==================
* Correct call site for wrapped functions and properties
0.4.1 / 2014-07-19
==================
* Improve automatic message generation for function properties
0.4.0 / 2014-07-19
==================
* Add `TRACE_DEPRECATION` environment variable
* Remove non-standard grey color from color output
* Support `--no-deprecation` argument
* Support `--trace-deprecation` argument
* Support `deprecate.property(fn, prop, message)`
0.3.0 / 2014-06-16
==================
* Add `NO_DEPRECATION` environment variable
0.2.0 / 2014-06-15
==================
* Add `deprecate.property(obj, prop, message)`
* Remove `supports-color` dependency for node.js 0.8
0.1.0 / 2014-06-15
==================
* Add `deprecate.function(fn, message)`
* Add `process.on('deprecation', fn)` emitter
* Automatically generate message when omitted from `deprecate()`
0.0.1 / 2014-06-15
==================
* Fix warning for dynamic calls at singe call site
0.0.0 / 2014-06-15
==================
* Initial implementation

22
node_modules/helmet/node_modules/depd/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,22 @@
(The MIT License)
Copyright (c) 2014-2018 Douglas Christopher Wilson
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

280
node_modules/helmet/node_modules/depd/Readme.md generated vendored Normal file
View File

@@ -0,0 +1,280 @@
# depd
[![NPM Version][npm-version-image]][npm-url]
[![NPM Downloads][npm-downloads-image]][npm-url]
[![Node.js Version][node-image]][node-url]
[![Linux Build][travis-image]][travis-url]
[![Windows Build][appveyor-image]][appveyor-url]
[![Coverage Status][coveralls-image]][coveralls-url]
Deprecate all the things
> With great modules comes great responsibility; mark things deprecated!
## Install
This module is installed directly using `npm`:
```sh
$ npm install depd
```
This module can also be bundled with systems like
[Browserify](http://browserify.org/) or [webpack](https://webpack.github.io/),
though by default this module will alter it's API to no longer display or
track deprecations.
## API
<!-- eslint-disable no-unused-vars -->
```js
var deprecate = require('depd')('my-module')
```
This library allows you to display deprecation messages to your users.
This library goes above and beyond with deprecation warnings by
introspection of the call stack (but only the bits that it is interested
in).
Instead of just warning on the first invocation of a deprecated
function and never again, this module will warn on the first invocation
of a deprecated function per unique call site, making it ideal to alert
users of all deprecated uses across the code base, rather than just
whatever happens to execute first.
The deprecation warnings from this module also include the file and line
information for the call into the module that the deprecated function was
in.
**NOTE** this library has a similar interface to the `debug` module, and
this module uses the calling file to get the boundary for the call stacks,
so you should always create a new `deprecate` object in each file and not
within some central file.
### depd(namespace)
Create a new deprecate function that uses the given namespace name in the
messages and will display the call site prior to the stack entering the
file this function was called from. It is highly suggested you use the
name of your module as the namespace.
### deprecate(message)
Call this function from deprecated code to display a deprecation message.
This message will appear once per unique caller site. Caller site is the
first call site in the stack in a different file from the caller of this
function.
If the message is omitted, a message is generated for you based on the site
of the `deprecate()` call and will display the name of the function called,
similar to the name displayed in a stack trace.
### deprecate.function(fn, message)
Call this function to wrap a given function in a deprecation message on any
call to the function. An optional message can be supplied to provide a custom
message.
### deprecate.property(obj, prop, message)
Call this function to wrap a given property on object in a deprecation message
on any accessing or setting of the property. An optional message can be supplied
to provide a custom message.
The method must be called on the object where the property belongs (not
inherited from the prototype).
If the property is a data descriptor, it will be converted to an accessor
descriptor in order to display the deprecation message.
### process.on('deprecation', fn)
This module will allow easy capturing of deprecation errors by emitting the
errors as the type "deprecation" on the global `process`. If there are no
listeners for this type, the errors are written to STDERR as normal, but if
there are any listeners, nothing will be written to STDERR and instead only
emitted. From there, you can write the errors in a different format or to a
logging source.
The error represents the deprecation and is emitted only once with the same
rules as writing to STDERR. The error has the following properties:
- `message` - This is the message given by the library
- `name` - This is always `'DeprecationError'`
- `namespace` - This is the namespace the deprecation came from
- `stack` - This is the stack of the call to the deprecated thing
Example `error.stack` output:
```
DeprecationError: my-cool-module deprecated oldfunction
at Object.<anonymous> ([eval]-wrapper:6:22)
at Module._compile (module.js:456:26)
at evalScript (node.js:532:25)
at startup (node.js:80:7)
at node.js:902:3
```
### process.env.NO_DEPRECATION
As a user of modules that are deprecated, the environment variable `NO_DEPRECATION`
is provided as a quick solution to silencing deprecation warnings from being
output. The format of this is similar to that of `DEBUG`:
```sh
$ NO_DEPRECATION=my-module,othermod node app.js
```
This will suppress deprecations from being output for "my-module" and "othermod".
The value is a list of comma-separated namespaces. To suppress every warning
across all namespaces, use the value `*` for a namespace.
Providing the argument `--no-deprecation` to the `node` executable will suppress
all deprecations (only available in Node.js 0.8 or higher).
**NOTE** This will not suppress the deperecations given to any "deprecation"
event listeners, just the output to STDERR.
### process.env.TRACE_DEPRECATION
As a user of modules that are deprecated, the environment variable `TRACE_DEPRECATION`
is provided as a solution to getting more detailed location information in deprecation
warnings by including the entire stack trace. The format of this is the same as
`NO_DEPRECATION`:
```sh
$ TRACE_DEPRECATION=my-module,othermod node app.js
```
This will include stack traces for deprecations being output for "my-module" and
"othermod". The value is a list of comma-separated namespaces. To trace every
warning across all namespaces, use the value `*` for a namespace.
Providing the argument `--trace-deprecation` to the `node` executable will trace
all deprecations (only available in Node.js 0.8 or higher).
**NOTE** This will not trace the deperecations silenced by `NO_DEPRECATION`.
## Display
![message](files/message.png)
When a user calls a function in your library that you mark deprecated, they
will see the following written to STDERR (in the given colors, similar colors
and layout to the `debug` module):
```
bright cyan bright yellow
| | reset cyan
| | | |
▼ ▼ ▼ ▼
my-cool-module deprecated oldfunction [eval]-wrapper:6:22
▲ ▲ ▲ ▲
| | | |
namespace | | location of mycoolmod.oldfunction() call
| deprecation message
the word "deprecated"
```
If the user redirects their STDERR to a file or somewhere that does not support
colors, they see (similar layout to the `debug` module):
```
Sun, 15 Jun 2014 05:21:37 GMT my-cool-module deprecated oldfunction at [eval]-wrapper:6:22
▲ ▲ ▲ ▲ ▲
| | | | |
timestamp of message namespace | | location of mycoolmod.oldfunction() call
| deprecation message
the word "deprecated"
```
## Examples
### Deprecating all calls to a function
This will display a deprecated message about "oldfunction" being deprecated
from "my-module" on STDERR.
```js
var deprecate = require('depd')('my-cool-module')
// message automatically derived from function name
// Object.oldfunction
exports.oldfunction = deprecate.function(function oldfunction () {
// all calls to function are deprecated
})
// specific message
exports.oldfunction = deprecate.function(function () {
// all calls to function are deprecated
}, 'oldfunction')
```
### Conditionally deprecating a function call
This will display a deprecated message about "weirdfunction" being deprecated
from "my-module" on STDERR when called with less than 2 arguments.
```js
var deprecate = require('depd')('my-cool-module')
exports.weirdfunction = function () {
if (arguments.length < 2) {
// calls with 0 or 1 args are deprecated
deprecate('weirdfunction args < 2')
}
}
```
When calling `deprecate` as a function, the warning is counted per call site
within your own module, so you can display different deprecations depending
on different situations and the users will still get all the warnings:
```js
var deprecate = require('depd')('my-cool-module')
exports.weirdfunction = function () {
if (arguments.length < 2) {
// calls with 0 or 1 args are deprecated
deprecate('weirdfunction args < 2')
} else if (typeof arguments[0] !== 'string') {
// calls with non-string first argument are deprecated
deprecate('weirdfunction non-string first arg')
}
}
```
### Deprecating property access
This will display a deprecated message about "oldprop" being deprecated
from "my-module" on STDERR when accessed. A deprecation will be displayed
when setting the value and when getting the value.
