fix(deps): update dependency parse to v7 [security]#326
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.11.0->7.0.0GitHub Vulnerability Alerts
CVE-2025-62374
Summary
Prototype pollution capabilities on various APIs.
Details
Injection of malicious payload allows attacker to remotely execute arbitrary code.
Parse.Objectand internal APIs are affected, specifically:ParseObject.fromJSONParseObject.pinParseObject.registerSubclassObjectStateMutations(internal)encode/decode(internal)PoC
Demonstrative tests added as part of the fix.
References
Release Notes
parse-community/Parse-SDK-JS (parse)
v7.0.0Compare Source
Bug Fixes
SingleInstanceStateController; fixes security vulnerability GHSA-9g8m-v378-pcg3 (#2745) (9e7c1ba)ParseObject.fetchparameteroptions(#2726) (dc78419)Parse.Objectand internal APIs; fixes security vulnerability GHSA-9f2h-7v79-mxw (#2749) (0097398)Parse.Cloud.runwith option valuenull(#2622) (#2623) (2818ed9)Features
Parse.Fileupload and download progress in browser and Node environments (#2503) (d3ca465)Uint8Arraysupport forParse.Filedata (#2548) (6f6bb66)Parse.nodeLoggingto fully logParse.Objectin Node.js environments (#1594) (de9d057)Parse.serverAuthType,Parse.serverAuthTokeninfavor of CoreManagerREQUEST_HEADERSconfig (#2639) (ddc66a1)Performance Improvements
BREAKING CHANGES
Parse.serverAuthType()andParse.serverAuthToken()have been removed; use the CoreManagerREQUEST_HEADERconfig to set authorization headers instead. (ddc66a1)v6.1.1Compare Source
Bug Fixes
sessionTokenfromParse.Query.aggregate(#2547) (c7015ba)v6.1.0Compare Source
Features
Parse.QueryoptionuseMaintenanceKey(#2484) (2ead3f3)Parse.Objectfield names to begin with underscore_to access internal fields of Parse Server (#2475) (08e43ba)v6.0.0Compare Source
Bug Fixes
Parse.Hooksrequests have double forward slash in URL (#2441) (1fc520c)Parse.Query.findAllnot returning all objects with optionjson: true(#2449) (f160b8c)useMasterKey: falsetoParse.Cloud.run(#2431) (abadac9)errorfrom various methods ofParse.Object(#2445) (52ddaee)Features
Parse.Object(#2265) (2b55bdf)BREAKING CHANGES
Parse.Hooksuse a URL that contains a double forward slash, for examplehttp://localhost/parse//hooks/functions. This release changes the double forward slash to a single forward slash. (1fc520c)errorfromParse.Object.set,Parse.Object.setACL,Parse.Object.unset,Parse.Role.setNameand instead throws on validation error. Previously, if theerroroption was set, the handler was invoked if a validation error occurred onParse.Object.set, and if no handler was set, an error was thrown onParse.Object.save. The new behavior is that an error is thrown atParse.Object.set. For example, instead of usingParse.Object.set(key, value, { error: ... })wrapParse.Object.set(key, value)into atry/catchblock. (52ddaee)v5.3.0Compare Source
Bug Fixes
Parse.Object.getreturns array instead of object if key name is number-like (#2201) (5921ba2)Features
v5.2.0Compare Source
Bug Fixes
LiveQueryClient.resubscribewith Parse Server 7 causes many open connections (#2184) (71b4d17)Parse.Installationnot working when installation is deleted on server (#2126) (22360b4)PushStatusoffset fields (#2194) (e0eb6f0)Features
v5.1.0Compare Source
Bug Fixes
Parse.GeoPoint.currentreturnsundefined(#2127) (3860535)access-control-expose-headerswhen calling Cloud Function (#2095) (7b73c03)Parse.Query.notEqualTois set tonull(#2102) (6afd32a)ParseObject.toJSON()to return incorrect object (#1453) (23cc573)Features
Parse.User.verifyPasswordusing master key and optionignoreEmailVerification: true(#2076) (b0adf7e)Parse.ACLfrom json (#2097) (72bc9ac)Parse.EventuallyQueue(#2106) (f92e4d4)Parse.Installation.currentInstallationto support web push notifications (#2119) (4fc62ce)Parse.CoreManagercontrollers to add support for swappableCryptoController,LocalDatastoreController,StorageController,WebSocketController,ParseLiveQuery(#2100) (fbd0ab1)v5.0.0Compare Source
Bug Fixes
Parse.Object.relation.addmultiple times adds only the first object (#2078) (0f98117)Features
Parse.Query.comment(#2088) (a970913)BREAKING CHANGES
v4.3.1Compare Source
Bug Fixes
Parse.Object.saveEventuallyandParse.Object.destroyEventuallynot handled on customParse.Error.CONNECTION_FAILUREmessage (#2032) (4da3ebc)Cannot find module 'taffydb'(#2036) (dc91d0f)window.indexedDBAPI is available but protected (#2039) (360981f)v4.3.0Compare Source
