7.2.0 (2024-07-09)

Bug Fixes

Invalid push notification tokens are not cleaned up from database for FCM API v2 (#9173) (284da09)

Features

Add support for dot notation on array fields of Parse Object (#9115) (cf4c880)
Upgrade to @parse/push-adapter 6.4.0 (#9182) (ef1634b)
Upgrade to Parse JS SDK 5.3.0 (#9180) (dca187f)

7.1.0 (2024-06-30)

Bug Fixes

Parse.Cloud.startJob and Parse.Push.send not returning status ID when setting Parse Server option directAccess: true (#8766) (5b0efb2)
Required option not handled correctly for special fields (File, GeoPoint, Polygon) on GraphQL API mutations (#8915) (907ad42)
Facebook Limited Login not working due to incorrect domain in JWT validation (#9122) (9d0bd2b)
Live query throws error when constraint notEqualTo is set to null (#8835) (11d3e48)
Parse Server option extendSessionOnUse not working for session lengths < 24 hours (#9113) (0a054e6)
Rate limiting can fail when using Parse Server option rateLimit.redisUrl with clusters (#8632) (c277739)
SQL injection when using Parse Server with PostgreSQL; fixes security vulnerability GHSA-c2hr-cqg6-8j6r (#9167) (2edf1e4)

Features

Add silent log level for Cloud Code (#8803) (5f81efb)
Add server security check status security.enableCheck to Features Router (#8679) (b07ec15)
Prevent Parse Server start in case of unknown option in server configuration (#8987) (8758e6a)
Upgrade to @parse/push-adapter 6.0.0 (#9066) (18bdbf8)
Upgrade to @parse/push-adapter 6.2.0 (#9127) (ca20496)
Upgrade to Parse JS SDK 5.2.0 (#9128) (665b8d5)

7.0.0 (2024-03-19)

Bug Fixes

CacheAdapter does not connect when using a CacheAdapter with a JSON config (#8633) (720d24e)
Conditional email verification not working in some cases if verifyUserEmails, preventLoginWithUnverifiedEmail set to functions (#8838) (8e7a6b1)
Context not passed to Cloud Code Trigger beforeFind when using Parse.Query.include (#8765) (7d32d89)
Deny request if master key is not set in Parse Server option masterKeyIps regardless of ACL and CLP (#8957) (a7b5b38)
Docker image not published to Docker Hub on new release (#8905) (a2ac8d1)
Docker version releases by removing arm/v6 and arm/v7 support (#8976) (1f62dd0)
GraphQL file upload fails in case of use of pointer or relation (#8721) (1aba638)
Improve PostgreSQL injection detection; fixes security vulnerability GHSA-6927-3vr9-fxf2 which affects Parse Server deployments using a Postgres database (#8961) (cbefe77)
Incomplete user object in verifyEmail function if both username and email are changed (#8889) (1eb95ae)
Parse Server option emailVerifyTokenReuseIfValid: true generates new token on every email verification request (#8885) (0023ce4)
Parse Server option fileExtensions default value rejects file extensions that are less than 3 or more than 4 characters long (#8699) (2760381)
Parse Server option fileUpload.fileExtensions fails to determine file extension if filename contains multiple dots (#8754) (3d6d50e)
Security bump @babel/traverse from 7.20.5 to 7.23.2 (#8777) (2d6b3d1)
Security upgrade graphql from 16.6.0 to 16.8.1 (#8758) (71dfd8a)
Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability GHSA-6hh7-46r2-vf29 (#9024) (9f6e342)
Server crashes when receiving an array of Parse.Pointer in the request body (#8784) (66e3603)
Username is undefined in email verification link on email change (#8887) (e315c13)

Features

Add $setOnInsert operator to Parse.Server.database.update (#8791) (f630a45)
Add installationId to arguments for verifyUserEmails, preventLoginWithUnverifiedEmail (#8836) (a22dbe1)
Add installationId, ip, resendRequest to arguments passed to verifyUserEmails on verification email request (#8873) (8adcbee)
Add Parse.User as function parameter to Parse Server options verifyUserEmails, preventLoginWithUnverifiedEmail on login (#8850) (972f630)
Add compatibility for MongoDB Atlas Serverless and AWS Amazon DocumentDB with collation options enableCollationCaseComparison, transformEmailToLowercase, transformUsernameToLowercase (#8805) (09fbeeb)
Add context to Cloud Code Triggers beforeLogin and afterLogin (#8724) (a9c34ef)
Add password validation via POST request for user with unverified email using master key and option ignoreEmailVerification (#8895) (633a9d2)
Add support for MongoDB 7 (#8761) (3de8494)
Add support for MongoDB query comment (#8928) (2170962)
Add support for Node 20, drop support for Node 14, 16 (#8907) (ced4872)
Add support for Postgres 16 (#8898) (99489b2)
Allow Parse.Session.current on expired session token instead of throwing error (#8722) (f9dde4a)
Allow setting createdAt and updatedAt during Parse.Object creation with maintenance key (#8696) (77bbfb3)
Deprecation DEPPS5: Config option allowClientClassCreation defaults to false (#8849) (29624e0)
Deprecation DEPPS6: Authentication adapters disabled by default (#8858) (0cf58eb)
Deprecation DEPPS7: Remove deprecated Cloud Code file trigger syntax (#8855) (4e6a375)
Deprecation DEPPS8: Parse Server option allowExpiredAuthDataToken defaults to false (#8860) (e29845f)
Deprecation DEPPS9: LiveQuery fields option is renamed to keys (#8852) (38983e8)
Node process exits with error code 1 on uncaught exception to allow custom uncaught exception handling (#8894) (70c280c)
Switch GraphQL server from Yoga v2 to Apollo v4 (#8959) (105ae7c)
Upgrade Parse Server Push Adapter to 5.0.2 (#8813) (6ef1986)
Upgrade to Parse JS SDK 5 (#9022) (ad4aa83)

Performance Improvements

Improved IP validation performance for masterKeyIPs, maintenanceKeyIPs (#8510) (b87daba)

BREAKING CHANGES

The Parse Server option allowClientClassCreation defaults to false. (29624e0)
A request using the master key will now be rejected as unauthorized if the IP from which the request originates is not set in the Parse Server option masterKeyIps, even if the request does not require the master key permission, for example for a public object in a public class class. (a7b5b38)
Node process now exits with code 1 on uncaught exceptions, enabling custom handlers that were blocked by Parse Server's default behavior of re-throwing errors. This change may lead to automatic process restarts by the environment, unlike before. (70c280c)
Authentication adapters are disabled by default; to use an authentication adapter it needs to be explicitly enabled in the Parse Server authentication adapter option auth.<provider>.enabled: true (0cf58eb)
Parse Server option allowExpiredAuthDataToken defaults to false; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter (e29845f)
LiveQuery fields option is renamed to keys (38983e8)
Cloud Code file trigger syntax has been aligned with object trigger syntax, for example Parse.Cloud.beforeDeleteFile' has been changed to Parse.Cloud.beforeDelete(Parse.File, (request) => {})' (4e6a375)
Removes support for Node 14 and 16 (ced4872)
Removes support for Postgres 11 and 12 (99489b2)
The Parse.User passed as argument if verifyUserEmails is set to a function is renamed from user to object for consistency with invocations of verifyUserEmails on signup or login; the user object is not a plain JavaScript object anymore but an instance of Parse.User (8adcbee)
Parse.Session.current() no longer throws an error if the session token is expired, but instead returns the session token with its expiration date to allow checking its validity (f9dde4a)
Parse.Query no longer supports the BSON type code; although this feature was never officially documented, its removal is announced as a breaking change to protect deployments where it might be in use. (3de8494)

6.4.0 (2023-11-16)

Bug Fixes

Parse Server option fileUpload.fileExtensions does not work with an array of extensions (#8688) (6a4a00c)
Redis 4 does not reconnect after unhandled error (#8706) (2b3d4e5)
Remove config logging when launching Parse Server via CLI (#8710) (ae68f0c)
Server does not start via CLI when auth option is set (#8666) (4e2000b)

Features

Add conditional email verification via dynamic Parse Server options verifyUserEmails, sendUserEmailVerification that now accept functions (#8425) (44acd6d)
Add property Parse.Server.version to determine current version of Parse Server in Cloud Code (#8670) (a9d376b)
Add TOTP authentication adapter (#8457) (cc079a4)

Performance Improvements

Improve performance of recursive pointer iterations (#8741) (45a3ed0)

6.3.1 (2023-10-20)

Bug Fixes

Server crash when uploading file without extension; fixes security vulnerability GHSA-792q-q67h-w579 (#8781) (fd86278)

6.3.0 (2023-09-16)

Bug Fixes

Cloud Code Trigger afterSave executes even if not set (#8520) (afd0515)
GridFS file storage doesn't work with certain enableSchemaHooks settings (#8467) (d4cda4b)
Inaccurate table total row count for PostgreSQL (#8511) (0823a02)
LiveQuery server is not shut down properly when handleShutdown is called (#8491) (967700b)
Rate limit feature is incompatible with Node 14 (#8578) (f911f2c)
Unnecessary log entries by extendSessionOnUse (#8562) (fd6a007)

Features

extendSessionOnUse to automatically renew Parse Sessions (#8505) (6f885d3)
Add new Parse Server option preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451) (82da308)
Add option to change the log level of logs emitted by Cloud Functions (#8530) (2caea31)
Add support for $eq query constraint in LiveQuery (#8614) (656d673)
Add zones for rate limiting by ip, user, session, global (#8508) (03fba97)
Allow Parse.Object pointers in Cloud Code arguments (#8490) (28aeda3)

Reverts

fix: Inaccurate table total row count for PostgreSQL (6722110)

6.2.2 (2023-09-04)

Bug Fixes

Parse Pointer allows to access internal Parse Server classes and circumvent beforeFind query trigger; fixes security vulnerability GHSA-fcv6-fg5r-jm9q (be4c7e2)

6.2.1 (2023-06-28)

Bug Fixes

Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability GHSA-462x-c3jw-7vr6 (#8674) (3dd99dd)

6.2.0 (2023-05-20)

Features

Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern ^[^hH][^tT][^mM][^lL]?$, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to ['.*'] (#8538) (a318e7b)

6.1.0 (2023-05-01)

Bug Fixes

LiveQuery can return incorrectly formatted date (#8456) (4ce135a)
Nested date is incorrectly decoded as empty object {} when fetching a Parse Object (#8446) (22d2446)
Parameters missing in afterFind trigger of authentication adapters (#8458) (ce34747)
Rate limiting across multiple servers via Redis not working (#8469) (d9e347d)
Security upgrade jsonwebtoken to 9.0.0 (#8420) (f5bfe45)

Features

Add afterFind trigger to authentication adapters (#8444) (c793bb8)
Add option schemaCacheTtl for schema cache pulling as alternative to enableSchemaHooks (#8436) (b3b76de)
Add Parse Server option resetPasswordSuccessOnInvalidEmail to choose success or error response on password reset with invalid email (#7551) (e5d610e)
Add rate limiting across multiple servers via Redis (#8394) (34833e4)
Allow multiple origins for header Access-Control-Allow-Origin (#8517) (4f15539)
Deprecate LiveQuery fields option in favor of keys for semantic consistency (#8388) (a49e323)
Export AuthAdapter to make it available for extension with custom authentication adapters (#8443) (40c1961)

6.0.0 (2023-01-31)

Bug Fixes

ParseServer.verifyServerUrl may fail if server response headers are missing; remove unnecessary logging (#8391) (1c37a7c)
Cloud Code trigger beforeSave does not work with Parse.Role (#8320) (f29d972)
ES6 modules do not await the import of Cloud Code files (#8368) (a7bd180)
Nested objects are encoded incorrectly for MongoDB (#8209) (1412666)
Parse Server option masterKeyIps does not include localhost by default for IPv6 (#8322) (ab82635)
Rate limiter may reject requests that contain a session token (#8399) (c114dc8)
Remove Node 12 and Node 17 support (#8279) (2546cc8)
Schema without class level permissions may cause error (#8409) (aa2cd51)
The client IP address may be determined incorrectly in some cases; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8372) (892040d)
Throwing error in Cloud Code Triggers afterLogin, afterLogout crashes server (#8280) (130d290)

Features

Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see access scopes (#8212) (f3bcc93)
Adapt verifyServerUrl for new asynchronous Parse Server start-up states (#8366) (ffa4974)
Add ParseQuery.watch to trigger LiveQuery only on update of specific fields (#8028) (fc92faa)
Add Node 19 support (#8363) (a4990dc)
Add option to change the log level of the logs emitted by triggers (#8328) (8f3b694)
Add request rate limiter based on IP address (#8174) (6c79f6a)
Asynchronous initialization of Parse Server (#8232) (99fcf45)
Improve authentication adapter interface to support multi-factor authentication (MFA), authentication challenges, and provide a more powerful interface for writing custom authentication adapters (#8156) (5bbf9ca)
Reduce Docker image size by improving stages (#8359) (40810b4)
Remove deprecation DEPPS1: Native MongoDB syntax in aggregation pipeline (#8362) (d0d30c4)
Remove deprecation DEPPS2: Config option directAccess defaults to true (#8284) (f535ee6)
Remove deprecation DEPPS3: Config option enforcePrivateUsers defaults to true (#8283) (ed499e3)
Remove deprecation DEPPS4: Remove convenience method for http request Parse.Cloud.httpRequest (#8287) (2d79c08)
Remove support for MongoDB 4.0 (#8292) (37245f6)
Restrict use of masterKey to localhost by default (#8281) (6c16021)
Upgrade Node Package Manager lock file package-lock.json to version 2 (#8285) (ee72467)
Upgrade Redis 3 to 4 (#8293) (7d622f0)
Upgrade Redis 3 to 4 for LiveQuery (#8333) (b2761fb)
Upgrade to Parse JavaScript SDK 4 (#8332) (9092874)
Write log entry when request with master key is rejected as outside of masterKeyIps (#8350) (e22b73d)

