refactor: Bump express-rate-limit and parse-server

[dependabot]

Bumps express-rate-limit to 8.3.0 and updates ancestor dependency parse-server. These dependencies need to be updated together.

Updates express-rate-limit from 8.2.1 to 8.3.0

Release notes

Sourced from express-rate-limit's releases.

v8.3.0

You can view the changelog here.

Commits

• 9c90752 ci: setup oidc connect with npm for automatatic publish
• e4477fa 8.3.0
• 06d7340 docs: add changelog for 8.3.0
• 14e5388 fix: handle ipv4 mapped to ipv6 (GHSA-46wh-pxpv-q5gq)
• 2767a95 chore(deps-dev): bump the development-dependencies group across 1 directory w...
• f400c7f chore(deps-dev): bump the development-dependencies group with 2 updates (#603)
• 4e4884c chore(deps-dev): bump the development-dependencies group across 1 directory w...
• fadbccb formatting
• 7b57b95 biome migration
• 88a1f7f docs: typo fix
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gamemaker1, a new releaser for express-rate-limit since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (8.2.1) was attested. Review the package versions before updating.

Updates parse-server from 9.6.1 to 9.7.0

Release notes

Sourced from parse-server's releases.

9.7.0

9.7.0 (2026-03-30)

Bug Fixes

• Auth data exposed via verify password endpoint (GHSA-wp76-gg32-8258) (#10323) (770be86)
• Batch login sub-request rate limit uses IP-based keying (#10349) (63c37c4)
• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)
• Cloud function validator bypass via prototype chain traversal (GHSA-vpj2-qq7w-5qq6) (#10342) (dc59e27)
• Duplicate session destruction can cause unhandled promise rejection (#10319) (92791c1)
• GraphQL API endpoint ignores CORS origin restriction (GHSA-q3p6-g7c4-829c) (#10334) (4dd0d3d)
• GraphQL complexity validator exponential fragment traversal DoS (GHSA-mfj6-6p54-m98c) (#10344) (f759bda)
• LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65) (#10330) (776c71c)
• LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2) (#10350) (f63fd1a)
• Maintenance key blocked from querying protected fields (#10290) (7c8b213)
• MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf) (#10326) (e7efbeb)
• Missing error messages in Parse errors (#10304) (f128048)
• Postgres query on non-existent column throws internal server error (#10308) (c5c4325)
• Session field immutability bypass via falsy-value guard (GHSA-f6j3-w9v3-cq22) (#10347) (9080296)

Features

• Add protectedFieldsSaveResponseExempt option to strip protected fields from save responses (#10289) (4f7cb53)
• Add protectedFieldsTriggerExempt option to exempt Cloud Code triggers from protectedFields (#10288) (1610f98)
• Add support for partialFilterExpression in MongoDB storage adapter (#10346) (8dd7bf2)
• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

9.7.0-alpha.18

9.7.0-alpha.18 (2026-03-30)

Features

• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

9.7.0-alpha.17

9.7.0-alpha.17 (2026-03-29)

Bug Fixes

• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)

9.7.0-alpha.16

9.7.0-alpha.16 (2026-03-29)

Bug Fixes

... (truncated)

Commits

• 84ca533 chore(release): 9.7.0 [skip ci]
• 6d0bd1e build: Release (#10354)
• d01675b empty commit to trigger CI
• 99fc339 chore(release): 9.7.0-alpha.18 [skip ci]
• aea7596 feat: Extend storage adapter interface to optionally return matchedCount an...
• 6183d4b chore(release): 9.7.0-alpha.17 [skip ci]
• d5f5128 fix: Cloud Code trigger context vulnerable to prototype pollution (#10352)
• e573cfa chore(release): 9.7.0-alpha.16 [skip ci]
• f63fd1a fix: LiveQuery protected-field guard bypass via array-like logical operator v...
• f897d83 chore(release): 9.7.0-alpha.15 [skip ci]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.