node-red-contrib-web-worldmap 4.6.4 → 4.6.5

package/CHANGELOG.md

@@ -1,5 +1,6 @@
 ### Change Log for Node-RED Worldmap
 
+ - v4.6.5 - Let geojson allow for generic overrides with .icon and .layer.
  - v4.6.4 - Fix deletion of layers logic to actually fully remove points.
  - v4.6.3 - Fix sending of layer events when not wanted. Issue #262
  - v4.6.2 - Fix multiple use of contextmenu feedback. Issue #259

package/README.md

@@ -13,6 +13,7 @@ Feel free to [![](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%
 
 ### Updates
 
+- v4.6.5  - Let geojson allow for generic overrides with .icon and .layer.
 - v4.6.4  - Fix deletion of layers logic to actually fully remove points.
 - v4.6.3  - Fix sending of layer events when not wanted. Issue #262
 - v4.6.2  - Fix multiple use of contextmenu feedback. Issue #259

package/node_modules/cookie/HISTORY.md

@@ -1,16 +1,21 @@
+0.6.0 / 2023-11-06
+==================
+
+  * Add `partitioned` option
+
 0.5.0 / 2022-04-11
 ==================
 
   * Add `priority` option
   * Fix `expires` option to reject invalid dates
-  * pref: improve default decode speed
-  * pref: remove slow string split in parse
+  * perf: improve default decode speed
+  * perf: remove slow string split in parse
 
 0.4.2 / 2022-02-02
 ==================
 
-  * pref: read value only when assigning in parse
-  * pref: remove unnecessary regexp in parse
+  * perf: read value only when assigning in parse
+  * perf: remove unnecessary regexp in parse
 
 0.4.1 / 2020-04-21
 ==================
@@ -41,7 +46,7 @@
 
   * perf: enable strict mode
   * perf: use for loop in parse
-  * perf: use string concatination for serialization
+  * perf: use string concatenation for serialization
 
 0.2.3 / 2015-10-25
 ==================

package/node_modules/cookie/README.md

@@ -2,9 +2,9 @@
 
 [![NPM Version][npm-version-image]][npm-url]
 [![NPM Downloads][npm-downloads-image]][npm-url]
-[![Node.js Version][node-version-image]][node-version-url]
-[![Build Status][github-actions-ci-image]][github-actions-ci-url]
-[![Test Coverage][coveralls-image]][coveralls-url]
+[![Node.js Version][node-image]][node-url]
+[![Build Status][ci-image]][ci-url]
+[![Coverage Status][coveralls-image]][coveralls-url]
 
 Basic HTTP cookie parser and serializer for HTTP servers.
 
@@ -107,6 +107,17 @@ The given number will be converted to an integer by rounding down. By default, n
 `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
 so if both are set, they should point to the same date and time.
 
+##### partitioned
+
+Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](rfc-cutler-httpbis-partitioned-cookies)
+attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
+`Partitioned` attribute is not set.
+
+**note** This is an attribute that has not yet been fully standardized, and may change in the future.
+This also means many clients may ignore this attribute until they understand it.
+
+More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
+
 ##### path
 