BREAKING CHANGES

The Docker image does not contain the git dependency anymore; if you have been using git as a transitive dependency it now needs to be explicitly installed in your Docker file, for example with RUN apk --no-cache add git (#8359) (40810b4)
Fields in the internal scope of Parse Server (prefixed with underscore _) are only returned using the new maintenanceKey; previously the masterKey allowed reading of internal fields; see access scopes for a comparison of the keys' access permissions (#8212) (f3bcc93)
The method ParseServer.verifyServerUrl now returns a promise instead of a callback. (ffa4974)
The MongoDB aggregation pipeline requires native MongoDB syntax instead of the custom Parse Server syntax; for example pipeline stage names require a leading dollar sign like $match and the MongoDB document ID is referenced using _id instead of objectId (#8362) (d0d30c4)
The mechanism to determine the client IP address has been rewritten; to correctly determine the IP address it is now required to set the Parse Server option trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting (#8372) (892040d)
The Node Package Manager lock file package-lock.json is upgraded to version 2; while it is backwards with version 1 for the npm installer, consider this if you run any non-npm analysis tools that use the lock file (#8285) (ee72467)
This release introduces the asynchronous initialization of Parse Server to prevent mounting Parse Server before being ready to receive request; it changes how Parse Server is imported, initialized and started; it also removes the callback serverStartComplete; see the Parse Server 6 migration guide for more details (#8232) (99fcf45)
Nested objects are now properly stored in the database using JSON serialization; previously, due to a bug only top-level objects were serialized, but nested objects were saved as raw JSON; for example, a nested Date object was saved as a JSON object like { "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" } instead of its serialized representation 2020-01-01T00:00:00.000Z (#8209) (1412666)
The Parse Server option enforcePrivateUsers is set to true by default; in previous releases this option defaults to false; this change improves the default security configuration of Parse Server (#8283) (ed499e3)
This release restricts the use of masterKey to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281) (6c16021)
This release upgrades to Redis 4; if you are using the Redis cache adapter with Parse Server then this is a breaking change as the Redis client options have changed; see the Redis migration guide for more details (#8293) (7d622f0)
This release removes support for MongoDB 4.0; the new minimum supported MongoDB version is 4.2. which also removes support for the deprecated MongoDB MMAPv1 storage engine (37245f6)
Throwing an error in Cloud Code Triggers afterLogin, afterLogout returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with process.on('unhandledRejection', ...) (130d290)
Config option directAccess defaults to true; set this to false in environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the serverURL. (f535ee6)
The convenience method for HTTP requests Parse.Cloud.httpRequest is removed; use your preferred 3rd party library for making HTTP requests (2d79c08)
This release removes Node 12 and Node 17 support (2546cc8)

5.4.0 (2022-11-19)

Bug Fixes

graphQL query ignores condition equalTo with value false (#8032) (7f5a15d)
internal indices for classes _Idempotency and _Role are not protected in defined schema (#8121) (c16f529)
liveQuery with containedIn not working when object field is an array (#8128) (1d9605b)
push notifications badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)
query aggregation pipeline cannot handle value of type Date when directAccess: true (#8167) (e424137)
relation constraints in compound queries Parse.Query.or, Parse.Query.and not working (#8203) (28f0d26)
security upgrade undici from 5.6.0 to 5.8.0 (#8108) (4aa016b)
sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)
updating object includes unchanged keys in client response for certain key types (#8159) (37af1d7)

Features

add convenience access to Parse Server configuration in Cloud Code via Parse.Server (#8244) (9f11115)
add option to change the default value of the Parse.Query.limit() constraint (#8152) (0388956)
add support for MongoDB 6 (#8242) (aba0081)
add support for Postgres 15 (#8215) (2feb6c4)
liveQuery support for unsorted distance queries (#8221) (0f763da)

5.3.3 (2022-11-09)

Bug Fixes

Prototype pollution via Cloud Code Webhooks; fixes security vulnerability GHSA-93vw-8fm5-p2jf (#8305) (60c5a73)

5.3.2 (2022-11-09)

Bug Fixes

Parse Server option requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability GHSA-xprv-wvh7-qqqx (#8302) (6728da1)

5.3.1 (2022-11-07)

Bug Fixes

Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability GHSA-prm5-8g2m-24gg (#8295) (50eed3c)

5.3.0 (2022-10-29)

Bug Fixes

afterSave trigger removes pointer in Parse object (#7913) (47d796e)
auto-release process may fail if optional back-merging task fails (#8051) (cf925e7)
custom database options are not passed to MongoDB GridFS (#7911) (b1e5565)
depreciate allowClientClassCreation defaulting to true (#7925) (38ed96a)
errors in GraphQL do not show the original error but a general Unexpected Error (#8045) (0d81887)
interrupted WebSocket connection not closed by LiveQuery server (#8012) (2d5221e)
live query role cache does not clear when a user is added to a role (#8026) (199dfc1)
peer dependency mismatch for GraphQL dependencies (#7934) (0a6faa8)
return correct response when revert is used in beforeSave (#7839) (19900fc)
security upgrade @parse/fs-files-adapter from 1.2.1 to 1.2.2 (#7948) (3a70fda)
security upgrade moment from 2.29.1 to 2.29.2 (#7931) (731c550)
security upgrade parse push adapter from 4.1.0 to 4.1.2 (#7893) (93667b4)
websocket connection of LiveQuery interrupts frequently (#8048) (03caae1)

Features

add MongoDB 5.1 compatibility (#7682) (022a856)
add MongoDB 5.2 support (#7894) (5bfa716)
add support for Node 17 and 18 (#7896) (3e9f292)
align file trigger syntax with class trigger; use the new syntax Parse.Cloud.beforeSave(Parse.File, (request) => {}), the old syntax Parse.Cloud.beforeSaveFile((request) => {}) has been deprecated (#7966) (c6dcad8)
replace GraphQL Apollo with GraphQL Yoga (#7967) (1aa2204)
selectively enable / disable default authentication adapters (#7953) (c1e808f)
upgrade mongodb from 4.4.1 to 4.5.0 (#7991) (e692b5d)

Performance Improvements

reduce database operations when using the constant parameter in Cloud Function validation (#7892) (041197f)

5.2.8 (2022-10-14)

Bug Fixes

server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) (#8235) (066f296)

5.2.7 (2022-09-20)

Bug Fixes

authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)

5.2.6 (2022-09-20)

Bug Fixes

session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8182) (6d0b2f5)

5.2.5 (2022-09-02)

Bug Fixes

brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144) (e39d51b)

5.2.4 (2022-06-30)

Bug Fixes

protected fields exposed via LiveQuery; this removes protected fields from the client response; this may be a breaking change if your app is currently expecting to receive these protected fields (GHSA-crrq-vr9j-fxxh) (#8074) (#8073) (309f64c)

5.2.3 (2022-06-17)

Bug Fixes

invalid file request not properly handled; this fixes a security vulnerability in which an invalid file request can crash the server (GHSA-xw6g-jjvf-wwf9) (#8060) (5be375d)

5.2.2 (2022-06-17)

Bug Fixes

certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory (GHSA-rh9j-f5f8-rvgc) (ba2b0a9)

5.2.1 (2022-05-01)

Bug Fixes

authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter (GHSA-qf8x-vqjv-92gr) (#7962) (af4a041)

5.2.0 (2022-03-24)

Bug Fixes

security bump minimist from 1.2.5 to 1.2.6 (#7884) (c5cf282)
sensitive keyword detection may produce false positives (#7881) (0d6f9e9)

Features

improved LiveQuery error logging with additional information (#7837) (443a509)

5.1.1 (2022-03-18)

Reverts

ci: temporarily disable breaking change detection (#7861) (effed92)

5.1.0 (2022-03-18)

Bug Fixes

adding or modifying a nested property requires addField permissions (#7679) (6a6248b)
bump nanoid from 3.1.25 to 3.2.0 (#7781) (f5f63bf)
bump node-fetch from 2.6.1 to 3.1.1 (#7782) (9082351)
node engine compatibility did not include node 16 (#7739) (ea7c014)
node engine range has no upper limit to exclude incompatible node versions (#7692) (573558d)
package.json & package-lock.json to reduce vulnerabilities (#7823) (5ca2288)
schema cache not cleared in some cases (#7678) (5af6e5d)
security upgrade follow-redirects from 1.14.6 to 1.14.7 (#7769) (8f5a861)
security upgrade follow-redirects from 1.14.7 to 1.14.8 (#7801) (70088a9)
security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7844) (e569f40)
server crash using GraphQL due to missing @apollo/client peer dependency (#7787) (08089d6)
unable to use objectId size higher than 19 on GraphQL API (#7627) (ed86c80)
upgrade mime from 2.5.2 to 3.0.0 (#7725) (f5ef98b)
upgrade parse from 3.3.1 to 3.4.0 (#7723) (d4c1f47)
upgrade winston from 3.5.0 to 3.5.1 (#7820) (4af253d)

Features

add Cloud Code context to ParseObject.fetch (#7779) (315290d)
add Idempotency to Postgres (#7750) (0c3feaa)
add support for Node 16 (#7707) (45cc58c)
bump required node engine to >=12.22.10 (#7846) (5ace99d)
support postgresql protocol in database URI (#7757) (caf4a23)
support relativeTime query constraint on Postgres (#7747) (16b1b2a)
upgrade to MongoDB Node.js driver 4.x for MongoDB 5.0 support (#7794) (f88aa2a)

Reverts

refactor: allow ES import for cloud string if package type is module (b64640c)
update node engine to 2.22.0 (#7827) (f235412)

⚠️ NOTABLE CHANGES

The following changes would formally require a major version increment (Parse Server 6.0), but given their low relevance they are released as part of this minor version increment (Parse Server 5.1).

The MongoDB GridStore adapter has been removed. By default, Parse Server already uses GridFS, so if you do not manually use the GridStore adapter, you can ignore this change. Parse Server uses the GridFSBucket adapter instead of GridStore adapter by default since 2018. (f88aa2a)
Removes official Node 15 support which has already reached it End-of-Life date. (45cc58c)

5.0.0 (2022-03-14)

BREAKING CHANGES

Improved schema caching through database real-time hooks. Reduces DB queries, decreases Parse Query execution time and fixes a potential schema memory leak. If multiple Parse Server instances connect to the same DB (for example behind a load balancer), set the Parse Server Option databaseOptions.enableSchemaHooks: true to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options enableSingleSchemaCache and schemaCacheTTL have been removed. To use this feature with MongoDB, a replica set cluster with change stream support is required. (Diamond Lewis, SebC) #7214
Fix security vulnerability that allows remote code execution; as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed. (GHSA-p6h4-93qp-jhcm) (#7843) (971adb5)
Added file upload restriction. File upload is now only allowed for authenticated users by default for improved security. To allow file upload also for Anonymous Users or Public, set the fileUpload parameter in the Parse Server Options (dblythy, Manuel Trezza) #7071
Removed parse-server-simple-mailgun-adapter dependency; to continue using the adapter it has to be explicitly installed (Manuel Trezza) #7321
Remove support for MongoDB 3.6 which has reached its End-of-Life date and PostgreSQL 10 (Manuel Trezza) #7315
Remove support for Node 10 which has reached its End-of-Life date (Manuel Trezza) #7314
Bump required Node engine to >=12.22.10 (#7848) (23a3488)
Remove S3 Files Adapter from Parse Server, instead install separately as @parse/s3-files-adapter (Manuel Trezza) #7324
Remove Session field restricted; the field was a code artifact from a feature that never existed in Open Source Parse Server; if you have been using this field for custom purposes, consider that for new Parse Server installations the field does not exist anymore in the schema, and for existing installations the field default value false will not be set anymore when creating a new session (Manuel Trezza) #7543
To delete a field via the GraphQL API, the field value has to be set to null. Previously, setting a field value to null would save a null value in the database, which was not according to the GraphQL specs. To delete a file field use file: null, the previous way of using file: { file: null } has become obsolete. (626fad2)

Notable Changes

Alphabetical ordered GraphQL API, improved GraphQL Schema cache system and fix GraphQL input reassign issue (Moumouls) #7344
Added Parse Server Security Check to report weak security settings (Manuel Trezza, dblythy) #7247
EXPERIMENTAL: Added new page router with placeholder rendering and localization of custom and feature pages such as password reset and email verification (Manuel Trezza) #7128
EXPERIMENTAL: Added custom routes to easily customize flows for password reset, email verification or build entirely new flows (Manuel Trezza) #7231
Added Deprecation Policy to govern the introduction of breaking changes in a phased pattern that is more predictable for developers (Manuel Trezza) #7199
Add REST API endpoint /loginAs to create session of any user with master key; allows to impersonate another user. (GormanFletcher) #7406
Add official support for MongoDB 5.0 (Manuel Trezza) #7469
Added Parse Server Configuration enforcePrivateUsers, which will remove public access by default on new Parse.Users (dblythy) #7319
add support for Postgres 14 (#7644) (090350a)
add user-defined schema and migrations (#7418) (25d5c30)
setting a field to null does not delete it via GraphQL API (#7649) (626fad2)
combined and query with relational query condition returns incorrect results (#7593) (174886e)
node engine range has no upper limit to exclude incompatible node versions (#7693) (6a54dac)
unable to use objectId size higher than 19 on GraphQL API (#7722) (8ee0445)
schema cache not cleared in some cases (#7771) (3b92fa1)

