yes-https 3.0.1 → 4.0.3

package/.github/workflows/ci.yaml

@@ -4,43 +4,77 @@ on:
       - main
   pull_request:
 name: ci
+permissions:
+  contents: read
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     strategy:
       matrix:
-        node: [18, 20]
+        node: [18, 20, 22]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ matrix.node }}
+          cache: npm
       - run: node --version
-      - run: npm install
+      - run: npm ci
       - run: npm test
-      - uses: codecov/codecov-action@v4
+  coverage:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          name: actions ${{ matrix.node }}
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 24
+          cache: npm
+      - run: node --version
+      - run: npm ci
+      - run: npm run coverage
+      - if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        with:
+          use_oidc: true
+          files: ./lcov.info
+          disable_search: true
+          fail_ci_if_error: true
+          name: actions node 20
   lint:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
-      - run: npm install
+          node-version: 24
+          cache: npm
+      - run: npm ci
       - run: npm run lint
-  release:
-    if: github.ref == 'refs/heads/main'
+  renovate-config:
     runs-on: ubuntu-latest
-    needs: [test, lint]
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm install
-      - run: npx semantic-release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 24
+          cache: npm
+      - run: npm ci
+      - run: npm run renovate-config

package/.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '20 6 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: javascript-typescript
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1

package/.github/workflows/release.yaml

@@ -0,0 +1,51 @@
+on:
+  push:
+    branches:
+      - main
+name: release
+permissions:
+  contents: read
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+env:
+  FORCE_COLOR: 2
+  NODE: 24
+jobs:
+  release-please:
+    if: github.repository == 'JustinBeckwith/yes-https'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    timeout-minutes: 15
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        id: release
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+  publish:
+    if: needs.release-please.outputs.release_created
+    runs-on: ubuntu-latest
+    needs: release-please
+    permissions:
+      contents: read
+      id-token: write
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: ${{ env.NODE }}
+          cache: npm
+          registry-url: 'https://registry.npmjs.org'
+      - run: npm ci
+      - run: npm test
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "4.0.3"
+}

package/AGENTS.md

@@ -0,0 +1,36 @@
+# AGENTS.md
+
+## Project overview
+
+- This repository is a small ESM Node.js package that exports a single middleware from `lib/index.js`.
+- Runtime support starts at Node.js 18 (`package.json`), and CI tests the package on Node.js 18, 20, and 22.
+- Linting runs with Biome, and releases are managed through `release-please`.
+
+## Working agreements
+
+- Use `npm` for dependency and script commands.
+- Prefer small, focused changes. Avoid unrelated cleanup in the same PR.
+- Use Conventional Commits for commit messages and PR titles (for example: `fix: ...`, `feat: ...`, `docs: ...`). This repository uses `release-please`, so incorrect commit or PR prefixes can break release automation.
+- Keep the public middleware API and the README example aligned when behavior or options change.
+- Do not edit `CHANGELOG.md` or `.release-please-manifest.json` manually unless the task is explicitly about the release process.
+
+## Commands
+
+- Install dependencies: `npm install`
+- Run tests: `npm test`
+- Run lint: `npm run lint`
+- Auto-fix formatting and lint issues: `npm run fix`
+- Generate coverage report: `npm run coverage`
+
+## Testing notes
+
+- `npm test` runs with `NODE_ENV=production`, which is important because the middleware bypasses redirects outside production mode.
+- HTTPS behavior is covered in `test/test.js` using the certificates under `test/certs/`.
+- If you change request handling or HSTS behavior, update or extend tests in `test/test.js`.
+
+## Files to check during changes
+
+- `lib/index.js`: package implementation and exported middleware.
+- `test/test.js`: behavioral coverage for redirects, HSTS headers, and ignored routes.
+- `README.md`: user-facing API and usage examples.
+- `example/app.js`: example app for manual testing and docs alignment.

