chore(deps): update dependency helmet to v3

[joshn-whitesource-app]

This PR contains the following updates:

Package	Type	Update	Change
helmet (source)	dependencies	major	^2.0.0 -> ^3.0.0

By merging this PR, the issue #23 will be automatically resolved and closed:

Severity	CVSS Score	CVE
High	7.5	CVE-2017-20165
Medium	6.1	WS-2019-0289
Medium	5.3	CVE-2017-16137
Medium	5.3	CVE-2017-20162

---

Release Notes

helmetjs/helmet (helmet)

v3.21.0

Compare Source

Added

• Updated x-xss-protection to v1.3.0
  • Added mode: null to disable mode=block

Changed

• Updated helmet-csp to v2.9.1
  • Updated bowser subdependency from 2.5.3 to 2.5.4. See helmet-csp#88

v3.20.1

Compare Source

Changed

• Updated helmet-csp to v2.9.0

v3.20.0

Compare Source

Changed

• Updated helmet-csp to v2.8.0

v3.19.0

Compare Source

Changed

• Updated dns-prefetch-control to v0.2.0
• Updated dont-sniff-mimetype to v1.1.0
• Updated helmet-crossdomain to v0.4.0
• Updated hide-powered-by to v1.1.0
• Updated x-xss-protection to v1.2.0

v3.18.0

Compare Source

Added

• featurePolicy has 19 new features: ambientLightSensor, documentDomain, documentWrite, encryptedMedia, fontDisplayLateSwap, layoutAnimations, legacyImageFormats, loadingFrameDefaultEager, oversizedImages, pictureInPicture, serial, syncScript, unoptimizedImages, unoptimizedLosslessImages, unoptimizedLossyImages, unsizedMedia, verticalScroll, wakeLock, and xr

Changed

• Updated expect-ct to v0.2.0
• Updated feature-policy to v0.3.0
• Updated frameguard to v3.1.0
• Updated nocache to v2.1.0

v3.17.0

Compare Source

Added

• referrerPolicy now supports multiple values

Changed

• Updated referrerPolicy to v1.2.0

v3.16.0

Compare Source

Added

• Add email to bugs field in package.json

Changed

• Updated hsts to v2.2.0
• Updated ienoopen to v1.1.0
• Changelog is now in the Keep A Changelog format
• Dropped support for Node <4. See the commit for more information
• Updated Adam Baldwin's contact information

Deprecated

• helmet.hsts's setIf option has been deprecated and will be removed in hsts@3. See helmetjs/hsts#22 for more

• The includeSubdomains option (with a lowercase d) has been deprecated and will be removed in hsts@3. Use the uppercase-D includeSubDomains option instead. See helmetjs/hsts#21 for more

v3.15.1

Compare Source

Deprecated

• The hpkp middleware has been deprecated. If you still need to use this module, install the standalone hpkp module from npm. See #​180 for more.

v3.15.0

Compare Source

Added

• helmet.featurePolicy now supports four new features

v3.14.0

Compare Source

Added

• helmet.featurePolicy middleware

v3.13.0

Compare Source

Added

• helmet.permittedCrossDomainPolicies middleware

v3.12.2

Compare Source

Fixed

• Removed lodash.reduce dependency from csp

v3.12.1

Compare Source

Fixed

• expectCt should use comma instead of semicolon as delimiter

v3.12.0

Compare Source

Added

• xssFilter now supports reportUri option

v3.11.0

Compare Source

Added

• Main Helmet middleware is now named to help with debugging

v3.10.0

Compare Source

Added

• csp now supports prefix-src directive

Fixed

• csp no longer loads JSON files internally, helping some module bundlers
• false should be able to disable a CSP directive

v3.9.0

Compare Source

Added

• csp now supports strict-dynamic value
• csp now supports require-sri-for directive

Changed

• Removed connect dependency

v3.8.2

Compare Source

Changed

• Updated connect dependency to latest

v3.8.1

Compare Source

Fixed

• csp does not automatically set report-to when setting report-uri

v3.8.0

Compare Source

Changed

• hsts no longer cares whether it's HTTPS and always sets the header

v3.7.0

Compare Source

Added

• csp now supports report-to directive

Changed

• Throw an error when used incorrectly
• Add a few documentation files to npmignore

v3.6.1

Compare Source

Changed

• Bump connect version

v3.6.0

Compare Source

Added

• expectCt middleware for setting the Expect-CT header

v3.5.0

Compare Source

Added

• csp now supports the worker-src directive

v3.4.1

Compare Source

Changed

• Bump connect version

v3.4.0

Compare Source

Added

• csp now supports more sandbox directives

v3.3.0

Compare Source

Added

• referrerPolicy allows strict-origin and strict-origin-when-cross-origin directives

Changed

• Bump connect version

v3.2.0

Compare Source

Added

• csp now allows manifest-src directive

v3.1.0

Compare Source

Added

• csp now allows frame-src directive

v3.0.0

Compare Source

Changed

• csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
• Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
• false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
• In CSP, reportOnly: true no longer requires a report-uri to be set.
• hsts's maxAge now defaults to 180 days (instead of 1 day)
• hsts's maxAge parameter is seconds, not milliseconds
• hsts includes subdomains by default
• domain parameter in frameguard cannot be empty

Removed

• noEtag option no longer present in noCache
• iOS Chrome connect-src workaround in CSP module

---

• If you want to rebase/retry this PR, check this box