Merge branch 'parse-community:master' into master

Author: sadortun

.github/ISSUE_TEMPLATE/---1-report-an-issue.md

@@ -9,9 +9,9 @@ assignees: ''
 
 ### New Issue Checklist
 <!--
-    Please check the following boxes [x] before submitting your issue.
+    Check every following box [x] before submitting your issue.
     Click the "Preview" tab for better readability.
-    Thanks for contributing to Parse Server!
+    Thanks for contributing to Parse Platform!
 -->
 
 - [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
@@ -30,18 +30,7 @@ assignees: ''
 
 ### Expected Outcome
 <!-- What outcome, for example query result, did you expect? -->
-
-### Failing Test Case / Pull Request
-<!--
-    Check one of the following boxes [x] if you added a PR and add the link.
-    See the contribution guide for how add a test cases:
-    https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md
--->
-
-- [ ] 🤩 I submitted a PR with a fix and a test case.
-- [ ] 🧐 I submitted a PR with a failing test case.
-
-###  Environment
+### Environment
 <!-- Be specific with versions, don't use "latest" or semver ranges like "~x.y.z" or "^x.y.z". -->
 
 Server

.github/ISSUE_TEMPLATE/---2-feature-request.md

@@ -9,9 +9,9 @@ assignees: ''
 
 ### New Feature / Enhancement Checklist
 <!--
-    Please check the following boxes [x] before submitting your issue.
+    Check every following box [x] before submitting your issue.
     Click the "Preview" tab for better readability.
-    Thanks for contributing to Parse Server!
+    Thanks for contributing to Parse Platform!
 -->
 
 - [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
@@ -31,4 +31,4 @@ assignees: ''
 <!-- Which alternatives or workarounds exist currently? -->
 
 ### 3rd Party References
-<!-- Have you seen a similar functionality provided somewhere else? -->
+<!-- Have you seen a similar functionality provided somewhere else? -->

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
     branches:
       - '**'
 env:
-  NODE_VERSION: 14.17.5
+  NODE_VERSION: 14.17.6
   PARSE_SERVER_TEST_TIMEOUT: 20000
 jobs:
   check-ci:
@@ -31,6 +31,13 @@ jobs:
         run: npm ci
       - name: CI Self-Check
         run: npm run ci:check
+  check-changelog:
+    name: Changelog
+    timeout-minutes: 5
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - uses: dangoslen/changelog-enforcer@v2
   check-lint:
      name: Lint
      timeout-minutes: 15
@@ -97,38 +104,38 @@ jobs:
             MONGODB_VERSION: 5.0.2
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: MongoDB 4.4, ReplicaSet, WiredTiger
             MONGODB_VERSION: 4.4.8
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: MongoDB 4.2, ReplicaSet, WiredTiger
             MONGODB_VERSION: 4.2.15
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: MongoDB 4.0, ReplicaSet, WiredTiger
             MONGODB_VERSION: 4.0.25
             MONGODB_TOPOLOGY: replicaset
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: MongoDB 4.0, Standalone, MMAPv1
             MONGODB_VERSION: 4.0.25
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: mmapv1
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: Redis Cache
             PARSE_SERVER_TEST_CACHE: redis
             MONGODB_VERSION: 4.4.8
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: Node 12
             MONGODB_VERSION: 4.4.8
             MONGODB_TOPOLOGY: standalone
             MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 12.22.5
+            NODE_VERSION: 12.22.6
           - name: Node 15
             MONGODB_VERSION: 4.4.8
             MONGODB_TOPOLOGY: standalone
@@ -175,16 +182,16 @@ jobs:
         include:
           - name: PostgreSQL 11, PostGIS 3.0
             POSTGRES_IMAGE: postgis/postgis:11-3.0
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: PostgreSQL 11, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:11-3.1
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: PostgreSQL 12, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:12-3.1
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
           - name: PostgreSQL 13, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:13-3.1
-            NODE_VERSION: 14.17.5
+            NODE_VERSION: 14.17.6
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15

.github/workflows/issue-bot.yml

@@ -0,0 +1,12 @@
+name: Issue Bot
+on:
+  issues:
+    types: [opened, reopened, edited]
+jobs:
+  issue-bot:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Inspect Issue
+      uses: parse-community/parse-issue-bot@main
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -2,16 +2,22 @@
 
 Jump directly to a version:
 
-| 4.x               |
-|-------------------|
-| [**4.5.0 (latest release)**](#450) |
-| [4.4.0](#440)     |
-| [4.3.0](#430)     |
-| [4.2.0](#420)     |
-| [4.1.0](#410)     |
-| [4.0.2](#402)     |
-| [4.0.1](#401)     |
-| [4.0.0](#400)     |
+| 4.x                                  |
+|--------------------------------------|
+| [**4.10.3 (latest release)**](#4103) |
+| [4.10.2](#4102)                      |
+| [4.10.1](#4101)                      |
+| [4.10.0](#4100)                      |
+| [4.5.2](#452)                        |
+| [4.5.1](#451)                        |
+| [4.5.0](#450)                        |
+| [4.4.0](#440)                        |
+| [4.3.0](#430)                        |
+| [4.2.0](#420)                        |
+| [4.1.0](#410)                        |
+| [4.0.2](#402)                        |
+| [4.0.1](#401)                        |
+| [4.0.0](#400)                        |
 
