Merge branch 'upstream/alpha' into moumouls/update-apollo-upload-client

# Conflicts:
#	package-lock.json
#	package.json

Author: Moumouls

.eslintrc.json

@@ -25,7 +25,9 @@
         "space-infix-ops": "error",
         "no-useless-escape": "off",
         "require-atomic-updates": "off",
-        "object-curly-spacing": ["error", "always"]
+        "object-curly-spacing": ["error", "always"],
+        "curly": ["error", "all"],
+        "block-spacing": ["error", "always"]
     },
     "globals": {
         "Parse": true

.github/ISSUE_TEMPLATE/---1-report-an-issue.md

@@ -8,16 +8,10 @@ assignees: ''
 ---
 
 ### New Issue Checklist
-<!--
-    Check every following box [x] before submitting your issue.
-    Click the "Preview" tab for better readability.
-    Thanks for contributing to Parse Platform!
--->
 
-- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
-- [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
-- [ ] I have searched through [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
-- [ ] I can reproduce the issue with the [latest version of Parse Server](https://github.com/parse-community/parse-server/releases). <!-- We don't investigate issues for outdated releases. -->
+- Report security issues [confidentially](https://github.com/parse-community/parse-server/security/policy).
+- Any contribution is under this [license](https://github.com/parse-community/parse-server/blob/alpha/LICENSE).
+- Before posting search [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
 
 ### Issue Description
 <!-- What is the specific issue with Parse Server? -->
@@ -30,6 +24,7 @@ assignees: ''
 
 ### Expected Outcome
 <!-- What outcome, for example query result, did you expect? -->
+
 ### Environment
 <!-- Be specific with versions, don't use "latest" or semver ranges like "~x.y.z" or "^x.y.z". -->
 

.github/ISSUE_TEMPLATE/---2-feature-request.md

@@ -8,15 +8,10 @@ assignees: ''
 ---
 
 ### New Feature / Enhancement Checklist
-<!--
-    Check every following box [x] before submitting your issue.
-    Click the "Preview" tab for better readability.
-    Thanks for contributing to Parse Platform!
--->
-
-- [ ] I am not disclosing a [vulnerability](https://github.com/parse-community/parse-server/blob/master/SECURITY.md).
-- [ ] I am not just asking a [question](https://github.com/parse-community/.github/blob/master/SUPPORT.md).
-- [ ] I have searched through [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
+
+- Report security issues [confidentially](https://github.com/parse-community/parse-server/security/policy).
+- Any contribution is under this [license](https://github.com/parse-community/parse-server/blob/alpha/LICENSE).
+- Before posting search [existing issues](https://github.com/parse-community/parse-server/issues?q=is%3Aissue).
 
 ### Current Limitation
 <!-- Which current limitation is the feature or enhancement addressing? -->

.github/workflows/ci-automated-check-environment.yml

@@ -17,14 +17,8 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v2
         with:
-          node-version: 14
-      - name: Cache Node.js modules
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
+          node-version: 20
+          cache: 'npm'
       - name: Install dependencies
         run: npm ci
       - name: CI Environments Check

