node-red-contrib-web-worldmap 5.6.2 → 5.7.1

package/CHANGELOG.md

@@ -1,5 +1,6 @@
 ### Change Log for Node-RED Worldmap
 
+ - v5.7.0 - Add events for openPopup and closePopup actions, small popup fixups. Add showdialog command.
  - v5.6.1 - Also call autoswitch on initial connect to ensure map in view.
  - v5.6.0 - Autoswitch pmtiles basemaps based on zoom and/or coverage.
  - v5.5.8 - Bump qs dep for CVE

package/README.md

@@ -10,6 +10,7 @@ A <a href="https://nodered.org" target="mapinfo">Node-RED</a> node to provide a
 
 ### Updates
 
+- v5.7.0 - Add events for openPopup and closePopup, small popup fixups. Add showdialog command.
 - v5.6.1 - Also call autoswitch on initial connect to ensure map in view.
 - v5.6.0 - Autoswitch pmtiles basemaps based on zoom and/or coverage.
 - v5.5.8 - Bump qs dep for CVE
@@ -404,6 +405,7 @@ Optional properties for **msg.payload.command** include
  - **showmenu** - Show or hide the display of the hamberger menu control in the top right . Values can be "show" or "hide". - `{"command":{"showmenu": "hide"}}`
  - **showlayers** - Show or hide the display of selectable layers. Does not control the display of an individual layer, rather a users ability to interact with them. Values can be "show" or "hide". - `{"command":{"showlayers": "hide"}}`
  - **sidcEdgeIcon** - Show or hide small sidc icons around edge of map for things just outside of view. Values can be true or false (default is true). - `{"command":{"sidcEdgeIcon": false}}`
+  - **showdialog** - Show a dialog style overlay of html to provide information to the user. Send an empty string to close automatically. - `{"command":{"showdialog": "<h1>Title</h1>Hello World"}}`
 
 #### To switch layer, move map and zoom
 
@@ -677,6 +679,9 @@ The **worldmap in** node can be used to receive various events from the map. Exa
 
     { "action": "file", "name": "myfilename", "type":"image/jpeg", "lat":51, "lon":-1, "content":"....."}   // when a file is dropped on the map - see below.
 
+    { "action": "openPopup", "name":"Poptest", "lat":47.59, "lon":18.41, "popped":true } // when a popup is opened
+    { "action":"closePopup", "name":"Poptest", "lat":47.59, "lon":18.41, "popped":false } // when a popup is closed
+
     { "action": "button", "name": "My Fancy Button" } // when a user defined button is clicked
 
     { "action": "feedback", "name": "some name", "value": "some value", "lat":51, "lon":0, "layer":"unknown" } // when a user calls the feedback function - see below

package/node_modules/@turf/bezier-spline/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@turf/bezier-spline",
-  "version": "7.3.4",
+  "version": "7.3.5",
   "description": "Smooths a line into a curve using Bézier splines, great for visualizing routes.",
   "author": "Turf Authors",
   "license": "MIT",
@@ -47,7 +47,6 @@
   "scripts": {
     "bench": "tsx bench.ts",
     "build": "tsup --config ../../tsup.config.ts",
-    "docs": "tsx ../../scripts/generate-readmes.ts",
     "test": "pnpm run /test:.*/",
     "test:tape": "tsx test.ts"
   },
@@ -63,10 +62,10 @@
     "write-json-file": "^6.0.0"
   },
   "dependencies": {
-    "@turf/helpers": "7.3.4",
-    "@turf/invariant": "7.3.4",
+    "@turf/helpers": "7.3.5",
+    "@turf/invariant": "7.3.5",
     "@types/geojson": "^7946.0.10",
     "tslib": "^2.8.1"
   },
-  "gitHead": "a0878648b801443f342aae692c60ab95a1da61a9"
+  "gitHead": "a33ca387405df72847af00cdf689d3209301a2c1"
 }

package/node_modules/@turf/helpers/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@turf/helpers",
-  "version": "7.3.4",
+  "version": "7.3.5",
   "description": "Provides helper functions to create GeoJSON features, like points, lines, or areas on a map.",
   "author": "Turf Authors",
   "contributors": [
@@ -52,7 +52,6 @@
   "scripts": {
     "bench": "tsx bench.ts",
     "build": "tsup --config ../../tsup.config.ts",
-    "docs": "tsx ../../scripts/generate-readmes.ts",
     "test": "pnpm run /test:.*/",
     "test:tape": "tsx test.ts",
     "test:types": "tsc --esModuleInterop --module node16 --moduleResolution node16 --noEmit --strict types.ts"
@@ -70,5 +69,5 @@
     "@types/geojson": "^7946.0.10",
     "tslib": "^2.8.1"
   },
-  "gitHead": "a0878648b801443f342aae692c60ab95a1da61a9"
+  "gitHead": "a33ca387405df72847af00cdf689d3209301a2c1"
 }