Other Changes

Support native mongodb syntax in aggregation pipelines (Raschid JF Rafeally) #7339
Fix error when a not yet inserted job is updated (Antonio Davi Macedo Coelho de Castro) #7196
request.context for afterFind triggers (dblythy) #7078
Winston Logger interpolating stdout to console (dplewis) #7114
Added convenience method Parse.Cloud.sendEmail(...) to send email via email adapter in Cloud Code (dblythy) #7089
LiveQuery support for $and, $nor, $containedBy, $geoWithin, $geoIntersects queries (dplewis) #7113
Supporting patterns in LiveQuery server's config parameter classNames (Nes-si) #7131
Added requireAnyUserRoles and requireAllUserRoles for Parse Cloud validator (dblythy) #7097
Support Facebook Limited Login (miguel-s) #7219
Removed Stage name check on aggregate pipelines (BRETT71) #7237
Retry transactions on MongoDB when it fails due to transient error (Antonio Davi Macedo Coelho de Castro) #7187
Bump tests to use Mongo 4.4.4 (Antonio Davi Macedo Coelho de Castro) #7184
Added new account lockout policy option accountLockout.unlockOnPasswordReset to automatically unlock account on password reset (Manuel Trezza) #7146
Test Parse Server continuously against all recent MongoDB versions that have not reached their end-of-life support date, added MongoDB compatibility table to Parse Server docs (Manuel Trezza) #7161
Test Parse Server continuously against all recent Node.js versions that have not reached their end-of-life support date, added Node.js compatibility table to Parse Server docs (Manuel Trezza) 7161
Throw error on invalid Cloud Function validation configuration (dblythy) #7154
Allow Cloud Validator options to be async (dblythy) #7155
Optimize queries on classes with pointer permissions (Pedro Diaz) #7061
Test Parse Server continuously against all relevant Postgres versions (minor versions), added Postgres compatibility table to Parse Server docs (Corey Baker) #7176
Randomize test suite (Diamond Lewis) #7265
LDAP: Properly unbind client on group search error (Diamond Lewis) #7265
Improve data consistency in Push and Job Status update (Diamond Lewis) #7267
Excluding keys that have trailing edges.node when performing GraphQL resolver (Chris Bland) #7273
Added centralized feature deprecation with standardized warning logs (Manuel Trezza) #7303
Use Node.js 15.13.0 in CI (Olle Jonsson) #7312
Fix file upload issue for S3 compatible storage (Linode, DigitalOcean) by avoiding empty tags property when creating a file (Ali Oguzhan Yildiz) #7300
Add building Docker image as CI check (Manuel Trezza) #7332
Add NPM package-lock version check to CI (Manuel Trezza) #7333
Fix incorrect LiveQuery events triggered for multiple subscriptions on the same class with different events #7341
Fix select and excludeKey queries to properly accept JSON string arrays. Also allow nested fields in exclude (Corey Baker) #7242
Fix LiveQuery server crash when using $all query operator on a missing object key (Jason Posthuma) #7421
Added runtime deprecation warnings (Manuel Trezza) #7451
Add ability to pass context of an object via a header, X-Parse-Cloud-Context, for Cloud Code triggers. The header addition allows client SDK's to add context without injecting _context in the body of JSON objects (Corey Baker) #7437
Add CI check to add changelog entry (Manuel Trezza) #7512
Refactor: uniform issue templates across repos (Manuel Trezza) #7528
ci: bump ci environment (Manuel Trezza) #7539
CI now pushes docker images to Docker Hub (Corey Baker) #7548
Allow afterFind and afterLiveQueryEvent to set unsaved pointers and keys (dblythy) #7310
Allow setting descending sort to full text queries (dblythy) #7496
Allow cloud string for ES modules (Daniel Blyth) #7560
docs: Introduce deprecation ID for reference in comments and online search (Manuel Trezza) #7562
refactor: deprecate Parse.Cloud.httpRequest; it is recommended to use a HTTP library instead. (Daniel Blyth) #7595
refactor: Modernize HTTPRequest tests (brandongregoryscott) #7604
Allow liveQuery on Session class (Daniel Blyth) #7554
security upgrade follow-redirects from 1.14.2 to 1.14.7 (#7772) (4bd34b1)
security upgrade follow-redirects from 1.14.7 to 1.14.8 (#7802) (7029b27)
Add node engine version check (Manuel Trezza) #7574

4.10.7 (2022-03-11)

Bug Fixes

security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) (886bfd7)

Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.

4.10.6 (2022-02-12)

Bug Fixes

update graphql dependencies to work with Parse Dashboard (#7658) (350ecde)

4.10.5 (2022-02-12)

Bug Fixes

security upgrade follow-redirects from 1.13.0 to 1.14.8 (#7803) (611332e)

4.10.4

Security Fixes

Strip out sessionToken when LiveQuery is used on Parse.User (Daniel Blyth) GHSA-7pr3-p5fm-8r9x

4.10.3

Security Fixes

Validate explain query parameter to avoid a server crash due to MongoDB bug NODE-3463 (Kartal Kaan Bozdogan) GHSA-xqp8-w826-hh6x

4.10.2

Other Changes

Move graphql-tag from devDependencies to dependencies (Antonio Davi Macedo Coelho de Castro) #7183

4.10.1

Security Fixes

Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) #7508

⚠️ This includes a security fix of the Parse JS SDK where logIn will default to POST instead of GET method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.

4.10.0

Versions >4.5.2 and <4.10.0 are skipped.

⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:
"parse-server": "git@github.com:parse-community/parse-server.git#4.9.3"
We have since deleted the incorrect version tags, but they may still show up if your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.

You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.

If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.

4.5.2

Security Fixes

SECURITY FIX: Fixes incorrect session property authProvider: password of anonymous users. When signing up an anonymous user, the session field createdWith indicates incorrectly that the session has been created using username and password with authProvider: password, instead of an anonymous sign-up with authProvider: anonymous. This fixes the issue by setting the correct authProvider: anonymous for future sign-ups of anonymous users. This fix does not fix incorrect authProvider: password for existing sessions of anonymous users. Consider this if your app logic depends on the authProvider field. (Corey Baker) GHSA-23r4-5mxp-c7g5

4.5.1

This version was published by mistake and has been removed.

4.5.0

Breaking Changes

FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. #7023. Thanks to dblythy.

Other Changes

FIX: Properly handle serverURL and publicServerUrl in Batch requests. #7049. Thanks to Zach Goldberg.
IMPROVE: Prevent invalid column names (className and length). #7053. Thanks to Diamond Lewis.
IMPROVE: GraphQL: Remove viewer from logout mutation. #7029. Thanks to Antoine Cormouls.
IMPROVE: GraphQL: Optimize on Relation. #7044. Thanks to Antoine Cormouls.
NEW: Include sessionToken in onLiveQueryEvent. #7043. Thanks to dblythy.
FIX: Definitions for accountLockout and passwordPolicy. #7040. Thanks to dblythy.
FIX: Fix typo in server definitions for emailVerifyTokenReuseIfValid. #7037. Thanks to dblythy.
SECURITY FIX: LDAP auth stores password in plain text. See GHSA-4w46-w44m-3jq3 for more details about the vulnerability and da905a3 for the fix. Thanks to Fabian Strachanski.
NEW: Reuse tokens if they haven't expired. #7017. Thanks to dblythy.
NEW: Add LDAPS-support to LDAP-Authcontroller. #7014. Thanks to Fabian Strachanski.
FIX: (beforeSave/afterSave): Return value instead of Parse.Op for nested fields. #7005. Thanks to Diamond Lewis.
FIX: (beforeSave): Skip Sanitizing Database results. #7003. Thanks to Diamond Lewis.
FIX: Fix includeAll for querying a Pointer and Pointer array. #7002. Thanks to Corey Baker.
FIX: Add encryptionKey to src/options/index.js. #6999. Thanks to dblythy.
IMPROVE: Update PostgresStorageAdapter.js. #6989. Thanks to Vitaly Tomilov.

4.4.0

IMPROVE: Update PostgresStorageAdapter.js. #6981. Thanks to Vitaly Tomilov
NEW: skipWithMasterKey on Built-In Validator. #6972. Thanks to dblythy.
NEW: Add fileKey rotation to GridFSBucketAdapter. #6768. Thanks to Corey Baker.
IMPROVE: Remove unused parameter in Cloud Function. #6969. Thanks to Diamond Lewis.
IMPROVE: Validation Handler Update. #6968. Thanks to dblythy.
FIX: (directAccess): Properly handle response status. #6966. Thanks to Diamond Lewis.
FIX: Remove hostnameMaxLen for Mongo URL. #6693. Thanks to markhoward02.
IMPROVE: Show a message if cloud functions are duplicated. #6963. Thanks to dblythy.
FIX: Pass request.query to afterFind. #6960. Thanks to dblythy.
SECURITY FIX: Patch session vulnerability over Live Query. See GHSA-2xm2-xj2q-qgpj for more details about the vulnerability and 78b59fb for the fix. Thanks to Antonio Davi Macedo Coelho de Castro.
IMPROVE: LiveQueryEvent Error Logging Improvements. #6951. Thanks to dblythy.
IMPROVE: Include stack in Cloud Code. #6958. Thanks to dblythy.
FIX: (jobs): Add Error Message to JobStatus Failure. #6954. Thanks to Diamond Lewis.
NEW: Create Cloud function afterLiveQueryEvent. #6859. Thanks to dblythy.
FIX: Update vkontakte API to the latest version. #6944. Thanks to Antonio Davi Macedo Coelho de Castro.
FIX: Use an empty object as default value of options for Google Sign in. #6844. Thanks to Kevin Kuang.
FIX: Postgres: prepend className to unique indexes. #6741. Thanks to Corey Baker.
FIX: GraphQL: Transform input types also on user mutations. #6934. Thanks to Antoine Cormouls.
FIX: Set objectId into query for Email Validation. #6930. Thanks to Danaru.
FIX: GraphQL: Optimize queries, fixes some null returns (on object), fix stitched GraphQLUpload. #6709. Thanks to Antoine Cormouls.
FIX: Do not throw error if user provide a pointer like index onMongo. #6923. Thanks to Antoine Cormouls.
FIX: Hotfix instagram api. #6922. Thanks to Tim.
FIX: (directAccess/cloud-code): Pass installationId with LogIn. #6903. Thanks to Diamond Lewis.
FIX: Fix bcrypt binary incompatibility. #6891. Thanks to Manuel Trezza.
NEW: Keycloak auth adapter. #6376. Thanks to Rhuan.
IMPROVE: Changed incorrect key name in apple auth adapter tests. #6861. Thanks to Manuel Trezza.
FIX: Fix mutating beforeSubscribe Query. #6868. Thanks to dblythy.
FIX: Fix beforeLogin for users logging in with AuthData. #6872. Thanks to Kevin Kuang.
FIX: Remove Facebook AccountKit auth. #6870. Thanks to Diamond Lewis.
FIX: Updated TOKEN_ISSUER to 'accounts.google.com'. #6836. Thanks to Arjun Vedak.
IMPROVE: Optimized deletion of class field from schema by using an index if available to do an index scan instead of a collection scan. #6815. Thanks to Manuel Trezza.
IMPROVE: Enable MongoDB transaction test for MongoDB >= 4.0.4 #6827. Thanks to Manuel.

4.3.0

PERFORMANCE: Optimizing pointer CLP query decoration done by DatabaseController#addPointerPermissions #6747. Thanks to mess-lelouch.
SECURITY: Fix security breach on GraphQL viewer 78239ac, security advisory. Thanks to Antoine Cormouls.
FIX: Save context not present if direct access enabled #6764. Thanks to Omair Vaiyani.
NEW: Before Connect + Before Subscribe #6793. Thanks to dblythy.
FIX: Add version to playground to fix CDN #6804. Thanks to Antoine Cormouls.
NEW (EXPERIMENTAL): Idempotency enforcement for client requests. This deduplicates requests where the client intends to send one request to Parse Server but due to network issues the server receives the request multiple times. Caution, this is an experimental feature that may not be appropriate for production. #6748. Thanks to Manuel Trezza.
FIX: Add production Google Auth Adapter instead of using the development url #6734. Thanks to SebC..
IMPROVE: Run Prettier JS Again Without requiring () on arrow functions #6796. Thanks to Diamond Lewis.
IMPROVE: Run Prettier JS #6795. Thanks to Diamond Lewis.
IMPROVE: Replace bcrypt with @node-rs/bcrypt #6794. Thanks to LongYinan.
IMPROVE: Make clear description of anonymous user #6655. Thanks to Jerome De Leon.
IMPROVE: Simplify GraphQL merge system to avoid js ref bugs #6791. Thanks to Antoine Cormouls.
NEW: Pass context in beforeDelete, afterDelete, beforeFind and Parse.Cloud.run #6666. Thanks to yog27ray.
NEW: Allow passing custom gql schema function to ParseServer#start options #6762. Thanks to Luca.
NEW: Allow custom cors origin header #6772. Thanks to Kevin Yao.
FIX: Fix context for cascade-saving and saving existing object #6735. Thanks to Manuel.
NEW: Add file bucket encryption using fileKey #6765. Thanks to Corey Baker.
FIX: Removed gaze from dev dependencies and removed not working dev script #6745. Thanks to Vincent Semrau.
IMPROVE: Upgrade graphql-tools to v6 #6701. Thanks to Yaacov Rydzinski.
NEW: Support Metadata in GridFSAdapter #6660. Thanks to Diamond Lewis.
NEW: Allow to unset file from graphql #6651. Thanks to Antoine Cormouls.
NEW: Handle shutdown for RedisCacheAdapter #6658. Thanks to promisenxu.
FIX: Fix explain on user class #6650. Thanks to Manuel.
FIX: Fix read preference for aggregate #6585. Thanks to Manuel.
NEW: Add context to Parse.Object.save #6626. Thanks to Manuel.
NEW: Adding ssl config params to Postgres URI #6580. Thanks to Corey Baker.
FIX: Travis postgres update: removing unnecessary start of mongo-runner #6594. Thanks to Corey Baker.
FIX: ObjectId size for Pointer in Postgres #6619. Thanks to Corey Baker.
IMPROVE: Improve a test case #6629. Thanks to Gordon Sun.
NEW: Allow to resolve automatically Parse Type fields from Custom Schema #6562. Thanks to Antoine Cormouls.
FIX: Remove wrong console log in test #6627. Thanks to Gordon Sun.
IMPROVE: Graphql tools v5 #6611. Thanks to Yaacov Rydzinski.
FIX: Catch JSON.parse and return 403 properly #6589. Thanks to Gordon Sun.
PERFORMANCE: Allow covering relation queries with minimal index #6581. Thanks to Noah Silas.
FIX: Fix Postgres group aggregation #6522. Thanks to Siddharth Ramesh.
NEW: Allow set user mapped from JWT directly on request #6411. Thanks to Gordon Sun.

4.2.0

Breaking Changes

CHANGE: The Sign-In with Apple authentication adapter parameter client_id has been changed to clientId. If using the Apple authentication adapter, this change requires to update the Parse Server configuration accordingly. See #6523 for details.

UPGRADE: Parse JS SDK to 2.12.0 #6548
NEW: Support Group aggregation on multiple columns for Postgres #6483. Thanks to Siddharth Ramesh.
FIX: Improve test reliability by instructing Travis to only install one version of Postgres #6490. Thanks to Corey Baker.
FIX: Unknown type bug on overloaded types #6494. Thanks to Antoine Cormouls.
FIX: Improve reliability of 'SignIn with AppleID' #6416. Thanks to Andy King.
FIX: Improve Travis reliability by separating Postgres & Mongo scripts #6505. Thanks to Corey Baker.
NEW: Apple SignIn support for multiple IDs #6523. Thanks to UnderratedDev.
NEW: Add support for new Instagram API #6398. Thanks to Maravilho Singa.
FIX: Updating Postgres/Postgis Call and Postgis to 3.0 #6528. Thanks to Corey Baker.
FIX: enableExpressErrorHandler logic #6423. Thanks to Nikolay Andryukhin.
FIX: Change Order Enum Strategy for GraphQL #6515. Thanks to Antoine Cormouls.
FIX: Switch ACL to Relay Global Id for GraphQL #6495. Thanks to Antoine Cormouls.
FIX: Handle keys for pointer fields properly for GraphQL #6499. Thanks to Antoine Cormouls.
FIX: GraphQL file mutation #6507. Thanks to Antoine Cormouls.
FIX: Aggregate geoNear with date query #6540. Thanks to Manuel.
NEW: Add file triggers and file meta data #6344. Thanks to stevestencil.
FIX: Improve local testing of postgres #6531. Thanks to Corey Baker.
NEW: Case insensitive username and email indexing and query planning for Postgres #6506. Thanks to Corey Baker.

