fix: Bump parse-server from 9.2.0 to 9.6.1 #819

Merged

mtrezza merged 1 commit into parse-community:master from mtrezza:fix/bump-parse-server-9.6.1 on Mar 30, 2026

Conversation

@mtrezza (Member) commented Mar 30, 2026

Bumps parse-server from 9.2.0 to 9.6.1.

This is a security update that addresses multiple vulnerabilities including:

Additional bug fixes:

  • User cannot retrieve own email with protectedFieldsOwnerExempt: false despite email not in protectedFields
  • LiveQuery regexTimeout default value not applied
  • Account lockout race condition allows bypassing threshold via concurrent requests
  • Concurrent signup with same authentication creates duplicate users

Closes #818

Summary by CodeRabbit

  • Chores
    • Updated server dependencies to the latest stable versions, including parse-server and Firebase packages, to improve stability and security.

@parse-github-assistant commented

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

coderabbitai bot commented Mar 30, 2026

Walkthrough

Dependency upgrade that bumps parse-server from version 9.2.0 to 9.6.1 in package.json and updates the corresponding lock file. The lock file reflects transitive dependency updates including Firebase packages, @parse/node-apn, expo-server-sdk, and removals of unused packages like subscriptions-transport-ws.

Changes

  • parse-server dependency upgrade (package.json): updated parse-server from 9.2.0 to 9.6.1.
  • Lock file and transitive dependencies (package-lock.json): updated lock file reflecting parse-server 9.6.1 and its transitive dependencies, including @parse/push-adapter, commander, express-rate-limit, mongodb, parse, Firebase packages (@firebase/component, @firebase/util, @firebase/database, etc.), @parse/node-apn, and expo-server-sdk. Removed unused packages such as subscriptions-transport-ws, backo2, eventemitter3, and others. Normalized devOptional: true to dev: true.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 5 passed

  • Description check: passed (check skipped because CodeRabbit's high-level summary is enabled).
  • Title check: passed. The title clearly summarizes the main change, bumping parse-server from 9.2.0 to 9.6.1, which is the primary objective of the pull request.
  • Linked Issues check: passed. The pull request fully addresses the linked issue #818 by upgrading parse-server from 9.2.0 to 9.6.1 in both package.json and package-lock.json, incorporating all upstream bug fixes and security patches.
  • Out of Scope Changes check: passed. All changes are in scope, limited to dependency version updates in package.json and transitive dependency updates in package-lock.json from the parse-server upgrade.
  • Docstring Coverage: passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.510)
package.json

2026-03-30 16:55:35,031 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 16:55:35,042 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 16:55:35,052 [MainThread ] [ERROR] Template file not found: package.json
2026-03-30 16:55:35,167 [MainThread ] [WARNI] Secret scanning: could not process file package.json
2026-03-30 16:55:35,147 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)

... [truncated 2547 characters] ...

ck__)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'
2026-03-30 16:55:35,180 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package-lock.json`:
- Line 12852: The project locks path-to-regexp at 8.3.0 which has known
vulnerabilities; update it to 8.4.0 by either bumping the direct dependency (if
present) or adding an npm override to force the safe version: add an "overrides"
(or "resolutions" for yarn) entry in package.json with "path-to-regexp":
"8.4.0", run npm install to regenerate package-lock.json, and verify the
package-lock.json entries that currently show "path-to-regexp": "8.3.0" are
updated to 8.4.0 (ensure parse-server transitive dependency is covered by the
override if it hasn’t been updated upstream).
- Line 12893: Update the Node engine constraint to match parse-server@9.6.1 by
changing the engines.node entry in package.json to exclude <20.19.0 (e.g.,
">=20.19.0 <21.0.0"), and make the corresponding update to the "node" field in
package-lock.json so both manifest and lockfile are consistent; modify the
engines.node value in package.json and the "node" value in package-lock.json
accordingly and re-run npm install to refresh the lock if needed.
- Line 2830: The lockfile pins node-forge at 1.3.2 (transitively via
`@parse/node-apn`) which has HIGH-severity vulnerabilities; update the dependency
to node-forge@1.4.0 by either upgrading the `@parse/node-apn` package to a version
that depends on node-forge@1.4.0 or by manually bumping the node-forge entry in
package-lock.json (ensure the package name "node-forge" and the transitive
reference from "@parse/node-apn" are updated), then run npm install / npm ci to
regenerate the lockfile and verify the resolved node-forge version is 1.4.0.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7f9df5e-9f51-4f0b-8f99-1528dc0ef19f

📥 Commits

Reviewing files that changed from the base of the PR and between 220852e and 4827416.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json

"debug": "4.4.3",
"jsonwebtoken": "9.0.2",
"jsonwebtoken": "9.0.3",
"node-forge": "1.3.2",

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether node-forge vulnerability advisories still affect 1.3.2
# and whether a patched version is available upstream.

set -euo pipefail

echo "== Locations of node-forge in lockfile =="
rg -n -C2 '"node-forge": "1\.3\.2"|node_modules/.*/node-forge' package-lock.json || true

echo "== npm metadata for node-forge =="
npm view node-forge version versions --json

echo "== OSV query for node-forge 1.3.2 =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d '{"package":{"name":"node-forge","ecosystem":"npm"},"version":"1.3.2"}' | jq

Repository: parse-community/parse-server-example

Length of output: 42180


🌐 Web query:

@parse/node-apn npm versions node-forge dependency

💡 Result:

@parse/node-apn pins (exact) node-forge versions (from each release’s package.json) as follows:

  • @parse/node-apn@5.1.3 pins node-forge@1.3.0 [1]
  • @parse/node-apn@6.5.0 pins node-forge@1.3.1 [2]
  • @parse/node-apn@7.1.0 (latest) pins node-forge@1.3.2 [3]

Sources: UNPKG package.json for each version. [1][2][3]


Update transitive node-forge dependency to 1.4.0 to resolve HIGH-severity vulnerabilities.

@parse/node-apn pins node-forge@1.3.2, which contains four HIGH-severity vulnerabilities:

All are fixed in node-forge@1.4.0. Upgrade @parse/node-apn or update node-forge directly in the lockfile.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 2830-2830: node-forge 1.3.2: Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

(GHSA-2328-f5f3-gj25)


[HIGH] 2830-2830: node-forge 1.3.2: Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

(GHSA-5m6q-g25r-mvwx)


[HIGH] 2830-2830: node-forge 1.3.2: Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

(GHSA-ppp5-5v6c-4jwp)


[HIGH] 2830-2830: node-forge 1.3.2: Forge has signature forgery in Ed25519 due to missing S > L check

(GHSA-q67f-28xg-22rw)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` at line 2830, The lockfile pins node-forge at 1.3.2
(transitively via `@parse/node-apn`) which has HIGH-severity vulnerabilities;
update the dependency to node-forge@1.4.0 by either upgrading the
`@parse/node-apn` package to a version that depends on node-forge@1.4.0 or by
manually bumping the node-forge entry in package-lock.json (ensure the package
name "node-forge" and the transitive reference from "@parse/node-apn" are
updated), then run npm install / npm ci to regenerate the lockfile and verify
the resolved node-forge version is 1.4.0.

"otpauth": "9.4.0",
"parse": "8.0.3",
"parse": "8.5.0",
"path-to-regexp": "8.3.0",

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm advisory status and available fixed versions for path-to-regexp.

set -euo pipefail

echo "== path-to-regexp entries in lockfile =="
rg -n -C2 '"path-to-regexp": "8\.3\.0"|node_modules/path-to-regexp' package-lock.json

echo "== npm metadata for path-to-regexp =="
npm view path-to-regexp version versions --json

echo "== OSV query for path-to-regexp 8.3.0 =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d '{"package":{"name":"path-to-regexp","ecosystem":"npm"},"version":"8.3.0"}' | jq

Repository: parse-community/parse-server-example

Length of output: 6934


Upgrade path-to-regexp from 8.3.0 to 8.4.0 to address two security vulnerabilities.

path-to-regexp@8.3.0 is locked in the dependencies (lines 12852 and 25594), and the scanner reports two vulnerabilities:

Both are fixed in version 8.4.0. Upgrade the dependency or apply an npm override if parse-server has not yet bumped it.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 12852-12852: path-to-regexp 8.3.0: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

(GHSA-27v5-c462-wpq7)


[HIGH] 12852-12852: path-to-regexp 8.3.0: path-to-regexp vulnerable to Denial of Service via sequential optional groups

(GHSA-j3q9-mxjg-w52f)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` at line 12852, The project locks path-to-regexp at 8.3.0
which has known vulnerabilities; update it to 8.4.0 by either bumping the direct
dependency (if present) or adding an npm override to force the safe version: add
an "overrides" (or "resolutions" for yarn) entry in package.json with
"path-to-regexp": "8.4.0", run npm install to regenerate package-lock.json, and
verify the package-lock.json entries that currently show "path-to-regexp":
"8.3.0" are updated to 8.4.0 (ensure parse-server transitive dependency is
covered by the override if it hasn’t been updated upstream).
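The node-forge comment above and this path-to-regexp comment come down to the same operation: find every resolved copy of a transitive package in package-lock.json, decide whether it is below the required version, and force it up with an `overrides` entry in package.json instead of hand-editing the lockfile. The script below is an added example, not code from this repository or from CodeRabbit. It runs against a constructed lockfile fragment that only imitates the shape of the real package-lock.json (nesting and versions are illustrative, though the @parse/node-apn 7.1.0 / node-forge 1.3.2 pairing matches what the review found), and the required versions it checks are the ones named in the two comments.

```javascript
// Added example, not code from parse-server-example or from CodeRabbit: scan an
// npm lockfile (lockfileVersion 2 or 3 "packages" map; the v1 "dependencies"
// tree is not handled) for every resolved copy of a package, flag copies below
// a required version, and print the package.json "overrides" entry that would
// force them up. SAMPLE_LOCK is constructed and only imitates the real
// package-lock.json; its nesting and versions are illustrative.

'use strict';

// "1.3.2" -> [1, 3, 2]. Prerelease/build suffixes are ignored on purpose:
// lockfile "version" fields are exact, so a prefix match is enough here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a pinned version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every lockfile entry whose path ends in "node_modules/<name>", hoisted or
// nested, with the package it is nested under ("<root>" when hoisted).
function findPackageEntries(lock, name) {
  const suffix = 'node_modules/' + name;
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith(suffix)) continue;
    const via = path.slice(0, path.length - suffix.length).replace(/\/$/, '') || '<root>';
    out.push({ path, version: entry.version, via });
  }
  return out;
}

// For each required package, list copies below the minimum and build the
// "overrides" object to add to package.json. Copies already at or above the
// minimum produce no override, so the result is empty when nothing is needed.
function planOverrides(lock, requirements) {
  const findings = [];
  const overrides = {};
  for (const [name, minVersion] of Object.entries(requirements)) {
    for (const e of findPackageEntries(lock, name)) {
      if (compareVersions(e.version, minVersion) < 0) {
        findings.push({ name, required: minVersion, ...e });
        overrides[name] = minVersion;
      }
    }
  }
  return { findings, overrides };
}

// Constructed lockfile fragment (shape of a lockfileVersion 3 file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'parse-server-example', dependencies: { 'parse-server': '9.6.1' } },
    'node_modules/parse-server': { version: '9.6.1' },
    'node_modules/path-to-regexp': { version: '8.3.0' },
    'node_modules/@parse/node-apn': { version: '7.1.0' },
    'node_modules/@parse/node-apn/node_modules/node-forge': { version: '1.3.2' },
    'node_modules/jsonwebtoken': { version: '9.0.3' },
  },
};

// Minimum versions named in the two review comments above.
const REQUIRED = { 'node-forge': '1.4.0', 'path-to-regexp': '8.4.0', jsonwebtoken: '9.0.3' };

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, overrides } = planOverrides(SAMPLE_LOCK, REQUIRED);
  for (const f of findings) console.log(`${f.path}: ${f.version} < ${f.required} (via ${f.via})`);
  console.log('add to package.json:', JSON.stringify({ overrides }, null, 2));
}
```

To run it against the real lockfile, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. After the printed `overrides` block is added to package.json, `npm install` regenerates the lockfile and `npm ls node-forge path-to-regexp` shows what actually resolved. Overrides require npm 8.3 or later and apply to the whole tree, including the exact pin inside @parse/node-apn, so the dependant that pinned the old version should be exercised afterwards to confirm it still works with the forced version.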

@@ -12882,34 +12893,16 @@
"node": ">=20.19.0"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Node engine constraints across repo config and CI workflow files.

set -euo pipefail

echo "== Engine constraints in package manifests =="
fd -HI 'package.json$' | xargs -I{} sh -c 'echo "--- {}"; jq -r ".engines // empty" "{}"'

echo "== Node versions pinned in GitHub Actions =="
fd -HI '\.ya?ml$' .github | xargs -I{} rg -n --no-heading 'node-version|setup-node|container:' "{}"

echo "== Lockfile engine requirements around upgraded deps =="
rg -n -C2 '"node": ">=20\.19\.0"|"node": ">=20\.18\.1"|node_modules/parse-server|node_modules/expo-server-sdk/node_modules/undici' package-lock.json

Repository: parse-community/parse-server-example

Length of output: 472


🏁 Script executed:

# Check for any security advisories affecting the key dependencies
rg -n 'node-forge|path-to-regexp' package-lock.json | head -20

Repository: parse-community/parse-server-example

Length of output: 895


🌐 Web query:

node-forge 1.3.2 security vulnerability CVE

💡 Result:

node-forge v1.3.2 is primarily a patched release for the major recent CVEs that affected earlier versions; those CVEs list affected versions as ≤ 1.3.1 (or < 1.3.2), so 1.3.2 is not affected:

  • CVE-2025-12816 (ASN.1 interpretation-conflict / potential crypto verification bypass): affects node-forge 1.3.1 and earlier. [1]
  • CVE-2025-66030 (ASN.1 OID integer truncation via integer overflow): affects node-forge 1.3.1 and below, patched in 1.3.2. [2]
  • CVE-2025-66031 (ASN.1 unbounded recursion → DoS): affects node-forge 1.3.1 and below, patched in 1.3.2. [3]

Older example:

  • CVE-2022-24771 (signature verification issue): fixed in 1.3.0, so 1.3.2 is also not affected. [4]

Bottom line: based on these NVD entries, there isn’t a CVE here that indicates node-forge 1.3.2 itself is vulnerable; instead, 1.3.2 is the minimum recommended version to remediate the 2025 issues above. [1][2][3]

Sources: [1] [2] [3] [4]


🌐 Web query:

path-to-regexp 8.3.0 security vulnerability

💡 Result:

path-to-regexp@8.3.0 is not currently known to be vulnerable to the main published path-to-regexp ReDoS issue(s).

  • CVE-2024-45296 (GHSA-9wv6-86v2-598j) is a Regular Expression DoS (catastrophic backtracking) bug triggered by route patterns with two parameters in one segment separated by something other than . (example /:a-:b). GitHub lists affected ranges as including >= 7.0.0, < 8.0.0 and says the patched version is 8.0.0—so 8.3.0 is outside the affected range. [1]
  • A related advisory, CVE-2024-52798 (GHSA-rhx6-c78j-4q9w) applies to the legacy 0.1.x line only (< 0.1.12), not 8.x. [2]
  • Snyk’s package page currently shows “No known security issues” for path-to-regexp and lists 8.3.0 as the latest non-vulnerable version. [3]

If you’re seeing an alert against “8.3.0”, it’s often due to a scanner matching a bundled/embedded copy (common in some frameworks) or mis-identifying which major line (0.1.x vs 8.x) is in use—compare the exact installed version(s) in your lockfile to the affected ranges above. [1][2]

Sources
[1] GitHub Advisory Database — GHSA-9wv6-86v2-598j / CVE-2024-45296 (affected & patched versions, technical trigger) (github.com)
[2] pillarjs/path-to-regexp security advisory — GHSA-rhx6-c78j-4q9w / CVE-2024-52798 (0.1.x-only affected range) (github.com)
[3] Snyk — path-to-regexp package vulnerability page (no known issues; latest/non-vulnerable version shown as 8.3.0) (security.snyk.io)


Update package.json engines constraint to match parse-server@9.6.1 minimum Node requirement.

parse-server@9.6.1 requires Node >=20.19.0, but package.json currently declares >=20.18.0 <21.0.0, creating a hard incompatibility for users on Node 20.18.0–20.18.1 within the advertised supported range. Update engines to exclude versions below 20.19.0.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` at line 12893, Update the Node engine constraint to match
parse-server@9.6.1 by changing the engines.node entry in package.json to exclude
<20.19.0 (e.g., ">=20.19.0 <21.0.0"), and make the corresponding update to the
"node" field in package-lock.json so both manifest and lockfile are consistent;
modify the engines.node value in package.json and the "node" value in
package-lock.json accordingly and re-run npm install to refresh the lock if
needed.
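The engines mismatch above is mechanical to check: the root package.json floor must be at least as high as the floor of every dependency that records engines.node in the lockfile, and the suggested new floor is simply the highest of those. The script below is an added example, not the project's or CodeRabbit's code. The manifest and lockfile fragments are constructed; only the root range (>=20.18.0 <21.0.0) and the parse-server range (>=20.19.0) are taken from the comment above, the example-* entries are invented placeholders. It handles the comparator forms that appear in npm lockfiles (>=, >, ^, ~, bare versions, hyphen ranges and `||` alternatives) and reports anything else, including prerelease tags, as unparsed rather than guessing.

```javascript
// Added example, not parse-server-example's or CodeRabbit's code: verify that
// the root "engines.node" range is at least as strict as every dependency's
// engines.node floor recorded in package-lock.json, and suggest the tightened
// floor. The manifest and lockfile below are constructed for the example.

'use strict';

// Lexicographic compare of [major, minor, patch] triples.
const lessThan = (a, b) =>
  a[0] !== b[0] ? a[0] < b[0] : a[1] !== b[1] ? a[1] < b[1] : a[2] < b[2];

// Lower bound of one comparator set (no "||"). Upper bounds ("<", "<=") are
// skipped; the first remaining comparator gives the floor. Supports ">=x.y.z",
// ">x.y.z", "^x.y.z", "~x.y.z", "x.y.z", "x.y", "x", "*" and hyphen ranges.
// Prerelease tags are not handled and make the set unparsed (null).
function floorOfSet(set) {
  const tokens = set.replace(/(>=|<=|>|<|\^|~|=)\s+/g, '$1').trim().split(/\s+/);
  for (const tok of tokens) {
    if (tok === '' || tok.startsWith('<')) continue;
    const m = /^(?:>=|>|\^|~|=)?v?(\d+|x|\*)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(tok);
    if (!m) return null;
    return m.slice(1, 4).map((p) => (p === undefined || p === 'x' || p === '*' ? 0 : Number(p)));
  }
  return [0, 0, 0]; // only upper bounds (or empty): no lower bound
}

// Floor of a full range: the lowest floor among "||" alternatives, or null if
// any alternative could not be parsed (conservative: flag it for a human).
function rangeFloor(range) {
  let lowest = null;
  for (const set of String(range).split('||')) {
    const f = floorOfSet(set);
    if (f === null) return null;
    if (lowest === null || lessThan(f, lowest)) lowest = f;
  }
  return lowest;
}

// Every non-root lockfile entry that declares engines.node.
function dependencyFloors(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.engines || !entry.engines.node) continue;
    out.push({ path, range: entry.engines.node, floor: rangeFloor(entry.engines.node) });
  }
  return out;
}

// Highest dependency floor as "major.minor.patch", or null if none declared.
function strictestFloor(lock) {
  let best = null;
  for (const d of dependencyFloors(lock)) {
    if (d.floor && (best === null || lessThan(best, d.floor))) best = d.floor;
  }
  return best ? best.join('.') : null;
}

// Problems: unparsed ranges, and dependencies whose floor exceeds the root's.
function checkEngineFloors(manifest, lock) {
  const rootRange = (manifest.engines && manifest.engines.node) || '*';
  const rootFloor = rangeFloor(rootRange);
  if (rootFloor === null) {
    return { rootFloor, problems: [{ path: '', range: rootRange, reason: 'unparsed root engines range' }] };
  }
  const problems = [];
  for (const d of dependencyFloors(lock)) {
    if (d.floor === null) problems.push({ path: d.path, range: d.range, reason: 'unparsed range' });
    else if (lessThan(rootFloor, d.floor)) problems.push({ path: d.path, range: d.range, reason: 'floor above root engines.node' });
  }
  return { rootFloor, problems };
}

// Constructed inputs: the root and parse-server ranges are the ones discussed
// in the review; the example-* entries are placeholders, not real metadata.
const SAMPLE_MANIFEST = { name: 'parse-server-example', engines: { node: '>=20.18.0 <21.0.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'parse-server-example', engines: { node: '>=20.18.0 <21.0.0' } },
    'node_modules/parse-server': { version: '9.6.1', engines: { node: '>=20.19.0' } },
    'node_modules/example-a': { engines: { node: '>= 16' } },
    'node_modules/example-b': { engines: { node: '18 || >=20' } },
    'node_modules/example-c': { engines: { node: '>=20.18.1' } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const { problems } = checkEngineFloors(SAMPLE_MANIFEST, SAMPLE_LOCK);
  for (const p of problems) console.log(`${p.path || '<root>'}: ${p.range} (${p.reason})`);
  const floor = strictestFloor(SAMPLE_LOCK);
  if (floor) console.log(`suggested engines.node floor: >=${floor} (keep the existing upper bound)`);
}
```

Against the real files, read package.json and package-lock.json with `JSON.parse(require('fs').readFileSync(...))` in place of the samples. The check only reasons about lower bounds; a dependency whose range has no floor is never a problem, and a range it cannot parse is reported so that a person looks at it instead of the script silently passing.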

@mtrezza mtrezza merged commit 85afc1f into parse-community:master Mar 30, 2026
4 checks passed
@mtrezza mtrezza deleted the fix/bump-parse-server-9.6.1 branch March 30, 2026 17:04