github windkh/node-red-contrib-telegrambot V17.3.1


V17.3.1 — env.get string-split fix + tough-cookie override

  • Partial fix for #432: getUserNames / getChatIds now split {env.get("X")} / {flow.get("X")} / {global.get("X")} string results on commas, so a process env var like CHATIDS="123,456" now resolves to [123, 456] instead of the raw string. The token half of #432 remains a Node-RED credential-stripping behaviour and is addressed in the issue thread.
  • Dependency: tough-cookie pinned to ^4.1.3 via an npm overrides entry to clear GHSA-72xf-g2v4-qvf3 (prototype pollution). The vulnerable copy comes in transitively via legacy request@2.88.2, which is pinned by the chain node-telegram-bot-api -> @cypress/request-promise -> request-promise-core's peer dependency on request@^2.34. Dependabot could not auto-resolve this without an explicit override.

Cumulative since V17.1.3

V17.2.0 and V17.3.0 were committed but never tagged; this release ships everything in master since V17.1.3. Highlights:

Security

  • Removed eval() from the token / usernames / chatids configuration fields (V17.2.0). Expressions are now parsed safely; only the documented flow.get / global.get / context.get / context.flow.get / context.global.get / env.get / .keys() forms are accepted.
  • Bot token no longer leaked in the duplicate-token abort, the polling 401 hint, the polling_error verbose util.inspect dump, or the webhook setup error path (V17.3.0).
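Added example (not the project's own code) of the eval-free resolver pattern the two notes above describe: only the documented `{<store>.get("X")}` / `{<store>.keys()}` shapes are accepted, anything else inside the braces is rejected before it could reach an evaluator, and string results are comma-split as in the #432 fix. The store objects, sample values and the treatment of plain literals are assumptions made for illustration.

```javascript
// Added example, not code from node-red-contrib-telegrambot. Resolves the
// documented {flow.get("X")} / {global.get("X")} / {env.get("X")} /
// {context.get("X")} / {context.flow.get("X")} / {context.global.get("X")}
// forms (and their .keys() variants) without eval(), then splits string
// results on commas so CHATIDS="123,456" becomes [123, 456].

// Only the documented shapes match. Arithmetic, extra calls or property
// walks inside the braces fail the regex and are refused (fail closed).
const FORM =
  /^\{\s*(context(?:\.flow|\.global)?|flow|global|env)\.(?:(get)\(\s*(["'])([^"'\\]*)\3\s*\)|(keys)\(\s*\))\s*\}$/;

// Constructed stand-in for Node-RED's context objects (get / keys only).
function makeStore(values) {
  return { get: (k) => values[k], keys: () => Object.keys(values) };
}

// "123,456" -> [123, 456]; non-string results (arrays, numbers) pass through.
function splitList(value) {
  if (typeof value !== 'string') return value;
  return value
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => (/^-?\d+$/.test(s) ? Number(s) : s));
}

// ctx = { context, flow, global, env } stores. Returns the resolved value.
function resolveField(field, ctx) {
  const text = String(field).trim();
  if (!text.startsWith('{')) return splitList(text); // plain literal (assumed split too)
  const m = FORM.exec(text);
  if (!m) throw new Error(`unsupported expression: ${text}`);
  const store = ctx[m[1].replace(/^context\./, '')]; // "context.flow" -> ctx.flow
  if (!store) throw new Error(`unknown store: ${m[1]}`);
  const value = m[2] === 'get' ? store.get(m[4]) : store.keys();
  return splitList(value);
}

// Constructed sample context mirroring the #432 report.
const sampleCtx = {
  context: makeStore({}),
  flow: makeStore({ admins: ['alice', 'bob'] }),
  global: makeStore({ ids: '7,8' }),
  env: makeStore({ CHATIDS: '123,456' }),
};
```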

Reliability

  • Long-message chunked sends are now serialised through a single promise chain — the previous code dispatched every chunk in parallel and called nodeDone() / processNext() once per chunk, corrupting the per-chat queue.
  • Audio send routed through processResult so the queue advances and messagesProcessed updates.
  • downloadFile gets a 60s hard timeout so a stalled CDN stream cannot leak the captured nodeDone.
  • Queue manager survives synchronous throws (drain head + deferred advance via setImmediate).
  • Reply node removes its onReplyToMessage listeners on close and always calls nodeDone.
  • Receiver / event / command nodes track their own listener references — bot.off(name) without a handler used to remove every listener for the event (eventemitter3 behaviour), so stopping one node deafened the rest.
  • Control restart no longer double-sends; pending restart timeout is cancellable on close.
  • abortBot awaits deleteWebHook before closeWebHook; uses stopPolling({cancel:true}) instead of reaching into _polling._lastRequest; restartPolling dropped its delete + null poke on _polling.
  • start() handles the never-started case so a control "start" on a fresh deploy actually creates the bot.
  • Webhook setWebHook success now broadcasts the started status so receiver / event / command nodes attach.

Converter

  • new_chat_members user field now comes from the array (singular field has been gone from Telegram for years).
  • refunded_payment, paid_media, gift subtypes are now emitted.
  • Empty / missing photo arrays no longer crash the converter.

Engines

  • Bumped engines.node from >=12.0.0 to >=14.0.0 to match socks-proxy-agent@8 (V17.2.0).

Internal

  • Stale upstream-patch notes refreshed against node-telegram-bot-api@0.66.0; obsolete NTBA_FIX_319 removed.
  • safeStringify lifted into lib/safe-stringify.js and reused by event-node (which previously called raw JSON.stringify and could throw on circular msg payloads).

Full per-commit detail is in CHANGELOG.md.

Open follow-ups

  • Polling-restart timer-stacking on rapid polling_error bursts (#442).
  • SOCKS-proxy agent recovery on prolonged proxy interruption (#440).
  • out-node default case allows method invocation via msg.payload.type — restrict to an allowlist if external input can reach this field.
  • Other Dependabot advisories (@cypress/request, request, qs, ip, brace-expansion, ...) all trace back to node-telegram-bot-api still using the deprecated request stack.

Thanks to @gtalusan for PRs #435 and #439.
