Security upgrades

node_modules/helmet/dist/index.js

@@ -0,0 +1,94 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var expect_ct_1 = __importDefault(require("./middlewares/expect-ct"));
+var x_dns_prefetch_control_1 = __importDefault(require("./middlewares/x-dns-prefetch-control"));
+var x_download_options_1 = __importDefault(require("./middlewares/x-download-options"));
+var x_frame_options_1 = __importDefault(require("./middlewares/x-frame-options"));
+var depd = require("depd");
+var deprecate = depd("helmet");
+var DEFAULT_MIDDLEWARE = [
+    "dnsPrefetchControl",
+    "frameguard",
+    "hidePoweredBy",
+    "hsts",
+    "ieNoOpen",
+    "noSniff",
+    "xssFilter",
+];
+var middlewares = [
+    "contentSecurityPolicy",
+    "dnsPrefetchControl",
+    "expectCt",
+    "featurePolicy",
+    "frameguard",
+    "hidePoweredBy",
+    "hsts",
+    "ieNoOpen",
+    "noSniff",
+    "permittedCrossDomainPolicies",
+    "referrerPolicy",
+    "xssFilter",
+    "hpkp",
+    "noCache",
+];
+function helmet(options) {
+    if (options === void 0) { options = {}; }
+    if (options.constructor.name === "IncomingMessage") {
+        throw new Error("It appears you have done something like `app.use(helmet)`, but it should be `app.use(helmet())`.");
+    }
+    var stack = middlewares.reduce(function (result, middlewareName) {
+        var middleware = helmet[middlewareName];
+        var middlewareOptions = options[middlewareName];
+        var isDefault = DEFAULT_MIDDLEWARE.indexOf(middlewareName) !== -1;
+        if (middlewareOptions === false) {
+            return result;
+        }
+        else if (middlewareOptions === true) {
+            middlewareOptions = {};
+        }
+        if (middlewareOptions != null) {
+            return result.concat(middleware(middlewareOptions));
+        }
+        else if (isDefault) {
+            return result.concat(middleware({}));
+        }
+        return result;
+    }, []);
+    return function helmet(req, res, next) {
+        var index = 0;
+        function internalNext() {
+            var args = [];
+            for (var _i = 0; _i < arguments.length; _i++) {
+                args[_i] = arguments[_i];
+            }
+            if (args.length > 0) {
+                next.apply(void 0, args);
+                return;
+            }
+            var middleware = stack[index];
+            if (!middleware) {
+                return next();
+            }
+            index++;
+            middleware(req, res, internalNext);
+        }
+        internalNext();
+    };
+}
+helmet.contentSecurityPolicy = require("helmet-csp");
+helmet.dnsPrefetchControl = x_dns_prefetch_control_1.default;
+helmet.expectCt = expect_ct_1.default;
+helmet.frameguard = x_frame_options_1.default;
+helmet.hidePoweredBy = require("hide-powered-by");
+helmet.hsts = require("hsts");
+helmet.ieNoOpen = x_download_options_1.default;
+helmet.noSniff = require("dont-sniff-mimetype");
+helmet.permittedCrossDomainPolicies = require("helmet-crossdomain");
+helmet.referrerPolicy = require("referrer-policy");
+helmet.xssFilter = require("x-xss-protection");
+helmet.featurePolicy = deprecate.function(require("feature-policy"), "helmet.featurePolicy is deprecated (along with the HTTP header) and will be removed in helmet@4. You can use the `feature-policy` module instead.");
+helmet.hpkp = deprecate.function(require("hpkp"), "helmet.hpkp is deprecated and will be removed in helmet@4. You can use the `hpkp` module instead. For more, see https://github.com/helmetjs/helmet/issues/180.");
+helmet.noCache = deprecate.function(require("nocache"), "helmet.noCache is deprecated and will be removed in helmet@4. You can use the `nocache` module instead. For more, see https://github.com/helmetjs/helmet/issues/215.");
+module.exports = helmet;

