chore: merge dev into main

.github/workflows/prepare_dev_for_next_release.yml

@@ -1,9 +1,9 @@
 name: Prepare dev branch for next release
 
 on:
-  push:
-    tags:
-      - 'v*'
+  workflow_run:
+    workflows: ['Release Package']
+    types: [completed]
 
 permissions:
   contents: write
@@ -12,7 +12,7 @@ jobs:
   update-pods:
     name: Update Podfile.lock after release
     runs-on: macos-latest
-    if: ${{ !contains(github.ref_name, '-') }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' && startsWith(github.event.workflow_run.head_commit.message, 'release:') }}
     env:
       XCODE_VERSION: latest-stable
 
@@ -50,7 +50,6 @@ jobs:
     name: Merge main into dev
     runs-on: ubuntu-latest
     needs: update-pods
-    if: ${{ !contains(github.ref_name, '-') }}
     steps:
       - name: Checkout
         uses: actions/checkout@v5.0.0

.github/workflows/validate_pr_source.yml

@@ -6,20 +6,26 @@ on:
     types: [opened, reopened, synchronize]
 
 permissions:
-  pull-requests: write
   contents: read
+  pull-requests: write
+  issues: write
 
 jobs:
-  close:
-    if: ${{ github.event.pull_request.head.ref != 'dev' }}
+  validate-pr-source:
+    if: ${{ github.event.pull_request.head.ref != 'dev' || github.event.pull_request.head.repo.full_name != github.repository }}
     runs-on: ubuntu-latest
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - name: Close PR
+      - name: Comment and close PR
         run: |
-          echo "Closing PR from invalid source branch: ${{ github.event.pull_request.head.ref }}"
+          HEAD_REF="${{ github.event.pull_request.head.ref }}"
+          HEAD_REPO="${{ github.event.pull_request.head.repo.full_name }}"
+          PR_NUMBER="${{ github.event.pull_request.number }}"
+
+          echo "Closing PR #$PR_NUMBER from invalid source: $HEAD_REPO / $HEAD_REF"
+
+          gh pr comment "$PR_NUMBER" \
+            --body "This PR targets **main**, but only PRs from **dev** in this repository are allowed. Detected source: **$HEAD_REPO:$HEAD_REF**."
 
-          gh pr comment ${{ github.event.pull_request.number }} \
-            --body "This PR targets **main**, but it was created from **${{ github.event.pull_request.head.ref }}**. Only PRs from **dev** are allowed."
-          gh pr close ${{ github.event.pull_request.number }}
+          gh pr close "$PR_NUMBER"

.gitignore

@@ -92,6 +92,8 @@ example/android/secrets.properties
 # Kotlin
 android/.kotlin/
 android/.kotlinc/
+example/android/.kotlin/
+example/android/.kotlinc/
 
 tsconfig.tsbuildinfo
 expoConfig/build

.yarnrc.yml

@@ -1,10 +1,10 @@
-nodeLinker: node-modules
+compressionLevel: mixed
+
+enableGlobalCache: false
+
 nmHoistingLimits: workspaces
 
-plugins:
-  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
-    spec: '@yarnpkg/plugin-interactive-tools'
-  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
-    spec: '@yarnpkg/plugin-workspace-tools'
+nodeLinker: node-modules
+npmMinimalAgeGate: 2880 # 2 days in minutes
 
-yarnPath: .yarn/releases/yarn-3.6.1.cjs
+yarnPath: .yarn/releases/yarn-4.10.3.cjs

RNGoogleMapsPlus.podspec

@@ -24,7 +24,7 @@ Pod::Spec.new do |s|
   s.dependency 'React-jsi'
   s.dependency 'React-callinvoker'
 
-  s.dependency 'GoogleMaps', '10.10.0'
+  s.dependency 'GoogleMaps', '10.12.0'
   s.dependency 'Google-Maps-iOS-Utils', '7.0.0'
   s.dependency 'SVGKit', '3.0.0'
 

