npm - csprefabricate - Versions diffs - 2.0.3 → 2.1.1 - Mend

csprefabricate 2.0.3 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +36 -0
package/README.md +54 -0
package/dist/helpers.d.ts +1 -0
package/dist/helpers.js +31 -0
package/dist/index.d.ts +4 -3
package/dist/index.js +2 -2
package/dist/test/type-exports.typecheck.d.ts +1 -0
package/dist/test/type-exports.typecheck.js +21 -0
package/dist/types.d.ts +20 -4
package/dist/types.js +6 -0
package/package.json +13 -5

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,41 @@
 # Changelog
+## [2.1.1](https://github.com/JamesToohey/csprefabricate/compare/v2.1.0...v2.1.1) (2026-02-21)
+### Bug Fixes
+* Update npm-publish.yaml to fix OIDC error ([#72](https://github.com/JamesToohey/csprefabricate/issues/72)) ([7f77e3b](https://github.com/JamesToohey/csprefabricate/commit/7f77e3b4d7b8447b79d927d521f8d1042ec83655))
+## [2.1.0](https://github.com/JamesToohey/csprefabricate/compare/v2.0.22...v2.1.0) (2026-02-21)
+### Features
+* Add CSP Level 3 directives and deprecation warnings ([#68](https://github.com/JamesToohey/csprefabricate/issues/68)) ([35e91fa](https://github.com/JamesToohey/csprefabricate/commit/35e91fa51374794dc6a6cb5d661fb39558605ba8))
+* Improve exposed types ([#66](https://github.com/JamesToohey/csprefabricate/issues/66)) ([71028e2](https://github.com/JamesToohey/csprefabricate/commit/71028e293673353b1b966fd9acf0c59c15b54383))
+## [2.0.22](https://github.com/JamesToohey/csprefabricate/compare/v2.0.21...v2.0.22) (2026-01-30)
+### Bug Fixes
+* **ci/cd:** Fix npm publish config (take 3) ([#47](https://github.com/JamesToohey/csprefabricate/issues/47)) ([fc6b7e6](https://github.com/JamesToohey/csprefabricate/commit/fc6b7e60e8dd4612f36ac0f58ab770b48c3ccadc))
+## [2.0.5](https://github.com/JamesToohey/csprefabricate/compare/v2.0.4...v2.0.5) (2026-01-30)
+### Bug Fixes
+* **ci/cd:** fix npm auth ([#45](https://github.com/JamesToohey/csprefabricate/issues/45)) ([69d60f0](https://github.com/JamesToohey/csprefabricate/commit/69d60f07b1a5f8120bf26b8571c41ee668820970))
+## [2.0.4](https://github.com/JamesToohey/csprefabricate/compare/v2.0.3...v2.0.4) (2026-01-30)
+### Bug Fixes
+* **deps:** bump tar from 7.5.6 to 7.5.7 ([#42](https://github.com/JamesToohey/csprefabricate/issues/42)) ([5acbe2a](https://github.com/JamesToohey/csprefabricate/commit/5acbe2a8948934e46df8b2ef630cdacbcb336297))
 ## [2.0.3](https://github.com/JamesToohey/csprefabricate/compare/v2.0.2...v2.0.3) (2026-01-22)

package/README.md CHANGED Viewed

@@ -13,8 +13,11 @@ This project aims to make creating useful and secure CSPs a more pleasant experi
 Currently `csprefabricate`:
 - Validates directive names
+- Supports CSP Level 3 directives (`script-src-elem`, `script-src-attr`, `style-src-elem`, `style-src-attr`, `webrtc`)
+- Supports CSP Level 3 keyword sources (`'wasm-unsafe-eval'`, `'inline-speculation-rules'`, `'unsafe-allow-redirects'`, `'trusted-types-eval'`, `'report-sample'`, `'report-sha256'`, `'report-sha384'`, `'report-sha512'`, `'unsafe-webtransport-hashes'`)
 - Supports providing a list of TLDs for a given domain name
 - Provides warnings for insecure or incomplete CSP configurations, with options to disable specific warnings
+- Warns about deprecated directives (`plugin-types`, `report-uri`, `block-all-mixed-content`)
 ## Common CSP Issues
@@ -25,6 +28,7 @@ By default, `csprefabricate` will warn you about common CSP issues, such as:
 - Use of `'unsafe-inline'` in `script-src`, even if nonces or hashes are present
 - Missing nonces or hashes when using `'unsafe-inline'` in `script-src`
 - Allowing `data:` in `img-src` or `media-src`
+- Use of deprecated directives (`plugin-types`, `report-uri`, `block-all-mixed-content`)
 You can control which warnings are shown by passing an optional `WarningOptions` object to the `create` function:
@@ -48,6 +52,7 @@ const warningOptions: WarningOptions = {
     unsafeInline: false,
     missingNonceOrHash: false,
     dataUri: false,
+    deprecatedDirectives: false,
 };
 create(csp, warningOptions);
@@ -118,6 +123,55 @@ const cspString = create(csp);
 // "img-src 'self' *.example.com *.example.co.uk *.example.net;"
 ```
+### Example 4: Using CSP Level 3 Directives and Keywords
+CSP Level 3 introduced more granular control over scripts and styles, plus new keyword sources:
+```typescript
+import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
+const csp: ContentSecurityPolicy = {
+    [Directive.DEFAULT_SRC]: ["self"],
+    // Control <script> elements separately from inline event handlers
+    [Directive.SCRIPT_SRC_ELEM]: ["self", "https://cdn.example.com"],
+    [Directive.SCRIPT_SRC_ATTR]: ["none"],
+    // Control <style> elements separately from inline styles
+    [Directive.STYLE_SRC_ELEM]: ["self"],
+    [Directive.STYLE_SRC_ATTR]: ["unsafe-inline"],
+    // Allow WebAssembly compilation (but not eval)
+    [Directive.SCRIPT_SRC]: ["self", "wasm-unsafe-eval"],
+    // Control WebRTC connections
+    [Directive.WEBRTC]: ["allow"],
+    [Directive.OBJECT_SRC]: ["none"],
+    [Directive.BASE_URI]: ["self"],
+};
+const cspString = create(csp);
+// "default-src 'self'; script-src-elem 'self' https://cdn.example.com; script-src-attr 'none'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; script-src 'self' 'wasm-unsafe-eval'; webrtc 'allow'; object-src 'none'; base-uri 'self';"
+```
+#### CSP Level 3 Keyword Sources
+CSP Level 3 introduces several new keyword sources that are automatically wrapped in single quotes:
+- **`'wasm-unsafe-eval'`** - Allows WebAssembly compilation without allowing JavaScript eval
+- **`'inline-speculation-rules'`** - Allows inline speculation rules for prefetching
+- **`'unsafe-allow-redirects'`** - Allows redirects in navigation (experimental)
+- **`'trusted-types-eval'`** - Allows eval when combined with Trusted Types
+- **`'report-sample'`** - Includes code samples in violation reports
+- **`'report-sha256'`, `'report-sha384'`, `'report-sha512'`** - Generates hash-based reports for subresources
+- **`'unsafe-webtransport-hashes'`** - Allows WebTransport connections with certificate hashes
+## Deprecated Directives
+Some CSP directives have been deprecated in favor of newer alternatives. `csprefabricate` will warn you when using these directives:
+- **`plugin-types`** - Never widely supported, scheduled for removal
+- **`report-uri`** - Use `report-to` instead
+- **`block-all-mixed-content`** - Use `upgrade-insecure-requests` instead
+These directives are still functional but may be removed from future CSP specifications. You can disable these warnings by setting `deprecatedDirectives: false` in your `WarningOptions`.
 ## Baseline Recommended CSPs
 You can quickly generate a recommended Content Security Policy for common use cases using built-in baselines.