4.1.0

SECURITY RELEASE: see advisory for details

SECURITY FIX: Patch Regex vulnerabilities. See 3a3a5ee. Special thanks to W0lfw00d for identifying and responsibly reporting the vulnerability. Thanks to Antonio Davi Macedo Coelho de Castro for the speedy fix.

4.0.2

Breaking Changes

Remove Support for Mongo 3.2 & 3.4. The new minimum supported version is Mongo 3.6.
Change username and email validation to be case insensitive. This change should be transparent in most use cases. The validation behavior should now behave 'as expected'. See #5634 for details.

Special Note on Upgrading to Parse Server 4.0.0 and above

In addition to the breaking changes noted above, #5634 introduces a two new case insensitive indexes on the User collection. Special care should be taken when upgrading to this version to ensure that:

The new indexes can be successfully created (see issue #6465 for details on a potential issue for your installation).

Care is taken ensure that there is adequate compute capacity to create the index in the background while still servicing requests.

FIX: attempt to get travis to deploy to npmjs again. See #6475. Thanks to Arthur Cinader.

4.0.1

FIX: correct 'new' travis config to properly deploy. See #6452. Thanks to Arthur Cinader.
FIX: Better message on not allowed to protect default fields. See #6439.Thanks to Old Grandpa

4.0.0

Special Note on Upgrading to Parse Server 4.0.0 and above

In addition to the breaking changes noted below, #5634 introduces a two new case insensitive indexes on the User collection. Special care should be taken when upgrading to this version to ensure that:

The new indexes can be successfully created (see issue #6465 for details on a potential issue for your installation).

Care is taken ensure that there is adequate compute capacity to create the index in the background while still servicing requests.

NEW: add hint option to Parse.Query #6322. Thanks to Steve Stencil
FIX: CLP objectId size validation fix #6332. Thanks to Old Grandpa
FIX: Add volumes to Docker command #6356. Thanks to Kasra Bigdeli
NEW: GraphQL 3rd Party LoginWith Support #6371. Thanks to Antoine Cormouls
FIX: GraphQL Geo Queries #6363. Thanks to Antoine Cormouls
NEW: GraphQL Nested File Upload #6372. Thanks to Antoine Cormouls
NEW: Granular CLP pointer permissions #6352. Thanks to Old Grandpa
FIX: Add missing colon for customPages #6393. Thanks to Jerome De Leon
NEW: afterLogin cloud code hook #6387. Thanks to David Corona
FIX: BREAKING CHANGE Prevent new usernames or emails that clash with existing users' email or username if it only differs by case. For example, don't allow a new user with the name 'Jane' if we already have a user 'jane'. #5634. Thanks to Arthur Cinader
FIX: Support Travis CI V2. #6414. Thanks to Diamond Lewis
FIX: Prevent crashing on websocket error. #6418. Thanks to Diamond Lewis
NEW: Allow protectedFields for Authenticated users and Public. $6415. Thanks to Old Grandpa
FIX: Correct bug in determining GraphQL pointer errors when mutating. #6413. Thanks to Antoine Cormouls
NEW: Allow true GraphQL Schema Customization. #6360. Thanks to Antoine Cormouls
BREAKING CHANGE: Remove Support for Mongo version < 3.6 #6445. Thanks to Arthur Cinader

3.10.0

FIX: correct and cover ordering queries in GraphQL #6316. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: GraphQL support for reset password email #6301. Thanks to Antoine Cormouls
FIX: Add default limit to GraphQL fetch #6304. Thanks to Antoine Cormouls
DOCS: use bash syntax highlighting #6302. Thanks to Jerome De Leon
NEW: Add max log file option #6296. Thanks to Diamond Lewis
NEW: support user supplied objectId #6101. Thanks to Ruhan
FIX: Add missing encodeURIComponent on username #6278. Thanks to Christopher Brookes
NEW: update PostgresStorageAdapter.js to use async/await #6275. Thanks to Vitaly Tomilov
NEW: Support required fields on output type for GraphQL #6279. Thanks to Antoine Cormouls
NEW: Support required fields for GraphQL #6271. Thanks to Antoine Cormouls
CHANGE: use mongodb 3.3.5 #6263. Thanks to Diamond Lewis
NEW: GraphQL: DX Relational Where Query #6255. Thanks to Antoine Cormouls
CHANGE: test against Postgres 11 #6260. Thanks to Diamond Lewis
CHANGE: test against Postgres 11 #6260. Thanks to Diamond Lewis
NEW: GraphQL alias for mutations in classConfigs #6258. Thanks to Old Grandpa
NEW: GraphQL classConfig query alias #6257. Thanks to Old Grandpa
NEW: Allow validateFilename to return a string or Parse Error #6246. Thanks to Mike Patnode
NEW: Relay Spec #6089. Thanks to Antonio Davi Macedo Coelho de Castro
CHANGE: Set default ACL for GraphQL #6249. Thanks to Antoine Cormouls
NEW: LDAP auth Adapter #6226. Thanks to Julian Dax
FIX: improve beforeFind to include Query info #6237. Thanks to Diamond Lewis
FIX: improve websocket error handling #6230. Thanks to Diamond Lewis
NEW: addition of an afterLogout trigger #6217. Thanks to Diamond Lewis
FIX: Initialize default logger #6186. Thanks to Diamond Lewis
NEW: Add funding link #6192. Thanks to Tom Fox
FIX: installationId on LiveQuery connect #6180. Thanks to Diamond Lewis
NEW: Add exposing port in docker container #6165. Thanks to Priyash Patil
NEW: Support Google Play Games Service #6147. Thanks to Diamond Lewis
DOC: Throw error when setting authData to null #6154. Thanks to Manuel
CHANGE: Move filename validation out of the Router and into the FilesAdaptor #6157. Thanks to Mike Patnode
NEW: Added warning for special URL sensitive characters for appId #6159. Thanks to Saimoom Safayet Akash
NEW: Support Apple Game Center Auth #6143. Thanks to Diamond Lewis
CHANGE: test with Node 12 #6133. Thanks to Arthur Cinader
FIX: prevent after find from firing when saving objects #6127. Thanks to Diamond Lewis
FIX: GraphQL Mutations not returning updated information 6130. Thanks to Omair Vaiyani
CHANGE: Cleanup Schema cache per request #6216. Thanks to Diamond Lewis
DOC: Improve installation instructions #6120. Thanks to Andres Galante
DOC: add code formatting to contributing guidelines #6119. Thanks to Andres Galante
NEW: Add GraphQL ACL Type + Input #5957. Thanks to Antoine Cormouls
CHANGE: replace public key #6099. Thanks to Arthur Cinader
NEW: Support microsoft authentication in GraphQL #6051. Thanks to Alann Maulana
NEW: Install parse-server 3.9.0 instead of 2.2 #6069. Thanks to Julian Dax
NEW: Use #!/bin/bash instead of #!/bin/sh #6062. Thanks to Julian Dax
DOC: Update GraphQL readme section #6030. Thanks to Antonio Davi Macedo Coelho de Castro

3.9.0

NEW: Add allowHeaders to Options #6044. Thanks to Omair Vaiyani
CHANGE: Introduce ReadOptionsInput to GraphQL API #6030. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: Stream video with GridFSBucketAdapter (implements byte-range requests) #6028. Thanks to Diamond Lewis
FIX: Aggregate not matching null values #6043. Thanks to Antonio Davi Macedo Coelho de Castro
CHANGE: Improve callCloudCode mutation to receive a CloudCodeFunction enum instead of a String in the GraphQL API #6029. Thanks to Antonio Davi Macedo Coelho de Castro
TEST: Add more tests to transactions #6022. Thanks to Antonio Davi Macedo Coelho de Castro
CHANGE: Pointer constraint input type as ID in the GraphQL API #6020. Thanks to Douglas Muraoka
CHANGE: Remove underline from operators of the GraphQL API #6024. Thanks to Antonio Davi Macedo Coelho de Castro
FIX: Make method async as expected in usage #6025. Thanks to Omair Vaiyani
DOC: Added breaking change note to 3.8 release #6023. Thanks to Manuel
NEW: Added support for line auth #6007. Thanks to Saimoom Safayet Akash
FIX: Fix aggregate group id #5994. Thanks to Antonio Davi Macedo Coelho de Castro
CHANGE: Schema operations instead of generic operations in the GraphQL API #5993. Thanks to Antonio Davi Macedo Coelho de Castro
DOC: Fix changelog formatting#6009. Thanks to Tom Fox
CHANGE: Rename objectId to id in the GraphQL API #5985. Thanks to Douglas Muraoka
FIX: Fix beforeLogin trigger when user has a file #6001. Thanks to Antonio Davi Macedo Coelho de Castro
DOC: Update GraphQL Docs with the latest changes #5980. Thanks to Antonio Davi Macedo Coelho de Castro

3.8.0

NEW: Protected fields pointer-permissions support #5951. Thanks to Dobbias Nan
NEW: GraphQL DX: Relation/Pointer #5946. Thanks to Antoine Cormouls
NEW: Master Key Only Config Properties #5953. Thanks to Manuel
FIX: Better validation when creating a Relation fields #5922. Thanks to Lucas Alencar
NEW: enable GraphQL file upload #5944. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: Handle shutdown on grid adapters #5943. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: Fix GraphQL max upload size #5940. Thanks to Antonio Davi Macedo Coelho de Castro
FIX: Remove Buffer() deprecation notice #5942. Thanks to Antonio Davi Macedo Coelho de Castro
FIX: Remove MongoDB unified topology deprecation notice from the grid adapter #5941. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: add callback for serverCloseComplete #5937. Thanks to Diamond Lewis
DOCS: Add Cloud Code guide to README #5936. Thanks to Diamond Lewis
NEW: Remove nested operations from GraphQL API #5931. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: Improve Live Query Monitoring #5927. Thanks to Diamond Lewis
FIX: GraphQL: Fix undefined Array #5296. Thanks to Antoine Cormouls
NEW: Added array support for pointer-permissions #5921. Thanks to Dobbias Nan
GraphQL: Renaming Types/Inputs #5921. Thanks to Antoine Cormouls
FIX: Lint no-prototype-builtins #5920. Thanks to Diamond Lewis
GraphQL: Inline Fragment on Array Fields #5908. Thanks to Antoine Cormouls
DOCS: Add instructions to launch a compatible Docker Postgres . Thanks to Antoine Cormouls
Fix: Undefined dot notation in matchKeyInQuery #5917. Thanks to Diamond Lewis
Fix: Logger print JSON and Numbers #5916. Thanks to Diamond Lewis
GraphQL: Return specific Type on specific Mutation #5893. Thanks to Antoine Cormouls
FIX: Apple sign-in authAdapter #5891. Thanks to SebC.
DOCS: Add GraphQL beta notice #5886. Thanks to Antonio Davi Macedo Coelho de Castro
GraphQL: Remove "password" output field from _User class #5889. Thanks to Douglas Muraoka
GraphQL: Object constraints #5715. Thanks to Douglas Muraoka
DOCS: README top section overhaul + add sponsors #5876. Thanks to Tom Fox
FIX: Return a Promise from classUpdate method #5877. Thanks to Lucas Alencar
FIX: Use UTC Month in aggregate tests #5879. Thanks to Antonio Davi Macedo Coelho de Castro
FIX: Transaction was aborting before all promises have either resolved or rejected #5878. Thanks to Antonio Davi Macedo Coelho de Castro
NEW: Use transactions for batch operation #5849. Thanks to Antonio Davi Macedo Coelho de Castro

Breaking Changes

If you are running Parse Server on top of a MongoDB deployment which does not fit the Retryable Writes Requirements, you will have to add retryWrites=false to your connection string in order to upgrade to Parse Server 3.8.

3.7.2

FIX: Live Query was failing on release 3.7.1

3.7.1

FIX: Missing APN module
FIX: Set falsy values as default to schema fields #5868, thanks to Lucas Alencar
NEW: Implement WebSocketServer Adapter #5866, thanks to Diamond Lewis

3.7.0

FIX: Prevent linkWith sessionToken from generating new session #5801, thanks to Diamond Lewis
GraphQL: Improve session token error messages #5753, thanks to Douglas Muraoka
NEW: GraphQL { functions { call } } generic mutation #5818, thanks to Antonio Davi Macedo Coelho de Castro
NEW: GraphQL Custom Schema #5821, thanks to Antonio Davi Macedo Coelho de Castro
NEW: GraphQL custom schema on CLI #5828, thanks to Antonio Davi Macedo Coelho de Castro
NEW: GraphQL @mock directive #5836, thanks to Antonio Davi Macedo Coelho de Castro
FIX: GraphQL _or operator not working #5840, thanks to Antonio Davi Macedo Coelho de Castro
NEW: Add "count" to CLP initial value #5841, thanks to Douglas Muraoka
NEW: Add ability to alter the response from the after save trigger #5814, thanks to BrunoMaurice
FIX: Cache apple public key for the case it fails to fetch again #5848, thanks to Antonio Davi Macedo Coelho de Castro
NEW: GraphQL Configuration Options #5782, thanks to Omair Vaiyani
NEW: Required fields and default values #5835, thanks to Antonio Davi Macedo Coelho de Castro
FIX: Postgres safely escape strings in nested objects #5855, thanks to Diamond Lewis
NEW: Support PhantAuth authentication #5850, thanks to Ivan SZKIBA
FIX: Remove uws package #5860, thanks to Zeal Murapa

3.6.0

SECURITY FIX: Address Security Advisory of a potential Enumeration Attack 73b0f9a, big thanks to Fabian Strachanski for identifying the problem, creating a fix and following the vulnerability disclosure guidelines
NEW: Added rest option: excludeKeys #5737, thanks to Raschid J.F. Rafeally
FIX: LiveQuery create event with fields #5790, thanks to Diamond Lewis
FIX: Generate sessionToken with linkWith #5799, thanks to Diamond Lewis

3.5.0

NEW: GraphQL Support #5674, thanks to Antonio Davi Macedo Coelho de Castro

GraphQL Guide

NEW: Sign in with Apple #5694, thanks to Diamond Lewis
NEW: AppSecret to Facebook Auth #5695, thanks to Diamond Lewis
NEW: Postgres: Regex support foreign characters #5598, thanks to Jeff Gu Kang
FIX: Winston Logger string interpolation #5729, thanks to Diamond Lewis

3.4.4

Fix: Commit changes

3.4.3

Fix: Use changes in master to travis configuration to enable pushing to npm and gh_pages. See diff for details.

