+6 -5

server/package-lock.json

reviewed

··· 66 66 "graphql-depth-limit": "^1.1.0", 67 67 "graphql-passport": "^0.6.4", 68 68 "graphql-scalars": "^1.19.0", 69 69 - "helmet": "^4.6.0", 69 69 + "helmet": "^8.1.0", 70 70 "ioredis": "^5.2.4", 71 71 "jsonwebtoken": "^9.0.3", 72 72 "kysely": "^0.28.16", ··· 15810 15810 "integrity": "sha512-2bsegYkkHO+h/9MGbn6KWcE45cHZgPANo5LXF7EvWdT0yT2EguSVO1nDgU5c8+ZOPwp2vMNa7YFsJhVcDR9Sdg==" 15811 15811 }, 15812 15812 "node_modules/helmet": { 15813 15813 - "version": "4.6.0", 15814 15814 - "resolved": "https://registry.npmjs.org/helmet/-/helmet-4.6.0.tgz", 15815 15815 - "integrity": "sha512-HVqALKZlR95ROkrnesdhbbZJFi/rIVSoNq6f3jA/9u6MIbTsPh3xZwihjeI5+DO/2sOV6HMHooXcEOuwskHpTg==", 15813 15813 + "version": "8.1.0", 15814 15814 + "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz", 15815 15815 + "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==", 15816 15816 + "license": "MIT", 15816 15817 "engines": { 15817 15817 - "node": ">=10.0.0" 15818 15818 + "node": ">=18.0.0" 15818 15819 } 15819 15820 }, 15820 15821 "node_modules/html-entities": {

+1 -1

server/package.json

reviewed

··· 80 80 "graphql-depth-limit": "^1.1.0", 81 81 "graphql-passport": "^0.6.4", 82 82 "graphql-scalars": "^1.19.0", 83 83 - "helmet": "^4.6.0", 83 83 + "helmet": "^8.1.0", 84 84 "ioredis": "^5.2.4", 85 85 "jsonwebtoken": "^9.0.3", 86 86 "kysely": "^0.28.16",

+4

server/routes/integration_logos/serveIntegrationLogo.ts

reviewed

··· 31 31 } 32 32 // Path was validated at plugin load (under package root); safe to send. 33 33 res.setHeader('Cache-Control', 'public, max-age=86400'); 34 34 + // Public plugin asset; opt out of helmet's strict same-origin CORP default 35 35 + // so the SPA can load it via <img src> when deployed on a different origin 36 36 + // than the API. 37 37 + res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin'); 34 38 res.sendFile(filePath, (err) => { 35 39 if (err != null && !res.headersSent) { 36 40

+4

server/routes/integration_logos/serveIntegrationLogoWithBackground.ts

reviewed

··· 31 31 ); 32 32 } 33 33 res.setHeader('Cache-Control', 'public, max-age=86400'); 34 34 + // Public plugin asset; opt out of helmet's strict same-origin CORP default 35 35 + // so the SPA can load it via <img src> when deployed on a different origin 36 36 + // than the API. 37 37 + res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin'); 34 38 res.sendFile(filePath, (err) => { 35 39 if (err != null && !res.headersSent) { 36 40