Releases: parse-community/parse-server
6.0.0-beta.1 (2023-01-31)
Bug Fixes
- ParseServer.verifyServerUrl may fail if server response headers are missing; remove unnecessary logging (#8391) (1c37a7c)
- Cloud Code trigger beforeSave does not work with Parse.Role (#8320) (f29d972)
- ES6 modules do not await the import of Cloud Code files (#8368) (a7bd180)
- Nested objects are encoded incorrectly for MongoDB (#8209) (1412666)
- Parse Server option masterKeyIps does not include localhost by default for IPv6 (#8322) (ab82635)
- Rate limiter may reject requests that contain a session token (#8399) (c114dc8)
- Remove Node 12 and Node 17 support (#8279) (2546cc8)
- Schema without class level permissions may cause error (#8409) (aa2cd51)
- The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8372) (892040d)
- Throwing error in Cloud Code Triggers afterLogin, afterLogout crashes server (#8280) (130d290)
Features
- Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see access scopes (#8212) (f3bcc93)
- Adapt verifyServerUrl for new asynchronous Parse Server start-up states (#8366) (ffa4974)
- Add ParseQuery.watch to trigger LiveQuery only on update of specific fields (#8028) (fc92faa)
- Add Node 19 support (#8363) (a4990dc)
- Add option to change the log level of the logs emitted by triggers (#8328) (8f3b694)
- Add request rate limiter based on IP address (#8174) (6c79f6a)
- Asynchronous initialization of Parse Server (#8232) (99fcf45)
- Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156) (5bbf9ca)
- Reduce Docker image size by improving stages (#8359) (40810b4)
- Remove deprecation DEPPS1: Native MongoDB syntax in aggregation pipeline (#8362) (d0d30c4)
- Remove deprecation DEPPS2: Config option directAccess defaults to true (#8284) (f535ee6)
- Remove deprecation DEPPS3: Config option enforcePrivateUsers defaults to true (#8283) (ed499e3)
- Remove deprecation DEPPS4: Remove convenience method for http request Parse.Cloud.httpRequest (#8287) (2d79c08)
- Remove support for MongoDB 4.0 (#8292) (37245f6)
- Restrict use of masterKey to localhost by default (#8281) (6c16021)
- Upgrade Node Package Manager lock file package-lock.json to version 2 (#8285) (ee72467)
- Upgrade Redis 3 to 4 (#8293) (7d622f0)
- Upgrade Redis 3 to 4 for LiveQuery (#8333) (b2761fb)
- Upgrade to Parse JavaScript SDK 4 (#8332) (9092874)
- Write log entry when request with master key is rejected as outside of masterKeyIps (#8350) (e22b73d)
BREAKING CHANGES
- The Docker image does not contain the git dependency anymore; if you have been using git as a transitive dependency it now needs to be explicitly installed in your Docker file, for example with RUN apk --no-cache add git (#8359) (40810b4)
- Fields in the internal scope of Parse Server (prefixed with underscore _) are only returned using the new maintenanceKey; previously the masterKey allowed reading of internal fields; see access scopes for a comparison of the keys' access permissions (#8212) (f3bcc93)
- The method ParseServer.verifyServerUrl now returns a promise instead of a callback. (ffa4974)
- The MongoDB aggregation pipeline requires native MongoDB syntax instead of the custom Parse Server syntax; for example pipeline stage names require a leading dollar sign like $match and the MongoDB document ID is referenced using _id instead of objectId (#8362) (d0d30c4)
- The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting (#8372) (892040d)
- The Node Package Manager lock file package-lock.json is upgraded to version 2; while it is backwards with version 1 for the npm instal...
6.0.0-alpha.31 (2023-01-31)
Bug Fixes
- Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability GHSA-xprv-wvh7-qqqx (#8302) (6728da1)
- Prototype pollution via Cloud Code Webhooks; fixes security vulnerability GHSA-93vw-8fm5-p2jf (#8305) (60c5a73)
- Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability GHSA-prm5-8g2m-24gg (#8295) (50eed3c)
5.4.1 (2023-01-31)
Bug Fixes
- The client IP address may be determined incorrectly in some cases; it is now required to set the Parse Server option trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8369) (e016d81)
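
Why the trustProxy setting has to match the real deployment, shown as an added example that is not Parse Server's or Express's own code: it is a simplified model of a numeric trust proxy hop count followed by a masterKeyIps-style allow-list check. The function names and sample addresses are constructed for illustration.

```javascript
// Added example: simplified model of a numeric "trust proxy" hop count and a
// masterKeyIps-style allow-list check. Not Parse Server or Express code.

// Address chain, closest first: the TCP peer, then the X-Forwarded-For
// entries from right (nearest proxy) to left (claimed original client).
function addressChain(socketAddr, xForwardedFor) {
  const forwarded = (xForwardedFor || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse();
  return [socketAddr, ...forwarded];
}

// trustedHops = number of proxies in front of the server (0 = no proxy).
// The client IP is the first address that is not one of the trusted hops.
function resolveClientIp(socketAddr, xForwardedFor, trustedHops) {
  const chain = addressChain(socketAddr, xForwardedFor);
  return chain[Math.min(trustedHops, chain.length - 1)];
}

// Strip the IPv4-mapped IPv6 prefix that dual-stack sockets report.
function normalize(ip) {
  return ip.startsWith('::ffff:') ? ip.slice(7) : ip;
}

function isMasterKeyIpAllowed(clientIp, masterKeyIps) {
  return masterKeyIps.map(normalize).includes(normalize(clientIp));
}

// Constructed sample data (loopback and documentation address ranges).
const masterKeyIps = ['127.0.0.1', '::1'];
const clientSuppliedHeader = '127.0.0.1'; // header value set by the client
const remotePeer = '203.0.113.7';         // actual TCP peer address

function demo() {
  const check = (peer, header, hops) =>
    isMasterKeyIpAllowed(resolveClientIp(peer, header, hops), masterKeyIps);
  return {
    // No proxy, no hops trusted: the request is judged by its TCP peer.
    directNoTrust: check(remotePeer, clientSuppliedHeader, 0),
    // No proxy, but one hop trusted: the client-supplied header is believed.
    directMisconfigured: check(remotePeer, clientSuppliedHeader, 1),
    // One real proxy (10.0.0.5) appends the peer it saw; that entry is used.
    behindProxy: resolveClientIp('10.0.0.5', `${clientSuppliedHeader}, ${remotePeer}`, 1),
  };
}
```

The hop count should equal the number of proxies you operate in front of the server; any higher value lets a header entry you do not control decide the allow-list result.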