Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions .github/workflows/auto-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
with:
node-version: '20'

- name: Tag HEAD with next patch version
- name: Tag, then bump package.json and commit
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
Expand All @@ -38,6 +38,18 @@ jobs:
IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"

# Tag HEAD *before* bumping package.json. publish.yml's workflow_run
# trigger checks out this workflow's github.event.workflow_run.head_sha,
# which is fixed to the commit that triggered this run — if we committed
# the version bump first, the tag would move onto a commit publish.yml
# never sees, and it would silently build/publish the wrong (stale) version.
git tag "v$NEW_VERSION"
git push origin "v$NEW_VERSION"
echo "Tagged HEAD as v$NEW_VERSION"

# Keep package.json/package-lock.json in sync with the tag for the next
# cycle's baseline. [skip ci] keeps this from re-triggering CI (and
# therefore this workflow) on the release commit itself.
npm version "$NEW_VERSION" --no-git-tag-version --allow-same-version
git commit -am "chore: release v$NEW_VERSION [skip ci]"
git push origin HEAD:main
echo "Released v$NEW_VERSION"
24 changes: 24 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,30 @@
### Security
- `fetchHeaders`/`analyze(url)` now reject non-`http(s)` schemes and, by default, refuse to fetch hostnames that resolve to loopback, link-local (including the cloud metadata endpoint `169.254.169.254`), or private (RFC1918) addresses. Redirects are validated hop-by-hop instead of only checking the initial URL, and bounded to 5 hops. Opt out with `{ allowPrivateNetworks: true }` or CLI `--allow-private` for local/staging targets.

## [1.0.3] - 2026-06-11

### Fixed
- CSP: bare-scheme sources (e.g. `https:`) in `script-src`, `connect-src`, `form-action`, `frame-src`, `worker-src`, and `default-src` are now flagged as permissive, since they match any host just like a wildcard (#68)

## [1.0.2] - 2026-05-26

### Added
- Dependabot configuration for automated dependency updates
- Full README with badges, quick start, grading scale, and headers-checked table
- npm publish and auto-tag CI workflows, gated on full CI success (#69)
- CLI `--help` and `--version` flags, plus a configurable fetch timeout

### Changed
- **Grading is stricter and can lower previously-A/A+ scores:**
- Permissions-Policy now requires `camera=()`, `microphone=()`, and `geolocation=()` to score full marks — any other value previously scored "good" regardless of what it restricted (#4)
- CSP and Cross-Origin-* header checks tightened (#50)
- CSP now flags a missing `base-uri` directive (#51)

### Fixed
- CLI `--version` now loads the package version correctly under ESM (#47)
- Test files are excluded from the build `tsconfig` so they no longer get compiled into `dist` (#48)
- High-severity `vite` vulnerability patched; `npm audit --audit-level=high` is now enforced in CI (#71)

## [1.0.1] - 2025-05-19

### Added
Expand Down
4 changes: 2 additions & 2 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@hailbytes/security-headers",
"version": "1.0.1",
"version": "1.0.3",
"description": "Analyze HTTP security headers for your web application. A-F grading, per-header findings, and remediation steps — as a library or CLI.",
"type": "module",
"license": "MIT",
Expand Down
Loading