 Specifies the value for the [`Path` `Set-Cookie` attribute][rfc-6265-5.2.4]. By default, the path
@@ -212,49 +223,52 @@ $ npm test
 ```
 $ npm run bench
 
-> cookie@0.4.2 bench
+> cookie@0.5.0 bench
 > node benchmark/index.js
 
-  node@16.14.0
-  v8@9.4.146.24-node.20
-  uv@1.43.0
-  zlib@1.2.11
+  node@18.18.2
+  acorn@8.10.0
+  ada@2.6.0
+  ares@1.19.1
   brotli@1.0.9
-  ares@1.18.1
-  modules@93
-  nghttp2@1.45.1
-  napi@8
-  llhttp@6.0.4
-  openssl@1.1.1m+quic
-  cldr@40.0
-  icu@70.1
-  tz@2021a3
-  unicode@14.0
-  ngtcp2@0.1.0-DEV
-  nghttp3@0.1.0-DEV
+  cldr@43.1
+  icu@73.2
+  llhttp@6.0.11
+  modules@108
+  napi@9
+  nghttp2@1.57.0
+  nghttp3@0.7.0
+  ngtcp2@0.8.1
+  openssl@3.0.10+quic
+  simdutf@3.2.14
+  tz@2023c
+  undici@5.26.3
+  unicode@15.0
+  uv@1.44.2
+  uvwasi@0.0.18
+  v8@10.2.154.26-node.26
+  zlib@1.2.13.1-motley
 
 > node benchmark/parse-top.js
 
   cookie.parse - top sites
 
-  15 tests completed.
-
-  parse accounts.google.com x 2,421,245 ops/sec ±0.80% (188 runs sampled)
-  parse apple.com           x 2,684,710 ops/sec ±0.59% (189 runs sampled)
-  parse cloudflare.com      x 2,231,418 ops/sec ±0.76% (186 runs sampled)
-  parse docs.google.com     x 2,316,357 ops/sec ±1.28% (187 runs sampled)
-  parse drive.google.com    x 2,363,543 ops/sec ±0.49% (189 runs sampled)
-  parse en.wikipedia.org    x   839,414 ops/sec ±0.53% (189 runs sampled)
-  parse linkedin.com        x   553,797 ops/sec ±0.63% (190 runs sampled)
-  parse maps.google.com     x 1,314,779 ops/sec ±0.72% (189 runs sampled)
-  parse microsoft.com       x   153,783 ops/sec ±0.53% (190 runs sampled)
-  parse play.google.com     x 2,249,574 ops/sec ±0.59% (187 runs sampled)
-  parse plus.google.com     x 2,258,682 ops/sec ±0.60% (188 runs sampled)
-  parse sites.google.com    x 2,247,069 ops/sec ±0.68% (189 runs sampled)
-  parse support.google.com  x 1,456,840 ops/sec ±0.70% (187 runs sampled)
-  parse www.google.com      x 1,046,028 ops/sec ±0.58% (188 runs sampled)
-  parse youtu.be            x   937,428 ops/sec ±1.47% (190 runs sampled)
-  parse youtube.com         x   963,878 ops/sec ±0.59% (190 runs sampled)
+  14 tests completed.
+
+  parse accounts.google.com x 2,588,913 ops/sec ±0.74% (186 runs sampled)
+  parse apple.com           x 2,370,002 ops/sec ±0.69% (186 runs sampled)
+  parse cloudflare.com      x 2,213,102 ops/sec ±0.88% (188 runs sampled)
+  parse docs.google.com     x 2,194,157 ops/sec ±1.03% (184 runs sampled)
+  parse drive.google.com    x 2,265,084 ops/sec ±0.79% (187 runs sampled)
+  parse en.wikipedia.org    x   457,099 ops/sec ±0.81% (186 runs sampled)
+  parse linkedin.com        x   504,407 ops/sec ±0.89% (186 runs sampled)
+  parse maps.google.com     x 1,230,959 ops/sec ±0.98% (186 runs sampled)
+  parse microsoft.com       x   926,294 ops/sec ±0.88% (184 runs sampled)
+  parse play.google.com     x 2,311,338 ops/sec ±0.83% (185 runs sampled)
+  parse support.google.com  x 1,508,850 ops/sec ±0.86% (186 runs sampled)
+  parse www.google.com      x 1,022,582 ops/sec ±1.32% (182 runs sampled)
+  parse youtu.be            x   332,136 ops/sec ±1.02% (185 runs sampled)
+  parse youtube.com         x   323,833 ops/sec ±0.77% (183 runs sampled)
 
 > node benchmark/parse.js
 
@@ -262,12 +276,12 @@ $ npm run bench
 
   6 tests completed.
 
-  simple      x 2,745,604 ops/sec ±0.77% (185 runs sampled)
-  decode      x   557,287 ops/sec ±0.60% (188 runs sampled)
-  unquote     x 2,498,475 ops/sec ±0.55% (189 runs sampled)
-  duplicates  x   868,591 ops/sec ±0.89% (187 runs sampled)
-  10 cookies  x   306,745 ops/sec ±0.49% (190 runs sampled)
-  100 cookies x    22,414 ops/sec ±2.38% (182 runs sampled)
+  simple      x 3,214,032 ops/sec ±1.61% (183 runs sampled)
+  decode      x   587,237 ops/sec ±1.16% (187 runs sampled)
+  unquote     x 2,954,618 ops/sec ±1.35% (183 runs sampled)
+  duplicates  x   857,008 ops/sec ±0.89% (187 runs sampled)
+  10 cookies  x   292,133 ops/sec ±0.89% (187 runs sampled)
+  100 cookies x    22,610 ops/sec ±0.68% (187 runs sampled)
 ```
 
 ## References
@@ -275,6 +289,7 @@ $ npm run bench
 - [RFC 6265: HTTP State Management Mechanism][rfc-6265]
 - [Same-site Cookies][rfc-6265bis-09-5.4.7]
 
