Sourced from helmet's changelog.

8.1.0 - 2025-03-17

Changed

• Content-Security-Policy gives a better error when a directive value, like self, should be quoted. See #482

8.0.0 - 2024-09-28

Changed

• Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
• Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
• Breaking: Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
• Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning

Removed

• Breaking: Drop support for Node 16 and 17. Node 18+ is now required

7.2.0 - 2024-09-28

Changed

• Content-Security-Policy middleware now warns if a directive should have quotes but does not, such as self instead of 'self'. This will be an error in future versions. See #454

7.1.0 - 2023-11-07

Added

• helmet.crossOriginEmbedderPolicy now supports the unsafe-none directive. See #477

7.0.0 - 2023-05-06

Changed

• Breaking: Cross-Origin-Embedder-Policy middleware is now disabled by default. See #411

Removed

• Breaking: Drop support for Node 14 and 15. Node 16+ is now required
• Breaking: Expect-CT is no longer part of Helmet. If you still need it, you can use the expect-ct package. See #378

6.2.0 - 2023-05-06

• Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
• Rework documentation

6.1.5 - 2023-04-11

Fixed

... (truncated)

• 57e1b39 8.1.0
• c8efbe3 Update changelog for 8.1.0 release
• 3396804 Add 8.0.0 release date to changelog
• 52dd8eb Content-Security-Policy: better error when value should be quoted
• 4af4777 Use built-in test runner (instead of Jest)
• ba10272 Organize imports
• e0f1387 Update devDependencies to latest versions
• 842393c Check types during npm test, run in parallel
• 77fbe3a Strict-Transport-Security: fix documentation for default max-age
• 632e629 Update license year for 2025
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)