package/CHANGELOG.md

@@ -0,0 +1,49 @@
+# Changelog
+
+## [4.0.3](https://github.com/JustinBeckwith/yes-https/compare/yes-https-v4.0.2...yes-https-v4.0.3) (2026-04-12)
+
+
+### Bug Fixes
+
+* normalize repository metadata for npm publishing ([#154](https://github.com/JustinBeckwith/yes-https/issues/154)) ([0382f21](https://github.com/JustinBeckwith/yes-https/commit/0382f21792bc2cf5b96de5e7ef3c369e57ca1c75))
+* use node 24 for release publishing ([#156](https://github.com/JustinBeckwith/yes-https/issues/156)) ([3c0c7a1](https://github.com/JustinBeckwith/yes-https/commit/3c0c7a15acc65d709b0b48f3f131bc5f6fc61214))
+
+## [4.0.2](https://github.com/JustinBeckwith/yes-https/compare/yes-https-v4.0.1...yes-https-v4.0.2) (2026-04-12)
+
+
+### Bug Fixes
+
+* pass GitHub token to npm publish ([#152](https://github.com/JustinBeckwith/yes-https/issues/152)) ([cefe9a5](https://github.com/JustinBeckwith/yes-https/commit/cefe9a50109ea2602cf39fa255432593e62febe8))
+
+## [4.0.1](https://github.com/JustinBeckwith/yes-https/compare/yes-https-v4.0.0...yes-https-v4.0.1) (2026-04-12)
+
+
+### Bug Fixes
+
+* normalize includeSubDomains option handling ([#134](https://github.com/JustinBeckwith/yes-https/issues/134)) ([61f7c77](https://github.com/JustinBeckwith/yes-https/commit/61f7c77af5520475b6f29371c7fcb60a852f4b31))
+
+## [4.0.0](https://github.com/JustinBeckwith/yes-https/compare/yes-https-v3.0.1...yes-https-v4.0.0) (2025-10-14)
+
+
+### ⚠ BREAKING CHANGES
+
+* support node.js 18 and up ([#107](https://github.com/JustinBeckwith/yes-https/issues/107))
+* This drops support for node.js 10.x, and converts the module to es modules. Upgrade with care.
+* Drops support for node.js 6 and node.js 8.
+
+### Features
+
+* convert to es modules ([#56](https://github.com/JustinBeckwith/yes-https/issues/56)) ([0381d86](https://github.com/JustinBeckwith/yes-https/commit/0381d86984e552a58655a4f03862b7ff7791ee5d))
+
+
+### Bug Fixes
+
+* **deps:** update dependency express to v4.19.2 [security] ([#111](https://github.com/JustinBeckwith/yes-https/issues/111)) ([09cf4c4](https://github.com/JustinBeckwith/yes-https/commit/09cf4c437ee5ab4301b2a0b770f6f118efb0ef8b))
+* **deps:** update dependency express to v5 ([#119](https://github.com/JustinBeckwith/yes-https/issues/119)) ([cbac5ef](https://github.com/JustinBeckwith/yes-https/commit/cbac5efe5e1d900093c2b5dc16fdd553957f9d89))
+* fix the release pipeline ([#30](https://github.com/JustinBeckwith/yes-https/issues/30)) ([9e6d1df](https://github.com/JustinBeckwith/yes-https/commit/9e6d1dffbe5e9561ba6e288f156a508e6fc39fe1))
+
+
+### Build System
+
+* require node.js 10x and up ([#37](https://github.com/JustinBeckwith/yes-https/issues/37)) ([5ccbe34](https://github.com/JustinBeckwith/yes-https/commit/5ccbe34347dfc9b296eef2723b63f13c98aa3f80))
+* support node.js 18 and up ([#107](https://github.com/JustinBeckwith/yes-https/issues/107)) ([e9cb7f8](https://github.com/JustinBeckwith/yes-https/commit/e9cb7f840cdb7011f29bb12500ac69fd94eddebe))

package/README.md

@@ -1,9 +1,12 @@
 # YES HTTPS!
 