+[rfc-cutler-httpbis-partitioned-cookies]: https://tools.ietf.org/html/draft-cutler-httpbis-partitioned-cookies/
 [rfc-west-cookie-priority-00-4.1]: https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1
 [rfc-6265bis-09-5.4.7]: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7
 [rfc-6265]: https://tools.ietf.org/html/rfc6265
@@ -291,12 +306,12 @@ $ npm run bench
 
 [MIT](LICENSE)
 
+[ci-image]: https://badgen.net/github/checks/jshttp/cookie/master?label=ci
+[ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml
 [coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/cookie/master
 [coveralls-url]: https://coveralls.io/r/jshttp/cookie?branch=master
-[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/cookie/ci/master?label=ci
-[github-actions-ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml
-[node-version-image]: https://badgen.net/npm/node/cookie
-[node-version-url]: https://nodejs.org/en/download
+[node-image]: https://badgen.net/npm/node/cookie
+[node-url]: https://nodejs.org/en/download
 [npm-downloads-image]: https://badgen.net/npm/dm/cookie
 [npm-url]: https://npmjs.org/package/cookie
 [npm-version-image]: https://badgen.net/npm/v/cookie

package/node_modules/cookie/index.js

@@ -172,6 +172,10 @@ function serialize(name, val, options) {
     str += '; Secure';
   }
 
+  if (opt.partitioned) {
+    str += '; Partitioned'
+  }
+
   if (opt.priority) {
     var priority = typeof opt.priority === 'string'
       ? opt.priority.toLowerCase()
@@ -233,7 +237,7 @@ function decode (str) {
 /**
  * URL-encode value.
  *
- * @param {string} str
+ * @param {string} val
  * @returns {string}
  */
 

package/node_modules/cookie/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cookie",
   "description": "HTTP server cookie parsing and serialization",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "author": "Roman Shtylman <shtylman@gmail.com>",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>"
@@ -15,12 +15,12 @@
   "devDependencies": {
     "beautify-benchmark": "0.2.4",
     "benchmark": "2.1.4",
-    "eslint": "7.32.0",
-    "eslint-plugin-markdown": "2.2.1",
-    "mocha": "9.2.2",
+    "eslint": "8.53.0",
+    "eslint-plugin-markdown": "3.0.1",
+    "mocha": "10.2.0",
     "nyc": "15.1.0",
     "safe-buffer": "5.2.1",
-    "top-sites": "1.1.97"
+    "top-sites": "1.1.194"
   },
   "files": [
     "HISTORY.md",

package/node_modules/express/History.md

@@ -1,4 +1,20 @@
-4.18.3 / 2024-02-26
+4.19.2 / 2024-03-25
+==========
+
+  * Improved fix for open redirect allow list bypass
+
+4.19.1 / 2024-03-20
+==========
+
+  * Allow passing non-strings to res.location with new encoding handling checks
+
+4.19.0 / 2024-03-20
+==========
+
+  * Prevent open redirect allow list bypass due to encodeurl
+  * deps: cookie@0.6.0
+
+4.18.3 / 2024-02-29
 ==========
 
   * Fix routing requests without method
@@ -6,6 +22,8 @@
     - Fix strict json error message on Node.js 19+
     - deps: content-type@~1.0.5
     - deps: raw-body@2.5.2
+  * deps: cookie@0.6.0
+    - Add `partitioned` option
 
 4.18.2 / 2022-10-08
 ===================

package/node_modules/express/lib/response.js

@@ -55,6 +55,7 @@ module.exports = res
  */
 
 var charsetRegExp = /;\s*charset\s*=/;
+var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;
 
 /**
  * Set status `code`.
@@ -904,15 +905,23 @@ res.cookie = function (name, value, options) {
  */
 
 res.location = function location(url) {
-  var loc = url;
+  var loc;
 
   // "back" is an alias for the referrer
   if (url === 'back') {
     loc = this.req.get('Referrer') || '/';
+  } else {
+    loc = String(url);
   }
 
-  // set location
-  return this.set('Location', encodeUrl(loc));
+  var m = schemaAndHostRegExp.exec(loc);
+  var pos = m ? m[0].length + 1 : 0;
+
+  // Only encode after host to avoid invalid encoding which can introduce
+  // vulnerabilities (e.g. `\\` to `%5C`).
+  loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));
+
+  return this.set('Location', loc);
 };
 
