4.10.7

4.10.7 (2022-03-11)

Bug Fixes

• security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) (886bfd7)

  Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.

5.0.0-alpha.26

5.0.0-alpha.26 (2022-02-25)

Bug Fixes

• package.json & package-lock.json to reduce vulnerabilities (#7823) (5ca2288)

5.0.0-alpha.25

5.0.0-alpha.25 (2022-02-23)

Bug Fixes

• upgrade winston from 3.5.0 to 3.5.1 (#7820) (4af253d)

4.10.6

4.10.6 (2022-02-12)

Bug Fixes

• update graphql dependencies to work with Parse Dashboard (#7658) (350ecde)

4.10.5

4.10.5 (2022-02-12)

Bug Fixes

• security upgrade follow-redirects from 1.13.0 to 1.14.8 (#7803) (611332e)

5.0.0-beta.7

5.0.0-beta.7 (2022-02-10)

Bug Fixes

• security upgrade follow-redirects from 1.14.7 to 1.14.8 (#7802) (7029b27)

5.0.0-alpha.24

5.0.0-alpha.24 (2022-02-10)

Bug Fixes

• security upgrade follow-redirects from 1.14.7 to 1.14.8 (#7801) (70088a9)

5.0.0-alpha.23

5.0.0-alpha.23 (2022-02-06)

Bug Fixes

• server crash using GraphQL due to missing @apollo/client peer dependency (#7787) (08089d6)

5.0.0-alpha.22

5.0.0-alpha.22 (2022-02-06)

Features

• upgrade to MongoDB Node.js driver 4.x for MongoDB 5.0 support (#7794) (f88aa2a)

BREAKING CHANGES

• The MongoDB GridStore adapter has been removed. By default, Parse Server already uses GridFS, so if you do not manually use the GridStore adapter, you can ignore this change. (f88aa2a)

5.0.0-alpha.21

5.0.0-alpha.21 (2022-01-25)

Features

• add Cloud Code context to ParseObject.fetch (#7779) (315290d)