Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 11 additions & 2 deletions .github/workflows/auto-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
with:
node-version: '20'

- name: Tag HEAD with next patch version
- name: Bump package.json, tag, and push
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
Expand All @@ -38,6 +38,15 @@ jobs:
IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"

# Keep package.json/package-lock.json in sync with the tag being cut —
# previously only the ephemeral publish job saw the bumped version, so
# main permanently drifted behind what was actually tagged and published.
npm version "$NEW_VERSION" --no-git-tag-version --allow-same-version
git commit -am "chore: release v$NEW_VERSION [skip ci]"
git tag "v$NEW_VERSION"

# [skip ci] keeps this push from re-triggering CI (and therefore this
# workflow) on the release commit itself.
git push origin HEAD:main
git push origin "v$NEW_VERSION"
echo "Tagged HEAD as v$NEW_VERSION"
echo "Released v$NEW_VERSION"
24 changes: 24 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,29 @@
# Changelog

## [1.0.3] - 2026-06-11

### Fixed
- CSP: bare-scheme sources (e.g. `https:`) in `script-src`, `connect-src`, `form-action`, `frame-src`, `worker-src`, and `default-src` are now flagged as permissive, since they match any host just like a wildcard (#68)

## [1.0.2] - 2026-05-26

### Added
- Dependabot configuration for automated dependency updates
- Full README with badges, quick start, grading scale, and headers-checked table
- npm publish and auto-tag CI workflows, gated on full CI success (#69)
- CLI `--help` and `--version` flags, plus a configurable fetch timeout

### Changed
- **Grading is stricter and can lower previously-A/A+ scores:**
- Permissions-Policy now requires `camera=()`, `microphone=()`, and `geolocation=()` to score full marks — any other value previously scored "good" regardless of what it restricted (#4)
- CSP and Cross-Origin-* header checks tightened (#50)
- CSP now flags a missing `base-uri` directive (#51)

### Fixed
- CLI `--version` now loads the package version correctly under ESM (#47)
- Test files are excluded from the build `tsconfig` so they no longer get compiled into `dist` (#48)
- High-severity `vite` vulnerability patched; `npm audit --audit-level=high` is now enforced in CI (#71)

## [1.0.1] - 2025-05-19

### Added
Expand Down
4 changes: 2 additions & 2 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@hailbytes/security-headers",
"version": "1.0.1",
"version": "1.0.3",
"description": "Analyze HTTP security headers for your web application. A-F grading, per-header findings, and remediation steps — as a library or CLI.",
"type": "module",
"license": "MIT",
Expand Down