3.4.2

Fix: In my haste to get a Security Fix out, I added 8709daf to master instead of to 3.4.1. This commit fixes that. Arthur Cinader

3.4.1

Security Fix: see Advisory: GHSA-2479-qvv7-47q for details 8709daf. Big thanks to: Benjamin Simonsson for identifying the issue and promptly bringing it to the Parse Community's attention and also big thanks to the indefatigable Diamond Lewis for crafting a failing test and then a solution within an hour of the report.

3.4.0

NEW: Aggregate supports group by date fields #5538 thanks to Antonio Davi Macedo Coelho de Castro
NEW: API for Read Preferences #3963 thanks to Antonio Davi Macedo Coelho de Castro
NEW: Add Redis options for LiveQuery #5584 thanks to Diamond Lewis
NEW: Add Direct Access option for Server Config #5550 thanks to Diamond Lewis
FIX: updating mixed array in Postgres #5552 thanks to Diamond Lewis
FIX: notEqualTo GeoPoint Query in Postgres #5549, thanks to Diamond Lewis
FIX: put the timestamp back in logs that was lost after Winston upgrade #5571, thanks to Steven Rowe and Arthur Cinader
FIX: Validates permission before calling beforeSave #5546, thanks to Antonio Davi Macedo Coelho de Castro
FIX: Remove userSensitiveFields default value. #5588, thanks to William George
FIX: Decode Date JSON value in LiveQuery. #5540, thanks to ananfang

3.3.0

NEW: beforeLogin trigger with support for auth providers (#5445), thanks to Omair Vaiyani
NEW: RFC 7662 compliant OAuth2 auth adapter (#4910), thanks to Müller Zsolt
FIX: cannot change password when maxPasswordHistory is 1 (#5191), thanks to Tulsi Sapkota
FIX (Postgres): count being very slow on large Parse Classes' collections (#5330), thanks to CoderickLamar
FIX: using per-key basis queue (#5420), thanks to Georges Jamous
FIX: issue on count with Geo constraints and mongo (#5286), thanks to Julien Quéré

3.2.3

Correct previous release with patch that is fully merged

3.2.2

Security fix to properly process userSensitiveFields when parse-server is started with ../lib/cli/parse-server #5463

3.2.1

Increment package.json version to match the deployment tag

3.2.0

NEW: Support accessing sensitive fields with an explicit ACL. Not documented yet, see tests for examples
Upgrade Parse SDK JS to 2.3.1 #5457
Hides token contents in logStartupOptions if they arrive as a buffer #6a9380
Support custom message for password requirements #5399
Support for Ajax password reset #5332
Postgres: Refuse to build unsafe JSON lists for contains #5337
Properly handle return values in beforeSave #5228
Fixes issue when querying user roles #5276
Fixes issue affecting update with CLP #5269

3.1.3

Postgres: Fixes support for global configuration
Postgres: Fixes support for numeric arrays
Postgres: Fixes issue affecting queries on empty arrays
LiveQuery: Adds support for transmitting the original object
Queries: Use estimated count if query is empty
Docker: Reduces the size of the docker image to 154Mb

3.1.2

Removes dev script, use TDD instead of server.
Removes nodemon and problematic dependencies.
Addressed event-stream security debacle.

3.1.1

Improvements:

Fixes issue that would prevent users with large number of roles to resolve all of them Antoine Cormouls (#5131, #5132)
Fixes distinct query on special fields (#5144)

3.1.0

Breaking Changes:

Return success on sendPasswordResetEmail even if email not found. (#7fe4030)

Security Fix:

Expire password reset tokens on email change (#5104)

Improvements:

Live Query CLPs (#4387)
Reduces number of calls to injectDefaultSchema (#5107)
Remove runtime dependency on request (#5076)

Bug fixes:

Fixes issue with vkontatke authentication (#4977)
Use the correct function when validating google auth tokens (#5018)
fix unexpected 'delete' trigger issue on LiveQuery (#5031)
Improves performance for roles and ACL's in live query server (#5126)

3.0.0

parse-server 3.0.0 comes with brand new handlers for cloud code. It now fully supports promises and async / await. For more informations, visit the v3.0.0 migration guide.

Breaking Changes:

Cloud Code handlers have a new interface based on promises.
response.success / response.error are removed in Cloud Code
Cloud Code runs with Parse-SDK 2.0
The aggregate now require aggregates to be passed in the form: {"pipeline": [...]} (REST Only)

Improvements:

Adds Pipeline Operator to Aggregate Router.
Adds documentations for parse-server's adapters, constructors and more.
Adds ability to pass a context object between beforeSave and afterSave affecting the same object.

Bug Fixes:

Fixes issue that would crash the server when mongo objects had undefined values #4966
Fixes issue that prevented ACL's from being used with select (see #571)

Dependency updates:

@parse/simple-mailgun-adapter@1.1.0
mongodb@3.1.3
request@2.88.0

Development Dependencies Updates:

@parse/minami@1.0.0
deep-diff@1.0.2
flow-bin@0.79.0
jsdoc@3.5.5
jsdoc-babel@0.4.0

2.8.4

Improvements:

Adds ability to forward errors to express handler (#4697)
Adds ability to increment the push badge with an arbitrary value (#4889)
Adds ability to preserve the file names when uploading (#4915)
_User now follow regular ACL policy. Letting administrator lock user out. (#4860) and (#4898)
Ensure dates are properly handled in aggregates (#4743)
Aggregates: Improved support for stages sharing the same name
Add includeAll option
Added verify password to users router and tests. (#4747)
Ensure read preference is never overriden, so DB config prevails (#4833)
add support for geoWithin.centerSphere queries via withJSON (#4825)
Allow sorting an object field (#4806)
Postgres: Don't merge JSON fields after save() to keep same behaviour as MongoDB (#4808) (#4815)

Dependency updates

commander@2.16.0
mongodb@3.1.1
pg-promise@8.4.5
ws@6.0.0
bcrypt@3.0.0
uws@10.148.1

Development Dependencies Updates:

cross-env@5.2.0
eslint@5.0.0
flow-bin@0.76.0
mongodb-runner@4.0.0
nodemon@1.18.1
nyc@12.0.2
request-promise@4.2.2
supports-color@5.4.0

2.8.3

Improvements:

Adds support for JS SDK 2.0 job status header
Removes npm-git scripts as npm supports using git repositories that build, thanks to Florent Vilmart

2.8.2

Bug Fixes:

Ensure legacy users without ACL's are not locked out, thanks to Florent Vilmart

Improvements:

Use common HTTP agent to increase webhooks performance, thanks to Tyler Brock
Adds withinPolygon support for Polygon objects, thanks to Mads Bjerre

Dependency Updates:

ws@5.2.0
commander@2.15.1
nodemon@1.17.5

Development Dependencies Updates:

flow-bin@0.73.0
cross-env@5.1.6
gaze@1.1.3
deepcopy@1.0.0
deep-diff@1.0.1

2.8.1

Ensure all the files are properly exported to the final package.

2.8.0

New Features

Adding Mongodb element to add arrayMatches the #4762 (#4766), thanks to Jérémy Piednoel
Adds ability to Lockout users (#4749), thanks to Florent Vilmart

Bug fixes:

Fixes issue when using afterFind with relations (#4752), thanks to Florent Vilmart
New query condition support to match all strings that starts with some other given strings (#3864), thanks to Eduard Bosch Bertran
Allow creation of indices on default fields (#4738), thanks to Claire Neveu
Purging empty class (#4676), thanks to Diamond Lewis
Postgres: Fixes issues comparing to zero or false (#4667), thanks to Diamond Lewis
Fix Aggregate Match Pointer (#4643), thanks to Diamond Lewis

Improvements:

Allow Parse.Error when returning from Cloud Code (#4695), thanks to Saulo Tauil
Fix typo: "requrest" -> "request" (#4761), thanks to Joseph Frazier
Send version for Vkontakte API (#4725), thanks to oleg
Ensure we respond with invalid password even if email is unverified (#4708), thanks to dblythy
Add _password_history to default sensitive data (#4699), thanks to Jong Eun Lee
Check for node version in postinstall script (#4657), thanks to Diamond Lewis
Remove FB Graph API version from URL to use the oldest non deprecated version, thanks to SebC

Dependency Updates:

@parse/push-adapter@2.0.3
@parse/simple-mailgun-adapter@1.0.2
uws@10.148.0
body-parser@1.18.3
mime@2.3.1
request@2.85.0
mongodb@3.0.7
bcrypt@2.0.1
ws@5.1.1

Development Dependencies Updates:

cross-env@5.1.5
flow-bin@0.71.0
deep-diff@1.0.0
nodemon@1.17.3

2.7.4

Bug Fixes:

Fixes an issue affecting polygon queries, thanks to Diamond Lewis

Dependency Updates:

pg-promise@8.2.1

Development Dependencies Updates:

nodemon@1.17.1

2.7.3

Improvements:

Improve documentation for LiveQuery options, thanks to Arthur Cinader
Improve documentation for using cloud code with docker, thanks to Stephen Tuso
Adds support for Facebook's AccountKit, thanks to 6thfdwp
Disable afterFind routines when running aggregates, thanks to Diamond Lewis
Improve support for distinct aggregations of nulls, thanks to Diamond Lewis
Regenreate the email verification token when requesting a new email, thanks to Benjamin Wilson Friedman

Bug Fixes:

Fix issue affecting readOnly masterKey and purge command, thanks to AreyouHappy
Fixes Issue unsetting in beforeSave doesn't allow object creation, thanks to Diamond Lewis
Fixes issue crashing server on invalid live query payload, thanks to fridays
Fixes issue affecting postgres storage adapter "undefined property '__op'", thanks to Tyson Andre

Dependency Updates:

winston@2.4.1
pg-promise@8.2.0
commander@2.15.0
lru-cache@4.1.2
parse@1.11.1
ws@5.0.0
mongodb@3.0.4
lodash@4.17.5

Development Dependencies Updates:

cross-env@5.1.4
flow-bin@0.67.1
jasmine@3.1.0
parse@1.11.1
babel-eslint@8.2.2
nodemon@1.15.0

2.7.2

Improvements:

Improved match aggregate
Do not mark the empty push as failed
Support pointer in aggregate query
Introduces flow types for storage
Postgres: Refactoring of Postgres Storage Adapter
Postgres: Support for multiple projection in aggregate
Postgres: performance optimizations
Adds infos about vulnerability disclosures
Adds ability to login with email when provided as username

Bug Fixes

Scrub Passwords with URL Encoded Characters
Fixes issue affecting using sorting in beforeFind

Dependency Updates:

commander@2.13.0
semver@5.5.0
pg-promise@7.4.0
ws@4.0.0
mime@2.2.0
parse@1.11.0

Development Dependencies Updates:

nodemon@1.14.11
flow-bin@0.64.0
jasmine@2.9.0
cross-env@5.1.3

2.7.1

⚠️ Fixes a security issue affecting Class Level Permissions

Adds support for dot notation when using matchesKeyInQuery, thanks to Henrik and Arthur Cinader

2.7.0

⚠️ This version contains an issue affecting Class Level Permissions on mongoDB. Please upgrade to 2.7.1.

Starting parse-server 2.7.0, the minimun nodejs version is 6.11.4, please update your engines before updating parse-server

New Features:

Aggregation endpoints, thanks to Diamond Lewis
Adds indexation options onto Schema endpoints, thanks to Diamond Lewis

Bug fixes:

Fixes sessionTokens being overridden in 'find' (#4332), thanks to Benjamin Wilson Friedman
Proper handleShutdown() feature to close database connections (#4361), thanks to CHANG, TZU-YEN
Fixes issue affecting state of _PushStatus objects, thanks to Benjamin Wilson Friedman
Fixes issue affecting calling password reset password pages with wrong appid, thanks to Bryan de Leon
Fixes issue affecting duplicates _Sessions on successive logins, thanks to Florent Vilmart

Improvements:

Updates contributing guides, and improves windows support, thanks to Addison Elliott
Uses new official scoped packaged, thanks to Florent Vilmart
Improves health checks responses, thanks to Benjamin Wilson Friedman
Add password confirmation to choose_password, thanks to Worathiti Manosroi
Improve performance of relation queries, thanks to Florent Vilmart

Dependency Updates:

commander@2.12.1
ws@3.3.2
uws@9.14.0
pg-promise@7.3.2
parse@1.10.2
pg-promise@7.3.1

Development Dependencies Updates:

cross-env@5.1.1

2.6.5

New Features:

Adds support for read-only masterKey, thanks to Florent Vilmart
Adds support for relative time queries (mongodb only), thanks to Marvel Mathew

Improvements:

Handle possible afterSave exception, thanks to Benjamin Wilson Friedman
Add support for expiration interval in Push, thanks to Marvel Mathew

Bug Fixes:

The REST API key was improperly inferred from environment when using the CLI, thanks to Florent Vilmart

2.6.4

Improvements:

Improves management of configurations and default values, thanks to Florent Vilmart
Adds ability to start ParseServer with ParseServer.start(options), thanks to Florent Vilmart
Adds request original IP to cloud code hooks, thanks to Gustav Ahlberg
Corrects some outdated links, thanks to Benjamin Wilson Friedman
Adds serverURL validation on startup, thanks to Benjamin Wilson Friedman
Adds ability to login with POST requests alongside GET, thanks to Benjamin Wilson Friedman
Adds ability to login with email, instead of username, thanks to Florent Vilmart

Bug Fixes:

Fixes issue affecting beforeSaves and increments, thanks to Benjamin Wilson Friedman

Dependency Updates:

parse-server-push-adapter@2.0.2
semver@5.4.1
pg-promise@7.0.3
mongodb@2.2.33
parse@1.10.1
express@4.16.0
mime@1.4.1
parse-server-simple-mailgun-adapter@1.0.1

Development Dependencies Updates:

babel-preset-env@1.6.1
cross-env@5.1.0
mongodb-runner@3.6.1
eslint-plugin-flowtype@2.39.1
eslint@4.9.0

2.6.3

Improvements:

Queries on Pointer fields with $in and $nin now supports list of objectId's, thanks to Florent Vilmart
LiveQueries on $in and $nin for pointer fields work as expected thanks to Florent Vilmart
Also remove device token when APNS error is BadDeviceToken, thanks to Mauricio Tollin
LRU cache is not available on the ParseServer object, thanks to Tyler Brock
Error messages are more expressive, thanks to Tyler Brock
Postgres: Properly handle undefined field values, thanks to Diamond Lewis
Updating with two GeoPoints fails correctly, thanks to Anthony Mosca

New Features:

Adds ability to set a maxLimit on server configuration for queries, thanks to Chris Norris

Bug fixes:

Fixes issue affecting reporting _PushStatus with misconfigured serverURL, thanks to Florent Vilmart
Fixes issue affecting deletion of class that doesn't exist, thanks to Diamond Lewis

Dependency Updates:

winston@2.4.0
pg-promise@6.10.2
winston-daily-rotate-file@1.6.0
request@2.83.0
body-parser@1.18.2

Development Dependencies Updates:

request-promise@4.2.2
eslint@4.7.1

2.6.2

Improvements:

PushWorker/PushQueue channels are properly prefixed with the Parse applicationId, thanks to Marvel Mathew
You can use Parse.Cloud.afterSave hooks on _PushStatus
You can use Parse.Cloud.onLiveQueryEvent to track the number of clients and subscriptions
Adds support for more fields from the Audience class.