 <details>
 <summary>Previous Versions</summary>
@@ -88,28 +94,30 @@ Jump directly to a version:
 ___
 
 ## Unreleased (Master Branch)
-[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.3...master)
+
 ### Breaking Changes
 - Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the [Parse Server Option](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) `databaseOptions.enableSchemaHooks: true` to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options `enableSingleSchemaCache` and `schemaCacheTTL` have been removed. To use this feature with MongoDB, a replica set cluster with [change stream](https://docs.mongodb.com/manual/changeStreams/#availability) support is required. (Diamond Lewis, SebC) [#7214](https://github.com/parse-community/parse-server/issues/7214)
 - Added file upload restriction. File upload is now only allowed for authenticated users by default for improved security. To allow file upload also for Anonymous Users or Public, set the `fileUpload` parameter in the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) (dblythy, Manuel Trezza) [#7071](https://github.com/parse-community/parse-server/pull/7071)
 - Removed [parse-server-simple-mailgun-adapter](https://github.com/parse-community/parse-server-simple-mailgun-adapter) dependency; to continue using the adapter it has to be explicitly installed (Manuel Trezza) [#7321](https://github.com/parse-community/parse-server/pull/7321)
 - Remove support for MongoDB 3.6 which has reached its End-of-Life date and PostgreSQL 10 (Manuel Trezza) [#7315](https://github.com/parse-community/parse-server/pull/7315)
 - Remove support for Node 10 which has reached its End-of-Life date (Manuel Trezza) [#7314](https://github.com/parse-community/parse-server/pull/7314)
 - Remove S3 Files Adapter from Parse Server, instead install separately as `@parse/s3-files-adapter` (Manuel Trezza) [#7324](https://github.com/parse-community/parse-server/pull/7324)
+
 ### Notable Changes
 - Added Parse Server Security Check to report weak security settings (Manuel Trezza, dblythy) [#7247](https://github.com/parse-community/parse-server/issues/7247)
 - EXPERIMENTAL: Added new page router with placeholder rendering and localization of custom and feature pages such as password reset and email verification (Manuel Trezza) [#7128](https://github.com/parse-community/parse-server/pull/7128)
 - EXPERIMENTAL: Added custom routes to easily customize flows for password reset, email verification or build entirely new flows (Manuel Trezza) [#7231](https://github.com/parse-community/parse-server/pull/7231)
 - Added Deprecation Policy to govern the introduction of breaking changes in a phased pattern that is more predictable for developers (Manuel Trezza) [#7199](https://github.com/parse-community/parse-server/pull/7199)
 - Add REST API endpoint `/loginAs` to create session of any user with master key; allows to impersonate another user. (GormanFletcher) [#7406](https://github.com/parse-community/parse-server/pull/7406)
 - Add official support for MongoDB 5.0 (Manuel Trezza) [#7469](https://github.com/parse-community/parse-server/pull/7469)
+- Add issue bot (Manuel Trezza) [#7523](https://github.com/parse-community/parse-server/pull/7523)
 