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ on:
     paths-ignore:
       - '**/**.md'
 env:
-  NODE_VERSION: 20.11.1
+  NODE_VERSION: 22.4.1
   PARSE_SERVER_TEST_TIMEOUT: 20000
 jobs:
   check-code-analysis:
@@ -42,15 +42,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Cache Node.js modules
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-
-      - name: Install dependencies
+      - name: Install prod dependencies
         run: npm ci
+      - name: Remove dev dependencies
+        run: ./ci/uninstallDevDeps.sh @actions/core
       - name: CI Node Engine Check
         run: npm run ci:checkNodeEngine
   check-lint:
@@ -146,37 +141,45 @@ jobs:
       matrix:
         include:
           - name: MongoDB 4.2, ReplicaSet
-            MONGODB_VERSION: 4.2.19
+            MONGODB_VERSION: 4.2.25
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: MongoDB 4.4, ReplicaSet
-            MONGODB_VERSION: 4.4.13
+            MONGODB_VERSION: 4.4.29
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: MongoDB 5, ReplicaSet
-            MONGODB_VERSION: 5.3.2
+            MONGODB_VERSION: 5.0.26
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: MongoDB 6, ReplicaSet
-            MONGODB_VERSION: 6.0.2
+            MONGODB_VERSION: 6.0.14
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: MongoDB 7, ReplicaSet
-            MONGODB_VERSION: 7.0.1
+            MONGODB_VERSION: 7.0.8
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
+          - name: MongoDB 8, ReplicaSet
+            MONGODB_VERSION: 8.0.0
+            MONGODB_TOPOLOGY: replset
+            NODE_VERSION: 22.4.1
           - name: Redis Cache
             PARSE_SERVER_TEST_CACHE: redis
-            MONGODB_VERSION: 4.4.13
+            MONGODB_VERSION: 8.0.0
+            MONGODB_TOPOLOGY: standalone
+            NODE_VERSION: 22.4.1
+          - name: Node 20
+            MONGODB_VERSION: 8.0.0
             MONGODB_TOPOLOGY: standalone
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 20.15.1
           - name: Node 18
-            MONGODB_VERSION: 4.4.13
+            MONGODB_VERSION: 8.0.0
             MONGODB_TOPOLOGY: standalone
-            NODE_VERSION: 18.19.1
+            NODE_VERSION: 18.20.4
       fail-fast: false
     name: ${{ matrix.name }}
-    timeout-minutes: 15
+    timeout-minutes: 20
     runs-on: ubuntu-latest
     services:
       redis:
@@ -210,35 +213,46 @@ jobs:
       - run: npm run coverage
         env:
           CI: true
-      - run: bash <(curl -s https://codecov.io/bash)
+      - name: Upload code coverage
+        uses: codecov/codecov-action@v4
+        with:
+          # Set to `true` once codecov token bug is fixed; https://github.com/parse-community/parse-server/issues/9129
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
   check-postgres:
     strategy:
       matrix:
         include:
           - name: PostgreSQL 13, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:13-3.1
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.2
             POSTGRES_IMAGE: postgis/postgis:13-3.2
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:13-3.3
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.4
             POSTGRES_IMAGE: postgis/postgis:13-3.4
-            NODE_VERSION: 20.11.1
-          - name: PostgreSQL 14, PostGIS 3.4
-            POSTGRES_IMAGE: postgis/postgis:14-3.4
-            NODE_VERSION: 20.11.1
-          - name: PostgreSQL 15, PostGIS 3.4
-            POSTGRES_IMAGE: postgis/postgis:15-3.4
-            NODE_VERSION: 20.11.1
-          - name: PostgreSQL 16, PostGIS 3.4
-            POSTGRES_IMAGE: postgis/postgis:15-3.4
-            NODE_VERSION: 20.11.1
+            NODE_VERSION: 22.4.1
+          - name: PostgreSQL 13, PostGIS 3.5
+            POSTGRES_IMAGE: postgis/postgis:13-3.5
+            NODE_VERSION: 22.4.1
+          - name: PostgreSQL 14, PostGIS 3.5
+            POSTGRES_IMAGE: postgis/postgis:14-3.5
+            NODE_VERSION: 22.4.1
+          - name: PostgreSQL 15, PostGIS 3.5
+            POSTGRES_IMAGE: postgis/postgis:15-3.5
+            NODE_VERSION: 22.4.1
+          - name: PostgreSQL 16, PostGIS 3.5
+            POSTGRES_IMAGE: postgis/postgis:16-3.5
+            NODE_VERSION: 22.4.1
+          - name: PostgreSQL 17, PostGIS 3.5
+            POSTGRES_IMAGE: postgis/postgis:17-3.5
+            NODE_VERSION: 22.4.1
       fail-fast: false
     name: ${{ matrix.name }}
-    timeout-minutes: 15
+    timeout-minutes: 20
     runs-on: ubuntu-latest
     services:
       redis:
@@ -281,7 +295,13 @@ jobs:
       - run: npm run coverage
         env:
           CI: true
-      - run: bash <(curl -s https://codecov.io/bash)
+      - name: Upload code coverage
+        uses: codecov/codecov-action@v4
+        with:
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/release-automated.yml

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 18.19.1
+          node-version: 20
           registry-url: https://registry.npmjs.org/
       - name: Cache Node.js modules
         uses: actions/cache@v4
@@ -93,7 +93,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 18.19.1
+          node-version: 18.20.0
       - name: Cache Node.js modules
         uses: actions/cache@v4
         with:

.nvmrc

@@ -1,2 +1 @@
-10.14.2
-
+20.15.0

release.config.js renamed to .releaserc.js

@@ -2,8 +2,13 @@
  * Semantic Release Config
  */
 
-const fs = require('fs').promises;
-const path = require('path');
+const { readFile } = require('fs').promises;
+const { resolve } = require('path');
+
+// For ES6 modules use:
+// import { readFile } from 'fs/promises';
+// import { resolve, dirname } from 'path';
+// import { fileURLToPath } from 'url';
 
 // Get env vars
 const ref = process.env.GITHUB_REF;
@@ -24,7 +29,7 @@ const templates = {
 async function config() {
 
   // Get branch
-  const branch = ref.split('/').pop().split('-')[0];
+  const branch = ref?.split('/')?.pop()?.split('-')[0] || '(current branch could not be determined)';
   console.log(`Running on branch: ${branch}`);
 
   // Set changelog file
@@ -89,7 +94,7 @@ async function config() {
       [
         "@saithodev/semantic-release-backmerge",
         {
-          "branches": [
+          "backmergeBranches": [
             { from: "beta", to: "alpha" },
             { from: "release", to: "beta" },
           ]
@@ -103,15 +108,17 @@ async function config() {
 
 async function loadTemplates() {
   for (const template of Object.keys(templates)) {
-    const text = await readFile(path.resolve(__dirname, resourcePath, templates[template].file));
+    
+    // For ES6 modules use:
+    // const fileUrl = import.meta.url;
+    // const __dirname = dirname(fileURLToPath(fileUrl));
+
+    const filePath = resolve(__dirname, resourcePath, templates[template].file);
+    const text = await readFile(filePath, 'utf-8');
     templates[template].text = text;
   }
 }
 
