feat: support cjs and esm both by tshy (#101)

BREAKING CHANGE: drop Node.js < 18.19.0 support

part of eggjs/egg#3644

eggjs/egg#5257

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

Based on the comprehensive changes, here are the updated release notes:

- **New Features**
	- Migrated security plugin to TypeScript.
	- Enhanced type safety for security configurations.
	- Improved middleware and helper utilities.
- Introduced new middleware for handling `Strict-Transport-Security`,
`X-Frame-Options`, and `X-XSS-Protection` headers.
	- Added support for new security configurations and helper functions.

- **Breaking Changes**
	- Renamed package from `egg-security` to `@eggjs/security`.
	- Dropped support for Node.js versions below 18.19.0.
	- Restructured module exports and configurations.
	- Removed several deprecated middleware and utility functions.

- **Security Improvements**
	- Updated CSRF, XSS, and SSRF protection mechanisms.
	- Enhanced middleware for handling security headers.
	- Refined configuration options for various security features.

- **Performance**
	- Modernized codebase with ES module syntax.
	- Improved type definitions and module structure.
- Enhanced test suite with TypeScript support and better resource
management.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.eslintignore

@@ -1,5 +1,3 @@
 test/fixtures
-test/benchmark
 coverage
-node_modules
-lib/plugins/**/app/proxy
+__snapshots__

.eslintrc

@@ -1,6 +1,6 @@
 {
   "extends": [
-    "eslint-config-egg",
+    "eslint-config-egg/typescript",
     "eslint-config-egg/lib/rules/enforce-node-prefix"
   ]
 }

.github/workflows/nodejs.yml

@@ -11,7 +11,6 @@ jobs:
     name: Node.js
     uses: node-modules/github-actions/.github/workflows/node-test.yml@master
     with:
-      os: 'ubuntu-latest, macos-latest, windows-latest'
-      version: '14.20.0, 14, 16, 18, 20, 22'
+      version: '18.19.0, 20, 22'
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.gitignore

@@ -1,11 +1,11 @@
-node_modules
-coverage
-test/**/logs
-_book
-.DS_Store
+logs/
 npm-debug.log
-run/
-.vscode
+node_modules/
+coverage/
+test/fixtures/**/run
+.DS_Store
+.tshy*
+.eslintcache
+dist
 package-lock.json
-.travis.yml
-.idea
+.package-lock.json

README.md

@@ -1,28 +1,29 @@
-# egg-security
-
-Security plugin in egg
+# @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
 [![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
 [![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/eggjs/security)
 
-[npm-image]: https://img.shields.io/npm/v/egg-security.svg?style=flat-square
-[npm-url]: https://npmjs.org/package/egg-security
+[npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
+[npm-url]: https://npmjs.org/package/@eggjs/security
 [codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
 [codecov-url]: https://codecov.io/gh/eggjs/security
-[snyk-image]: https://snyk.io/test/npm/egg-security/badge.svg?style=flat-square
-[snyk-url]: https://snyk.io/test/npm/egg-security
-[download-image]: https://img.shields.io/npm/dm/egg-security.svg?style=flat-square
-[download-url]: https://npmjs.org/package/egg-security
+[snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/@eggjs/security
+[download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
+[download-url]: https://npmjs.org/package/@eggjs/security
 
 Egg's default security plugin, generally no need to configure.
 
 ## Install
 
 ```bash
-npm i egg-security
+npm i @eggjs/security
 ```
 
 ## Usage & configuration

README.zh-CN.md

@@ -1,21 +1,24 @@
-# egg-security
-
-egg 内置的安全插件
+# @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
 [![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
 [![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/eggjs/security)
 
-[npm-image]: https://img.shields.io/npm/v/egg-security.svg?style=flat-square
-[npm-url]: https://npmjs.org/package/egg-security
+[npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
+[npm-url]: https://npmjs.org/package/@eggjs/security
 [codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
 [codecov-url]: https://codecov.io/gh/eggjs/security
-[snyk-image]: https://snyk.io/test/npm/egg-security/badge.svg?style=flat-square
-[snyk-url]: https://snyk.io/test/npm/egg-security
-[download-image]: https://img.shields.io/npm/dm/egg-security.svg?style=flat-square
-[download-url]: https://npmjs.org/package/egg-security
+[snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/@eggjs/security
+[download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
+[download-url]: https://npmjs.org/package/@eggjs/security
+
+egg 内置的安全插件
 
 ## 使用方式
 

__snapshots__/config.default.test.ts.js

@@ -0,0 +1,84 @@
+exports['test/config/config.default.test.ts should config default values keep stable 1'] = {
+  "security": {
+    "domainWhiteList": [],
+    "protocolWhiteList": [],
+    "defaultMiddleware": [
+      "csrf",
+      "hsts",
+      "methodnoallow",
+      "noopen",
+      "nosniff",
+      "csp",
+      "xssProtection",
+      "xframe",
+      "dta"
+    ],
+    "csrf": {
+      "enable": true,
+      "type": "ctoken",
+      "ignoreJSON": false,
+      "cookieName": "csrfToken",
+      "sessionName": "csrfToken",
+      "headerName": "x-csrf-token",
+      "bodyName": "_csrf",
+      "queryName": "_csrf",
+      "rotateWhenInvalid": false,
+      "useSession": false,
+      "supportedRequests": [
+        {
+          "path": {},
+          "methods": [
+            "POST",
+            "PATCH",
+            "DELETE",
+            "PUT",
+            "CONNECT"
+          ]
+        }
+      ],
+      "refererWhiteList": [],
+      "cookieOptions": {
+        "signed": false,
+        "httpOnly": false,
+        "overwrite": true
+      }
+    },
+    "xframe": {
+      "enable": true,
+      "value": "SAMEORIGIN"
+    },
+    "hsts": {
+      "enable": false,
+      "maxAge": 31536000,
+      "includeSubdomains": false
+    },
+    "methodnoallow": {
+      "enable": true
+    },
+    "noopen": {
+      "enable": true
+    },
+    "nosniff": {
+      "enable": true
+    },
+    "xssProtection": {
+      "enable": true,
+      "value": "1; mode=block"
+    },
+    "csp": {
+      "enable": false,
+      "policy": {}
+    },
+    "referrerPolicy": {
+      "enable": false,
+      "value": "no-referrer-when-downgrade"
+    },
+    "dta": {
+      "enable": true
+    },
+    "ssrf": {}
+  },
+  "helper": {
+    "shtml": {}
+  }
+}

__snapshots__/context.test.ts.js

@@ -0,0 +1,74 @@
+exports['test/context.test.ts context.isSafeDomain should return false when domains are not safe 1'] = {
+  "domainWhiteList": [
+    ".domain.com",
+    "http://www.baidu.com",
+    "192.*.0.*",
+    "*.alibaba.com"
+  ],
+  "protocolWhiteList": [],
+  "defaultMiddleware": "xframe",
+  "csrf": {
+    "enable": true,
+    "type": "ctoken",
+    "ignoreJSON": false,
+    "cookieName": "csrfToken",
+    "sessionName": "csrfToken",
+    "headerName": "x-csrf-token",
+    "bodyName": "_csrf",
+    "queryName": "_csrf",
+    "rotateWhenInvalid": false,
+    "useSession": false,
+    "supportedRequests": [
+      {
+        "path": {},
+        "methods": [
+          "POST",
+          "PATCH",
+          "DELETE",
+          "PUT",
+          "CONNECT"
+        ]
+      }
+    ],
+    "refererWhiteList": [],
+    "cookieOptions": {
+      "signed": false,
+      "httpOnly": false,
+      "overwrite": true
+    }
+  },
+  "xframe": {
+    "enable": true,
+    "value": "SAMEORIGIN"
+  },
+  "hsts": {
+    "enable": false,
+    "maxAge": 31536000,
+    "includeSubdomains": false
+  },
+  "methodnoallow": {
+    "enable": true
+  },
+  "noopen": {
+    "enable": true
+  },
+  "nosniff": {
+    "enable": true
+  },
+  "xssProtection": {
+    "enable": true,
+    "value": "1; mode=block"
+  },
+  "csp": {
+    "enable": false,
+    "policy": {}
+  },
+  "referrerPolicy": {
+    "enable": false,
+    "value": "no-referrer-when-downgrade"
+  },
+  "dta": {
+    "enable": true
+  },
+  "ssrf": {}
+}

__snapshots__/csp.test.ts.js

@@ -0,0 +1,93 @@
+exports['test/csp.test.ts should ignore path 1'] = {
+  "domainWhiteList": [],
+  "protocolWhiteList": [],
+  "defaultMiddleware": "csp",
+  "csrf": {
+    "enable": true,
+    "type": "ctoken",
+    "ignoreJSON": false,
+    "cookieName": "csrfToken",
+    "sessionName": "csrfToken",
+    "headerName": "x-csrf-token",
+    "bodyName": "_csrf",
+    "queryName": "_csrf",
+    "rotateWhenInvalid": false,
+    "useSession": false,
+    "supportedRequests": [
+      {
+        "path": {},
+        "methods": [
+          "POST",
+          "PATCH",
+          "DELETE",
+          "PUT",
+          "CONNECT"
+        ]
+      }
+    ],
+    "refererWhiteList": [],
+    "cookieOptions": {
+      "signed": false,
+      "httpOnly": false,
+      "overwrite": true
+    }
+  },
+  "xframe": {
+    "enable": true,
+    "value": "SAMEORIGIN"
+  },
+  "hsts": {
+    "enable": false,
+    "maxAge": 31536000,
+    "includeSubdomains": false
+  },
+  "methodnoallow": {
+    "enable": true
+  },
+  "noopen": {
+    "enable": true
+  },
+  "nosniff": {
+    "enable": true
+  },
+  "xssProtection": {
+    "enable": true,
+    "value": "1; mode=block"
+  },
+  "csp": {
+    "enable": true,
+    "policy": {
+      "script-src": [
+        "'self'",
+        "'unsafe-inline'",
+        "'unsafe-eval'",
+        "www.google-analytics.com"
+      ],
+      "style-src": [
+        "'unsafe-inline'",
+        "www.google-analytics.com"
+      ],
+      "img-src": [
+        "'self'",
+        "data:",
+        "www.google-analytics.com"
+      ],
+      "frame-ancestors": [
+        "'self'"
+      ],
+      "report-uri": "http://pointman.domain.com/csp?app=csp"
+    },
+    "ignore": [
+      "/api/",
+      {}
+    ]
+  },
+  "referrerPolicy": {
+    "enable": false,
+    "value": "no-referrer-when-downgrade"
+  },
+  "dta": {
+    "enable": true
+  },
+  "ssrf": {}
+}