```js
var deprecate = require('depd')('my-cool-module')
exports.oldprop = 'something'
// message automatically derives from property name
deprecate.property(exports, 'oldprop')
// explicit message
deprecate.property(exports, 'oldprop', 'oldprop >= 0.10')
```
## License
[MIT](LICENSE)
[appveyor-image]: https://badgen.net/appveyor/ci/dougwilson/nodejs-depd/master?label=windows
[appveyor-url]: https://ci.appveyor.com/project/dougwilson/nodejs-depd
[coveralls-image]: https://badgen.net/coveralls/c/github/dougwilson/nodejs-depd/master
[coveralls-url]: https://coveralls.io/r/dougwilson/nodejs-depd?branch=master
[node-image]: https://badgen.net/npm/node/depd
[node-url]: https://nodejs.org/en/download/
[npm-downloads-image]: https://badgen.net/npm/dm/depd
[npm-url]: https://npmjs.org/package/depd
[npm-version-image]: https://badgen.net/npm/v/depd
[travis-image]: https://badgen.net/travis/dougwilson/nodejs-depd/master?label=linux
[travis-url]: https://travis-ci.org/dougwilson/nodejs-depd

538
node_modules/helmet/node_modules/depd/index.js generated vendored Normal file
View File

@@ -0,0 +1,538 @@
/*!
* depd
* Copyright(c) 2014-2018 Douglas Christopher Wilson
* MIT Licensed
*/
/**
* Module dependencies.
*/
var relative = require('path').relative
/**
* Module exports.
*/
module.exports = depd
/**
* Get the path to base files on.
*/
var basePath = process.cwd()
/**
* Determine if namespace is contained in the string.
*/
function containsNamespace (str, namespace) {
var vals = str.split(/[ ,]+/)
var ns = String(namespace).toLowerCase()
for (var i = 0; i < vals.length; i++) {
var val = vals[i]
// namespace contained
if (val && (val === '*' || val.toLowerCase() === ns)) {
return true
}
}
return false
}
/**
* Convert a data descriptor to accessor descriptor.
*/
function convertDataDescriptorToAccessor (obj, prop, message) {
var descriptor = Object.getOwnPropertyDescriptor(obj, prop)
var value = descriptor.value
descriptor.get = function getter () { return value }
if (descriptor.writable) {
descriptor.set = function setter (val) { return (value = val) }
}
delete descriptor.value
delete descriptor.writable
Object.defineProperty(obj, prop, descriptor)
return descriptor
}
/**
* Create arguments string to keep arity.
*/
function createArgumentsString (arity) {
var str = ''
for (var i = 0; i < arity; i++) {
str += ', arg' + i
}
return str.substr(2)
}
/**
* Create stack string from stack.
*/
function createStackString (stack) {
var str = this.name + ': ' + this.namespace
if (this.message) {
str += ' deprecated ' + this.message
}
for (var i = 0; i < stack.length; i++) {
str += '\n at ' + stack[i].toString()
}
return str
}
/**
* Create deprecate for namespace in caller.
*/
function depd (namespace) {
if (!namespace) {
throw new TypeError('argument namespace is required')
}
var stack = getStack()
var site = callSiteLocation(stack[1])
var file = site[0]
function deprecate (message) {
// call to self as log
log.call(deprecate, message)
}
deprecate._file = file
deprecate._ignored = isignored(namespace)
deprecate._namespace = namespace
deprecate._traced = istraced(namespace)
deprecate._warned = Object.create(null)
deprecate.function = wrapfunction
deprecate.property = wrapproperty
return deprecate
}
/**
* Determine if event emitter has listeners of a given type.
*
* The way to do this check is done three different ways in Node.js >= 0.8
* so this consolidates them into a minimal set using instance methods.