package/node_modules/@turf/invariant/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@turf/invariant",
-  "version": "7.3.4",
+  "version": "7.3.5",
   "description": "Lightweight utility for input validation and data extraction in Turf.js. Ensures GeoJSON inputs are in the correct format and extracts specific components like coordinates or geometries.",
   "author": "Turf Authors",
   "contributors": [
@@ -49,7 +49,6 @@
   "scripts": {
     "bench": "tsx bench.ts",
     "build": "tsup --config ../../tsup.config.ts",
-    "docs": "tsx ../../scripts/generate-readmes.ts",
     "test": "pnpm run /test:.*/",
     "test:tape": "tsx test.ts",
     "test:types": "tsc --esModuleInterop --module node16 --moduleResolution node16 --noEmit --strict types.ts"
@@ -64,9 +63,9 @@
     "typescript": "^5.8.3"
   },
   "dependencies": {
-    "@turf/helpers": "7.3.4",
+    "@turf/helpers": "7.3.5",
     "@types/geojson": "^7946.0.10",
     "tslib": "^2.8.1"
   },
-  "gitHead": "a0878648b801443f342aae692c60ab95a1da61a9"
+  "gitHead": "a33ca387405df72847af00cdf689d3209301a2c1"
 }

package/node_modules/body-parser/HISTORY.md

@@ -1,3 +1,9 @@
+1.20.5 / 2026-04-24
+===================
+* refactor(json): simplify strict mode error string construction 
+* fix: extended urlencoded parsing of arrays with >100 elements (#716)
+* deps: qs@~6.15.1
+
 1.20.4 / 2025-12-01
 ===================
 

package/node_modules/body-parser/lib/types/json.js

@@ -158,11 +158,7 @@ function createStrictSyntaxError (str, char) {
   var partial = ''
 
   if (index !== -1) {
-    partial = str.substring(0, index) + JSON_SYNTAX_CHAR
-
-    for (var i = index + 1; i < str.length; i++) {
-      partial += JSON_SYNTAX_CHAR
-    }
+    partial = str.substring(0, index) + new Array(str.length - index + 1).join(JSON_SYNTAX_CHAR)
   }
 
   try {

package/node_modules/body-parser/lib/types/urlencoded.js

@@ -206,16 +206,15 @@ function getCharset (req) {
 
 function parameterCount (body, limit) {
   var count = 0
-  var index = 0
+  var index = -1
 
-  while ((index = body.indexOf('&', index)) !== -1) {
+  do {
     count++
-    index++
-
-    if (count === limit) {
+    if (count > limit) {
       return undefined
     }
-  }
+    index = body.indexOf('&', index + 1)
+  } while (index !== -1)
 
   return count
 }

package/node_modules/body-parser/node_modules/qs/.editorconfig

@@ -0,0 +1,46 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 180
+quote_type = single
+
+[test/*]
+max_line_length = off
+
+[LICENSE.md]
+indent_size = off
+
+[*.md]
+max_line_length = off
+
+[*.json]
+max_line_length = off
+
+[Makefile]
+max_line_length = off
+
+[CHANGELOG.md]
+indent_style = space
+indent_size = 2
+
+[LICENSE]
+indent_size = 2
+max_line_length = off
+
+[coverage/**/*]
+indent_size = off
+indent_style = off
+indent = off
+max_line_length = off
+
+[.nycrc]
+indent_style = tab
+
+[tea.yaml]
+indent_size = 2

package/node_modules/body-parser/node_modules/qs/.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [ljharb]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: npm/qs
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with a single custom sponsorship URL

package/node_modules/body-parser/node_modules/qs/.github/SECURITY.md

@@ -0,0 +1,11 @@
+# Security
+
+Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## Incident Response Plan
+
+Please see our [Incident Response Plan](https://github.com/ljharb/.github/blob/main/INCIDENT_RESPONSE_PLAN.md).
+
+## Threat Model
+
+Please see [THREAT_MODEL.md](./THREAT_MODEL.md).

package/node_modules/body-parser/node_modules/qs/.github/THREAT_MODEL.md

@@ -0,0 +1,78 @@
+## Threat Model for qs (querystring parsing library)
+
+### 1. Library Overview
+
+- **Library Name:** qs
+- **Brief Description:** A JavaScript library for parsing and stringifying URL query strings, supporting nested objects and arrays. It is widely used in Node.js and web applications for processing query parameters[2][6][8].
+- **Key Public APIs/Functions:** `qs.parse()`, `qs.stringify()`
+
+### 2. Define Scope
+
+This threat model focuses on the core parsing and stringifying functionality, specifically the handling of nested objects and arrays, option validation, and cycle management in stringification.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → qs.parse(input, options) → Parsing Engine → Output Object
+                           │
+                           └→ Options Handling
+
+Caller Application → qs.stringify(obj, options) → Stringifying Engine → Output String
+                           │
+                           └→ Options Handling
+                           └→ Cycle Tracking
+```
+
+**Trust Boundaries:**
+- **Input string (parse):** May come from untrusted sources (e.g., user input, network requests)
+- **Input object (stringify):** May contain cycles, which can lead to infinite loops during stringification
+- **Options:** Provided by the caller
+- **Cycle Tracking:** Used only during stringification to detect and handle circular references
+
+### 4. Identify Assets
+
+- **Integrity of parsed output:** Prevent malicious manipulation of the output object structure, especially ensuring builtins/globals are not modified as a result of parse[3][4][8].
+- **Confidentiality of processed data:** Avoid leaking sensitive information through errors or output.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion in the consuming application.
+- **Security of host application:** Prevent the library from being a vector for attacks (e.g., prototype pollution, DoS).
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1].
+
+### 5. Identify Threats
+
+| Component / API / Interaction         | S  | T  | R  | I  | D  | E  |
+|---------------------------------------|----|----|----|----|----|----|
+| Public API Call (`parse`)             | –  | ✓  | –  | ✓  | ✓  | ✓  |
+| Public API Call (`stringify`)         | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                      | ✓  | ✓  | –  | ✓  | –  | ✓  |
+| Dependency Interaction                | –  | –  | –  | –  | ✓  | –  |
+
+**Key Threats:**
+- **Tampering:** Malicious input can, if not prevented, alter parsed output (e.g., prototype pollution via `__proto__`, modification of builtins/globals)[3][4][8].
+- **Information Disclosure:** Error messages may expose internal details or sensitive data.
+- **Denial of Service:** Large or malformed input can exhaust memory or CPU.
+- **Elevation of Privilege:** Prototype pollution can lead to unintended privilege escalation in the host application[3][4][8].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                                 | Proposed Mitigation |
+|---------------------------------------------------|---------------------|
+| Tampering (malicious input, prototype pollution)  | Strict input validation; keep `allowPrototypes: false` by default; use `plainObjects` for output; ensure builtins/globals are never modified by parse[4][8]. |
+| Information Disclosure (error messages)           | Generic error messages without stack traces or internal paths. |
+| Denial of Service (memory/CPU exhaustion)         | Enforce `arrayLimit` and `parameterLimit` with safe defaults; enable `throwOnLimitExceeded`; limit nesting depth[7]. |
+| Elevation of Privilege (prototype pollution)      | Keep `allowPrototypes: false`; validate options against allowlist; use `plainObjects` to avoid prototype pollution[4][8]. |
+
+### 7. Risk Ranking
+
+- **High:** Denial of Service via array parsing or malformed input (historical vulnerability)
+- **Medium:** Prototype pollution via options or input (if `allowPrototypes` enabled)
+- **Low:** Information disclosure in errors
+
+### 8. Next Steps & Review
+
+1. **Audit option validation logic.**
+2. **Add depth limiting to nested parsing and stringification.**
+3. **Implement fuzz testing for parser and stringifier edge cases.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Ensure builtins/globals are never modified as a result of parse.**
+7. **Support round-trip consistency between parse and stringify as a non-security goal, with the right options[5][9].**

package/node_modules/body-parser/node_modules/qs/.nycrc

@@ -0,0 +1,13 @@
+{
+	"all": true,
+	"check-coverage": false,
+	"reporter": ["text-summary", "text", "html", "json"],
+	"lines": 86,
+	"statements": 85.93,
+	"functions": 82.43,
+	"branches": 76.06,
+	"exclude": [
+		"coverage",
+		"dist"
+	]
+}