Update helmet 8.1.0 → 8.2.0 (minor)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ helmet (8.1.0 → 8.2.0) · Repo · Changelog

Release Notes

8.2.0 (from changelog)

• Cross-Origin-Opener-Policy: support noopener-allow-popups. See #522
• Improve error message when passing duplicate options

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

• 8.2.0
• Update changelog for 8.2.0 release
• Update devDependencies to latest versions
• Test supported Node versions on CI
• Update to new URL
• Add direct link to FAQ
• Bump actions/setup-node from 6.3.0 to 6.4.0 (#537)
• Upgrade actions/setup-node to 6.3.0
• Fix changelog typo
• Bump Picomatch dev sub-dependency
• Update another X-Frame-Options ALLOW-FROM link
• Update X-Frame-Options ALLOW-FROM link
• Update Origin-Agent-Cluster spec link
• Update MSDN link
• Fix bad links in changelog
• Update changelog with Cross-Origin-Opener-Policy change
• Cross-Origin-Opener-Policy: support noopener-allow-popups
• Update devDependencies to latest versions
• Fix MDN link for Cross-Origin-Embedder-Policy
• Update devDependencies to latest versions
• Update ESLint dependencies to latest versions
• Update devDependencies to latest versions
• Bump actions/setup-node from 6.1.0 to 6.2.0
• Bump actions/checkout from 6.0.1 to 6.0.2
• Update devDependencies to latest versions
• Update license year for 2026
• Update GitHub Actions versions
• Update devDependencies to latest versions
• Tweak readme
• Update checkout GH Action to latest version
• Update devDependencies to latest versions
• Update devDependencies to latest versions
• Update ESLint to fix bug
• Update devDependencies to latest versions
• Bump actions/setup-node from 5.0.0 to 6.0.0
• Bump actions/setup-node from 4.4.0 to 5.0.0
• Update devDependencies to latest versions
• Discourage AI in contribution guidelines
• Add "funding" key to package.json
• Update devDependencies to latest versions
• Tweaks to SECURITY.md: just me, contact info, IRP
• Update checkout GH Action to latest version
• Update devDependencies to latest versions
• Document `upgrade-insecure-requests` strategy in development
• Update devDependencies to latest versions, install tslib
• Minor tweaks to readme introduction
• Update devDependencies to latest versions
• Fix test for all middlewares disabled
• Improve error message when passing duplicate options
• Update devDependencies to latest versions
• Update devDependencies to latest versions
• CI: test with Node 24
• Bump setup-node CI action to latest version
• Simplify source file test
• Update devDependencies to latest versions
• Update devDependencies to latest versions
• Reference GitHub Actions by commit hash

⁉️ dotenv (downgrade, 17.2.3 → 16.6.1) · Repo · Changelog

Release Notes

17.2.3 (from changelog)

Changed

• Fixed typescript error definition (#912)

17.2.2 (from changelog)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (from changelog)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (from changelog)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

17.1.0 (from changelog)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

17.0.1 (from changelog)

Changed

• Patched injected log to count only populated/set keys to process.env (#879)

17.0.0 (from changelog)

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#875)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ hasown (indirect, 2.0.2 → 2.0.4) · Repo · Changelog

Release Notes

2.0.4 (from changelog)

Commits

• [types] drop the dead key-narrowing overload fdab00e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint 91f6247

2.0.3 (from changelog)

Commits

• [actions] update workflows fb837b8
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/tape, auto-changelog, eslint, mock-property, npmignore, tape f4b279b
• [Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config 7e415ce
• [Dev Deps] update eslint ef313da
• [meta] use npm audit instead of aud d5c6d4d
• [types] add overload that narrows the key cc03a09

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• v2.0.4
• [types] drop the dead key-narrowing overload
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `eslint`
• v2.0.3
• [actions] update workflows
• [types] add overload that narrows the key
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/eslint-config`, `@ljharb/tsconfig`, `@types/tape`, `auto-changelog`, `eslint`, `mock-property`, `npmignore`, `tape`
• [Dev Deps] update `eslint`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`; migrate to flat config
• [meta] use `npm audit` instead of `aud`

