diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 45d1e39..c295a50 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -24,7 +24,7 @@ jobs: with: node-version: '20' - - name: Tag HEAD with next patch version + - name: Tag, then bump package.json and commit run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" @@ -38,6 +38,18 @@ jobs: IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT" NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))" + # Tag HEAD *before* bumping package.json. publish.yml's workflow_run + # trigger checks out this workflow's github.event.workflow_run.head_sha, + # which is fixed to the commit that triggered this run — if we committed + # the version bump first, the tag would move onto a commit publish.yml + # never sees, and it would silently build/publish the wrong (stale) version. git tag "v$NEW_VERSION" git push origin "v$NEW_VERSION" - echo "Tagged HEAD as v$NEW_VERSION" + + # Keep package.json/package-lock.json in sync with the tag for the next + # cycle's baseline. [skip ci] keeps this from re-triggering CI (and + # therefore this workflow) on the release commit itself. + npm version "$NEW_VERSION" --no-git-tag-version --allow-same-version + git commit -am "chore: release v$NEW_VERSION [skip ci]" + git push origin HEAD:main + echo "Released v$NEW_VERSION" diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cef251..f3489d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,30 @@ ### Security - `fetchHeaders`/`analyze(url)` now reject non-`http(s)` schemes and, by default, refuse to fetch hostnames that resolve to loopback, link-local (including the cloud metadata endpoint `169.254.169.254`), or private (RFC1918) addresses. Redirects are validated hop-by-hop instead of only checking the initial URL, and bounded to 5 hops. Opt out with `{ allowPrivateNetworks: true }` or CLI `--allow-private` for local/staging targets. +## [1.0.3] - 2026-06-11 + +### Fixed +- CSP: bare-scheme sources (e.g. `https:`) in `script-src`, `connect-src`, `form-action`, `frame-src`, `worker-src`, and `default-src` are now flagged as permissive, since they match any host just like a wildcard (#68) + +## [1.0.2] - 2026-05-26 + +### Added +- Dependabot configuration for automated dependency updates +- Full README with badges, quick start, grading scale, and headers-checked table +- npm publish and auto-tag CI workflows, gated on full CI success (#69) +- CLI `--help` and `--version` flags, plus a configurable fetch timeout + +### Changed +- **Grading is stricter and can lower previously-A/A+ scores:** + - Permissions-Policy now requires `camera=()`, `microphone=()`, and `geolocation=()` to score full marks — any other value previously scored "good" regardless of what it restricted (#4) + - CSP and Cross-Origin-* header checks tightened (#50) + - CSP now flags a missing `base-uri` directive (#51) + +### Fixed +- CLI `--version` now loads the package version correctly under ESM (#47) +- Test files are excluded from the build `tsconfig` so they no longer get compiled into `dist` (#48) +- High-severity `vite` vulnerability patched; `npm audit --audit-level=high` is now enforced in CI (#71) + ## [1.0.1] - 2025-05-19 ### Added diff --git a/package-lock.json b/package-lock.json index b5e4a5e..b889b41 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "license": "MIT", "bin": { "security-headers": "dist/cli.js" diff --git a/package.json b/package.json index bd1362e..e6aac5d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@hailbytes/security-headers", - "version": "1.0.1", + "version": "1.0.3", "description": "Analyze HTTP security headers for your web application. A-F grading, per-header findings, and remediation steps — as a library or CLI.", "type": "module", "license": "MIT",