{"name": "FilterMate", "package_name": "filter_mate", "version": "4.7.1", "experimental": false, "qgis_min": "3.22.0", "qgis_max": "4.99.0", "downloads": 433, "uploaded_by": "imagodata", "upload_datetime": "2026-04-29T09:41:00.490354", "changelog": "v4.7.1 (2026-04-29): Hardening + audit follow-through release. Export \u2014 V3 API migration, streaming CRS plumbing, SHP pre-flight checks, normcase UI paths, GPKG bypass of qgis:package on path-detect, CSV WKT injection guard, SpatiaLite extension fixes, ZIP path-traversal leak (CRITICAL), batch collision detection, validator drivers list, GPKG path detection \u2014 12 fixes total + 24 tests. SpatiaLite cascade \u2014 drop GeomFromGPB wrap (use ST_* prefix), preserve ST_* spatial predicates in sanitizer (was wiping standalone calls), fix SQLite lock + OGR queue routing, route apply_filter through subset queue for Qt thread safety, restore SpatialitePersistentCache f-string interpolation (silent cache no-op for 100+ days). Sanitizer \u2014 preserve EXISTS(...)/NOT(...)/ST_* predicates (3 cascade no-op regressions fixed), collapse whitespace runs before top-level marker scan. REST API \u2014 refuse insecure default api_key (S1), warn on plaintext JSON load (S4 hardening), hash-at-rest for api_key, 503 when favorites service unavailable, no input echo, 1 MiB body cap, marshall qgis_accessor mutations to Qt main thread (P0-B). Security \u2014 defense-in-depth PostgreSQL SQL guards (S2), reject non-http(s) URLs in PortableGit downloader (B310), refuse PortableGit install without SHA-256 digest (S6), favorites-sharing legacy auth header tripwire (EXT6). Favorites deep audit (2026-04-29, 37 findings) \u2014 FavoritesSpatialHandler extraction (5 stages, ~927 LOC), FavoritesError exception family (FavoritesNotInitialized + FavoritePersistenceError), FavoritesExtensionBridge + FavoritesMenuBuilder + FavoriteImportHandler + LayerSignature, drop dead second FavoritesService instance (XCUT-1), drop bridge fallback paths in dialog (XCUT-2), pin DockwidgetSurface Protocol (XCUT-3), drop dead-defensive hasattr guards (CORE-1a), rename _favorites_manager \u2192 _favorites_service (CORE-1b), route global INSERTs through add_favorite (CORE-2), drop orphan Service methods + dead signals (CORE-3), drop orphan load/reload + count/get_by_id aliases (CORE-4/6), drop unused TABLE_FAVORITES/TABLE_PROJECTS constants (CORE-8), drop orphan ensure_global_project_exists (CORE-11), drop spatial-handler delegations from controller (UI-5), plug favoriteApplied signal leak (UI-6), pin BuilderContext Protocol for menu builder (UI-8), factor migration_service bootstrap (UI-9), drop _show_global_favorites_dialog placeholder (UI-13), extract SharedFavoritesQuery + FavoritesForkService + BundlePublisher + publish_model helpers (EXT-1/EXT-2 stages 1-4), factor worker close lifecycle (EXT-7), validator version-tolerance contract test (EXT-9). Domain \u2014 wire IFeedback adapter to remove iface from core (A1), drop QgsProject.instance() fallback in LayerSignatureIndex (A2), merge filter_parameter_builder + layer_filter_builder (A3 paire 4). Auto-zoom \u2014 zoom on filtered layers union after filter or favorite, subset-change token blocks stale post-task zoom. QFieldCloud \u2014 park orphan PushWorker on terminate timeout (C1). UI \u2014 favorites manager dialog leak fix, refresh() preserves active search and scope filters, F11 feedback policy alignment (4 rules, 5 callsites), shared QSS + icon registry. Config \u2014 refresh schema-owned metadata on existing keys, mutate-in-place CONFIG_DATA, preserve EXTENSIONS panel label across migrations. Tests \u2014 1493 \u2705 (+200 since v4.7.0): T1 FavoritesSpatialHandler.restore_spatial_config, T2 auto-zoom helpers + e2e flows, T3 