5.0.0-alpha.5

5.0.0-alpha.5 (2021-11-01)

Features

• add user-defined schema and migrations (#7418) (25d5c30)

5.0.0-alpha.4

5.0.0-alpha.4 (2021-10-31)

Features

• add support for Postgres 14 (#7644) (090350a)

5.0.0-alpha.3

5.0.0-alpha.3 (2021-10-29)

Bug Fixes

• combined and query with relational query condition returns incorrect results (#7593) (174886e)

5.0.0-alpha.2

5.0.0-alpha.2 (2021-10-27)

Bug Fixes

• setting a field to null does not delete it via GraphQL API (#7649) (626fad2)

BREAKING CHANGES

• To delete a field via the GraphQL API, the field value has to be set to null. Previously, setting a field value to null would save a null value in the database, which was not according to the GraphQL specs. To delete a file field use file: null, the previous way of using file: { file: null } has become obsolete. (626fad2)

5.0.0-alpha.1

5.0.0-alpha.1 (2021-10-12)

Breaking Changes

• Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the Parse Server Option databaseOptions.enableSchemaHooks: true to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options enableSingleSchemaCache and schemaCacheTTL have been removed. To use this feature with MongoDB, a replica set cluster with change stream support is required. (Diamond Lewis, SebC) #7214
• Added file upload restriction. File upload is now only allowed for authenticated users by default for improved security. To allow file upload also for Anonymous Users or Public, set the fileUpload parameter in the Parse Server Options (dblythy, Manuel Trezza) #7071
• Removed parse-server-simple-mailgun-adapter dependency; to continue using the adapter it has to be explicitly installed (Manuel Trezza) #7321
• Remove support for MongoDB 3.6 which has reached its End-of-Life date and PostgreSQL 10 (Manuel Trezza) #7315
• Remove support for Node 10 which has reached its End-of-Life date (Manuel Trezza) #7314
• Remove S3 Files Adapter from Parse Server, instead install separately as @parse/s3-files-adapter (Manuel Trezza) #7324
• Remove Session field restricted; the field was a code artifact from a feature that never existed in Open Source Parse Server; if you have been using this field for custom purposes, consider that for new Parse Server installations the field does not exist anymore in the schema, and for existing installations the field default value false will not be set anymore when creating a new session (Manuel Trezza) #7543

Notable Changes

• Alphabetical ordered GraphQL API, improved GraphQL Schema cache system and fix GraphQL input reassign issue (Moumouls) #7344
• Added Parse Server Security Check to report weak security settings (Manuel Trezza, dblythy) #7247
• EXPERIMENTAL: Added new page router with placeholder rendering and localization of custom and feature pages such as password reset and email verification (Manuel Trezza) #7128
• EXPERIMENTAL: Added custom routes to easily customize flows for password reset, email verification or build entirely new flows (Manuel Trezza) #7231
• Added Deprecation Policy to govern the introduction of breaking changes in a phased pattern that is more predictable for developers (Manuel Trezza) #7199
• Add REST API endpoint /loginAs to create session of any user with master key; allows to impersonate another user. (GormanFletcher) #7406
• Add official support for MongoDB 5.0 (Manuel Trezza) #7469
• Added Parse Server Configuration enforcePrivateUsers, which will remove public access by default on new Parse.Users (dblythy) #7319
• ci: add node engine version check (Manuel Trezza) #7574

