refactor: Bump parse-server from 9.6.1 to 9.7.0 #830

Merged
mtrezza merged 1 commit into parse-community:master from mtrezza:refactor/parse-server-9.7.0
Mar 30, 2026

mtrezza (Member) commented Mar 30, 2026

Changes

Upgrades parse-server from 9.6.1 to 9.7.0 (pinned, exact version).

Security Fixes

Bug Fixes

  • Batch login sub-request rate limit uses IP-based keying
  • Duplicate session destruction can cause unhandled promise rejection
  • Maintenance key blocked from querying protected fields
  • Missing error messages in Parse errors
  • Postgres query on non-existent column throws internal server error

New Features

  • Add protectedFieldsSaveResponseExempt option
  • Add protectedFieldsTriggerExempt option
  • Add support for partialFilterExpression in MongoDB storage adapter
  • Extend storage adapter interface for matchedCount and modifiedCount

Incompatible Changes

None. All changes are backward compatible.

Code Changes Required

None. This is a drop-in upgrade.

Closes #825

Summary by CodeRabbit

  • Chores
    • Updated parse-server to version 9.7.0 and associated dependencies.

parse-github-assistant bot commented Mar 30, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

coderabbitai bot commented Mar 30, 2026

📝 Walkthrough

Updated parse-server dependency from 9.6.1 to 9.7.0, triggering cascading updates to multiple transitive dependencies including Apollo Server, GraphQL, Redis, and other packages in the lock file.

Changes

Cohort / File(s) Summary
Dependency Updates
package.json, package-lock.json
Bumped parse-server from 9.6.1 to 9.7.0; lock file updated with transitive dependency version increments including @apollo/server (5.4.0→5.5.0), graphql (16.11.0→16.13.2), redis (5.10.0→5.11.0), lru-cache (10.4.0→11.2.7), and others.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ❓ Inconclusive | The PR successfully updates parse-server and package-lock.json to version 9.7.0, addressing the core dependency upgrade requirement [#825]. However, the code changes alone do not demonstrate verification of compatibility, adapter audits, or regression testing as required. | Verify that unit, integration, and end-to-end tests have been executed to validate Cloud Code triggers, GraphQL CORS, LiveQuery protected-fields, MFA flows, session handling, and batch login rate-limiting as specified in #825. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the dependency upgrade objective. Package.json and package-lock.json updates for parse-server 9.7.0 and its transitive dependencies are within scope of issue #825. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title accurately describes the primary change: updating parse-server from version 9.6.1 to 9.7.0. It is concise, specific, and directly reflects the main objective of the pull request. |

coderabbitai bot previously requested changes Mar 30, 2026
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package-lock.json`:
- Around line 12950-12956: The CI/lockfile shows production dependencies require
Node >=20, but app.yaml and package.json still allow Node 18; update the
deployment/runtime spec and package engines to require Node 20+: change
app.yaml's runtime_version to "20" (or higher) and tighten package.json
"engines" to remove Node 18 ranges so it requires >=20.x (or match your chosen
>=20 range), then run npm install / regenerate package-lock.json to ensure the
lockfile aligns with the new engine constraints (verify transitive deps like
lru-cache, redis, express-rate-limit, follow-redirects, ws install without
engine errors).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce4a19c9-6a79-43ad-92cd-e88a58c4f336

📥 Commits

Reviewing files that changed from the base of the PR and between 4121f61 and bae2bde.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json

Comment on lines 12950 to 12956
"node_modules/parse-server/node_modules/lru-cache": {
"version": "10.4.0",
"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.0.tgz",
"integrity": "sha512-bfJaPTuEiTYBu+ulDaeQ0F+uLmlfFkMgXj4cbwfuMSjgObGMzb55FMMbDvbRU0fAHZ4sLGkz2mKwcMg8Dvm8Ww==",
"version": "11.2.7",
"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
"integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
"engines": {
"node": ">=18"
"node": "20 || >=22"
}
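Review bot: The `engines.node` value on the nested `lru-cache` entry tightens from ">=18" to "20 || >=22" while the package moves a major version (10.4.0 to 11.2.7), so this entry now declares Node 18 unsupported. Confirm that the runtime this lockfile is deployed on falls inside the new range, or state in the PR description that Node 18 was already outside the supported set before this bump. The rendered hunk has lost its +/- markers; this reading takes the first line of each duplicated pair as the removed one.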
@coderabbitai coderabbitai bot Mar 30, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for engine constraints in all dependencies that conflict with Node 18

echo "=== Checking for Node engine constraints that exclude Node 18 ==="

# Extract all engine constraints from package-lock.json
jq -r '
  .. | 
  objects | 
  select(has("engines") and .engines.node != null) | 
  {name: .name, version: .version, engines: .engines.node}
' package-lock.json | jq -s '
  map(select(.engines | test("^20|>=22|^22") and (test("18") | not)))
'

echo ""
echo "=== Current configuration ==="
echo "Root package.json engines.node:"
jq -r '.engines.node' package.json

echo ""
echo "app.yaml runtime_version:"
grep -A1 "runtime_version" app.yaml

Repository: parse-community/parse-server-example

Length of output: 1112


🏁 Script executed:

#!/bin/bash
# Check if parse-server is in production dependencies or devDependencies
echo "=== Checking parse-server location in package.json ==="
echo "Dependencies section:"
jq -r '.dependencies | keys[] | select(. == "parse-server")' package.json

echo ""
echo "DevDependencies section:"
jq -r '.devDependencies | keys[] | select(. == "parse-server")' package.json

echo ""
echo "=== Full dependency structure for parse-server ==="
jq '.dependencies["parse-server"] // .devDependencies["parse-server"] // "NOT FOUND"' package.json

echo ""
echo "=== Check if lru-cache, redis, etc. are direct dependencies ==="
jq -r '.dependencies | keys[] | grep -E "(lru-cache|redis|graphql|express-rate-limit)" || echo "None found in direct dependencies"' package.json 2>/dev/null || echo "Checking via jq..."

Repository: parse-community/parse-server-example

Length of output: 339


Critical: Production dependencies require Node 20+, but app.yaml and package.json specify Node 18.

Multiple transitive production dependencies (via parse-server) enforce minimum Node 20 or 22:

  • lru-cache@11.2.7: requires "node": "20 || >=22"
  • redis@9.0.2: requires "node": "^20.17.0 || >=22.9.0"
  • express-rate-limit@8.3.1: requires "node": "20 || 22 || 24"
  • follow-redirects@1.14.2: requires "node": ">=22.0.0"
  • ws@8.0.0: requires "node": "^20.17.0 || >=22.9.0"

Current configuration conflicts:

  • app.yaml: runtime_version: "18" (Google App Engine)
  • package.json: supports ">=18.20.4 <19.0.0 || >=20.18.0 <21.0.0 || >=22.12.0 <23.0.0"

This will cause installation or runtime failures when deploying to Google App Engine or running on Node 18.

Fix: Update app.yaml to runtime_version: "20" (or higher), OR remove Node 18 support from package.json and set minimum to Node 20.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` around lines 12950 - 12956, The CI/lockfile shows
production dependencies require Node >=20, but app.yaml and package.json still
allow Node 18; update the deployment/runtime spec and package engines to require
Node 20+: change app.yaml's runtime_version to "20" (or higher) and tighten
package.json "engines" to remove Node 18 ranges so it requires >=20.x (or match
your chosen >=20 range), then run npm install / regenerate package-lock.json to
ensure the lockfile aligns with the new engine constraints (verify transitive
deps like lru-cache, redis, express-rate-limit, follow-redirects, ws install
without engine errors).
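
The engine mismatch raised in this review can be checked mechanically before a deploy. The following is an added example, not code from this PR or from parse-server: it walks a lockfile's `packages` map, skips dev-only entries, and lists production packages whose `engines.node` range rejects a given runtime version. The range evaluator handles only the forms quoted in this thread (bare versions, `^`, comparison operators, `||`) and throws on anything else; the lockfile fragment and the `example-*` package names are constructed.

```javascript
// Added example: flag production lockfile entries whose engines.node range
// excludes the Node.js version the deployment actually runs.
const parse = (v) => [0, 1, 2].map((i) => Number(v.split('.')[i] || 0));
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// One comparator: ">=20.17.0", "<19.0.0", "^20.17.0", or a bare "20" / "20.1".
function matches(comparator, version) {
  const m = /^(>=|<=|>|<|\^|=)?v?(\d+(?:\.\d+){0,2})$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const [, op = '', raw] = m;
  const want = parse(raw);
  const c = cmp(version, want);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    case '^': return version[0] === want[0] && c >= 0; // correct for major >= 1
    default: // bare or "=": a partial version matches as a prefix
      return raw.split('.').every((part, i) => Number(part) === version[i]);
  }
}

// A range is "||"-separated alternatives, each a space-separated AND of comparators.
function satisfies(nodeVersion, range) {
  const v = parse(nodeVersion);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((c) => matches(c, v)));
}

// Returns [{ path, range }] for non-dev, non-root packages that reject nodeVersion.
function unsupportedPackages(lock, nodeVersion) {
  return Object.entries(lock.packages || {})
    .filter(([path, pkg]) => path && !pkg.dev && pkg.engines && pkg.engines.node)
    .filter(([, pkg]) => !satisfies(nodeVersion, pkg.engines.node))
    .map(([path, pkg]) => ({ path, range: pkg.engines.node }));
}

// Constructed lockfile fragment; the ranges are ones quoted in this thread.
const sampleLock = { packages: {
  '': { engines: { node: '>=18.20.4 <19.0.0 || >=20.18.0 <21.0.0 || >=22.12.0 <23.0.0' } },
  'node_modules/parse-server/node_modules/lru-cache': { engines: { node: '20 || >=22' } },
  'node_modules/example-ws': { engines: { node: '^20.17.0 || >=22.9.0' } },
  'node_modules/example-linter': { dev: true, engines: { node: '>=22.0.0' } },
} };

console.log(unsupportedPackages(sampleLock, '18.20.4'));
```

For real lockfiles, which also contain forms such as `*` and `~`, the `semver` package's `satisfies(version, range)` is the complete evaluator to substitute for the one above.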

Member Author

The Node.js engine constraint conflict with app.yaml (runtime_version 18) and package.json engines is a pre-existing issue that already exists with parse-server 9.6.1, which also requires Node >= 20.19.0. This PR (upgrading from 9.6.1 to 9.7.0) does not introduce or worsen this compatibility gap. The existing CI tests pass on Node 20+. Updating app.yaml and package.json engines is out of scope for this dependency upgrade PR.


@mtrezza, understood — thank you for the clarification. Since the Node.js engine constraint gap between app.yaml/package.json and the production transitive dependencies already existed with parse-server 9.6.1 (which also required Node ≥ 20.19.0), this PR neither introduces nor worsens that incompatibility. I'll note this for future reviews.


✏️ Learnings added
Learnt from: mtrezza
Repo: parse-community/parse-server-example PR: 830
File: package-lock.json:12950-12956
Timestamp: 2026-03-30T21:45:59.695Z
Learning: In the `parse-community/parse-server-example` repository, the Node.js engine constraint conflict between `app.yaml` (runtime_version: "18"), `package.json` engines field, and production transitive dependencies (e.g., lru-cache, redis, express-rate-limit requiring Node 20+) is a pre-existing issue that predates any individual dependency upgrade PR. Do not flag this as an issue introduced by dependency upgrade PRs (e.g., upgrading parse-server), as parse-server 9.6.1 already required Node >= 20.19.0. Only flag if a new PR materially worsens the compatibility gap.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


🧠 Learnings used
Learnt from: mtrezza
Repo: parse-community/parse-server-example PR: 827
File: package-lock.json:42-42
Timestamp: 2026-03-30T20:50:32.570Z
Learning: In the `parse-community/parse-server-example` repository, the `engines.node` field in `package.json` defines supported Node.js versions for **production runtime only**. It should NOT be narrowed based on engine constraints from transitive devDependencies (e.g., linting tools like `eslint-visitor-keys`). Do not flag mismatches between `engines.node` and transitive devDependency engine requirements as issues in this repository.

@mtrezza mtrezza dismissed coderabbitai[bot]’s stale review March 30, 2026 21:45

Node 18 engine constraint conflict is a pre-existing issue (parse-server 9.6.1 already requires Node >= 20.19.0). This PR does not introduce or worsen it. CI passes.

@mtrezza mtrezza changed the title from "fix: Bump parse-server from 9.6.1 to 9.7.0" to "refactor: Bump parse-server from 9.6.1 to 9.7.0" Mar 30, 2026
@mtrezza mtrezza merged commit 15401a6 into parse-community:master Mar 30, 2026
4 checks passed
@mtrezza mtrezza deleted the refactor/parse-server-9.7.0 branch March 30, 2026 21:47