Bug Fixes
ParseUser.linkWithdoesn't remove anonymous auth data (#2007) (7e2585c)react-nativepath does not work for workspace builds (#1930) (8222f3c)Features
Parse.Schema(#2001) (343d0d7)ParseUser.logIn(#2010) (2446007)ParseQuery.findAll(#2000) (012ba4c)installationIdviaParse.Cloud.run(#1939) (eb70b93)Parse.Errormessage with custom message via new Core Manager optionPARSE_ERRORS(#2014) (be0c8a6)ParseUser.logInWithAdditionalAuth(#1955) (2bad411)v4.2.0Compare Source
Bug Fixes
Parse.File.cancelstarts new attempt to save file (#1781) (b755e42)Features
Parse.User.loginAs(#1875) (381fcfc)ParseQuery.watchto trigger LiveQuery only on update of specific fields (#1839) (7479343)v4.1.0Compare Source
Bug Fixes
LiveQuerySubscription.unsubscriberesolves promise before unsubscribing completes (#1727) (1c96205)Parse.Objectwith an unsavedParse.Filefails (#1662) (16535a4)Features
LiveQueryClient.closereturns promise when WebSocket closes (#1735) (979d660)package-lock.jsonto version 2 (#1729) (e993786)v4.0.1Compare Source
Bug Fixes
containedInnot working when field is an array (#1666) (2391bff)Parse.Object.extend(#1682) (f555c43)v4.0.0Compare Source
Bug Fixes
Parse.Query.subscribe()does not return a rejected promise on error in Cloud Code TriggersbeforeConnectorbeforeSubscribe(#1490) (96d7174)Features
Performance Improvements
BREAKING CHANGES
Parse.Query.subscribe()will now return a rejected promise if an error is thrown in Cloud Code TriggersbeforeConnectorbeforeSubscribe; in previous releases a resolved promise was returned, even if subscribing failed and it was necessary to create anerror.onlistener to handle these errors (#1490) (96d7174)v3.5.1Compare Source
Bug Fixes
v3.5.0Compare Source
Warning
Bug Fixes
Parse.User.signUp()does not pass context to Cloud Code (#1527) (53edcfd)Schema.addFielddoes not correctly add value of typeDate(#1544) (15111f7)indexedDB(#1569) (3560a5e)Features
jsonoption toParse.Query.each()(#1539) (89fd5ec)Parse.Object.objectIdautomatically whenallowCustomObjectIdis enabled and noobjectIdis passed (#1540) (68f3ff5)v3.4.4Compare Source
Bug Fixes
ParseQuery.selectoverrides properties (#1488) (b80eee4)v3.4.3Compare Source
Bug Fixes
Parse.Filewith base64 string fails for some file types (#1467) (c07d6c9)Parse.Rolethrows incorrect error (#1481) (8326a6f)v3.4.2Compare Source
Bug Fixes
v3.4.1Compare Source
Bug Fixes
v3.4.0Compare Source
Bug Fixes
Features
v3.3.1Compare Source
3.3.1
Full Changelog
Fixes
v3.3.0Compare Source
Improvements
Fixes
v3.2.0Compare Source
Breaking Changes
See https://community.parseplatform.org/t/anonymous-user-destroyed-on-logout/1425
Improvements
Parse.Object.registerSubclass(#1315)Fixes
v3.1.0Compare Source
Breaking Changes
Parse.Push.sendwill now return the pushStatusId instead of{ result: true }Features
Parse.getServerHealth()(#1307)Parse.allowCustomObjectId = true(#1309)Parse.Push.sendnow returns pushStatusId (#1302)Parse.Push.getPushStatus(#1302)Improvements
query.startsWith(#1306)query.endsWith(#1306)Fixes
/healthendpoint, caused 403 forbidden side effect (#1305)v3.0.0Compare Source
Breaking Changes
For security purposes, logIn will default to
POSTinstead ofGETmethod. (#1284)If you need to use
GETset theusePostoption to false.Parse.User.logIn('username', 'password', { usePost: false })Features
{ json: true }on queries (#1294)Improvements
Fixes
Date(#1293)v2.19.0Compare Source
Features
Improvements
Fixes
v2.18.0Compare Source
Features
Improvements
Fixes
v2.17.0Compare Source
Improvements
v2.16.0Compare Source
Idempotency enforcement for client requests. This deduplicates requests where the client intends to send one request to Parse Server but due to network issues the server receives the request multiple times.
(Parse-Server 4.3.0+)
Caution, this is an experimental feature that may not be appropriate for production.
To enable use either of the following:
Parse.CoreManager.set('IDEMPOTENCY', true)Parse.idempotency = trueFeatures
Improvements
Fixes
v2.15.0Compare Source
Features
Fixes
v2.14.0Compare Source
New Features
Improvements
Fixes
v2.13.0Compare Source
New Features
Improvements
Fixes
v2.12.0Compare Source
New Features
Improvements
Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.