🆕 @​types/graceful-fs (added, 4.1.9)

🆕 create-jest (added, 29.7.0)

🆕 diff-sequences (added, 29.6.3)

🆕 exit (added, 0.1.2)

🆕 is-core-module (added, 2.16.2)

🆕 jest-get-type (added, 29.6.3)

🆕 kleur (added, 3.0.3)

🆕 path-parse (added, 1.0.7)

🆕 prompts (added, 2.4.2)

🆕 resolve (added, 1.22.12)

🆕 resolve.exports (added, 2.0.3)

🆕 sisteransi (added, 1.0.5)

🆕 supports-preserve-symlinks-flag (added, 1.0.0)

🆕 @​jest/console (added, 29.7.0)

🆕 @​jest/core (added, 29.7.0)

🆕 @​jest/environment (added, 29.7.0)

🆕 @​jest/expect (added, 29.7.0)

🆕 @​jest/expect-utils (added, 29.7.0)

🆕 @​jest/fake-timers (added, 29.7.0)

🆕 @​jest/globals (added, 29.7.0)

🆕 @​jest/reporters (added, 29.7.0)

🆕 @​jest/schemas (added, 29.6.3)

🆕 @​jest/source-map (added, 29.6.3)

🆕 @​jest/test-result (added, 29.7.0)

🆕 @​jest/test-sequencer (added, 29.7.0)

🆕 @​jest/transform (added, 29.7.0)

🆕 @​jest/types (added, 29.6.3)

🆕 @​sinclair/typebox (added, 0.27.10)

🆕 @​sinonjs/fake-timers (added, 10.3.0)

🆕 babel-jest (added, 29.7.0)

🆕 babel-plugin-istanbul (added, 6.1.1)

🆕 babel-plugin-jest-hoist (added, 29.6.3)

🆕 babel-preset-jest (added, 29.6.3)

🆕 ci-info (added, 3.9.0)

🆕 cjs-module-lexer (added, 1.4.3)

🆕 wrap-ansi (added, 8.1.0)

🆕 expect (added, 29.7.0)

🆕 istanbul-lib-instrument (added, 5.2.1)

🆕 semver (added, 7.8.3)

🆕 istanbul-lib-source-maps (added, 4.0.1)

🆕 jest-changed-files (added, 29.7.0)

🆕 jest-circus (added, 29.7.0)

🆕 jest-config (added, 29.7.0)

🆕 jest-diff (added, 29.7.0)

🆕 jest-docblock (added, 29.7.0)

🆕 jest-each (added, 29.7.0)

🆕 jest-environment-node (added, 29.7.0)

🆕 jest-haste-map (added, 29.7.0)

🆕 jest-leak-detector (added, 29.7.0)

🆕 jest-matcher-utils (added, 29.7.0)

🆕 jest-message-util (added, 29.7.0)

🆕 jest-mock (added, 29.7.0)

🆕 jest-regex-util (added, 29.6.3)

🆕 jest-resolve (added, 29.7.0)

🆕 jest-resolve-dependencies (added, 29.7.0)

🆕 jest-runner (added, 29.7.0)

🆕 jest-runtime (added, 29.7.0)

🆕 jest-snapshot (added, 29.7.0)

🆕 jest-util (added, 29.7.0)

🆕 jest-validate (added, 29.7.0)

🆕 jest-watcher (added, 29.7.0)

🆕 jest-worker (added, 29.7.0)

🆕 pretty-format (added, 29.7.0)

🆕 pure-rand (added, 6.1.0)

🆕 write-file-atomic (added, 5.0.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 high · 2 medium

Alerts:
⚠ 3 issues (≤ 0 issues of at least minor severity)

Results:
3 new issues

Category	Results
Security	2 medium 1 high

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}