Skip to content

Releases: parse-community/parse-server

4.10.4

30 Sep 02:56
@mtrezza mtrezza
4.10.4
4ac4b7f
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.10.4

Full Changelog

Security Fixes

  • Strip out sessionToken when LiveQuery is used on Parse.User (Daniel Blyth) GHSA-7pr3-p5fm-8r9x
Loading

4.10.3

02 Sep 11:10
@mtrezza mtrezza
4.10.3
c71ae7d
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.10.3

Full Changelog

Security Fixes

Loading

4.10.2

23 Aug 22:49
@mtrezza mtrezza
4.10.2
0bfa6b7
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.10.2

Full Changelog

Fixes

  • Move graphql-tag from devDependencies to dependencies (Antonio Davi Macedo Coelho de Castro) #7183
Loading

4.10.1

23 Aug 12:01
@mtrezza mtrezza
4.10.1
0be0b87
Compare
Choose a tag to compare
4.10.1

Full Changelog

  • Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) #7508

⚠️ This includes a security fix of the Parse JS SDK where logIn will default to POST instead of GET method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.

Loading

4.10.0

20 Aug 18:34
@mtrezza mtrezza
4.10.0
7e1da90
Compare
Choose a tag to compare
4.10.0

Full Changelog

Versions >4.5.2 and <4.10.0 are skipped.

⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:

"parse-server": "[email protected]:parse-community/parse-server.git#4.9.3"

We have since deleted the incorrect version tags, but they may still show up in your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.

You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.

If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.
GHSA-593v-wcqx-hq2w

Loading

4.5.2

18 Aug 21:26
@mtrezza mtrezza
4.5.2
a3483d8
Compare
Choose a tag to compare
4.5.2

Full Changelog

  • SECURITY FIX: Fixes incorrect session property authProvider: password of anonymous users. When signing up an anonymous user, the session field createdWith indicates incorrectly that the session has been created using username and password with authProvider: password, instead of an anonymous sign-up with authProvider: anonymous. This fixes the issue by setting the correct authProvider: anonymous for future sign-ups of anonymous users. This fix does not fix incorrect authProvider: password for existing sessions of anonymous users. Consider this if your app logic depends on the authProvider field. (Corey Baker) GHSA-23r4-5mxp-c7g5
Loading

4.5.0

15 Dec 03:34
@davimacedo davimacedo
4.5.0
3c00bcd
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.5.0

Full Changelog

BREAKING CHANGES:

  • FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. #7023. Thanks to dblythy.
  • FIX: Properly handle serverURL and publicServerUrl in Batch requests. #7049. Thanks to Zach Goldberg.
  • IMPROVE: Prevent invalid column names (className and length). #7053. Thanks to Diamond Lewis.
  • IMPROVE: GraphQL: Remove viewer from logout mutation. #7029. Thanks to Antoine Cormouls.
  • IMPROVE: GraphQL: Optimize on Relation. #7044. Thanks to Antoine Cormouls.
  • NEW: Include sessionToken in onLiveQueryEvent. #7043. Thanks to dblythy.
  • FIX: Definitions for accountLockout and passwordPolicy. #7040. Thanks to dblythy.
  • FIX: Fix typo in server definitions for emailVerifyTokenReuseIfValid. #7037. Thanks to dblythy.
  • SECURITY FIX: LDAP auth stores password in plain text. See GHSA-4w46-w44m-3jq3 for more details about the vulnerability and da905a3 for the fix. Thanks to Fabian Strachanski.
  • NEW: Reuse tokens if they haven't expired. #7017. Thanks to dblythy.
  • NEW: Add LDAPS-support to LDAP-Authcontroller. #7014. Thanks to Fabian Strachanski.
  • FIX: (beforeSave/afterSave): Return value instead of Parse.Op for nested fields. #7005. Thanks to Diamond Lewis.
  • FIX: (beforeSave): Skip Sanitizing Database results. #7003. Thanks to Diamond Lewis.
  • FIX: Fix includeAll for querying a Pointer and Pointer array. #7002. Thanks to Corey Baker.
  • FIX: Add encryptionKey to src/options/index.js. #6999. Thanks to dblythy.
  • IMPROVE: Update PostgresStorageAdapter.js. #6989. Thanks to Vitaly Tomilov.
Loading

4.4.0

02 Nov 16:02
@davimacedo davimacedo
4.4.0
c983202
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.4.0

Full Changelog

Loading

4.3.0

19 Jul 17:41
@davimacedo davimacedo
4.3.0
6f060e0
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.3.0

Full Changelog

  • PERFORMANCE: Optimizing pointer CLP query decoration done by DatabaseController#addPointerPermissions #6747. Thanks to mess-lelouch.
  • SECURITY: Fix security breach on GraphQL viewer 78239ac, secuity advisory. Thanks to Antoine Cormouls.
  • FIX: Save context not present if direct access enabled #6764. Thanks to Omair Vaiyani.
  • NEW: Before Connect + Before Subscribe #6793. Thanks to dblythy.
  • FIX: Add version to playground to fix CDN #6804. Thanks to Antoine Cormouls.
  • NEW (EXPERIMENTAL): Idempotency enforcement for client requests. This deduplicates requests where the client intends to send one request to Parse Server but due to network issues the server receives the request multiple times. Caution, this is an experimental feature that may not be appropriate for production. #6748. Thanks to Manuel Trezza.
  • FIX: Add production Google Auth Adapter instead of using the development url #6734. Thanks to SebC..
  • IMPROVE: Run Prettier JS Again Without requiring () on arrow functions #6796. Thanks to Diamond Lewis.
  • IMPROVE: Run Prettier JS #6795. Thanks to Diamond Lewis.
  • IMPROVE: Replace bcrypt with @node-rs/bcrypt #6794. Thanks to LongYinan.
  • IMPROVE: Make clear description of anonymous user #6655. Thanks to Jerome De Leon.
  • IMPROVE: Simplify GraphQL merge system to avoid js ref bugs #6791. Thanks to Antoine Cormouls.
  • NEW: Pass context in beforeDelete, afterDelete, beforeFind and Parse.Cloud.run #6666. Thanks to yog27ray.
  • NEW: Allow passing custom gql schema function to ParseServer#start options #6762. Thanks to Luca.
  • NEW: Allow custom cors origin header #6772. Thanks to Kevin Yao.
  • FIX: Fix context for cascade-saving and saving existing object #6735. Thanks to Manuel.
  • NEW: Add file bucket encryption using fileKey #6765. Thanks to Corey Baker.
  • FIX: Removed gaze from dev dependencies and removed not working dev script #6745. Thanks to Vincent Semrau.
  • IMPROVE: Upgrade graphql-tools to v6 #6701. Thanks to Yaacov Rydzinski.
  • NEW: Support Metadata in GridFSAdapter #6660. Thanks to Diamond Lewis.
  • NEW: Allow to unset file from graphql #6651. Thanks to Antoine Cormouls.
  • NEW: Handle shutdown for RedisCacheAdapter #6658. Thanks to promisenxu.
  • FIX: Fix explain on user class #6650. Thanks to Manuel.
  • FIX: Fix read preference for aggregate #6585. Thanks to Manuel.
  • NEW: Add context to Parse.Object.save #6626. Thanks to Manuel.
  • NEW: Adding ssl config params to Postgres URI #6580. Thanks to Corey Baker.
  • FIX: Travis postgres update: removing unnecessary start of mongo-runner #6594. Thanks to Corey Baker.
  • FIX: ObjectId size for Pointer in Postgres #6619. Thanks to Corey Baker.
  • IMPROVE: Improve a test case #6629. Thanks to Gordon Sun.
  • NEW: Allow to resolve automatically Parse Type fields from Custom Schema #6562. Thanks to Antoine Cormouls.
  • FIX: Remove wrong console log in test #6627. Thanks to Gordon Sun.
  • IMPROVE: Graphql tools v5 #6611. Thanks to Yaacov Rydzinski.
  • FIX: Catch JSON.parse and return 403 properly #6589. Thanks to Gordon Sun.
  • PERFORMANCE: Allow covering relation queries with minimal index #6581. Thanks to Noah Silas.
  • FIX: Fix Postgres group aggregation #6522. Thanks to Siddharth Ramesh.
  • NEW: Allow set user mapped from JWT directly on request #6411. Thanks to Gordon Sun.
Loading

4.2.0

03 Apr 16:54
@acinader acinader
4.2.0
1045eeb
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
4.2.0

Full Changelog

Loading