New Features:

Push: Adds ability to track sentPerUTC offset if your push scheduler supports it.
Push: Adds support for cleaning up invalid deviceTokens from _Installation (PARSE_SERVER_CLEANUP_INVALID_INSTALLATIONS=1).

Dependency Updates:

ws@3.2.0
pg-promise@6.5.3
winston-daily-rotate-file@1.5.0
body-parser@1.18.1

Development Dependencies Updates:

nodemon@1.12.1
mongodb-runner@3.6.0
babel-eslint@8.0.0

2.6.1

Improvements:

Improves overall performance of the server, more particularly with large query results.
Improves performance of InMemoryCacheAdapter by removing serialization.
Improves logging performance by skipping necessary log calls.
Refactors object routers to simplify logic.
Adds automatic indexing on $text indexes, thanks to Diamon Lewis

New Features:

Push: Adds ability to send localized pushes according to the _Installation localeIdentifier
Push: proper support for scheduling push in user's locale time, thanks to Marvel Mathew
LiveQuery: Adds ability to use LiveQuery with a masterKey, thanks to Jeremy May

Bug Fixes:

Fixes an issue that would duplicate Session objects per userId-installationId pair.
Fixes an issue affecting pointer permissions introduced in this release.
Fixes an issue that would prevent displaying audiences correctly in dashboard.
Fixes an issue affecting preventLoginWithUnverifiedEmail upon signups.

Dependency Updates:

pg-promise@6.3.2
body-parser@1.18.0
nodemon@1.11.1

Development Dependencies Updates:

babel-cli@6.26.0

2.6.0

Breaking Changes:

parse-server-s3-adapter@1.2.0: A new deprecation notice is introduced with parse-server-s3-adapter's version 1.2.0. An upcoming release will remove passing key and password arguments. AWS credentials should be set using AWS best practices. See the Deprecation Notice for AWS credentials section of the adapter's README.

New Features

Polygon is fully supported as a type, thanks to Diamond Lewis
Query supports PolygonContains, thanks to Diamond Lewis

Improvements

Postgres: Adds support nested contains and containedIn, thanks to Diamond Lewis
Postgres: Adds support for null in containsAll queries, thanks to Diamond Lewis
Cloud Code: Request headers are passed to the cloud functions, thanks to miguel-s
Push: All push queries now filter only where deviceToken exists

Bug Fixes:

Fixes issue affecting updates of _User objects when authData was passed.
Push: Pushing to an empty audience should now properly report a failed _PushStatus
Linking Users: Fixes issue affecting linking users with sessionToken only

Dependency Updates:

ws@3.1.0
mime@1.4.0
semver@5.4.0
uws@8.14.1
bcrypt@1.0.3
mongodb@2.2.31
redis@2.8.0
pg-promise@6.3.1
commander@2.11.0

Development Dependencies Updates:

jasmine@2.8.0
babel-register@6.26.0
babel-core@6.26.0
cross-env@5.0.2

2.5.3

New Features:

badge property on android installations will now be set as on iOS (#3970), thanks to Florent Vilmart

Bug Fixes:

Fixes incorrect number parser for cache options

2.5.2

Improvements:

Restores ability to run on node >= 4.6
Adds ability to configure cache from CLI
Removes runtime check for node >= 4.6

2.5.1

New Features:

Adds ability to set default objectId size (#3950), thanks to Steven Shipton

Improvements:

Uses LRU cache instead of InMemoryCache by default (#3979), thanks to Florent Vilmart
iOS pushes are now using HTTP/2.0 instead of binary API (#3983), thanks to Florent Vilmart

Dependency Updates:

parse@1.10.0
pg-promise@6.3.0
parse-server-s3-adapter@1.1.0
parse-server-push-adapter@2.0.0

2.5.0

New Features:

Adds ability to run full text search (#3904), thanks to Diamond Lewis
Adds ability to run $withinPolygon queries (#3889), thanks to Diamond Lewis
Adds ability to pass read preference per query with mongodb (#3865), thanks to davimacedo
beforeFind trigger now includes isGet for get queries (#3862), thanks to davimacedo
Adds endpoints for dashboard's audience API (#3861), thanks to davimacedo
Restores the job scheduling endpoints (#3927), thanks to Florent Vilmart

Improvements:

Removes unnecessary warning when using maxTimeMs with mongodb, thanks to Tyler Brock
Improves access control on system classes (#3916), thanks to Worathiti Manosroi
Adds bytes support in postgres (#3894), thanks to Diamond Lewis

Bug Fixes:

Fixes issue with vkontakte adapter that would hang the request, thanks to Denis Trofimov
Fixes issue affecting null relational data (#3924), thanks to davimacedo
Fixes issue affecting session token deletion (#3937), thanks to Florent Vilmart
Fixes issue affecting the serverInfo endpoint (#3933), thanks to Florent Vilmart
Fixes issue affecting beforeSave with dot-noted sub-documents (#3912), thanks to IlyaDiallo
Fixes issue affecting emails being sent when using a 3rd party auth (#3882), thanks to davimacedo

Dependency Updates:

commander@2.10.0
pg-promise@5.9.7
lru-cache@4.1.0
mongodb@2.2.28

Development dependencies

babel-core@6.25.0
cross-env@5.0.1
nyc@11.0.2

2.4.2

New Features:

ParseQuery: Support for withinPolygon #3866, thanks to Diamond Lewis

Improvements:

Postgres: Use transactions when deleting a class, #3869, thanks to Vitaly Tomilov
Postgres: Proper support for GeoPoint equality query, #3874, thanks to Diamond Lewis
beforeSave and liveQuery will be correctly triggered on email verification #3851, thanks to Florent Vilmart

Bug fixes:

Skip authData validation if it hasn't changed, on PUT requests #3872, thanks to Florent Vilmart

Dependency Updates:

mongodb@2.2.27
pg-promise@5.7.2

2.4.1

Bug fixes:

Fixes issue affecting relation updates (#3835, #3836), thanks to Florent Vilmart
Fixes issue affecting sending push notifications, thanks to Felipe Andrade
Session are always cleared when updating the passwords (#3289, #3821, thanks to Florent Vilmart

Dependency Updates:

body-parser@1.17.2
pg-promise@5.7.1
ws@3.0.0

2.4.0

Starting 2.4.0, parse-server is tested against node 6.10 and 7.10, mongodb 3.2 and 3.4. If you experience issues with older versions, please open a issue.

New Features:

Adds count Class Level Permission (#3814), thanks to Florent Vilmart
Proper graceful shutdown support (#3786), thanks to Florent Vilmart
Let parse-server store as scheduled Push Notifications with push_time (#3717, #3722), thanks to Felipe Andrade

Improvements

Parse-Server images are built through docker hub, thanks to Florent Vilmart
Skip authData validation if it hasn't changed, thanks to Florent Vilmart
[postgres] Improve performance when adding many new fields to the Schema (#3740), thanks to Paulo Vítor S Reis
Test maintenance, wordsmithing and nits (#3744), thanks to Arthur Cinader

Bug Fixes:

[postgres] Fixes issue affecting deleting multiple fields of a Schema (#3734, #3735), thanks to Paulo Vítor S Reis
Fix issue affecting _PushStatus state (#3808), thanks to Florent Vilmart
requiresAuthentication Class Level Permission behaves correctly, thanks to Florent Vilmart
Email Verification related fields are not exposed (#3681, #3393, #3432), thanks to Anthony Mosca
HTTP query parameters are properly obfuscated in logs (#3793, #3789), thanks to @youngerong
Improve handling of $near operators in $or queries (#3767, #3798), thanks to Jack Wearden
Fix issue affecting arrays of pointers (#3169), thanks to Florent Vilmart
Fix issue affecting overloaded query constraints (#3723, #3678), thanks to Florent Vilmart
Properly catch unhandled rejections in _Installation updates (#3795), thanks to kahoona77

Dependency Updates:

uws@0.14.5
mime@1.3.6
mongodb@2.2.26
pg-promise@5.7.0
semver@5.3.0

Development dependencies

babel-cli@6.24.1
babel-core@6.24.1
babel-preset-es2015@6.24.1
babel-preset-stage-0@6.24.1
babel-register@6.24.1
cross-env@5.0.0
deep-diff@0.3.8
gaze@1.1.2
jasmine@2.6.0
jasmine-spec-reporter@4.1.0
mongodb-runner@3.5.0
nyc@10.3.2
request-promise@4.2.1

2.3.8

New Features

Support for PG-Promise options, thanks to ren dong

Improvements

Improves support for graceful shutdown, thanks to Florent Vilmart
Improves configuration validation for Twitter Authentication, thanks to Benjamin Wilson Friedman

Bug Fixes

Fixes issue affecting GeoPoint __type with Postgres, thanks to zhoul-HS
Prevent user creation if username or password is empty, thanks to Wissam Abirached

Dependency Updates:

cross-env@4.0.0
ws@2.2.3
babel-core@6.24.0
uws@0.14.0
babel-preset-es2015@6.24.0
babel-plugin-syntax-flow@6.18.0
babel-cli@6.24.0
babel-register@6.24.0
winston-daily-rotate-file@1.4.6
mongodb@2.2.25
redis@2.7.0
pg-promise@5.6.4
parse-server-push-adapter@1.3.0

2.3.7

New Features

New endpoint to resend verification email, thanks to Xy Ziemba

Improvements

Add TTL option for Redis Cache Adapter, thanks to Ryan Foster
Update Postgres Storage Adapter, thanks to Vitaly Tomilov

Bug Fixes

Add index on Role.name, fixes (#3579), thanks to Natan Rolnik
Fix default value of userSensitiveFields, fixes (#3593), thanks to Arthur Cinader

Dependency Updates:

body-parser@1.17.1
express@4.15.2
request@2.81.0
winston-daily-rotate-file@1.4.5
ws@2.2.0

2.3.6

Improvements

Adds support for injecting a middleware for instumentation in the CLI, thanks to Florent Vilmart
Alleviate mongodb bug with $or queries SERVER-13732, thanks to Jack Wearden

Bug Fixes

Fix issue affecting password policy and empty passwords, thanks to Bhaskar Reddy Yasa
Fix issue when logging url in non string objects, thanks to Paulo Vítor S Reis

Dependencies updates:

ws@2.1.0
uws@0.13.0
pg-promise@5.6.2

2.3.5

Bug Fixes

Allow empty client key (#3497), thanks to Arthur Cinader
Fix LiveQuery unsafe user (#3525), thanks to David Starke
Use flushdb instead of flushall in RedisCacheAdapter (#3523), thanks to Jeremy Louie
Fix saving GeoPoints and Files in _GlobalConfig (Make sure we don't treat dot notation keys as topLevel atoms) (#3531), thanks to Florent Vilmart

2.3.3

Breaking Changes

Minimum Node engine bumped to 4.6 (#3480), thanks to Florent Vilmart

Bug Fixes

Add logging on failure to create file (#3424), thanks to Arthur Cinader
Log Parse Errors so they are intelligible (#3431), thanks to Arthur Cinader
MongoDB $or Queries avoid SERVER-13732 bug (#3476), thanks to Jack Wearden
Mongo object to Parse object date serialization - avoid re-serialization of iso of type Date (#3389), thanks to nodechefMatt

Improvements

Ground preparations for push scalability (#3080), thanks to Florent Vilmart
Use uWS as optional dependency for ws server (#3231), thanks to Florent Vilmart

2.3.2

New features

Add parseFrameURL for masking user-facing pages (#3267), thanks to Lenart Rudel

Bug fixes

Fix Parse-Server to work with winston-daily-rotate-1.4.2 (#3335), thanks to Arthur Cinader

Improvements

Add support for regex string for password policy validatorPattern setting (#3331), thanks to Bhaskar Reddy Yasa
LiveQuery should match subobjects with dot notation (#3322), thanks to David Starke
Reduce time to process high number of installations for push (#3264), thanks to jeacott1
Fix trivial typo in error message (#3238), thanks to Arthur Cinader

2.3.1

A major issue was introduced when refactoring the authentication modules. This release addresses only that issue.

2.3.0

Breaking Changes

Parse.Cloud.useMasterKey() is a no-op, please refer to (Cloud Code migration guide)[https://github.com/ParsePlatform/parse-server/wiki/Compatibility-with-Hosted-Parse#cloud-code]
Authentication helpers are now proper adapters, deprecates oauth option in favor of auth.
DEPRECATES: facebookAppIds, use auth: { facebook: { appIds: ["AAAAAAAAA" ] } }
email field is not returned anymore for Parse.User queries. (Provided only on the user itself if provided).