Other Changes

• Support native mongodb syntax in aggregation pipelines (Raschid JF Rafeally) #7339
• Fix error when a not yet inserted job is updated (Antonio Davi Macedo Coelho de Castro) #7196
• request.context for afterFind triggers (dblythy) #7078
• Winston Logger interpolating stdout to console (dplewis) #7114
• Added convenience method Parse.Cloud.sendEmail(...) to send email via email adapter in Cloud Code (dblythy) #7089
• LiveQuery support for $and, $nor, $containedBy, $geoWithin, $geoIntersects queries (dplewis) #7113
• Supporting patterns in LiveQuery server's config parameter classNames (Nes-si) #7131
• Added requireAnyUserRoles and requireAllUserRoles for Parse Cloud validator (dblythy) #7097
• Support Facebook Limited Login (miguel-s) #7219
• Removed Stage name check on aggregate pipelines (BRETT71) #7237
• Retry transactions on MongoDB when it fails due to transient error (Antonio Davi Macedo Coelho de Castro) #7187
• Bump tests to use Mongo 4.4.4 (Antonio Davi Macedo Coelho de Castro) #7184
• Added new account lockout policy option accountLockout.unlockOnPasswordReset to automatically unlock account on password reset (Manuel Trezza) #7146
• Test Parse Server continuously against all recent MongoDB versions that have not reached their end-of-life support date, added MongoDB compatibility table to Parse Server docs (Manuel Trezza) #7161
• Test Parse Server continuously against all recent Node.js versions that have not reached their end-of-life support date, added Node.js compatibility table to Parse Server docs (Manuel Trezza) 7161
• Throw error on invalid Cloud Function validation configuration (dblythy) #7154
• Allow Cloud Validator options to be async (dblythy) #7155
• Optimize queries on classes with pointer permissions (Pedro Diaz) #7061
• Test Parse Server continuously against all relevant Postgres versions (minor versions), added Postgres compatibility table to Parse Server docs (Corey Baker) #7176
• Randomize test suite (Diamond Lewis) #7265
• LDAP: Properly unbind client on group search error (Diamond Lewis) #7265
• Improve data consistency in Push and Job Status update (Diamond Lewis) #7267
• Excluding keys that have trailing edges.node when performing GraphQL resolver (Chris Bland) #7273
• Added centralized feature deprecation with standardized warning logs (Manuel Trezza) #7303
• Use Node.js 15.13.0 in CI (Olle Jonsson) #7312
• Fix file upload issue for S3 compatible storage (Linode, DigitalOcean) by avoiding empty tags property when creating a file (Ali Oguzhan Yildiz) #7300
• Add building Docker image as CI check (Manuel Trezza) #7332
• Add NPM package-lock version check to CI (Manuel Trezza) #7333
• Fix incorrect LiveQuery events triggered for multiple subscriptions on the same class with different events #7341
• Fix select and excludeKey queries to properly accept JSON string arrays. Also allow nested fields in exclude (Corey Baker) #7242
• Fix LiveQuery server crash when using $all query operator on a missing object key (Jason Posthuma) #7421
• Added runtime deprecation warnings (Manuel Trezza) #7451
• Add ability to pass context of an object via a header, X-Parse-Cloud-Context, for Cloud Code triggers. The header addition allows client SDK's to add context without injecting _context in the body of JSON objects (Corey Baker) #7437
• Add CI check to add changelog entry (Manuel Trezza) #7512
• Refactor: uniform issue templates...

4.10.4

Full Changelog

Security Fixes

• Strip out sessionToken when LiveQuery is used on Parse.User (Daniel Blyth) GHSA-7pr3-p5fm-8r9x

4.10.3

Full Changelog

Security Fixes

• Validate explain query parameter to avoid a server crash due to MongoDB bug NODE-3463 (Kartal Kaan Bozdogan) GHSA-xqp8-w826-hh6x

4.10.2

Full Changelog

Fixes

• Move graphql-tag from devDependencies to dependencies (Antonio Davi Macedo Coelho de Castro) #7183

4.10.1

Full Changelog

• Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) #7508

⚠️ This includes a security fix of the Parse JS SDK where logIn will default to POST instead of GET method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.

4.10.0

Full Changelog

Versions >4.5.2 and <4.10.0 are skipped.

⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:

"parse-server": "[email protected]:parse-community/parse-server.git#4.9.3"

We have since deleted the incorrect version tags, but they may still show up in your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.

You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.

If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.
GHSA-593v-wcqx-hq2w