*
* @param {EventEmitter} emitter
* @param {string} type
* @returns {boolean}
* @private
*/
function eehaslisteners (emitter, type) {
var count = typeof emitter.listenerCount !== 'function'
? emitter.listeners(type).length
: emitter.listenerCount(type)
return count > 0
}
/**
* Determine if namespace is ignored.
*/
function isignored (namespace) {
if (process.noDeprecation) {
// --no-deprecation support
return true
}
var str = process.env.NO_DEPRECATION || ''
// namespace ignored
return containsNamespace(str, namespace)
}
/**
* Determine if namespace is traced.
*/
function istraced (namespace) {
if (process.traceDeprecation) {
// --trace-deprecation support
return true
}
var str = process.env.TRACE_DEPRECATION || ''
// namespace traced
return containsNamespace(str, namespace)
}
/**
* Display deprecation message.
*/
function log (message, site) {
var haslisteners = eehaslisteners(process, 'deprecation')
// abort early if no destination
if (!haslisteners && this._ignored) {
return
}
var caller
var callFile
var callSite
var depSite
var i = 0
var seen = false
var stack = getStack()
var file = this._file
if (site) {
// provided site
depSite = site
callSite = callSiteLocation(stack[1])
callSite.name = depSite.name
file = callSite[0]
} else {
// get call site
i = 2
depSite = callSiteLocation(stack[i])
callSite = depSite
}
// get caller of deprecated thing in relation to file
for (; i < stack.length; i++) {
caller = callSiteLocation(stack[i])
callFile = caller[0]
if (callFile === file) {
seen = true
} else if (callFile === this._file) {
file = this._file
} else if (seen) {
break
}
}
var key = caller
? depSite.join(':') + '__' + caller.join(':')
: undefined
if (key !== undefined && key in this._warned) {
// already warned
return
}
this._warned[key] = true
// generate automatic message from call site
var msg = message
if (!msg) {
msg = callSite === depSite || !callSite.name
? defaultMessage(depSite)
: defaultMessage(callSite)
}
// emit deprecation if listeners exist
if (haslisteners) {
var err = DeprecationError(this._namespace, msg, stack.slice(i))
process.emit('deprecation', err)
return
}
// format and write message
var format = process.stderr.isTTY
? formatColor
: formatPlain
var output = format.call(this, msg, caller, stack.slice(i))
process.stderr.write(output + '\n', 'utf8')
}
/**
* Get call site location as array.
*/
function callSiteLocation (callSite) {
var file = callSite.getFileName() || '<anonymous>'
var line = callSite.getLineNumber()
var colm = callSite.getColumnNumber()
if (callSite.isEval()) {
file = callSite.getEvalOrigin() + ', ' + file
}
var site = [file, line, colm]
site.callSite = callSite
site.name = callSite.getFunctionName()
return site
}
/**
* Generate a default message from the site.
*/
function defaultMessage (site) {
var callSite = site.callSite
var funcName = site.name
// make useful anonymous name
if (!funcName) {
funcName = '<anonymous@' + formatLocation(site) + '>'
}
var context = callSite.getThis()
var typeName = context && callSite.getTypeName()
// ignore useless type name
if (typeName === 'Object') {
typeName = undefined
}
// make useful type name
if (typeName === 'Function') {
typeName = context.name || typeName
}
return typeName && callSite.getMethodName()
? typeName + '.' + funcName
: funcName
}
/**
* Format deprecation message without color.
*/
function formatPlain (msg, caller, stack) {
var timestamp = new Date().toUTCString()
var formatted = timestamp +
' ' + this._namespace +
' deprecated ' + msg
// add stack trace
if (this._traced) {
for (var i = 0; i < stack.length; i++) {
formatted += '\n at ' + stack[i].toString()
}
return formatted
}
if (caller) {
formatted += ' at ' + formatLocation(caller)
}
return formatted
}
/**
* Format deprecation message with color.