New Features

Adds ability to restrict access through Class Level Permissions to only authenticated users see docs
Adds ability to strip sensitive data from _User responses, strips emails by default, thanks to Arthur Cinader
Adds password history support for password policies, thanks to Bhaskar Reddy Yasa

Improvements

Bump parse-server-s3-adapter to 1.0.6, thanks to Arthur Cinader
Using PARSE_SERVER_ENABLE_EXPERIMENTAL_DIRECT_ACCESS let you create user sessions when passing {installationId: "xxx-xxx"} on signup in cloud code, thanks to Florent Vilmart
Add CLI option to pass host parameter when creating parse-server from CLI, thanks to Kulshekhar Kabra

Bug fixes

Ensure batch routes are only using posix paths, thanks to Steven Shipton
Ensure falsy options from CLI are properly taken into account, thanks to Steven Shipton
Fixes issues affecting calls to matchesKeyInQuery with pointers.
Ensure that select keys can be changed in triggers (beforeFind...), thanks to Arthur Cinader

Housekeeping

Enables and enforces linting with eslint, thanks to Arthur Cinader

2.2.25

Postgres support requires v9.5

New Features

Dockerizing Parse Server, thanks to Kirill Kravinsky
Login with qq, wechat, weibo, thanks to haifeizhang
Password policy, validation and expiration, thanks to Bhaskar Reddy Yasa
Health check on /health, thanks to Kirill Kravinsky
Reuse SchemaCache across requests option, thanks to Steven Shipton

Improvements

Better support for CLI options, thanks to Steven Shipton
Specity a database timeout with maxTimeMS, thanks to Tyler Brock
Adds the username to reset password success pages, thanks to Halim Qarroum
Better support for Redis cache adapter, thanks to Tyler Brock
Better coverage of Postgres, thanks to Kulshekhar Kabra

Bug Fixes

Fixes issue when sending push to multiple installations, thanks to Florent Vilmart
Fixes issues with twitter authentication, thanks to jonas-db
Ignore createdAt fields update, thanks to Yuki Takeichi
Improve support for array equality with LiveQuery, thanks to David Poetzsch-Heffter
Improve support for batch endpoint when serverURL and publicServerURL have different paths, thanks to Florent Vilmart
Support saving relation objects, thanks to Yuki Takeichi

2.2.24

New Features

LiveQuery: Bring your own adapter (#2902), thanks to Florent Vilmart
LiveQuery: Adds "update" operator to update a query subscription (#2935), thanks to Florent Vilmart

Improvements

Better Postgres support, thanks to Kulshekhar Kabra
Logs the function name when failing (#2963), thanks to Michael Helvey
CLI: forces closing the connections with SIGINT/SIGTERM (#2964), thanks to Kulshekhar Kabra
Reduce the number of calls to the _SCHEMA table (#2912), thanks to Steven Shipton
LiveQuery: Support for Role ACL's, thanks to Aaron Blondeau

Bug Fixes

Better support for checking application and client keys, thanks to Steven Shipton
Google OAuth, better support for android and web logins, thanks to Florent Vilmart

2.2.23

Run liveQuery server from CLI with a different port, thanks to Florent Vilmart
Support for Postgres databaseURI, thanks to Kulshekhar Kabra
Support for Postgres options, thanks to Kulshekhar Kabra
Improved support for google login (id_token and access_token), thanks to Florent Vilmart
Improvements with VKontakte login, thanks to Eugene Antropov
Improved support for select and include, thanks to Florent Vilmart

Bug fixes

Fix error when updating installation with useMasterKey (#2888), thanks to Jeremy Louie
Fix bug affecting usage of multiple notEqualTo, thanks to Jeremy Louie
Improved support for null values in arrays, thanks to Florent Vilmart

2.2.22

Minimum nodejs engine is now 4.5

New Features

New: CLI for parse-live-query-server, thanks to Florent Vilmart
New: Start parse-live-query-server for parse-server CLI, thanks to Florent Vilmart

Bug fixes

Fix: Include with pointers are not conflicting with get CLP anymore, thanks to Florent Vilmart
Fix: Removes dependency on babel-polyfill, thanks to Florent Vilmart
Fix: Support nested select calls, thanks to Florent Vilmart
Fix: Use native column selection instead of runtime, thanks to Florent Vilmart
Fix: installationId header is properly used when updating _Installation objects, thanks to Florent Vilmart
Fix: don't crash parse-server on improperly formatted live-query messages, thanks to Florent Vilmart
Fix: Passwords are properly stripped out of logs, thanks to Arthur Cinader
Fix: Lookup for email in username if email is not set, thanks to Florent Vilmart

2.2.21

Fix: Reverts removal of babel-polyfill

2.2.20

New: Adds CloudCode handler for beforeFind, thanks to Florent Vilmart
New: RedisCacheAdapter for syncing schema, role and user caches across servers, thanks to Florent Vilmart
New: Latest master build available at ParsePlatform/parse-server#latest, thanks to Florent Vilmart
Fix: Better support for upgradeToRevocableSession with missing session token, thanks to Florent Vilmart
Fix: Removes babel-polyfill runtime dependency, thanks to Florent Vilmart
Fix: Cluster option now support a boolean value for automatically choosing the right number of processes, thanks to Florent Vilmart
Fix: Filenames now appear correctly, thanks to Lama Chandrasena
Fix: _acl is properly updated, thanks to Steven Shipton

Other fixes by Mathias Rangel Wulff

2.2.19

New: support for upgrading to revocable sessions, thanks to Florent Vilmart
New: NullCacheAdapter for disabling caching, thanks to Yuki Takeichi
New: Account lockout policy #2601, thanks to Diwakar Cherukumilli
New: Jobs endpoint for defining and run jobs (no scheduling), thanks to Florent Vilmart
New: Add --cluster option to the CLI, thanks to Florent Vilmart
New: Support for login with vk.com, thanks to Nurdaulet Bolatov
New: experimental support for postgres databases, thanks to Florent Vilmart
Fix: parse-server doesn't call next() after successful responses, thanks to Florent Vilmart
Fix: Nested objects are properly includeed with Pointer Permissions on, thanks to Florent Vilmart
Fix: null values in include calls are properly handled, thanks to Florent Vilmart
Fix: Schema validations now runs after beforeSave hooks, thanks to Florent Vilmart
Fix: usersname and passwords are properly type checked, thanks to Bam Wang
Fix: logging in info log would log also in error log, thanks to Florent Vilmart
Fix: removes extaneous logging from ParseLiveQueryServer, thanks to Flavio Torres
Fix: support for Range requests for files, thanks to Brage G. Staven

2.2.18

Fix: Improve support for objects in push alert, thanks to Antoine Lenoir
Fix; Prevent pointed from getting clobbered when they are changed in a beforeSave, thanks to sud
Fix: Improve support for "Bytes" type, thanks to CongHoang
Fix: Better logging compatability with Parse.com, thanks to Arthur Cinader
New: Add Janrain Capture and Janrain Engage auth provider, thanks to Andrew Lane
Improved: Include content length header in files response, thanks to Steven Van Bael
Improved: Support byte range header for files, thanks to Brage G. Staven
Improved: Validations for LinkedIn access_tokens, thanks to Felix Dumit
Improved: Experimental postgres support, thanks to Florent Vilmart
Perf: Use native bcrypt implementation if available, thanks to Florent Vilmart

2.2.17

Cloud code logs #2370 (flovilmart)
Make sure _PushStatus operations are run in order #2367 (flovilmart)
Typo fix for error message when can't ensure uniqueness of user email addresses #2360 (AndrewLane)
LiveQuery constrains matching fix #2357 (simonas-notcat)
Fix typo in logging for commander parseConfigFile #2352 (AndrewLane)
Fix minor typos in test names #2351 (acinader)
Makes sure we don't strip authData or session token from users using masterKey #2348 (flovilmart)
Run coverage with istanbul #2340 (flovilmart)
Run next() after successfully sending data to the client #2338 (blacha)
Cache all the mongodb/version folder #2336 (flovilmart)
updates usage of setting: emailVerifyTokenValidityDuration #2331 (cherukumilli)
Update Mongodb client to 2.2.4 #2329 (flovilmart)
Allow usage of analytics adapter #2327 (deashay)
Fix flaky tests #2324 (flovilmart)
don't serve null authData values #2320 (yuzeh)
Fix null relation problem #2319 (flovilmart)
Clear the connectionPromise upon close or error #2314 (flovilmart)
Report validation errors with correct error code #2299 (flovilmart)
Parses correctly Parse.Files and Dates when sent to Cloud Code Functions #2297 (flovilmart)
Adding proper generic Not Implemented. #2292 (vitaly-t)
Adds schema caching capabilities (5s by default) #2286 (flovilmart)
add digits oauth provider #2284 (ranhsd)
Improve installations query #2281 (flovilmart)
Adding request headers to cloud functions fixes #1461 #2274 (blacha)
Creates a new sessionToken when updating password #2266 (flovilmart)
Add Gitter chat link to the README. #2264 (nlutsenko)
Restores ability to include non pointer keys #2263 (flovilmart)
Allow next middleware handle error in handleParseErrors #2260 (mejcz)
Exposes the ClientSDK infos if available #2259 (flovilmart)
Adds support for multiple twitter auths options #2256 (flovilmart)
validate_purchase fix for SANDBOX requests #2253 (valeryvaskabovich)

2.2.16

New: Expose InMemoryCacheAdapter publicly, thanks to Steven Shipton
New: Add ability to prevent login with unverified email, thanks to Diwakar Cherukumilli
Improved: Better error message for incorrect type, thanks to Andrew Lane
Improved: Better error message for permission denied, thanks to Blayne Chard
Improved: Update authData on login, thanks to Florent Vilmart
Improved: Ability to not check for old files on Parse.com, thanks to OzgeAkin
Fix: Issues with email adapter validation, thanks to Tyler Brock
Fix: Issues with nested $or queries, thanks to Florent Vilmart

2.2.15

Fix: Type in description for Parse.Error.INVALID_QUERY, thanks to Andrew Lane
Improvement: Stop requiring verifyUserEmails for password reset functionality, thanks to Tyler Brock
Improvement: Kill without validation, thanks to Drew Gross
Fix: Deleting a file does not delete from fs.files, thanks to David Keita
Fix: Postgres stoage adapter fix, thanks to Vitaly Tomilov
Fix: Results invalid session when providing an invalid session token, thanks to Florent Vilmart
Fix: issue creating an anonymous user, thanks to Hussam Moqhim
Fix: make http response serializable, thanks to Florent Vilmart
New: Add postmark email adapter alternative Glenn Reyes

2.2.14

Hotfix: Fix Parse.Cloud.HTTPResponse serialization

2.2.13

Hotfix: Pin version of deepcopy

2.2.12

New: Custom error codes in cloud code response.error, thanks to Jeremy Pease
Fix: Crash in beforeSave when response is not an object, thanks to Tyler Brock
Fix: Allow "get" on installations
Fix: Fix overly restrictive Class Level Permissions, thanks to Florent Vilmart
Fix: Fix nested date parsing in Cloud Code, thanks to Marco Cheung
Fix: Support very old file formats from Parse.com

2.2.11

Security: Censor user password in logs, thanks to Marco Cheung
New: Add PARSE_SERVER_LOGS_FOLDER env var for setting log folder, thanks to KartikeyaRokde
New: Webhook key support, thanks to Tyler Brock
Perf: Add cache adapter and default caching of certain objects, thanks to Blayne Chard
Improvement: Better error messages for schema type mismatches, thanks to Jeremy Pease
Improvement: Better error messages for reset password emails
Improvement: Webhook key support in CLI, thanks to Tyler Brock
Fix: Remove read only fields when using beforeSave, thanks to Tyler Brock
Fix: Use content type provided by JS SDK, thanks to Blayne Chard and Florent Vilmart
Fix: Tell the dashboard the stored push data is available, thanks to Jeremy Pease
Fix: Add support for HTTP Basic Auth, thanks to Hussam Moqhim
Fix: Support for MongoDB version 3.2.6, (note: do not use MongoDB 3.2 with migrated apps that still have traffic on Parse.com), thanks to Tyler Brock
Fix: Prevent pm2 from crashing when push notifications fail, thanks to benishak
Fix: Add full list of default _Installation fields, thanks to Jeremy Pease
Fix: Strip objectId out of hooks responses, thanks to Tyler Brock
Fix: Fix external webhook response format, thanks to Tyler Brock
Fix: Fix beforeSave when object is passed to success, thanks to Madhav Bhagat
Fix: Remove use of deprecated APIs, thanks to Emad Ehsan
Fix: Crash when multiple Parse Servers on the same machine try to write to the same logs folder, thanks to Steven Shipton
Fix: Various issues with key names in Parse.Objects
Fix: Treat Bytes type properly
Fix: Caching bugs that caused writes by masterKey or other session token to not show up to users reading with a different session token
Fix: Pin mongo driver version, preventing a regression in version 2.1.19
Fix: Various issues with pointer fields not being treated properly
Fix: Issues with pointed getting un-fetched due to changes in beforeSave
Fix: Fixed crash when deleting classes that have CLPs

2.2.10

Fix: Write legacy ACLs to Mongo so that clients that still go through Parse.com can read them, thanks to Tyler Brock and carmenlau
Fix: Querying installations with limit = 0 and count = 1 now works, thanks to ssk7833
Fix: Return correct error when violating unique index, thanks to Marco Cheung
Fix: Allow unsetting user's email, thanks to Marco Cheung
New: Support for Node 6.1

2.2.9

Fix: Fix a regression that caused Parse Server to crash when a null parameter is passed to a Cloud function

2.2.8

New: Support for Pointer Permissions
New: Expose logger in Cloud Code
New: Option to revoke sessions on password reset
New: Option to expire inactive sessions
Perf: Improvements in ACL checking query
Fix: Issues when sending pushes to list of devices that contains invalid values
Fix: Issues caused by using babel-polyfill outside of Parse Server, but in the same express app
Fix: Remove creation of extra session tokens
Fix: Return authData when querying with master key
Fix: Bugs when deleting webhooks
Fix: Ignore _RevocableSession header, which might be sent by the JS SDK
Fix: Issues with querying via URL params
Fix: Properly encode "Date" parameters to cloud code functions

2.2.7

Adds support for --verbose and verbose option when running ParseServer #1414 (flovilmart)
Adds limit = 0 as a valid parameter for queries #1493 (seijiakiyama)
Makes sure we preserve Installations when updating a token (#1475) #1486 (flovilmart)
Hotfix for tests #1503 (flovilmart)
Enable logs #1502 (drew-gross)
Do some triple equals for great justice #1499 (TylerBrock)
Apply credential stripping to all untransforms for _User #1498 (TylerBrock)
Checking if object has defined key for Pointer constraints in liveQuery #1487 (simonas-notcat)
Remove collection prefix and default mongo URI #1479 (drew-gross)
Store collection prefix in mongo adapter, and clean up adapter interface #1472 (drew-gross)
Move field deletion logic into mongo adapter #1471 (drew-gross)
Adds support for Long and Double mongodb types (fixes #1316) #1470 (flovilmart)
Schema.js database agnostic #1468 (flovilmart)
Remove console.log #1465 (drew-gross)
Push status nits #1462 (flovilmart)
Fixes #1444 #1451 (flovilmart)
Removing sessionToken and authData from _User objects included in a query #1450 (simonas-notcat)
Move mongo field type logic into mongoadapter #1432 (drew-gross)
Prevents _User lock out when setting ACL on signup or afterwards #1429 (flovilmart)
Update .travis.yml #1428 (flovilmart)
Adds relation fields to objects #1424 (flovilmart)
Update .travis.yml #1423 (flovilmart)
Sets the defaultSchemas keys in the SchemaCollection #1421 (flovilmart)
Fixes #1417 #1420 (drew-gross)
Untransform should treat Array's as nested objects #1416 (blacha)
Adds X-Parse-Push-Status-Id header #1412 (flovilmart)
Schema format cleanup #1407 (drew-gross)
Updates the publicServerURL option #1397 (flovilmart)
Fix exception with non-expiring session tokens. #1386 (0x18B2EE)
Move mongo schema format related logic into mongo adapter #1385 (drew-gross)
WIP: Huge performance improvement on roles queries #1383 (flovilmart)
Removes GCS Adapter from provided adapters #1339 (flovilmart)
DBController refactoring #1228 (flovilmart)
Spotify authentication #1226 (1nput0utput)
Expose DatabaseAdapter to simplify application tests #1121 (steven-supersolid)

