Update server dependencies

package.json

@@ -79,7 +79,7 @@
     "sass-lint": "sass-lint"
   },
   "resolutions": {
-    "oauth2-server": "^3.1.0-beta.1",
+    "oauth2-server": "3.1.0-beta.1",
     "http-signature": "1.3.4"
   },
   "dependencies": {
@@ -92,7 +92,7 @@
     "body-parser": "^1.12.4",
     "bull": "^3.4.2",
     "bytes": "^3.0.0",
-    "commander": "^5.0.0",
+    "commander": "^6.0.0",
     "config": "^3.0.0",
     "cookie-parser": "^1.4.3",
     "cors": "^2.8.1",
@@ -106,17 +106,17 @@
     "flat": "^5.0.0",
     "fluent-ffmpeg": "^2.1.0",
     "fs-extra": "^9.0.0",
-    "helmet": "^3.12.1",
+    "helmet": "^4.1.0",
     "http-signature": "1.3.4",
     "ip-anonymize": "^0.1.0",
-    "ipaddr.js": "1.9.1",
+    "ipaddr.js": "2.0.0",
     "is-cidr": "^4.0.0",
     "iso-639-3": "^2.0.0",
-    "jimp": "^0.13.0",
+    "jimp": "^0.16.0",
     "js-yaml": "^3.5.4",
     "jsonld": "~3.1.1",
     "lodash": "^4.17.10",
-    "lru-cache": "^5.1.1",
+    "lru-cache": "^6.0.0",
     "magnet-uri": "^5.1.4",
     "memoizee": "^0.4.14",
     "morgan": "^1.5.3",
@@ -146,19 +146,19 @@
     "validator": "^13.0.0",
     "webfinger.js": "^2.6.6",
     "webtorrent": "^0.108.6",
-    "winston": "3.2.1",
+    "winston": "3.3.3",
     "ws": "^7.0.0",
     "youtube-dl": "^3.0.2"
   },
   "devDependencies": {
-    "@openapitools/openapi-generator-cli": "^1.0.13-4.3.1",
+    "@openapitools/openapi-generator-cli": "^1.0.15-4.3.1",
     "@types/apicache": "^1.2.0",
     "@types/async": "^3.0.0",
     "@types/async-lock": "^1.1.0",
     "@types/bcrypt": "^3.0.0",
     "@types/bluebird": "3.5.32",
     "@types/body-parser": "^1.16.3",
-    "@types/bull": "3.14.0",
+    "@types/bull": "3.14.2",
     "@types/bytes": "^3.0.0",
     "@types/chai": "^4.0.4",
     "@types/chai-json-schema": "^1.4.3",
@@ -175,7 +175,7 @@
     "@types/maildev": "^0.0.1",
     "@types/memoizee": "^0.4.2",
     "@types/mkdirp": "^1.0.0",
-    "@types/mocha": "^7.0.1",
+    "@types/mocha": "^8.0.3",
     "@types/morgan": "^1.7.32",
     "@types/multer": "^1.3.3",
     "@types/node": "^14.0.13",
@@ -210,7 +210,7 @@
     "source-map-support": "^0.5.0",
     "supertest": "^4.0.2",
     "swagger-cli": "^4.0.2",
-    "ts-node": "8.10.2",
+    "ts-node": "9.0.0",
     "typescript": "^3.7.2"
   },
   "scripty": {

server/initializers/config.ts

@@ -125,7 +125,7 @@ const CONFIG = {
   CSP: {
     ENABLED: config.get<boolean>('csp.enabled'),
     REPORT_ONLY: config.get<boolean>('csp.report_only'),
-    REPORT_URI: config.get<boolean>('csp.report_uri')
+    REPORT_URI: config.get<string>('csp.report_uri')
   },
   TRACKER: {
     ENABLED: config.get<boolean>('tracker.enabled'),

server/middlewares/csp.ts

@@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
     workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
   },
   CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
-  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
+  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
 )
 
 const baseCSP = helmet.contentSecurityPolicy({
   directives: baseDirectives,
-  browserSniff: false,
   reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 
 const embedCSP = helmet.contentSecurityPolicy({
   directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
-  browserSniff: false, // assumes a modern browser, but allows CDN in front
   reportOnly: CONFIG.CSP.REPORT_ONLY
 })