HistoryService + LayerHistory wrapper, FCB-TESTS 10 edge cases for filter_config_builder. v4.7.0 (2026-04-27): Favorites sharing \u2014 git-backed publish to remote repos with authcfg credentials (QgsAuthManager), repo manager dialog, quick 1-click publish, picker disambiguation when (name, author) collide, optional Resource Sharing extension, JSON Schema v3, per-user scope + profile-dir local_clone. REST API (filtermate_api) \u2014 GET /layers, POST /filters/apply, /filters/status, /undo, /redo, /favorites with X-API-Key auth middleware. QFieldCloud \u2014 harden PushWorker teardown (disconnect before terminate), fix signal leaks + broken menu removal on unload, gate favorites-sharing activation on resource_sharing plugin. Performance \u2014 stream feature IDs instead of materializing full list, cache parsed QgsExpression in evaluation task, collapse double getFeatures() in buffer simplification, limit QgsProperty buffer-distance fetch to first feature. Audit hardening \u2014 path traversal + argv injection guards, M2 sanitizer + M7 git stderr scrubbing, single HistoryService consolidation, deprecation registry adoption, PostgreSQL QgsDataSourceUri table parsing. Favorites deep audit (2026-04-23) \u2014 CRIT/HIGH/MED/LOW regressions, v3 round-trip, capture geometric predicates from live widgets, propagate predicates to combobox + canonical PROJECT_LAYERS keys, sanitize at setSubsetString chokepoint, strip stale COALESCE display expressions from subset chain, exact filtered feature_count + refresh on apply. UI fixes \u2014 exploring sidebar visibility + HIDPI profile + QSS cascade cleanup, custom selection layout, harmonize SINGLE/MULTIPLE groupbox display with CUSTOM, restore groupbox mode on apply. Filter \u2014 use pointOnSurface instead of centroid for spatial filtering. Export \u2014 sidecar style naming, LIBKML groups, case-preserved OGR drivers. i18n \u2014 full 34-locale coverage for favorites-sharing + datasource manager. v4.6.6 (2026-04-08): Security fixes \u2014 use defusedxml for XML parsing in GPKG/KML exporters, replace insecure tempfile.mktemp with mkstemp in F5-TTS narrator. v4.6.5 (2026-04-08): Config tree restructure with live save and auto-migration from flat to tree format. Fix live language switching: resolve NameError, stale reentrant guard, spurious currentIndexChanged on editor open, use item's own model for setModelData. Defer language retranslate to next event loop tick. Add 79 missing translations + QFieldCloud i18n + cleanup obsolete entries. v4.6.3 (2026-04-07): i18n expanded from 22 to 34 languages (+Korean, Japanese, Arabic, Thai, Ukrainian, Czech, Romanian, Greek, Hungarian, Bulgarian, Malay, Catalan). Fix live language switching: full UI retranslation (retranslateUi + dynamic tooltips + indicators). Handle QEvent.LanguageChange for QGIS locale changes. v4.6.2 (2026-03-17): Feature picker fixes: debounce with FID storage, refresh on display field change, next/prev browser buttons initialization, always-enabled identify/zoom buttons. v4.6.1 (2026-03-09): QGIS 4 / Qt6 compatibility. Edit mode popup before filter/unfilter operations. i18n 22 languages at 100%. Config harmonization with single source of truth. v4.6.0 (2026-02-18): GPKG export now embeds a full QGIS project preserving layer group hierarchy, styles and CRS. Fix action buttons not disabled when switching to exporting tab. v4.5.3 (2026-02-18): Fix GPKG export crash caused by GUI calls from background thread. v4.5.2 (2026-02-12): Fix square key buttons sizing, exploring sidebar layout alignment. v4.5.1 (2026-02-11): Website launch, org migration, 600 tests, quality score 9.0/10.", "external_deps": "", "download_url": "https://plugins.qgis.org/plugins/filter_mate/version/4.7.1/download/"}