 ### Other Changes
 - Support native mongodb syntax in aggregation pipelines (Raschid JF Rafeally) [#7339](https://github.com/parse-community/parse-server/pull/7339)
 - Fix error when a not yet inserted job is updated (Antonio Davi Macedo Coelho de Castro) [#7196](https://github.com/parse-community/parse-server/pull/7196)
 - request.context for afterFind triggers (dblythy) [#7078](https://github.com/parse-community/parse-server/pull/7078)
 - Winston Logger interpolating stdout to console (dplewis) [#7114](https://github.com/parse-community/parse-server/pull/7114)
-- Move graphql-tag from devDependencies to dependencies (Antonio Davi Macedo Coelho de Castro) [#7183](https://github.com/parse-community/parse-server/pull/7183)
 - Added convenience method `Parse.Cloud.sendEmail(...)` to send email via email adapter in Cloud Code (dblythy) [#7089](https://github.com/parse-community/parse-server/pull/7089)
 - LiveQuery support for $and, $nor, $containedBy, $geoWithin, $geoIntersects queries (dplewis) [#7113](https://github.com/parse-community/parse-server/pull/7113)
 - Supporting patterns in LiveQuery server's config parameter `classNames` (Nes-si) [#7131](https://github.com/parse-community/parse-server/pull/7131)
@@ -139,8 +147,55 @@ ___
 - Fix LiveQuery server crash when using $all query operator on a missing object key (Jason Posthuma) [#7421](https://github.com/parse-community/parse-server/pull/7421)
 - Added runtime deprecation warnings (Manuel Trezza) [#7451](https://github.com/parse-community/parse-server/pull/7451)
 - Add ability to pass context of an object via a header, X-Parse-Cloud-Context, for Cloud Code triggers. The header addition allows client SDK's to add context without injecting _context in the body of JSON objects (Corey Baker) [#7437](https://github.com/parse-community/parse-server/pull/7437)
+- Add CI check to add changelog entry (Manuel Trezza) [#7512](https://github.com/parse-community/parse-server/pull/7512)
+- Refactor: uniform issue templates across repos (Manuel Trezza) [#7528](https://github.com/parse-community/parse-server/pull/7528)
+- ci: bump ci environment (Manuel Trezza) [#7539](https://github.com/parse-community/parse-server/pull/7539)
+
+## 4.10.3
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.2...4.10.3)
+
+### Security Fixes
+- Validate `explain` query parameter to avoid a server crash due to MongoDB bug [NODE-3463](https://jira.mongodb.org/browse/NODE-3463) (Kartal Kaan Bozdogan) [GHSA-xqp8-w826-hh6x](https://github.com/parse-community/parse-server/security/advisories/GHSA-xqp8-w826-hh6x)
+
+## 4.10.2
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.1...4.10.2)
+
+### Other Changes
+- Move graphql-tag from devDependencies to dependencies (Antonio Davi Macedo Coelho de Castro) [#7183](https://github.com/parse-community/parse-server/pull/7183)
+
+## 4.10.1
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.10.0...4.10.1)
+
+### Security Fixes
+- Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) [#7508](https://github.com/parse-community/parse-server/pull/7508)
+
+> ⚠️ This includes a security fix of the Parse JS SDK where `logIn` will default to `POST` instead of `GET` method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 [release notes](https://github.com/parse-community/Parse-SDK-JS/releases/tag/3.0.0).
+
+## 4.10.0
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.2...4.10.0)
+
+*Versions >4.5.2 and <4.10.0 are skipped.*
+
+> ⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency: 
+> ```js
+> "parse-server": "[email protected]:parse-community/parse-server.git#4.9.3"
+> ```
+> 
+> We have since deleted the incorrect version tags, but they may still show up if your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.
+>
+> You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag `4.9.3` and published a new Bitnami image for Parse Server. 
+> 
+>**If you are using any of the affected versions, we urgently recommend to upgrade to version `4.10.0`.**
+
+## 4.5.2
+[Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...4.5.2)
+
+### Security Fixes
+- SECURITY FIX: Fixes incorrect session property `authProvider: password` of anonymous users. When signing up an anonymous user, the session field `createdWith` indicates incorrectly that the session has been created using username and password with `authProvider: password`, instead of an anonymous sign-up with `authProvider: anonymous`. This fixes the issue by setting the correct `authProvider: anonymous` for future sign-ups of anonymous users. This fix does not fix incorrect `authProvider: password` for existing sessions of anonymous users. Consider this if your app logic depends on the `authProvider` field. (Corey Baker) [GHSA-23r4-5mxp-c7g5](https://github.com/parse-community/parse-server/security/advisories/GHSA-23r4-5mxp-c7g5)
+
+## 4.5.1
+*This version was published by mistake and was deprecated.*
 
-___
 ## 4.5.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
 ### Breaking Changes

CONTRIBUTING.md

@@ -191,7 +191,7 @@ Deprecations become breaking changes after notifying developers through deprecat
   - `5.0.0` marks the beginning of logging the deprecation warning for one entire major release
   - `6.0.0` makes the breaking change by removing the deprecation warning and making the new feature replace the existing feature
 
-Developer feedback during the deprecation period may further postpone the introduction of a breaking change. The [Deprecation Plan](https://github.com/parse-community/parse-server/blob/master/DEPRECATIONS.md) gives an overview of deprecations and planned breaking changes.
+See the [Deprecation Plan](https://github.com/parse-community/parse-server/blob/master/DEPRECATIONS.md) for an overview of deprecations and planned breaking changes.
 
 ## Feature Considerations
 ### Security Checks

DEPRECATIONS.md

@@ -1,10 +1,11 @@
 # Deprecation Plan <!-- omit in toc -->
 
-The following is a list of deprecations, according to the [Deprecation Policy](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#deprecation-policy). After a feature becomes deprecated, and giving developers time to adapt to the change, the deprecated feature will eventually be removed, leading to a breaking change. Developer feedback during the deprecation period may postpone the introduction of the breaking change.
+The following is a list of deprecations, according to the [Deprecation Policy](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#deprecation-policy). After a feature becomes deprecated, and giving developers time to adapt to the change, the deprecated feature will eventually be removed, leading to a breaking change. Developer feedback during the deprecation period may postpone or even revoke the introduction of the breaking change.
 
-| Feature                                       | Issue                                                                | Deprecation [ℹ️][i_deprecation] | Planned Removal [ℹ️][i_removal] | Status [ℹ️][i_status] | Notes |
-|-----------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------|
-| Native MongoDB syntax in aggregation pipeline | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
+| Change                                          | Issue                                                                | Deprecation [ℹ️][i_deprecation] | Planned Removal [ℹ️][i_removal] | Status [ℹ️][i_status] | Notes |
+|-------------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------|
+| Native MongoDB syntax in aggregation pipeline   | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
+| Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
 
 [i_deprecation]: ## "The version and date of the deprecation."
 [i_removal]: ## "The version and date of the planned removal."