package/dist/helpers.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export interface WarningOptions {
     unsafeInline?: boolean;
     missingNonceOrHash?: boolean;
     dataUri?: boolean;
+    deprecatedDirectives?: boolean;
 }
 export declare function warnOnCspIssues(csp: ContentSecurityPolicy, overrides?: WarningOptions): void;
 export declare const isValidDirective: (directive: string) => boolean;

package/dist/helpers.js CHANGED Viewed

@@ -9,6 +9,7 @@ const DEFAULT_WARNINGS = {
     unsafeInline: true,
     missingNonceOrHash: true,
     dataUri: true,
+    deprecatedDirectives: true,
 };
 const validDirectives = [
     "default-src",
@@ -36,6 +37,12 @@ const validDirectives = [
     "trusted-types",
     "upgrade-insecure-requests",
     "block-all-mixed-content",
+    "script-src-elem",
+    "script-src-attr",
+    "style-src-elem",
+    "style-src-attr",
+    "webrtc",
+    "fenced-frame-src",
 ];
 const specialRules = [
     "none",
@@ -44,6 +51,18 @@ const specialRules = [
     "unsafe-eval",
     "strict-dynamic",
     "unsafe-hashes",
+    "wasm-unsafe-eval",
+    "inline-speculation-rules",
+    "unsafe-allow-redirects",
+    "trusted-types-eval",
+    "report-sample",
+    "report-sha256",
+    "report-sha384",
+    "report-sha512",
+    "unsafe-webtransport-hashes",
+    "allow",
+    "block",
+    "script",
 ];
 function warnOnCspIssues(csp, overrides = {}) {
     const options = { ...DEFAULT_WARNINGS, ...overrides };
@@ -102,6 +121,18 @@ function warnOnCspIssues(csp, overrides = {}) {
             }
         });
     }
+    // 6. Deprecated directives
+    if (options.deprecatedDirectives) {
+        if (types_1.Directive.PLUGIN_TYPES in csp) {
+            console.warn(`[CSPrefabricate] Directive 'plugin-types' is deprecated and may be removed in future CSP versions. This directive was never widely supported.`);
+        }
+        if (types_1.Directive.REPORT_URI in csp) {
+            console.warn(`[CSPrefabricate] Directive 'report-uri' is deprecated and may be removed in future CSP versions. Use 'report-to' instead.`);
+        }
+        if (types_1.Directive.BLOCK_ALL_MIXED_CONTENT in csp) {
+            console.warn(`[CSPrefabricate] Directive 'block-all-mixed-content' is deprecated and may be removed in future CSP versions. Use 'upgrade-insecure-requests' instead.`);
+        }
+    }
 }
 const isValidDirective = (directive) => validDirectives.includes(directive);
 exports.isValidDirective = isValidDirective;

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
-import { Directive } from "./types";
 import { create } from "./utils";
 import * as Baseline from "./baseline";
 export { Baseline };
-export { create, Directive };
-export type { ContentSecurityPolicy } from "./types";
+export { create };
+export { Directive } from "./types";
+export type { ContentSecurityPolicy, Rules, BasicDirectiveRule, BlankDirectiveRule, AllowBlockRule, RequireTrustedTypesForRule, CSPDirective, CSP, } from "./types";
+export type { WarningOptions } from "./helpers";

package/dist/index.js CHANGED Viewed

@@ -34,9 +34,9 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Directive = exports.create = exports.Baseline = void 0;
-const types_1 = require("./types");
-Object.defineProperty(exports, "Directive", { enumerable: true, get: function () { return types_1.Directive; } });
 const utils_1 = require("./utils");
 Object.defineProperty(exports, "create", { enumerable: true, get: function () { return utils_1.create; } });
 const Baseline = __importStar(require("./baseline"));
 exports.Baseline = Baseline;
+var types_1 = require("./types");
+Object.defineProperty(exports, "Directive", { enumerable: true, get: function () { return types_1.Directive; } });

package/dist/test/type-exports.typecheck.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/test/type-exports.typecheck.js ADDED Viewed

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("../index");
+const rules = ["self", "example.com"];
+const basicRule = ["self", "example.com"];
+const blankRule = null;
+const allowBlockRule = ["allow"];
+const requireTrustedTypesForRule = ["script"];
+const directive = index_1.Directive.DEFAULT_SRC;
+const csp = { [directive]: rules };
+const cspByName = { [index_1.Directive.SCRIPT_SRC]: basicRule };
+const options = { overlyPermissive: false };
+void rules;
+void basicRule;
+void blankRule;
+void allowBlockRule;
+void requireTrustedTypesForRule;
+void directive;
+void csp;