SECURITY.md

@@ -0,0 +1,49 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are provided for the latest released version of this package. Older versions are unlikely to receive fixes, so please upgrade first before reporting — unless the issue only affects an older release.
+
+## Reporting a Vulnerability
+
+Please don't report security issues through public GitHub issues, discussions, pull requests, Reddit, or anywhere else public.
+
+Use GitHub's private vulnerability reporting feature instead. If that's not available, reach out to the maintainer directly through the repository contact details.
+
+## What to Include
+
+The more detail you can provide, the better:
+
+- affected package version
+- platform and environment
+  - React Native version
+  - Android and/or iOS version
+  - device or simulator
+- a clear description of the issue
+- steps to reproduce
+- proof of concept or sample project if you have one
+- your assessment of the impact
+- whether the issue requires special configuration, permissions, or malformed input
+
+## Scope
+
+This covers vulnerabilities in the package itself:
+
+- JavaScript or TypeScript source
+- Android native code
+- iOS native code
+- example or demo code, if it poses a realistic risk
+
+A few things worth noting:
+
+- a Google Maps API key leaking from your app is almost always an integration issue on the app side, not a bug in this package
+- misconfigurations or insecure usage in downstream apps are generally out of scope, unless the package actively makes that misuse easy or unsafe by default
+- if the issue is in a third-party dependency, it may need to be reported upstream too
+
+## Disclosure
+
+Once a report comes in, I'll review it, figure out the impact, and work on a fix if needed. Please hold off on going public until a fix is out and people have had time to update.
+
+## Security Updates
+
+Fixes ship as a new package version and get noted in the releases or changelog.

android/src/main/java/com/rngooglemapsplus/GoogleMapsViewImpl.kt

@@ -10,6 +10,7 @@ import android.content.res.Configuration
 import android.graphics.Bitmap
 import android.location.Location
 import android.util.Size
+import android.view.MotionEvent
 import android.view.View
 import android.widget.FrameLayout
 import androidx.lifecycle.Lifecycle
@@ -106,6 +107,7 @@ class GoogleMapsViewImpl(
   private val kmlLayersById = mutableMapOf<String, KmlLayer>()
   private val urlTileOverlaysById = mutableMapOf<String, TileOverlay>()
 
+  private var parentTouchInterceptDisallowed = false
   private var cameraMoveReason = -1
 
   val componentCallbacks =
@@ -123,6 +125,54 @@ class GoogleMapsViewImpl(
       }
     }
 
+  private fun setParentTouchInterceptDisallowed(blocked: Boolean) {
+    if (parentTouchInterceptDisallowed == blocked) return
+    parentTouchInterceptDisallowed = blocked
+    var p = parent
+    while (p != null) {
+      p.requestDisallowInterceptTouchEvent(blocked)
+      p = p.parent
+    }
+  }
+
+  override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
+    if (googleMapsOptions.liteMode == true) return super.dispatchTouchEvent(ev)
+
+    val panEnabled = uiSettings?.scrollEnabled == true
+    val zoomEnabled = uiSettings?.zoomGesturesEnabled == true
+    val rotateEnabled = uiSettings?.rotateEnabled == true
+    val tiltEnabled = uiSettings?.tiltEnabled == true
+
+    val multiTouchEnabled = zoomEnabled || rotateEnabled || tiltEnabled
+    val anyMapGestureEnabled = panEnabled || multiTouchEnabled
+    if (!anyMapGestureEnabled) return super.dispatchTouchEvent(ev)
+
+    when (ev.actionMasked) {
+      MotionEvent.ACTION_DOWN,
+      MotionEvent.ACTION_MOVE,
+      MotionEvent.ACTION_POINTER_DOWN,
+      -> {
+        val pointers = ev.pointerCount
+        val shouldBlockParent = pointers >= (if (panEnabled) 1 else 2)
+        setParentTouchInterceptDisallowed(shouldBlockParent)
+      }
+
+      MotionEvent.ACTION_POINTER_UP -> {
+        val pointers = ev.pointerCount - 1
+        val shouldBlockParent = pointers >= (if (panEnabled) 1 else 2)
+        setParentTouchInterceptDisallowed(shouldBlockParent)
+      }
+
+      MotionEvent.ACTION_UP,
+      MotionEvent.ACTION_CANCEL,
+      -> {
+        setParentTouchInterceptDisallowed(false)
+      }
+    }
+
+    return super.dispatchTouchEvent(ev)
+  }
+
   init {
     MapsInitializer.initialize(reactContext)
     reactContext.registerComponentCallbacks(componentCallbacks)
@@ -876,6 +926,7 @@ class GoogleMapsViewImpl(
   }
 