*/
function formatColor (msg, caller, stack) {
var formatted = '\x1b[36;1m' + this._namespace + '\x1b[22;39m' + // bold cyan
' \x1b[33;1mdeprecated\x1b[22;39m' + // bold yellow
' \x1b[0m' + msg + '\x1b[39m' // reset
// add stack trace
if (this._traced) {
for (var i = 0; i < stack.length; i++) {
formatted += '\n \x1b[36mat ' + stack[i].toString() + '\x1b[39m' // cyan
}
return formatted
}
if (caller) {
formatted += ' \x1b[36m' + formatLocation(caller) + '\x1b[39m' // cyan
}
return formatted
}
/**
* Format call site location.
*/
function formatLocation (callSite) {
return relative(basePath, callSite[0]) +
':' + callSite[1] +
':' + callSite[2]
}
/**
* Get the stack as array of call sites.
*/
function getStack () {
var limit = Error.stackTraceLimit
var obj = {}
var prep = Error.prepareStackTrace
Error.prepareStackTrace = prepareObjectStackTrace
Error.stackTraceLimit = Math.max(10, limit)
// capture the stack
Error.captureStackTrace(obj)
// slice this function off the top
var stack = obj.stack.slice(1)
Error.prepareStackTrace = prep
Error.stackTraceLimit = limit
return stack
}
/**
* Capture call site stack from v8.
*/
function prepareObjectStackTrace (obj, stack) {
return stack
}
/**
* Return a wrapped function in a deprecation message.
*/
function wrapfunction (fn, message) {
if (typeof fn !== 'function') {
throw new TypeError('argument fn must be a function')
}
var args = createArgumentsString(fn.length)
var stack = getStack()
var site = callSiteLocation(stack[1])
site.name = fn.name
// eslint-disable-next-line no-new-func
var deprecatedfn = new Function('fn', 'log', 'deprecate', 'message', 'site',
'"use strict"\n' +
'return function (' + args + ') {' +
'log.call(deprecate, message, site)\n' +
'return fn.apply(this, arguments)\n' +
'}')(fn, log, this, message, site)
return deprecatedfn
}
/**
* Wrap property in a deprecation message.
*/
function wrapproperty (obj, prop, message) {
if (!obj || (typeof obj !== 'object' && typeof obj !== 'function')) {
throw new TypeError('argument obj must be object')
}
var descriptor = Object.getOwnPropertyDescriptor(obj, prop)
if (!descriptor) {
throw new TypeError('must call property on owner object')
}
if (!descriptor.configurable) {
throw new TypeError('property must be configurable')
}
var deprecate = this
var stack = getStack()
var site = callSiteLocation(stack[1])
// set site name
site.name = prop
// convert data descriptor
if ('value' in descriptor) {
descriptor = convertDataDescriptorToAccessor(obj, prop, message)
}
var get = descriptor.get
var set = descriptor.set
// wrap getter
if (typeof get === 'function') {
descriptor.get = function getter () {
log.call(deprecate, message, site)
return get.apply(this, arguments)
}
}
// wrap setter
if (typeof set === 'function') {
descriptor.set = function setter () {
log.call(deprecate, message, site)
return set.apply(this, arguments)
}
}
Object.defineProperty(obj, prop, descriptor)
}
/**
* Create DeprecationError for deprecation
*/
function DeprecationError (namespace, message, stack) {
var error = new Error()
var stackString
Object.defineProperty(error, 'constructor', {
value: DeprecationError
})
Object.defineProperty(error, 'message', {
configurable: true,
enumerable: false,
value: message,
writable: true
})
Object.defineProperty(error, 'name', {
enumerable: false,
configurable: true,
value: 'DeprecationError',
writable: true
})
Object.defineProperty(error, 'namespace', {
configurable: true,
enumerable: false,
value: namespace,
writable: true
})
Object.defineProperty(error, 'stack', {
configurable: true,
enumerable: false,
get: function () {
if (stackString !== undefined) {
return stackString
}
// prepare stack trace
return (stackString = createStackString.call(this, stack))
},
set: function setter (val) {
stackString = val
}
})
return error
}

77
node_modules/helmet/node_modules/depd/lib/browser/index.js generated vendored Normal file
View File

@@ -0,0 +1,77 @@
/*!