+void cspByName;
+void options;

package/dist/types.d.ts CHANGED Viewed

@@ -23,11 +23,19 @@ declare enum Directive {
     REQUIRE_TRUSTED_TYPES_FOR = "require-trusted-types-for",
     TRUSTED_TYPES = "trusted-types",
     UPGRADE_INSECURE_REQUESTS = "upgrade-insecure-requests",
-    BLOCK_ALL_MIXED_CONTENT = "block-all-mixed-content"
+    BLOCK_ALL_MIXED_CONTENT = "block-all-mixed-content",
+    SCRIPT_SRC_ELEM = "script-src-elem",
+    SCRIPT_SRC_ATTR = "script-src-attr",
+    STYLE_SRC_ELEM = "style-src-elem",
+    STYLE_SRC_ATTR = "style-src-attr",
+    WEBRTC = "webrtc",
+    FENCED_FRAME_SRC = "fenced-frame-src"
 }
 type BasicDirectiveRule = Array<string | Record<string, Array<string>>>;
 type BlankDirectiveRule = null;
-type Rules = BasicDirectiveRule | BlankDirectiveRule;
+type AllowBlockRule = Array<"allow" | "block">;
+type RequireTrustedTypesForRule = ["script"];
+type Rules = BasicDirectiveRule | BlankDirectiveRule | AllowBlockRule | RequireTrustedTypesForRule;
 interface ContentSecurityPolicy {
     [Directive.DEFAULT_SRC]?: BasicDirectiveRule;
     [Directive.SCRIPT_SRC]?: BasicDirectiveRule;
@@ -50,9 +58,17 @@ interface ContentSecurityPolicy {
     [Directive.MANIFEST_SRC]?: BasicDirectiveRule;
     [Directive.PREFETCH_SRC]?: BasicDirectiveRule;
     [Directive.NAVIGATE_TO]?: BasicDirectiveRule;
-    [Directive.REQUIRE_TRUSTED_TYPES_FOR]?: BasicDirectiveRule;
+    [Directive.REQUIRE_TRUSTED_TYPES_FOR]?: RequireTrustedTypesForRule;
     [Directive.TRUSTED_TYPES]?: BasicDirectiveRule;
     [Directive.UPGRADE_INSECURE_REQUESTS]?: BlankDirectiveRule;
     [Directive.BLOCK_ALL_MIXED_CONTENT]?: BlankDirectiveRule;
+    [Directive.SCRIPT_SRC_ELEM]?: BasicDirectiveRule;
+    [Directive.SCRIPT_SRC_ATTR]?: BasicDirectiveRule;
+    [Directive.STYLE_SRC_ELEM]?: BasicDirectiveRule;
+    [Directive.STYLE_SRC_ATTR]?: BasicDirectiveRule;
+    [Directive.WEBRTC]?: AllowBlockRule;
+    [Directive.FENCED_FRAME_SRC]?: BasicDirectiveRule;
 }
-export { ContentSecurityPolicy, Rules, Directive, BasicDirectiveRule };
+type CSPDirective = Directive;
+type CSP = ContentSecurityPolicy;
+export { ContentSecurityPolicy, Rules, Directive, BasicDirectiveRule, BlankDirectiveRule, AllowBlockRule, RequireTrustedTypesForRule, CSPDirective, CSP, };

package/dist/types.js CHANGED Viewed

@@ -28,4 +28,10 @@ var Directive;
     Directive["TRUSTED_TYPES"] = "trusted-types";
     Directive["UPGRADE_INSECURE_REQUESTS"] = "upgrade-insecure-requests";
     Directive["BLOCK_ALL_MIXED_CONTENT"] = "block-all-mixed-content";
+    Directive["SCRIPT_SRC_ELEM"] = "script-src-elem";
+    Directive["SCRIPT_SRC_ATTR"] = "script-src-attr";
+    Directive["STYLE_SRC_ELEM"] = "style-src-elem";
+    Directive["STYLE_SRC_ATTR"] = "style-src-attr";
+    Directive["WEBRTC"] = "webrtc";
+    Directive["FENCED_FRAME_SRC"] = "fenced-frame-src";
 })(Directive || (exports.Directive = Directive = {}));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "csprefabricate",
-    "version": "2.0.3",
+    "version": "2.1.1",
     "description": "Generate valid and secure Content Security Policies (CSP) with TypeScript.",
     "keywords": [
         "csp",
@@ -10,19 +10,25 @@
         "xss-protection",
         "typescript"
     ],
-    "homepage": "https://github.com/jamestoohey/csprefabricate#readme",
+    "homepage": "https://github.com/JamesToohey/csprefabricate#readme",
     "bugs": {
-        "url": "https://github.com/jamestoohey/csprefabricate/issues"
+        "url": "https://github.com/JamesToohey/csprefabricate/issues"
     },
     "repository": {
         "type": "git",
-        "url": "git+https://github.com/jamestoohey/csprefabricate.git"
+        "url": "git+https://github.com/JamesToohey/csprefabricate.git"
     },
     "license": "MIT",
     "author": {
         "name": "James Toohey",
-        "url": "https://github.com/jamestoohey"
+        "url": "https://github.com/JamesToohey"
     },
+    "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/JamesToohey"
+    },
+    "type": "commonjs",
+    "sideEffects": false,
     "packageManager": "yarn@4.12.0",
     "exports": {
         ".": {
@@ -41,6 +47,8 @@
     ],
     "scripts": {
         "build": "tsc --project tsconfig.build.json",
+        "format": "prettier --write .",
+        "format:check": "prettier --check .",
         "functional-test": "yarn build && tsx --test src/test/functional/functional.test.js",
         "lint": "eslint .",
         "pack": "npm pack",