   override fun onDetachedFromWindow() {
+    setParentTouchInterceptDisallowed(false)
     lifecycleObserver?.let { lifecycle?.removeObserver(it) }
     lifecycle = null
     super.onDetachedFromWindow()

android/src/main/java/com/rngooglemapsplus/RNGoogleMapsPlusView.kt

@@ -451,7 +451,7 @@ class RNGoogleMapsPlusView(
     val current = view.currentCamera
     view.setCamera(
       camera.toCameraPosition(current),
-      animated == true,
+      animated ?: false,
       durationMs?.toInt() ?: 3000,
     )
   }
@@ -465,7 +465,7 @@ class RNGoogleMapsPlusView(
     view.setCameraToCoordinates(
       coordinates,
       padding = padding ?: RNMapPadding(0.0, 0.0, 0.0, 0.0),
-      animated == true,
+      animated ?: false,
       durationMs?.toInt() ?: 3000,
     )
   }

example/Gemfile.lock

@@ -14,15 +14,15 @@ GEM
       minitest (>= 5.1, < 6)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
-    addressable (2.8.9)
+    addressable (2.9.0)
       public_suffix (>= 2.0.2, < 8.0)
     algoliasearch (1.27.5)
       httpclient (~> 2.8, >= 2.8.3)
       json (>= 1.5.1)
     atomos (0.1.3)
     base64 (0.3.0)
     benchmark (0.5.0)
-    bigdecimal (4.1.0)
+    bigdecimal (4.1.1)
     claide (1.1.0)
     cocoapods (1.15.2)
       addressable (~> 2.8)
@@ -121,12 +121,12 @@ DEPENDENCIES
 CHECKSUMS
   CFPropertyList (3.0.8) sha256=2c99d0d980536d3d7ab252f7bd59ac8be50fbdd1ff487c98c949bb66bb114261
   activesupport (7.2.3.1) sha256=11ebed516a43a0bb47346227a35ebae4d9427465a7c9eb197a03d5c8d283cb34
-  addressable (2.8.9) sha256=cc154fcbe689711808a43601dee7b980238ce54368d23e127421753e46895485
+  addressable (2.9.0) sha256=7fdf6ac3660f7f4e867a0838be3f6cf722ace541dd97767fa42bc6cfa980c7af
   algoliasearch (1.27.5) sha256=26c1cddf3c2ec4bd60c148389e42702c98fdac862881dc6b07a4c0b89ffec853
   atomos (0.1.3) sha256=7d43b22f2454a36bace5532d30785b06de3711399cb1c6bf932573eda536789f
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
-  bigdecimal (4.1.0) sha256=6dc07767aa3dc456ccd48e7ae70a07b474e9afd7c5bc576f80bd6da5c8dd6cae
+  bigdecimal (4.1.1) sha256=1c09efab961da45203c8316b0cdaec0ff391dfadb952dd459584b63ebf8054ca
   claide (1.1.0) sha256=6d3c5c089dde904d96aa30e73306d0d4bd444b1accb9b3125ce14a3c0183f82e
   cocoapods (1.15.2) sha256=f0f5153de8d028d133b96f423e04f37fb97a1da0d11dda581a9f46c0cba4090a
   cocoapods-core (1.15.2) sha256=322650d97fe1ad4c0831a09669764b888bd91c6d79d0f6bb07281a17667a2136

example/android/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.0.0-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.3.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME