refactor: Bump parse-server from 9.2.0 to 9.6.1

[dependabot]

Bumps parse-server from 9.2.0 to 9.6.1.

Release notes

Sourced from parse-server's releases.

9.6.1

9.6.1 (2026-03-22)

Bug Fixes

• User cannot retrieve own email with protectedFieldsOwnerExempt: false despite email not in protectedFields (#10284) (4a65d77)

9.6.1-alpha.1

9.6.1-alpha.1 (2026-03-22)

Bug Fixes

• User cannot retrieve own email with protectedFieldsOwnerExempt: false despite email not in protectedFields (#10284) (4a65d77)

9.6.0

9.6.0 (2026-03-22)

Bug Fixes

• LiveQuery regexTimeout default value not applied (#10156) (416cfbc)
• Account lockout race condition allows bypassing threshold via concurrent requests (#10266) (ff70fee)
• Account takeover via operator injection in authentication data identifier (GHSA-5fw2-8jcv-xh87) (#10185) (0d0a554)
• Add configurable batch request sub-request limit via option requestComplexity.batchRequestLimit (#10265) (164ed0d)
• Auth data exposed via /users/me endpoint (GHSA-37mj-c2wf-cx96) (#10278) (875cf10)
• Auth provider validation bypass on login via partial authData (GHSA-pfj7-wv7c-22pr) (#10246) (98f4ba5)
• Block dot-notation updates to authData sub-fields and harden login provider checks (#10223) (12c24c6)
• Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289) (#10133) (98188d9)
• Classes _GraphQLConfig and _Audience master key bypass via generic class routes (GHSA-7xg7-rqf6-pw6c) (#10151) (1de4e43)
• Cloud function dispatch crashes server via prototype chain traversal (GHSA-4263-jgmp-7pf4) (#10210) (286373d)
• Concurrent signup with same authentication creates duplicate users (#10149) (853bfe1)
• Create CLP not enforced before user field validation on signup (#10268) (a0530c2)
• Denial of service via unindexed database query for unconfigured auth providers (GHSA-g4cf-xj29-wqqr) (#10270) (fbac847)
• Denial-of-service via unbounded query complexity in REST and GraphQL API (GHSA-cmj3-wx7h-ffvg) (#10130) (0ae9c25)
• Email verification resend page leaks user existence (GHSA-h29g-q5c2-9h4f) (#10238) (fbda4cb)
• Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) (#10219) (5dcbf41)
• GraphQL WebSocket endpoint bypasses security middleware (GHSA-p2x3-8689-cwpg) (#10189) (3ffba75)
• Incomplete JSON key escaping in PostgreSQL Increment on nested Object fields (#10261) (a692873)
• Input type validation for query operators and batch path (#10230) (a628911)
• Instance comparison with instanceof is not realm-safe (#10225) (51efb1e)
• LDAP injection via unsanitized user input in DN and group filter construction (GHSA-7m6r-fhh7-r47c) (#10154) (5bbca7b)
• LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576) (#10250) (6c3317a)
• LiveQuery subscription query depth bypass (GHSA-6qh5-m6g3-xhq6) (#10259) (2126fe4)
• LiveQuery subscription with invalid regular expression crashes server (GHSA-827p-g5x5-h86c) (#10197) (0ae0eee)
• Locale parameter path traversal in pages router (#10242) (01fb6a9)
• MFA recovery code single-use bypass via concurrent requests (GHSA-2299-ghjr-6vjp) (#10275) (5e70094)
• MFA recovery codes not consumed after use (GHSA-4hf6-3x24-c9m8) (#10170) (18abdd9)
• Missing audience validation in Keycloak authentication adapter (GHSA-48mh-j4p5-7j9v) (#10137) (78ef1a1)

... (truncated)

Commits

• d14374b chore(release): 9.6.1 [skip ci]
• 7fed5d3 build: Release (#10285)
• fe14de8 empty commit to trigger CI
• 2e22aae chore(release): 9.6.1-alpha.1 [skip ci]
• 4a65d77 fix: User cannot retrieve own email with protectedFieldsOwnerExempt: false ...
• cb062a6 chore(release): 9.6.0 [skip ci]
• 4cd939c build: Release (#10283)
• f1bfd10 empty commit to trigger CI
• cc04fb1 test: Reject non-ASCII characters in PagesRouter locale parameter (#10281)
• e9591eb chore(release): 9.6.0-alpha.56 [skip ci]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.