node_modules/helmet/dist/middlewares/expect-ct/index.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function parseMaxAge(value) {
+    if (value === undefined) {
+        return 0;
+    }
+    else if (typeof value === "number" && value >= 0) {
+        return Math.floor(value);
+    }
+    else {
+        throw new Error(value + " is not a valid value for maxAge. Please choose a positive integer.");
+    }
+}
+function getHeaderValueFromOptions(options) {
+    var directives = [];
+    if (options.enforce) {
+        directives.push("enforce");
+    }
+    directives.push("max-age=" + parseMaxAge(options.maxAge));
+    if (options.reportUri) {
+        directives.push("report-uri=\"" + options.reportUri + "\"");
+    }
+    return directives.join(", ");
+}
+function expectCt(options) {
+    if (options === void 0) { options = {}; }
+    var headerValue = getHeaderValueFromOptions(options);
+    return function expectCtMiddleware(_req, res, next) {
+        res.setHeader("Expect-CT", headerValue);
+        next();
+    };
+}
+module.exports = expectCt;
+exports.default = expectCt;

node_modules/helmet/dist/middlewares/x-dns-prefetch-control/index.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function xDnsPrefetchControl(options) {
+    if (options === void 0) { options = {}; }
+    var headerValue = options.allow ? "on" : "off";
+    return function xDnsPrefetchControlMiddleware(_req, res, next) {
+        res.setHeader("X-DNS-Prefetch-Control", headerValue);
+        next();
+    };
+}
+module.exports = xDnsPrefetchControl;
+exports.default = xDnsPrefetchControl;

node_modules/helmet/dist/middlewares/x-download-options/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function xDownloadOptionsMiddleware(_req, res, next) {
+    res.setHeader("X-Download-Options", "noopen");
+    next();
+}
+function xDownloadOptions() {
+    return xDownloadOptionsMiddleware;
+}
+module.exports = xDownloadOptions;
+exports.default = xDownloadOptions;

node_modules/helmet/dist/middlewares/x-frame-options/index.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function parseActionOption(actionOption) {
+    var invalidActionErr = new Error('action must be undefined, "DENY", "ALLOW-FROM", or "SAMEORIGIN".');
+    if (actionOption === undefined) {
+        actionOption = "SAMEORIGIN";
+    }
+    else if (actionOption instanceof String) {
+        actionOption = actionOption.valueOf();
+    }
+    var result;
+    if (typeof actionOption === "string") {
+        result = actionOption.toUpperCase();
+    }
+    else {
+        throw invalidActionErr;
+    }
+    if (result === "ALLOWFROM") {
+        result = "ALLOW-FROM";
+    }
+    else if (result === "SAME-ORIGIN") {
+        result = "SAMEORIGIN";
+    }
+    if (["DENY", "ALLOW-FROM", "SAMEORIGIN"].indexOf(result) === -1) {
+        throw invalidActionErr;
+    }
+    return result;
+}
+function parseDomainOption(domainOption) {
+    if (domainOption instanceof String) {
+        domainOption = domainOption.valueOf();
+    }
+    if (typeof domainOption !== "string") {
+        throw new Error("ALLOW-FROM action requires a string domain parameter.");
+    }
+    else if (!domainOption.length) {
+        throw new Error("domain parameter must not be empty.");
+    }
+    return domainOption;
+}
+function getHeaderValueFromOptions(options) {
+    var action = parseActionOption(options.action);
+    if (action === "ALLOW-FROM") {
+        var domain = parseDomainOption(options.domain);
+        return action + " " + domain;
+    }
+    else {
+        return action;
+    }
+}
+function xFrameOptions(options) {
+    if (options === void 0) { options = {}; }
+    var headerValue = getHeaderValueFromOptions(options);
+    return function xFrameOptionsMiddleware(_req, res, next) {
+        res.setHeader("X-Frame-Options", headerValue);
+        next();
+    };
+}
+module.exports = xFrameOptions;
+exports.default = xFrameOptions;