-[![Build Status](https://github.com/JustinBeckwith/yes-https/workflows/ci/badge.svg)](https://github.com/JustinBeckwith/yes-https/actions/)
+[![Build Status](https://github.com/JustinBeckwith/yes-https/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/JustinBeckwith/yes-https/actions/workflows/ci.yaml?query=branch%3Amain)
+[![codecov](https://codecov.io/gh/JustinBeckwith/yes-https/branch/main/graph/badge.svg)](https://codecov.io/gh/JustinBeckwith/yes-https)
 [![npm version](https://badge.fury.io/js/yes-https.svg)](https://badge.fury.io/js/yes-https)
-[![XO code style](https://img.shields.io/badge/code_style-XO-5ed9c7.svg)](https://github.com/xojs/xo)
-[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
+[![Checked with Biome](https://img.shields.io/badge/Checked_with-Biome-60a5fa?style=flat&logo=biome)](https://biomejs.dev)
+[![Release Please](https://img.shields.io/badge/%E2%9A%99%EF%B8%8F-release--please-4285f4?style=flat)](https://github.com/googleapis/release-please)
+
+![An armored bear holding a shield in a forest](./docs/assets/yes-https.png)
 
 `yes-https` is a happy little npm module that makes it easy to require `https` for your connect based application.
 
@@ -41,11 +44,15 @@ You can also set a few settings with the middleware to control the header:
 ```js
 app.use(yes({
   maxAge: 86400,            // defaults `86400`
-  includeSubdomains: true,  // defaults `true`
+  includeSubDomains: true,  // defaults `true`
   preload: true             // defaults `true`
 }));
 ```
 
+`includeSubDomains` is the canonical option name. For backwards
+compatibility, `includeSubdomains` is also accepted, and both spellings
+default to `true`.
+
 ### Ignoring specific requests
 
 In some cases, you may want to ignore a request and not force the redirect.  You can use the `ignoreFilter` option to opt out of redirects on a case by case basis.  This is useful if you want to ignore a specific route:

package/SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are generally limited to the latest published release in the
+current major version line.
+
+| Version | Supported |
+| ------- | --------- |
+| 4.x     | Yes       |
+| < 4.0   | No        |
+
+This package supports Node.js 18 and later.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues,
+pull requests, or discussions.
+
+Instead, report them privately by email to
+`justin.beckwith@gmail.com` with:
+
+- A clear description of the issue and its security impact
+- Steps to reproduce, proof of concept, or example requests
+- Affected package version, Node.js version, and deployment details
+- Any suggested mitigations or fixes, if you have them
+
+You can expect an initial response within 5 business days. After the report is
+reviewed, the maintainer will work with you on validation, remediation, and a
+coordinated disclosure timeline.
+
+Please keep vulnerability details private until a fix is available and users
+have had a reasonable opportunity to update.
+
+## Scope
+
+This policy applies to the `yes-https` package in this repository, including
+the published npm package and the source under active maintenance on the default
+branch.

package/biome.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.2.6/schema.json",
+  "files": {
+    "includes": [
+      "**/lib/**/*.js",
+      "**/test/**/*.js",
+      "**/example/**/*.js",
+      "!**/node_modules/**/*",
+      "!**/coverage/**/*"
+    ]
+  },
+  "assist": { "actions": { "source": { "organizeImports": "on" } } },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 80
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single"
+    }
+  }
+}

package/example/app.js

@@ -7,11 +7,11 @@ const app = express();
 // Use the yes-https connect middleware.  Note - this will only work if NODE_ENV is set to production.
 app.use(yes());
 
-app.get('/', (request, response) => {
-	response.end('Thanks for checking it out!');
+app.get('/', (_request, response) => {
+  response.end('Thanks for checking it out!');
 });
 
 const server = app.listen(process.env.PORT || 3000, () => {
-	console.log('App listening on port %s', server.address().port);
-	console.log('Press Ctrl+C to quit.');
+  console.log('App listening on port %s', server.address().port);
+  console.log('Press Ctrl+C to quit.');
 });