 /**

package/node_modules/express/package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.3",
+  "version": "4.19.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -33,7 +33,7 @@
     "body-parser": "1.20.2",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.5.0",
+    "cookie": "0.6.0",
     "cookie-signature": "1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",

package/package.json

@@ -1,12 +1,12 @@
 {
     "name": "node-red-contrib-web-worldmap",
-    "version": "4.6.4",
+    "version": "4.6.5",
     "description": "A Node-RED node to provide a web page of a world map for plotting things on.",
     "dependencies": {
         "@turf/bezier-spline": "~6.5.0",
         "cgi": "0.3.1",
         "compression": "^1.7.4",
-        "express": "^4.18.2",
+        "express": "^4.19.2",
         "sockjs": "~0.3.24"
     },
     "bundledDependencies": [

package/worldmap/worldmap.js

@@ -150,10 +150,10 @@ var handleData = function(data) {
 
         // handle raw geojson type msg
         if (data.hasOwnProperty("type") && data.type.indexOf("Feature") === 0) {
-            if (data.hasOwnProperty('properties') && data.properties.hasOwnProperty('title')) {
-                doGeojson(data.properties.title,data)
+            if (data?.properties?.title) {
+                doGeojson(data.properties.title,data,data?.layer,data?.options,data?.icon) // name, geojson, layer, options, icon
             }
-            else { doGeojson("geojson",data); }
+            else { doGeojson("geojson",data,data?.layer,data?.options,data?.icon); }
         }
         // handle TAK json (from tak-ingest node or fastxml node)
         else if (data.hasOwnProperty("event") && data.event.hasOwnProperty("point")) {
@@ -3084,7 +3084,7 @@ function doCommand(cmd) {
 }
 
 // handle any incoming GEOJSON directly - may style badly
-function doGeojson(n,g,l,o) {  // name, geojson, layer, options
+function doGeojson(n,g,l,o,i) {  // name, geojson, layer, options, icon
     var lay = l ?? g.name ?? "unknown";
     // if (!basemaps[lay]) {
     var opt = { style: function(feature) {
@@ -3132,13 +3132,14 @@ function doGeojson(n,g,l,o) {  // name, geojson, layer, options
                 additionalInformation:feature.properties.modifier,
                 size:25
             });
+            var anc = myMarker.getAnchor();
             if (myMarker.hasOwnProperty("metadata") && myMarker.metadata.hasOwnProperty("echelon")) {
                 var sz = iconSz[myMarker.metadata.echelon];
                 myMarker.setOptions({size:sz});
             }
             myMarker = L.icon({
                 iconUrl: myMarker.toDataURL(),
-                iconAnchor: [myMarker.getAnchor().x, myMarker.getAnchor().y],
+                iconAnchor: [anc.x, anc.y],
                 className: "natoicon",
             });
         }
@@ -3156,7 +3157,7 @@ function doGeojson(n,g,l,o) {  // name, geojson, layer, options
         }
         else {
             myMarker = L.VectorMarkers.icon({
-                icon: feature.properties["marker-symbol"] ?? "circle",
+                icon: feature.properties["marker-symbol"] ?? i ?? "circle",
                 markerColor: (feature.properties["marker-color"] ?? "#910000"),
                 prefix: 'fa',
                 iconColor: 'white'

package/worldmap.js

@@ -129,7 +129,7 @@ module.exports = function(RED) {
                     if (node.name) { c.toptitle = node.name; }
                     //console.log("INIT",c)
                     client.write(JSON.stringify({command:c}));
-                    for (var p=0; p<pmtiles.length; p++) {
+                    for (var p=0; p < pmtiles.length; p++) {
                         fs.symlink(RED.settings.userDir+'/'+pmtiles[p], __dirname+'/worldmap/'+pmtiles[p], 'file', (err) => {
                             if (err) {
                                 if (err.code !== "EEXIST") { console.log(err); }
@@ -200,7 +200,6 @@ module.exports = function(RED) {
                 if (msg.payload.ttl && msg.payload.ttl < t) { t = msg.payload.ttl; }
                 allPoints[msg.payload.name].tout = setTimeout( function() { delete allPoints[msg.payload.name] }, t * 1000 );
             }
-
             if (msg?.payload?.command?.map?.delete) {
                 var ddd = msg.payload.command.map.delete;
                 if (!Array.isArray(ddd)) { ddd = [cmd.map.delete]; }
@@ -214,8 +213,8 @@ module.exports = function(RED) {
                     }
                 }
             }
-
         });
+
         node.on("close", function() {
             for (var c in clients) {
                 if (clients.hasOwnProperty(c)) {
@@ -232,6 +231,7 @@ module.exports = function(RED) {
             }
             node.status({});
         });
+
         sockets[node.path].on('connection', callback);
     }
     var WorldMap = function(n) {