

@mcansh mcansh commented Jul 14, 2025

No description provided.

mcansh added 3 commits July 14, 2025 13:37

changeset-bot bot commented Jul 14, 2025

⚠️ No Changeset found

Latest commit: 1279d4a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


cloudflare-workers-and-pages bot commented Jul 14, 2025

Deploying with Cloudflare Workers

The latest updates on your project.

Status: Deployment successful
Name: packages
Latest Commit: 1279d4a
Updated (UTC): Jul 29 2025, 07:50 PM


pkg-pr-new bot commented Jul 14, 2025


npm i https://pkg.pr.new/mcansh/packages/@mcansh/http-helmet@47
npm i https://pkg.pr.new/mcansh/packages/@mcansh/url@47
npm i https://pkg.pr.new/mcansh/packages/@mcansh/vitest-response-matchers@47

commit: 1279d4a


@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @mcansh, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request initiates a major refactor of the http-helmet package, transitioning its core functionality to a class-based architecture. This rewrite introduces a new, more modular v2 API, alongside significant dependency cleanup and enhancements to the monorepo's build and testing configurations, aiming for improved maintainability and extensibility.

Highlights

  • Core Refactor to Class-Based API: The http-helmet package is undergoing a significant rewrite, introducing new ContentSecurityPolicy, StrictTransportSecurity, and SecurityHeaders classes under a v2 module. This shifts the API from a functional approach to an object-oriented one, allowing for more structured and extensible header management.
  • Dependency Management & Cleanup: Several unused or outdated dependencies have been removed (e.g., cli-highlight, marked, yargs), and some core utilities like content-security-policy-parser and ts-extras have been added as direct dependencies where needed. Build tooling dependencies like @arethetypeswrong/cli have been updated to @arethetypeswrong/core.
  • Build System Enhancements: The tsdown.config.ts files for http-helmet and url packages have been updated to include new v2 entry points, configure attw (Are The Types Wrong) directly, and define import.meta.vitest for better build process and type checking.
  • Test Suite Restructuring: The mergeHeaders tests have been moved to a dedicated utils.spec.ts file, and new comprehensive test suites for the v2 class-based APIs (content-security-policy.spec.ts, helmet.ts, strict-transport-security.ts) have been added, ensuring the new architecture is well-covered.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

  • Code Review: /gemini review. Performs a code review for the current pull request in its current state.
  • Pull Request Summary: /gemini summary. Provides a summary of the current pull request in its current state.
  • Comment: @gemini-code-assist. Responds in comments when explicitly tagged, both in issue comments and review comments.
  • Help: /gemini help. Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


codecov bot commented Jul 14, 2025

Codecov Report

❌ Patch coverage is 93.49593% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.89%. Comparing base (e9dbb6c) to head (1279d4a).

Files with missing lines Patch % Lines
...ages/http-helmet/src/v2/content-security-policy.ts 85.86% 13 Missing ⚠️
packages/http-helmet/src/v2/helmet.ts 96.38% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #47      +/-   ##
==========================================
+ Coverage   93.80%   93.89%   +0.08%     
==========================================
  Files          19       23       +4     
  Lines         872     1114     +242     
  Branches      215      276      +61     
==========================================
+ Hits          818     1046     +228     
- Misses         54       68      +14     


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a significant work-in-progress refactoring to a class-based approach for the http-helmet package, creating a new v2 API. The changes are extensive, touching everything from the core logic to build configurations and dependencies. The new class-based API is a great step towards a more modern, fluent interface.

I've identified a few high-severity correctness issues in the new ContentSecurityPolicy class that could lead to invalid headers or unexpected behavior. I've also found a medium-severity configuration issue that would affect documentation generation and another that could impact tooling. Addressing these points will improve the robustness and maintainability of the new API.

Comment on lines +63 to +75
public toString(): string {
return Array.from(this.#policy.entries())
.map(([key, values]) => {
if (key === "upgrade-insecure-requests") {
return "upgrade-insecure-requests";
}

if (typeof values === "boolean") return;

return `${key} ${values.join(" ")}`;
})
.join("; ");
}
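Review bot: besides the empty segment flagged below, the `typeof values === "boolean"` branch silently drops any true-valued flag other than upgrade-insecure-requests from the header, because the entry maps to undefined and is never emitted by name; if the policy map can hold other valueless directives, return the key when the value is true and skip the entry only when it is false. Also `values.join(" ")` on an empty array yields `"${key} "` with a trailing space, so an entry set to an empty list should be skipped or emitted as the bare key rather than serialised as-is.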

high

The toString() method can produce an invalid Content Security Policy string with extra semicolons (e.g., directive1; ; directive2). This happens when the .map() callback returns undefined for certain directives (like boolean-valued ones parsed from a string), and Array.prototype.join preserves these as empty slots.

To fix this, you should filter out falsy values from the array before joining.

Suggested change
public toString(): string {
return Array.from(this.#policy.entries())
.map(([key, values]) => {
if (key === "upgrade-insecure-requests") {
return "upgrade-insecure-requests";
}
if (typeof values === "boolean") return;
return `${key} ${values.join(" ")}`;
})
.join("; ");
}
public toString(): string {
return Array.from(this.#policy.entries())
.map(([key, values]) => {
if (key === "upgrade-insecure-requests") {
return "upgrade-insecure-requests";
}
if (typeof values === "boolean") return;
return `${key} ${values.join(" ")}`;
})
.filter(Boolean)
.join("; ");
}

Comment on lines +107 to +121
append(key: CspDirective, values: CspValueForKey<CspDirective>): this {
let existing = this.#policy.get(key) || [];

if (typeof existing === "boolean" || typeof values === "boolean") {
throw new ContentSecurityPolicyError(
`Cannot append to boolean directive: ${key}`,
);
}

let definedValues = this.#getDefinedValues(values);

this.#policy.set(key, [...existing, ...definedValues]);

return this;
}
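Review bot: `this.#policy.get(key) || []` on the second line coerces a stored `false` to `[]`, so the `typeof existing === "boolean"` guard two lines below can never fire for a directive that was explicitly set to false; use `this.#policy.get(key) ?? []` so only a missing key falls back to an empty list. The method also never deduplicates, so repeated append calls grow the directive with duplicate sources; consider `[...new Set([...existing, ...definedValues])]` before setting.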

high

The append method doesn't correctly handle the upgrade-insecure-requests directive. This directive is a boolean flag and doesn't take values, so appending to it is not a valid operation. The current implementation could lead to unexpected behavior.

You should add a check to prevent appending to this specific directive and guide the user to use the upgradeInsecureRequests() method instead.

  append(key: CspDirective, values: CspValueForKey<CspDirective>): this {
    if (key === "upgrade-insecure-requests") {
      throw new ContentSecurityPolicyError(
        "Cannot append to 'upgrade-insecure-requests' directive. Use the `upgradeInsecureRequests()` method instead.",
      );
    }

    let existing = this.#policy.get(key) || [];

    if (typeof existing === "boolean" || typeof values === "boolean") {
      throw new ContentSecurityPolicyError(
        `Cannot append to boolean directive: ${key}`,
      );
    }

    let definedValues = this.#getDefinedValues(values);

    this.#policy.set(key, [...existing, ...definedValues]);

    return this;
  }
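As an added example (not code from the http-helmet repository), a minimal stand-in for the reviewed class that reproduces the two comments above: the empty `; ;` segment from the reviewed toString(), a fixed serialiser that goes one step past the suggested .filter(Boolean) by emitting every true valueless flag by name, and an append() that uses `??` instead of `||` so a stored `false` still reaches the boolean guard. MiniCsp, its method names and the sample directives are assumptions.

```typescript
// Added example, not http-helmet code: MiniCsp stands in for the reviewed
// ContentSecurityPolicy class. As in the reviewed code, the policy map holds
// string[] for valued directives and a boolean for valueless flags.
type CspValues = string[] | boolean;

class MiniCsp {
  private policy = new Map<string, CspValues>();

  set(key: string, values: CspValues): this {
    this.policy.set(key, values);
    return this;
  }

  // `??` rather than `||`: an explicitly stored `false` must reach the
  // boolean guard instead of being coerced to an empty list.
  append(key: string, values: string[]): this {
    const existing = this.policy.get(key) ?? [];
    if (typeof existing === "boolean") {
      throw new Error(`Cannot append to boolean directive: ${key}`);
    }
    // Deduplicate so repeated appends do not grow the directive.
    this.policy.set(key, Array.from(new Set([...existing, ...values])));
    return this;
  }

  // Mirrors the reviewed toString(): any boolean other than
  // upgrade-insecure-requests maps to undefined, which join() renders as "".
  toStringAsReviewed(): string {
    return Array.from(this.policy.entries())
      .map(([key, values]) => {
        if (key === "upgrade-insecure-requests") return "upgrade-insecure-requests";
        if (typeof values === "boolean") return undefined;
        return `${key} ${values.join(" ")}`;
      })
      .join("; ");
  }

  // Fixed form: true flags are emitted by name, false flags and empty lists
  // are dropped, and the filter removes the gaps before joining.
  toStringFixed(): string {
    return Array.from(this.policy.entries())
      .map(([key, values]) => {
        if (typeof values === "boolean") return values ? key : undefined;
        return values.length ? `${key} ${values.join(" ")}` : undefined;
      })
      .filter((directive): directive is string => directive !== undefined)
      .join("; ");
  }
}
```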

@@ -1,3 +1,3 @@
{
"entryPoints": ["./src/index.ts", "./src/react.tsx"]
"entryPoints": ["./src/index.ts", "./src/react.tsx", "./src/index.v2.ts"]
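Review bot: the added entry ./src/index.v2.ts does not match the v2 layout described elsewhere in this PR (a v2 module under src, and v2 entry points in tsdown.config.ts); confirm the file actually exists at that path, since typedoc reports an error for an entry point it cannot resolve.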

medium

There appears to be a typo in the entry point for the v2 API. The path is specified as ./src/index.v2.ts, but based on the project structure and tsdown.config.ts, it should be ./src/v2/index.ts.

This will cause typedoc to fail when generating documentation for the new API.

  "entryPoints": ["./src/index.ts", "./src/react.tsx", "./src/v2/index.ts"]

@@ -0,0 +1,101 @@
import { SELF } from "#src/utils.ts";
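Review bot: `#src/utils.ts` is a Node subpath import, which only resolves when the package's package.json declares the `#src/*` pattern under an "imports" field; if vitest resolves it through a tsconfig paths alias instead, a plain node run of the built output or another consumer will not. Either add the "imports" mapping to package.json or use the relative `../utils.ts` path.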

medium

The import path "#src/utils.ts" uses a path alias that doesn't seem to be configured for this package in package.json. While this might work in your test environment, it can cause issues with tooling and build processes that don't know how to resolve it.

It's recommended to use a relative path to make the import resolution explicit and robust.

Suggested change
import { SELF } from "#src/utils.ts";
import { SELF } from "../utils.ts";

@mcansh mcansh changed the base branch from main to dev August 5, 2025 20:03
Repository owner deleted a comment from sonarqubecloud bot Oct 1, 2025