Merge branch 'main' into proj4leaflet

Author: na9da

CHANGES.md

@@ -1,5 +1,20 @@
 # Change Log
 
+#### 0.4.4
+
+**2025-12-04**
+
+- **Security fixes**
+
+  - Fixed a security bug in `/proxy` endpoint that allowed requests to a variation of domains in the `allowProxyFor` list. If `example.com` is in `allowProxyFor` setting, this allowed requests to a domain with a different prefix, like `badexample.com` to pass through. [#212](https://github.com/TerriaJS/terriajs-server/pull/212)
+
+- **Deprecations**
+
+  - Deprecates most of the proxy domains in the [default serverconfig.json](https://github.com/TerriaJS/TerriaMap/blob/d126a10a0625926762351b1b44b918fb03737836/serverconfig.json#L7-L25) file. These will be removed in a future release, so please add them through a [custom serverconfig.json](https://docs.terria.io/guide/getting-started/#customizing-terriamap) if you rely on terria proxying to any of these servers.
+
+- Upgrades TerriaJS to
+  [8.11.1](https://github.com/TerriaJS/terriajs/blob/main/CHANGES.md#8111---2025-12-04)
+
 #### 0.4.3
 
 **2025-10-09**

package.json

@@ -13,7 +13,7 @@
     ]
   },
   "name": "terriajs-map",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "description": "Geospatial catalog explorer based on TerriaJS.",
   "license": "Apache-2.0",
   "engines": {
@@ -24,8 +24,8 @@
     "url": "http://github.com/TerriaJS/TerriaMap"
   },
   "dependencies": {
-    "terriajs-plugin-proj4leaflet": "^0.0.1-alpha.6",
-    "terriajs-server": "^4.0.2"
+    "terriajs-plugin-proj4leaflet": "^0.0.2",
+    "terriajs-server": "^4.0.3"
   },
   "config": {
     "docker": {
@@ -72,8 +72,8 @@
     "sass": "^1.81.0",
     "sass-loader": "^16.0.3",
     "style-loader": "^4.0.0",
-    "terriajs": "8.11.0",
-    "terriajs-cesium": "21.0.0",
+    "terriajs": "8.11.1",
+    "terriajs-cesium": "21.0.1",
     "svg-sprite": "^2.0.4",
     "terriajs-plugin-api": "0.0.1-alpha.17",
     "terriajs-plugin-sample": "0.0.1-alpha.7",

serverconfig.json

@@ -2,6 +2,9 @@
   "port": 3001,
 
   "allowProxyFor": [
+    "githubusercontent.com",
+
+    // NOTE: The following default entries are deprecated and will be removed in a future release. If you rely ony terria proxying to any of these servers, please add them through a custom serverconfig.json. See https://docs.terria.io/guide/getting-started/#customizing-terriamap
     "nicta.com.au",
     "gov.au",
     "csiro.au",
@@ -16,7 +19,6 @@
     "geoserver.imos.org.au",
     "nci.org.au",
     "static.nationalmap.nicta.com.au",
-    "githubusercontent.com",
     "gov",
     "gov.uk",
     "gov.nz",