{{ message }}
Tags: parse-community/parse-server
Tags
chore(release): 9.9.0-alpha.1 [skip ci] # [9.9.0-alpha.1](9.8.1-alpha.1...9.9.0-alpha.1) (2026-04-17) ### Features * Add `rawValues` and `rawFieldNames` options for aggregation queries ([#10438](#10438)) ([f26700e](f26700e))
chore(release): 9.8.1-alpha.1 [skip ci] ## [9.8.1-alpha.1](9.8.0...9.8.1-alpha.1) (2026-04-12) ### Bug Fixes * Context mutations leak across requests in `ParseServerRESTController` ([#10291](#10291)) ([60a58ec](60a58ec))
chore(release): 9.8.0 [skip ci] # [9.8.0](9.7.0...9.8.0) (2026-04-12) ### Bug Fixes * Bump lodash from 4.17.23 to 4.18.1 ([#10393](#10393)) ([19716ad](19716ad)) * Endpoint `/sessions/me` bypasses `_Session` `protectedFields` ([GHSA-g4v2-qx3q-4p64](GHSA-g4v2-qx3q-4p64)) ([#10406](#10406)) ([d507575](d507575)) * Endpoint `/upgradeToRevocableSession` ignores `_Session` `protectedFields` ([#10408](#10408)) ([c136e2b](c136e2b)) * Endpoints `/login` and `/verifyPassword` ignore `_User` `protectedFields` ([#10409](#10409)) ([8a3db3b](8a3db3b)) * Facebook Standard Login missing app ID validation ([#10429](#10429)) ([fd31159](fd31159)) * File upload Content-Type override via extension mismatch ([GHSA-vr5f-2r24-w5hc](GHSA-vr5f-2r24-w5hc)) ([#10383](#10383)) ([dd7cc41](dd7cc41)) * Login timing side-channel reveals user existence ([GHSA-mmpq-5hcv-hf2v](GHSA-mmpq-5hcv-hf2v)) ([#10398](#10398)) ([531b9ab](531b9ab)) * Maintenance key IP mismatch silently downgrades to regular auth instead of rejecting ([#10391](#10391)) ([7d8b367](7d8b367)) * Master key does not bypass `protectedFields` on various endpoints ([#10412](#10412)) ([c0889c8](c0889c8)) * Nested batch sub-requests cause unclear error ([#10371](#10371)) ([6635096](6635096)) * Session field guard bypass via falsy values for ACL and user fields ([#10382](#10382)) ([ead12bd](ead12bd)) * Streaming file download bypasses afterFind file trigger authorization ([GHSA-hpm8-9qx6-jvwv](GHSA-hpm8-9qx6-jvwv)) ([#10361](#10361)) ([a0b0c69](a0b0c69)) ### Features * Add `requestComplexity.allowRegex` option to disable `$regex` query operator ([#10418](#10418)) ([18482e3](18482e3)) * Add `requestComplexity.subqueryLimit` option to limit subquery results ([#10420](#10420)) ([bf40004](bf40004)) * Add route block with new server option `routeAllowList` ([#10389](#10389)) ([f2d06e7](f2d06e7)) * Add server option `fileDownload` to restrict file download ([#10394](#10394)) ([fc117ef](fc117ef)) * Add support for invoking Cloud Function with `multipart/form-data` protocol ([#10395](#10395)) ([a3f36a2](a3f36a2))
chore(release): 9.8.0-alpha.13 [skip ci] # [9.8.0-alpha.13](9.8.0-alpha.12...9.8.0-alpha.13) (2026-04-12) ### Bug Fixes * Facebook Standard Login missing app ID validation ([#10429](#10429)) ([fd31159](fd31159))
chore(release): 9.8.0-alpha.12 [skip ci] # [9.8.0-alpha.12](9.8.0-alpha.11...9.8.0-alpha.12) (2026-04-10) ### Features * Add `requestComplexity.subqueryLimit` option to limit subquery results ([#10420](#10420)) ([bf40004](bf40004))
chore(release): 9.8.0-alpha.11 [skip ci] # [9.8.0-alpha.11](9.8.0-alpha.10...9.8.0-alpha.11) (2026-04-09) ### Features * Add `requestComplexity.allowRegex` option to disable `$regex` query operator ([#10418](#10418)) ([18482e3](18482e3))
chore(release): 9.8.0-alpha.10 [skip ci] # [9.8.0-alpha.10](9.8.0-alpha.9...9.8.0-alpha.10) (2026-04-07) ### Bug Fixes * Master key does not bypass `protectedFields` on various endpoints ([#10412](#10412)) ([c0889c8](c0889c8))
chore(release): 9.8.0-alpha.9 [skip ci] # [9.8.0-alpha.9](9.8.0-alpha.8...9.8.0-alpha.9) (2026-04-07) ### Bug Fixes * Endpoints `/login` and `/verifyPassword` ignore `_User` `protectedFields` ([#10409](#10409)) ([8a3db3b](8a3db3b))
chore(release): 9.8.0-alpha.8 [skip ci] # [9.8.0-alpha.8](9.8.0-alpha.7...9.8.0-alpha.8) (2026-04-07) ### Bug Fixes * Endpoint `/upgradeToRevocableSession` ignores `_Session` `protectedFields` ([#10408](#10408)) ([c136e2b](c136e2b))
chore(release): 9.8.0-alpha.7 [skip ci] # [9.8.0-alpha.7](9.8.0-alpha.6...9.8.0-alpha.7) (2026-04-06) ### Bug Fixes * Endpoint `/sessions/me` bypasses `_Session` `protectedFields` ([GHSA-g4v2-qx3q-4p64](GHSA-g4v2-qx3q-4p64)) ([#10406](#10406)) ([d507575](d507575))
PreviousNext