Skip to content

chore(deps): bump bepsvpt/secure-headers from 7.5.0 to 9.1.0#1021

Merged
dsebastien merged 2 commits into
mainfrom
dependabot/composer/bepsvpt/secure-headers-8.0.0
Jun 17, 2026
Merged

chore(deps): bump bepsvpt/secure-headers from 7.5.0 to 9.1.0#1021
dsebastien merged 2 commits into
mainfrom
dependabot/composer/bepsvpt/secure-headers-8.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Oct 14, 2024

Copy link
Copy Markdown
Contributor

Bumps bepsvpt/secure-headers from 7.5.0 to 9.1.0.

Changelog

Sourced from bepsvpt/secure-headers's changelog.

  • 9.1.0 (2026-03-18)

    • Support Laravel 13
  • 9.0.0 (2025-01-18)

    • BREAKING CHANGE
      • PHP 7.0 is no longer supported.
    • Fix PHP 8.4 deprecation warning.

8.x

  • 8.0.0 (2024-10-13)
    • Support X-DNS-Prefetch-Control header.
    • Support clientHints for Clear-Site-Data header.
    • Support Reporting-Endpoints and NEL headers. (#49)
    • Update directives for Content-Security-Policy header.
      • The following directives were updated:
        • sandbox
        • trusted-types
      • The following directives were added:
        • fenced-frame-src
      • The following directives were removed:
        • navigate-to
        • plugin-types
    • Update directives for Permissions-Policy header.
      • The following directives were added:
        • attribution-reporting
        • bluetooth
        • browsing-topics
        • compute-pressure
        • gamepad
        • hid
        • identity-credentials-get
        • idle-detection
        • local-fonts
        • otp-credentials
        • publickey-credentials-create
        • serial
        • speaker-selection
        • storage-access
        • window-management
      • The following directives were removed:
        • battery
        • execution-while-not-rendered
        • execution-while-out-of-viewport
        • navigation-override
        • sync-xhr

7.x

Upgrade guide

Sourced from bepsvpt/secure-headers's upgrade guide.

7.5.0 to 8.0.0

  • Please refer to the changelog of version 8.0.0 to make corresponding adjustments based on your existing settings.

7.x.x to 7.3.0

  • The following new headers are added, you can find it here and copy to your config file.
    • Cross-Origin-Embedder-Policy
    • Cross-Origin-Opener-Policy
    • Cross-Origin-Resource-Policy

6.2.0 to 7.0.0

  • feature-policy was replaced with permissions-policy, make sure you add permissions-policy config to the config file, you can find it here.

6.1.x to 6.2.0

  • Add use-permissions-policy-header config key for feature-policy, you can find it here.

6.0.x to 6.1.0

  • X-Power-By header renamed to X-Powered-By.

5.x.x to 6.0.0

  • Lumen user need to add SecureHeadersMiddleware manually.
  • HSTS preload is disabled by default now, if your HSTS config does not contain preload key and you want to preserve previous behavior, add preload to HSTS section and set to true.
  • Update csp config structure from config file.

5.4.0 to 5.5.0

  • The following new headers are added, you can find it here and copy to your config file.
    • X-Power-By

5.3.x to 5.4.0

  • HSTS preload field can be disabled now, you can find it here and copy to your config file.
  • display-capture and document-domain are added to Feature-Policy, you can find it here and here.

5.2.x to 5.3.0

  • The following new headers are added, you can find it here and copy to your config file.
    • Feature-Policy

5.1.0 to 5.2.0

  • The following new headers are added, you can find it here and here and copy to your config file.
    • Clear-Site-Data
    • Server

... (truncated)

Commits
  • 92499bf chore: release 9.1.0
  • e572e87 docs: update changelog and testing table for Laravel 13
  • 864af11 ci: run tests on Laravel 13
  • 6c0e4b8 test: remove xdebug mode from phpunit config
  • b9ab6e2 ci: upgrade actions/cache from v4 to v5, add coverage xdebug config
  • 43db36f docs: update ci status badge
  • a5cb7ac ci: use multiple restore-keys
  • 8b1c76e ci: use bash shell
  • e20c979 ci: upgrade checkout from v4 to v6, update cache key
  • c2a3e82 ci: run test on PHP 8.5
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Related to the dependencies php Pull requests that update Php code labels Oct 14, 2024
@dependabot dependabot Bot force-pushed the dependabot/composer/bepsvpt/secure-headers-8.0.0 branch 2 times, most recently from 23d3aba to 4ac75b7 Compare October 23, 2024 12:10
@dsebastien

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [bepsvpt/secure-headers](https://github.com/bepsvpt/secure-headers) from 7.5.0 to 9.1.0.
- [Changelog](https://github.com/bepsvpt/secure-headers/blob/main/CHANGELOG.md)
- [Upgrade guide](https://github.com/bepsvpt/secure-headers/blob/main/UPGRADE.md)
- [Commits](bepsvpt/secure-headers@7.5.0...9.1.0)

---
updated-dependencies:
- dependency-name: bepsvpt/secure-headers
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump bepsvpt/secure-headers from 7.5.0 to 8.0.0 chore(deps): bump bepsvpt/secure-headers from 7.5.0 to 9.1.0 Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/composer/bepsvpt/secure-headers-8.0.0 branch from 4ac75b7 to eb9ed70 Compare June 17, 2026 12:39
bepsvpt/secure-headers 7.5 -> 9.1 restructures the config:
- drop removed Permissions-Policy directives (battery, execution-while-*,
  navigation-override, sync-xhr) and non-standard ones no longer shipped
- add new Permissions-Policy directives, locked down (=()) to preserve
  Knowii's deny-by-default posture
- drop CSP navigate-to/plugin-types (no longer whitelisted; were no-ops)
- restructure CSP sandbox and trusted-types to the v8+ shape
- add X-DNS-Prefetch-Control, Reporting-Endpoints, NEL, clear-site-data clientHints

Verified: generated CSP header is byte-identical; Permissions-Policy curated
self allow-list unchanged.
@dsebastien

Copy link
Copy Markdown
Member

Note: after rebases, Dependabot retargeted this bump to 9.1.0 (the branch name still says 8.0.0). Added a commit migrating config/secure-headers.php to the v8+/v9 structure:

  • Dropped Permissions-Policy directives removed in 8.0 (battery, execution-while-not-rendered, execution-while-out-of-viewport, navigation-override, sync-xhr) plus non-standard ones no longer shipped.
  • Added the new Permissions-Policy directives, all locked down (=()) to preserve the deny-by-default posture.
  • Dropped CSP navigate-to/plugin-types (no longer whitelisted; they emitted nothing before).
  • Restructured CSP sandbox (allow-downloads, allow-top-navigation-to-custom-protocols) and trusted-types (none replaces default).
  • Added X-DNS-Prefetch-Control, Reporting-Endpoints, NEL, and clear-site-data clientHints.

Verified against the 7.5.0 vs 9.1.0 builders: the generated CSP header is byte-identical, and the curated Permissions-Policy (self) allow-list is unchanged.

@dsebastien dsebastien merged commit 859b916 into main Jun 17, 2026
3 of 4 checks passed
@dependabot dependabot Bot deleted the dependabot/composer/bepsvpt/secure-headers-8.0.0 branch June 17, 2026 12:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Related to the dependencies php Pull requests that update Php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant