mirror of
https://github.com/MichMich/MagicMirror.git
synced 2025-08-22 13:09:26 +00:00
Bump helmet from 7.1.0 to 8.0.0 (#3570)
Bumps [helmet](https://github.com/helmetjs/helmet) from 7.1.0 to 8.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md">helmet's changelog</a>.</em></p>
<blockquote>
<h2>8.0.0</h2>
<h3>Changed</h3>
<ul>
<li><strong>Breaking:</strong> <code>Strict-Transport-Security</code> now has a max-age of 365 days, up from 180</li>
<li><strong>Breaking:</strong> <code>Content-Security-Policy</code> middleware now throws an error if a directive should have quotes but does not, such as <code>self</code> instead of <code>'self'</code>. See <a href="https://redirect.github.com/helmetjs/helmet/issues/454">#454</a></li>
<li><strong>Breaking:</strong> <code>Content-Security-Policy</code>'s <code>getDefaultDirectives</code> now returns a deep copy. This only affects users who were mutating the result</li>
<li><strong>Breaking:</strong> <code>Strict-Transport-Security</code> now throws an error when "includeSubDomains" option is misspelled. This was previously a warning</li>
</ul>
<h3>Removed</h3>
<ul>
<li><strong>Breaking:</strong> Drop support for Node 16 and 17. Node 18+ is now required</li>
</ul>
<h2>7.2.0 - 2024-09-28</h2>
<h3>Changed</h3>
<ul>
<li><code>Content-Security-Policy</code> middleware now warns if a directive should have quotes but does not, such as <code>self</code> instead of <code>'self'</code>. This will be an error in future versions. See <a href="https://redirect.github.com/helmetjs/helmet/issues/454">#454</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="9a8e6d5322"><code>9a8e6d5</code></a> 8.0.0</li>
<li><a href="6562cd7074"><code>6562cd7</code></a> CSP: speed up <code>getDefaultDirectives</code></li>
<li><a href="a8befb3b9d"><code>a8befb3</code></a> <code>getDefaultDirectives</code> should do a deep copy</li>
<li><a href="558ef2ce90"><code>558ef2c</code></a> HSTS: throw when misspelling "includeSubDomains" option</li>
<li><a href="73e75952fe"><code>73e7595</code></a> Content-Security-Policy: throw if directive value lacks necessary quotes</li>
<li><a href="76410e1093"><code>76410e1</code></a> Content-Security-Policy can now use Object.hasOwn</li>
<li><a href="293bd18bf5"><code>293bd18</code></a> Strict-Transport-Security: increase max-age to 1 year</li>
<li><a href="898cdc4c61"><code>898cdc4</code></a> Require Node 18+</li>
<li><a href="7e2b06947f"><code>7e2b069</code></a> 7.2.0</li>
<li><a href="7bea9158d4"><code>7bea915</code></a> Update changelog for 7.2.0 release</li>
<li>Additional commits viewable in <a href="https://github.com/helmetjs/helmet/compare/v7.1.0...v8.0.0">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
11
package-lock.json
generated
@@ -18,7 +18,7 @@
|
||||
"express": "^4.21.0",
|
||||
"express-ipfilter": "^1.3.2",
|
||||
"feedme": "^2.0.2",
|
||||
"helmet": "^7.1.0",
|
||||
"helmet": "^8.0.0",
|
||||
"html-to-text": "^9.0.5",
|
||||
"iconv-lite": "^0.6.3",
|
||||
"module-alias": "^2.2.3",
|
||||
@@ -6635,12 +6635,11 @@
|
||||
}
|
||||
},
|
||||
"node_modules/helmet": {
|
||||
"version": "7.1.0",
|
||||
"resolved": "https://registry.npmjs.org/helmet/-/helmet-7.1.0.tgz",
|
||||
"integrity": "sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==",
|
||||
"license": "MIT",
|
||||
"version": "8.0.0",
|
||||
"resolved": "https://registry.npmjs.org/helmet/-/helmet-8.0.0.tgz",
|
||||
"integrity": "sha512-VyusHLEIIO5mjQPUI1wpOAEu+wl6Q0998jzTxqUYGE45xCIcAxy3MsbEK/yyJUJ3ADeMoB6MornPH6GMWAf+Pw==",
|
||||
"engines": {
|
||||
"node": ">=16.0.0"
|
||||
"node": ">=18.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/html-encoding-sniffer": {
|
||||
|
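Review bot: the `engines` entry for `node_modules/helmet` moves from `"node": ">=16.0.0"` to `"node": ">=18.0.0"`, so this bump raises the minimum Node version for every install that pulls in helmet. Confirm that the project's own `engines` field and its CI matrix already require Node 18 or later; if either still admits Node 16 or 17, tighten it in the same change so the failure shows up as an install-time engine mismatch and not as a runtime error in the security-header middleware.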
@@ -63,7 +63,7 @@
|
||||
"express": "^4.21.0",
|
||||
"express-ipfilter": "^1.3.2",
|
||||
"feedme": "^2.0.2",
|
||||
"helmet": "^7.1.0",
|
||||
"helmet": "^8.0.0",
|
||||
"html-to-text": "^9.0.5",
|
||||
"iconv-lite": "^0.6.3",
|
||||
"module-alias": "^2.2.3",
|
||||
|
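Review bot: `"helmet": "^8.0.0"` is a major-version bump, and the commit as shown changes only the dependency manifests, with no accompanying change to the code that configures helmet. Per the changelog quoted in the commit message, 8.0.0 makes the Content-Security-Policy middleware throw when a directive value lacks its quotes (`self` instead of `'self'`), makes a misspelled "includeSubDomains" option an error, and raises the default Strict-Transport-Security max-age from 180 to 365 days. Before merging, check the options the server passes to helmet, including any user-supplied configuration merged into them, and add a test that constructs the middleware with that configuration so an unquoted directive fails in CI instead of when the server starts.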