Remove Feature-Policy middleware

CHANGELOG.md

@@ -4,7 +4,8 @@
 
 ### Removed
 
-- `helmet.hpkp`. If you still need it, check out the `hpkp` package on npm.
+- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
+- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
 
 ## 3.23.0 - 2020-06-12
 

README.md

@@ -65,7 +65,6 @@ Helmet is a collection of 11 smaller middleware functions that set HTTP response
 | [crossdomain](https://helmetjs.github.io/docs/crossdomain/) for handling Adobe products' crossdomain requests |          |
 | [dnsPrefetchControl](https://helmetjs.github.io/docs/dns-prefetch-control) controls browser DNS prefetching   | ✓        |
 | [expectCt](https://helmetjs.github.io/docs/expect-ct/) for handling Certificate Transparency                  |          |
-| [featurePolicy](https://helmetjs.github.io/docs/feature-policy/) to limit your site's features                |          |
 | [frameguard](https://helmetjs.github.io/docs/frameguard/) to prevent clickjacking                             | ✓        |
 | [hidePoweredBy](https://helmetjs.github.io/docs/hide-powered-by) to remove the X-Powered-By header            | ✓        |
 | [hsts](https://helmetjs.github.io/docs/hsts/) for HTTP Strict Transport Security                              | ✓        |

index.ts

@@ -5,7 +5,6 @@ interface HelmetOptions {
   contentSecurityPolicy?: any;
   dnsPrefetchControl?: any;
   expectCt?: any;
-  featurePolicy?: any;
   frameguard?: any;
   hidePoweredBy?: any;
   hsts?: any;
@@ -37,7 +36,6 @@ type MiddlewareName =
   | "contentSecurityPolicy"
   | "dnsPrefetchControl"
   | "expectCt"
-  | "featurePolicy"
   | "frameguard"
   | "hidePoweredBy"
   | "hsts"
@@ -52,7 +50,6 @@ const middlewares: MiddlewareName[] = [
   "contentSecurityPolicy",
   "dnsPrefetchControl",
   "expectCt",
-  "featurePolicy",
   "frameguard",
   "hidePoweredBy",
   "hsts",
@@ -133,10 +130,6 @@ helmet.permittedCrossDomainPolicies = require("helmet-crossdomain");
 helmet.referrerPolicy = require("referrer-policy");
 helmet.xssFilter = require("x-xss-protection");
 
-helmet.featurePolicy = deprecate.function(
-  require("feature-policy"),
-  "helmet.featurePolicy is deprecated (along with the HTTP header) and will be removed in helmet@4. You can use the `feature-policy` module instead."
-);
 helmet.noCache = deprecate.function(
   require("nocache"),
   "helmet.noCache is deprecated and will be removed in helmet@4. You can use the `nocache` module instead. For more, see https://github.com/helmetjs/helmet/issues/215."

package.json

@@ -43,7 +43,6 @@
     "dns-prefetch-control": "0.2.0",
     "dont-sniff-mimetype": "1.1.0",
     "expect-ct": "0.2.0",
-    "feature-policy": "0.3.0",
     "frameguard": "3.1.0",
     "helmet-crossdomain": "0.4.0",
     "helmet-csp": "2.10.0",

test/index.test.ts

@@ -21,37 +21,6 @@ describe("helmet", function () {
       expect(helmet.expectCt).toBe(pkg);
     });
 
-    // This test will be removed in helmet@4.
-    it("calls through to feature-policy but emits a deprecation warning", function () {
-      const deprecationPromise = new Promise((resolve) => {
-        process.once("deprecation", (deprecationError) => {
-          expect(
-            deprecationError.message.indexOf(
-              "You can use the `feature-policy` module instead."
-            ) !== -1
-          ).toBeTruthy();
-          resolve();
-        });
-      });
-
-      const app = connect();
-      app.use(
-        helmet.featurePolicy({
-          features: { vibrate: ["'none'"] },
-        })
-      );
-      app.use((_req: IncomingMessage, res: ServerResponse) => {
-        res.end("Hello world!");
-      });
-      const supertestPromise = request(app)
-        .get("/")
-        .expect(200)
-        .expect("Feature-Policy", "vibrate 'none'")
-        .expect("Hello world!");
-
-      return Promise.all([deprecationPromise, supertestPromise]);
-    });
-
     it('aliases "helmet-crossdomain"', function () {
       const pkg = require("helmet-crossdomain");
       expect(helmet.permittedCrossDomainPolicies).toBe(pkg);