* depd
* Copyright(c) 2015 Douglas Christopher Wilson
* MIT Licensed
*/
'use strict'
/**
* Module exports.
* @public
*/
module.exports = depd
/**
* Create deprecate for namespace in caller.
*/
function depd (namespace) {
if (!namespace) {
throw new TypeError('argument namespace is required')
}
function deprecate (message) {
// no-op in browser
}
deprecate._file = undefined
deprecate._ignored = true
deprecate._namespace = namespace
deprecate._traced = false
deprecate._warned = Object.create(null)
deprecate.function = wrapfunction
deprecate.property = wrapproperty
return deprecate
}
/**
* Return a wrapped function in a deprecation message.
*
* This is a no-op version of the wrapper, which does nothing but call
* validation.
*/
function wrapfunction (fn, message) {
if (typeof fn !== 'function') {
throw new TypeError('argument fn must be a function')
}
return fn
}
/**
* Wrap property in a deprecation message.
*
* This is a no-op version of the wrapper, which does nothing but call
* validation.
*/
function wrapproperty (obj, prop, message) {
if (!obj || (typeof obj !== 'object' && typeof obj !== 'function')) {
throw new TypeError('argument obj must be object')
}
var descriptor = Object.getOwnPropertyDescriptor(obj, prop)
if (!descriptor) {
throw new TypeError('must call property on owner object')
}
if (!descriptor.configurable) {
throw new TypeError('property must be configurable')
}
}

80
node_modules/helmet/node_modules/depd/package.json generated vendored Normal file
View File

@@ -0,0 +1,80 @@
{
"_from": "depd@2.0.0",
"_id": "depd@2.0.0",
"_inBundle": false,
"_integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
"_location": "/helmet/depd",
"_phantomChildren": {},
"_requested": {
"type": "version",
"registry": true,
"raw": "depd@2.0.0",
"name": "depd",
"escapedName": "depd",
"rawSpec": "2.0.0",
"saveSpec": null,
"fetchSpec": "2.0.0"
},
"_requiredBy": [
"/helmet"
],
"_resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
"_shasum": "b696163cc757560d09cf22cc8fad1571b79e76df",
"_spec": "depd@2.0.0",
"_where": "D:\\WORK\\Menui\\menui_backend\\node_modules\\helmet",
"author": {
"name": "Douglas Christopher Wilson",
"email": "doug@somethingdoug.com"
},
"browser": "lib/browser/index.js",
"bugs": {
"url": "https://github.com/dougwilson/nodejs-depd/issues"
},
"bundleDependencies": false,
"deprecated": false,
"description": "Deprecate all the things",
"devDependencies": {
"beautify-benchmark": "0.2.4",
"benchmark": "2.1.4",
"eslint": "5.7.0",
"eslint-config-standard": "12.0.0",
"eslint-plugin-import": "2.14.0",
"eslint-plugin-markdown": "1.0.0-beta.7",
"eslint-plugin-node": "7.0.1",
"eslint-plugin-promise": "4.0.1",
"eslint-plugin-standard": "4.0.0",
"istanbul": "0.4.5",
"mocha": "5.2.0",
"safe-buffer": "5.1.2",
"uid-safe": "2.1.5"
},
"engines": {
"node": ">= 0.8"
},
"files": [
"lib/",
"History.md",
"LICENSE",
"index.js",
"Readme.md"
],
"homepage": "https://github.com/dougwilson/nodejs-depd#readme",
"keywords": [
"deprecate",
"deprecated"
],
"license": "MIT",
"name": "depd",
"repository": {
"type": "git",
"url": "git+https://github.com/dougwilson/nodejs-depd.git"
},
"scripts": {
"bench": "node benchmark/index.js",
"lint": "eslint --plugin markdown --ext js,md .",