-async function readFile(filePath) {
-  return await fs.readFile(filePath, 'utf-8');
-}
-
 function getReleaseComment() {
   const url = repositoryUrl + '/releases/tag/${nextRelease.gitTag}';
   const comment = '🎉 This change has been released in version [${nextRelease.version}](' + url + ')';

CONTRIBUTING.md

@@ -39,6 +39,7 @@
   - [Reverting](#reverting)
   - [Security Vulnerability](#security-vulnerability)
     - [Local Testing](#local-testing)
+    - [Environment](#environment)
     - [Merging](#merging-1)
 - [Releasing](#releasing)
   - [General Considerations](#general-considerations)
@@ -271,15 +272,15 @@ If your pull request introduces a change that may affect the storage or retrieva
 [PostGIS images (select one with v2.2 or higher) on docker hub](https://hub.docker.com/r/postgis/postgis) is based off of the official [postgres](https://hub.docker.com/_/postgres) image and will work out-of-the-box (as long as you create a user with the necessary extensions for each of your Parse databases; see below). To launch the compatible Postgres instance, copy and paste the following line into your shell:
 
 ```
-docker run -d --name parse-postgres -p 5432:5432 -e POSTGRES_PASSWORD=password --rm postgis/postgis:16-3.4-alpine && sleep 20 && docker exec -it parse-postgres psql -U postgres -c 'CREATE DATABASE parse_server_postgres_adapter_test_database;' && docker exec -it parse-postgres psql -U postgres -c 'CREATE EXTENSION pgcrypto; CREATE EXTENSION postgis;' -d parse_server_postgres_adapter_test_database && docker exec -it parse-postgres psql -U postgres -c 'CREATE EXTENSION postgis_topology;' -d parse_server_postgres_adapter_test_database
+docker run -d --name parse-postgres -p 5432:5432 -e POSTGRES_PASSWORD=password --rm postgis/postgis:17-3.5-alpine && sleep 20 && docker exec -it parse-postgres psql -U postgres -c 'CREATE DATABASE parse_server_postgres_adapter_test_database;' && docker exec -it parse-postgres psql -U postgres -c 'CREATE EXTENSION pgcrypto; CREATE EXTENSION postgis;' -d parse_server_postgres_adapter_test_database && docker exec -it parse-postgres psql -U postgres -c 'CREATE EXTENSION postgis_topology;' -d parse_server_postgres_adapter_test_database
 ```
 To stop the Postgres instance:
 
 ```
 docker stop parse-postgres
 ```
 
-You can also use the [postgis/postgis:16-3.4-alpine](https://hub.docker.com/r/postgis/postgis) image in a Dockerfile and copy this [script](https://github.com/parse-community/parse-server/blob/master/scripts/before_script_postgres.sh) to the image by adding the following lines:
+You can also use the [postgis/postgis:17-3.5-alpine](https://hub.docker.com/r/postgis/postgis) image in a Dockerfile and copy this [script](https://github.com/parse-community/parse-server/blob/master/scripts/before_script_postgres.sh) to the image by adding the following lines:
 
 ```
 #Install additional scripts. These are run in abc order during initial start
@@ -499,19 +500,33 @@ If the commit reverts a previous commit, use the prefix `revert:`, followed by t
 
 #### Local Testing
 
-Fixes for securify vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerabilty are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
+Fixes for security vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerability are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
 
 - `npm run test` (MongoDB)
 - `npm run test` (Postgres)
 - `npm run madge:circular` (circular dependencies)
 - `npm run lint` (Lint)
 - `npm run definitions` (Parse Server options definitions)
 
+#### Environment
+
+A reported vulnerability may have already been fixed since it was reported, either due to a targeted fix or as side-effect of other code changed. To verify that a vulnerability exists, tests need to be run in an environment that uses the latest commit of the development branch of Parse Server.
+
+> [!NOTE]
+> Do not use the latest alpha version for testing as it may be behind the latest commit of the development branch.
+
+Vulnerability test must only be conducted in environments for which the tester can ensure that no unauthorized 3rd party has potentially access to. This is to ensure a vulnerability stays confidential and is not exposed prematurely to the public.
+
+You must not test a vulnerability using any 3rd party APIs that provide Parse Server as a hosted service (SaaS) as this may expose the vulnerability to an unauthorized 3rd party and the effects of the vulnerability may cause issues on the provider's side. 
+
+> [!CAUTION]
+> Utilizing a vulnerability in a third-party service, even for testing or development purposes, can result in legal repercussions. You are solely accountable for any damage arising from such actions and agree to indemnify Parse Platform against any liabilities or claims resulting from your actions.
+
 #### Merging
 
-A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerabilty. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
+A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerability. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
 
-This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hiting to a vulnerabilty or giving any details about the vulnerabilty, until the pull request has been successfully merged.
+This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hinting to a vulnerability or giving any details about the vulnerability, until the pull request has been successfully merged.
 
 ## Releasing