"test": "mocha --reporter spec --bail test/",
"test-ci": "istanbul cover --print=none node_modules/mocha/bin/_mocha -- --reporter spec test/ && istanbul report lcovonly text-summary",
"test-cov": "istanbul cover --print=none node_modules/mocha/bin/_mocha -- --reporter dot test/ && istanbul report lcov text-summary"
},
"version": "2.0.0"
}

121
node_modules/helmet/package.json generated vendored Normal file
View File

@@ -0,0 +1,121 @@
{
"_from": "helmet",
"_id": "helmet@3.23.3",
"_inBundle": false,
"_integrity": "sha512-U3MeYdzPJQhtvqAVBPntVgAvNSOJyagwZwyKsFdyRa8TV3pOKVFljalPOCxbw5Wwf2kncGhmP0qHjyazIdNdSA==",
"_location": "/helmet",
"_phantomChildren": {},
"_requested": {
"type": "tag",
"registry": true,
"raw": "helmet",
"name": "helmet",
"escapedName": "helmet",
"rawSpec": "",
"saveSpec": null,
"fetchSpec": "latest"
},
"_requiredBy": [
"#USER",
"/"
],
"_resolved": "https://registry.npmjs.org/helmet/-/helmet-3.23.3.tgz",
"_shasum": "5ba30209c5f73ded4ab65746a3a11bedd4579ab7",
"_spec": "helmet",
"_where": "D:\\WORK\\Menui\\menui_backend",
"author": {
"name": "Adam Baldwin",
"email": "adam@npmjs.com",
"url": "https://evilpacket.net"
},
"bugs": {
"url": "https://github.com/helmetjs/helmet/issues",
"email": "me@evanhahn.com"
},
"bundleDependencies": false,
"contributors": [
{
"name": "Evan Hahn",
"email": "me@evanhahn.com",
"url": "https://evanhahn.com"
}
],
"dependencies": {
"depd": "2.0.0",
"dont-sniff-mimetype": "1.1.0",
"feature-policy": "0.3.0",
"helmet-crossdomain": "0.4.0",
"helmet-csp": "2.10.0",
"hide-powered-by": "1.1.0",
"hpkp": "2.0.0",
"hsts": "2.2.0",
"nocache": "2.1.0",
"referrer-policy": "1.2.0",
"x-xss-protection": "1.3.0"
},
"deprecated": false,
"description": "help secure Express/Connect apps with various HTTP headers",
"devDependencies": {
"@types/connect": "^3.4.33",
"@types/depd": "^1.1.32",
"@types/jest": "^26.0.3",
"@types/supertest": "^2.0.9",
"@typescript-eslint/eslint-plugin": "^3.4.0",
"@typescript-eslint/parser": "^3.4.0",
"connect": "^3.7.0",
"eslint": "^7.3.1",
"jest": "^26.1.0",
"prettier": "^2.0.5",
"supertest": "^4.0.2",
"ts-jest": "^26.1.1",
"typescript": "^3.9.5"
},
"engines": {
"node": ">=4.0.0"
},
"files": [
"CHANGELOG.md",
"CODE_OF_CONDUCT.md",
"CONTRIBUTING.md",
"LICENSE",
"README.md",
"SECURITY.md",
"dist/index.js",
"dist/middlewares/expect-ct/index.js",
"dist/middlewares/x-dns-prefetch-control/index.js",
"dist/middlewares/x-download-options/index.js",
"dist/middlewares/x-frame-options/index.js"
],
"homepage": "https://helmetjs.github.io/",
"keywords": [
"security",
"headers",
"express",
"connect",
"x-frame-options",
"x-powered-by",
"csp",
"hsts",
"clickjack"
],
"license": "MIT",
"main": "dist/index",
"name": "helmet",
"repository": {
"type": "git",
"url": "git://github.com/helmetjs/helmet.git"
},
"scripts": {
"build": "npm run clean && tsc",
"build-middleware-package": "npm run build && ./bin/build-middleware-package.js",
"clean": "rm -rf dist",
"format": "prettier --write '**/*{md,js,json,ts}'",
"lint": "npm run lint:eslint && npm run lint:prettier",
"lint:eslint": "eslint '**/*.ts'",
"lint:prettier": "prettier --check '**/*{md,js,json,ts}'",
"prepublishOnly": "npm run build",
"pretest": "npm run lint",
"test": "jest"
},
"version": "3.23.3"
}