2.2.6

Important Fix: Disables find on installation from clients #1374 (flovilmart)
Adds missing options to the CLI #1368 (flovilmart)
Removes only master on travis #1367 (flovilmart)
Auth._loadRoles should not query the same role twice. #1366 (blacha)

2.2.5

Improves config loading and tests #1363 (flovilmart)
Adds travis configuration to deploy NPM on new version tags #1361 (gfosco)
Inject the default schemas properties when loading it #1357 (flovilmart)
Adds console transport when testing with VERBOSE=1 #1351 (flovilmart)
Make notEqual work on relations #1350 (flovilmart)
Accept only bool for $exists in LiveQuery #1315 (drew-gross)
Adds more options when using CLI/config #1305 (flovilmart)
Update error message #1297 (drew-gross)
Properly let masterKey add fields #1291 (flovilmart)
Point to #1271 as how to write a good issue report #1290 (drew-gross)
Adds ability to override mount with publicServerURL for production uses #1287 (flovilmart)
Single object queries to use include and keys #1280 (jeremyjackson89)
Improves report for Push error in logs and _PushStatus #1269 (flovilmart)
Removes all stdout/err logs while testing #1268 (flovilmart)
Matching queries with doesNotExist constraint #1250 (andrecardoso)
Added session length option for session tokens to server configuration #997 (Kenishi)
Regression test for #1259 #1286 (drew-gross)
Regression test for #871 #1283 (drew-gross)
Add a test to repro #701 #1281 (drew-gross)
Fix for #1334: using relative cloud code files broken #1353 (airdrummingfool)
Fix Issue/1288 #1346 (flovilmart)
Fixes #1271 #1295 (drew-gross)
Fixes issue #1302 #1314 (flovilmart)
Fixes bug related to include in queries #1312 (flovilmart)

2.2.4

Hotfix: fixed imports issue for S3Adapter, GCSAdapter, FileSystemAdapter #1263 (drew-gross
Fix: Clean null authData values on _User update #1199 (yuzeh)

2.2.3

Fixed bug with invalid email verification link on email update. #1253 (kzielonka)
Badge update supports increment as well as Increment #1248 (flovilmart)
Config/Push Tested with the dashboard. #1235 (drew-gross)
Better logging with winston #1234 (flovilmart)
Make GlobalConfig work like parse.com #1210 (framp)
Improve flattening of results from pushAdapter #1204 (flovilmart)
Push adapters are provided by external packages #1195 (flovilmart)
Fix flaky test #1188 (drew-gross)
Fixes problem affecting finding array pointers #1185 (flovilmart)
Moves Files adapters to external packages #1172 (flovilmart)
Mark push as enabled in serverInfo endpoint #1164 (drew-gross)
Document email adapter #1144 (drew-gross)
Reset password fix #1133 (carmenlau)

2.2.2

Important Fix: Mounts createLiveQueryServer, fix babel induced problem #1153 (flovilmart)
Move ParseServer to it's own file #1166 (flovilmart)
Update README.md * remove deploy buttons * replace with community links #1139 (drew-gross)
Adds bootstrap.sh #1138 (flovilmart)
Fix: Do not override username #1142 (flovilmart)
Fix: Add pushId back to GCM payload #1168 (wangmengyan95)

2.2.1

New: Add FileSystemAdapter file adapter #1098 (dtsolis)
New: Enabled CLP editing #1128 (drew-gross)
Improvement: Reduces the number of connections to mongo created #1111 (flovilmart)
Improvement: Make ParseServer a class #980 (flovilmart)
Fix: Adds support for plain object in $add, $addUnique, $remove #1114 (flovilmart)
Fix: Generates default CLP, freezes objects #1132 (flovilmart)
Fix: Properly sets installationId on creating session with 3rd party auth #1110 (flovilmart)

2.2.0

New Feature: Real-time functionality with Live Queries! #1092 (wangmengyan95)
Improvement: Push Status API #1004 (flovilmart)
Improvement: Allow client operations on Roles #1068 (flovilmart)
Improvement: Add URI encoding to mongo auth parameters #986 (bgw)
Improvement: Adds support for apps key in config file, but only support single app for now #979 (flovilmart)
Documentation: Getting Started and Configuring Parse Server #988 (hramos)
Fix: Various edge cases with REST API #1066 (flovilmart)
Fix: Makes sure the location in results has the proper objectId #1065 (flovilmart)
Fix: Third-party auth is properly removed when unlinked #1081 (flovilmart)
Fix: Clear the session-user cache when changing _User objects #1072 (gfosco)
Fix: Bug related to subqueries on unfetched objects #1046 (flovilmart)
Fix: Properly urlencode parameters for email validation and password reset #1001 (flovilmart)
Fix: Better sanitization/decoding of object data for afterSave triggers #992 (flovilmart)
Fix: Changes default encoding for httpRequest #892 (flovilmart)

2.1.6

Improvement: Full query support for badge Increment (#931) #983 (flovilmart)
Improvement: Shutdown standalone parse server gracefully #958 (raulr)
Improvement: Add database options to ParseServer constructor and pass to MongoStorageAdapter #956 (steven-supersolid)
Improvement: AuthData logic refactor #952 (flovilmart)
Improvement: Changed FileLoggerAdapterSpec to fail gracefully on Windows #946 (aneeshd16)
Improvement: Add new schema collection type and replace all usages of direct mongo collection for schema operations. #943 (nlutsenko)
Improvement: Adds CLP API to Schema router #898 (flovilmart)
Fix: Cleans up authData null keys on login for android crash #978 (flovilmart)
Fix: Do master query for before/afterSaveHook #959 (wangmengyan95)
Fix: re-add shebang #944 (flovilmart)
Fix: Added test command for Windows support #886 (aneeshd16)

2.1.5

New: FileAdapter for Google Cloud Storage #708 (mcdonamp)
Improvement: Minimize extra schema queries in some scenarios. #919 (Marco129)
Improvement: Move DatabaseController and Schema fully to adaptive mongo collection. #909 (nlutsenko)
Improvement: Cleanup PushController/PushRouter, remove raw mongo collection access. #903 (nlutsenko)
Improvement: Increment badge the right way #902 (flovilmart)
Improvement: Migrate ParseGlobalConfig to new database storage API. #901 (nlutsenko)
Improvement: Improve delete flow for non-existent _Join collection #881 (Marco129)
Improvement: Adding a role scenario test for issue 827 #878 (gfosco)
Improvement: Test empty authData block on login for #413 #863 (gfosco)
Improvement: Modified the npm dev script to support Windows #846 (aneeshd16)
Improvement: Move HooksController to use MongoCollection instead of direct Mongo access. #844 (nlutsenko)
Improvement: Adds public_html and views for packaging #839 (flovilmart)
Improvement: Better support for windows builds #831 (flovilmart)
Improvement: Convert Schema.js to ES6 class. #826 (nlutsenko)
Improvement: Remove duplicated instructions #816 (hramos)
Improvement: Completely migrate SchemasRouter to new MongoCollection API. #794 (nlutsenko)
Fix: Do not require where clause in $dontSelect condition on queries. #925 (nlutsenko)
Fix: Make sure that ACLs propagate to before/after save hooks. #924 (nlutsenko)
Fix: Support params option in Parse.Cloud.httpRequest. #912 (carmenlau)
Fix: Fix flaky Parse.GeoPoint test. #908 (nlutsenko)
Fix: Handle legacy _client_permissions key in _SCHEMA. #900 (drew-gross)
Fix: Fixes bug when querying equalTo on objectId and relation #887 (flovilmart)
Fix: Allow crossdomain on filesRouter #876 (flovilmart)
Fix: Remove limit when counting results. #867 (gfosco)
Fix: beforeSave changes should propagate to the response #865 (gfosco)
Fix: Delete relation field when _Join collection not exist #864 (Marco129)
Fix: Related query on non-existing column #861 (gfosco)
Fix: Update markdown in .github/ISSUE_TEMPLATE.md #859 (igorshubovych)
Fix: Issue with creating wrong _Session for Facebook login #857 (tobernguyen)
Fix: Leak warnings in tests, use mongodb-runner from node_modules #843 (drew-gross)
Fix: Reversed roles lookup #841 (flovilmart)
Fix: Improves loading of Push Adapter, fix loading of S3Adapter #833 (flovilmart)
Fix: Add field to system schema #828 (Marco129)

2.1.4

New: serverInfo endpoint that returns server version and info about the server's features
Improvement: Add support for badges on iOS
Improvement: Improve failure handling in cloud code http requests
Improvement: Add support for queries on pointers and relations
Improvement: Add support for multiple $in clauses in a query
Improvement: Add allowClientClassCreation config option
Improvement: Allow atomically setting subdocument keys
Improvement: Allow arbitrarily deeply nested roles
Improvement: Set proper content-type in S3 File Adapter
Improvement: S3 adapter auto-creates buckets
Improvement: Better error messages for many errors
Performance: Improved algorithm for validating client keys
Experimental: Parse Hooks and Hooks API
Experimental: Email verification and password reset emails
Experimental: Improve compatability of logs feature with Parse.com
Fix: Fix for attempting to delete missing classes via schemas API
Fix: Allow creation of system classes via schemas API
Fix: Allow missing where cause in $select
Fix: Improve handling of invalid object ids
Fix: Replace query overwriting existing query
Fix: Propagate installationId in cloud code triggers
Fix: Session expiresAt is now a Date instead of a string
Fix: Fix count queries
Fix: Disallow _Role objects without names or without ACL
Fix: Better handling of invalid types submitted
Fix: beforeSave will not be triggered for attempts to save with invalid authData
Fix: Fix duplicate device token issues on Android
Fix: Allow empty authData on signup
Fix: Allow Master Key Headers (CORS)
Fix: Fix bugs if JavaScript key was not provided in server configuration
Fix: Parse Files on objects can now be stored without URLs
Fix: allow both objectId or installationId when modifying installation
Fix: Command line works better when not given options

2.1.3

Feature: Add initial support for in-app purchases
Feature: Better error messages when attempting to run the server on a port that is already in use or without a server URL
Feature: Allow customization of max file size
Performance: Faster saves if not using beforeSave triggers
Fix: Send session token in response to current user endpoint
Fix: Remove triggers for _Session collection
Fix: Improve compatability of cloud code beforeSave hook for newly created object
Fix: ACL creation for master key only objects
Fix: Allow uploading files without Content-Type
Fix: Add features to http request to match Parse.com
Fix: Bugs in development script when running from locations other than project root
Fix: Can pass query constraints in URL
Fix: Objects with legacy "_tombstone" key now don't cause issues.
Fix: Allow nested keys in objects to begin with underscores
Fix: Allow correct headers for CORS

2.1.2

Change: The S3 file adapter constructor requires a bucket name
Fix: Parse Query should throw if improperly encoded
Fix: Issue where roles were not used in some requests
Fix: serverURL will no longer default to api.parse.com/1

2.1.1

Experimental: Schemas API support for DELETE operations
Fix: Session token issue fetching Users
Fix: Facebook auth validation
Fix: Invalid error when deleting missing session

2.1.0

Feature: Support for additional OAuth providers
Feature: Ability to implement custom OAuth providers
Feature: Support for deleting Parse Files
Feature: Allow querying roles
Feature: Support for logs, extensible via Log Adapter
Feature: New Push Adapter for sending push notifications through OneSignal
Feature: Tighter default security for Users
Feature: Pass parameters to cloud code in query string
Feature: Disable anonymous users via configuration.
Experimental: Schemas API support for PUT operations
Fix: Prevent installation ID from being added to User
Fix: Becoming a user works properly with sessions
Fix: Including multiple object when some object are unavailable will get all the objects that are available
Fix: Invalid URL for Parse Files
Fix: Making a query without a limit now returns 100 results
Fix: Expose installation id in cloud code
Fix: Correct username for Anonymous users
Fix: Session token issue after fetching user
Fix: Issues during install process
Fix: Issue with Unity SDK sending _noBody

2.0.8

Add: support for Android and iOS push notifications
Experimental: cloud code validation hooks (can mark as non-experimental after we have docs)
Experimental: support for schemas API (GET and POST only)
Experimental: support for Parse Config (GET and POST only)
Fix: Querying objects with equality constraint on array column
Fix: User logout will remove session token
Fix: Various files related bugs
Fix: Force minimum node version 4.3 due to security issues in earlier version
Performance Improvement: Improved caching

Files

CHANGELOG_release.md

Latest commit

History

CHANGELOG_release.md

File metadata and controls

7.2.0 (2024-07-09)

Bug Fixes

Features

7.1.0 (2024-06-30)

Bug Fixes

Features

7.0.0 (2024-03-19)

Bug Fixes

Features

Performance Improvements

BREAKING CHANGES

6.4.0 (2023-11-16)

Bug Fixes

Features

Performance Improvements

6.3.1 (2023-10-20)

Bug Fixes

6.3.0 (2023-09-16)

Bug Fixes

Features

Reverts

6.2.2 (2023-09-04)

Bug Fixes

6.2.1 (2023-06-28)

Bug Fixes

6.2.0 (2023-05-20)

Features

6.1.0 (2023-05-01)

Bug Fixes

Features

6.0.0 (2023-01-31)

Bug Fixes

Features

BREAKING CHANGES

5.4.0 (2022-11-19)

Bug Fixes

Features

5.3.3 (2022-11-09)

Bug Fixes

5.3.2 (2022-11-09)

Bug Fixes

5.3.1 (2022-11-07)

Bug Fixes

5.3.0 (2022-10-29)

Bug Fixes

Features

Performance Improvements

5.2.8 (2022-10-14)

Bug Fixes

5.2.7 (2022-09-20)

Bug Fixes

5.2.6 (2022-09-20)

Bug Fixes

5.2.5 (2022-09-02)

Bug Fixes

5.2.4 (2022-06-30)

Bug Fixes

5.2.3 (2022-06-17)

Bug Fixes

5.2.2 (2022-06-17)

Bug Fixes

5.2.1 (2022-05-01)

Bug Fixes

5.2.0 (2022-03-24)

Bug Fixes

Features

5.1.1 (2022-03-18)

Reverts

5.1.0 (2022-03-18)

Bug Fixes

Features

Reverts

⚠️ NOTABLE CHANGES

5.0.0 (2022-03-14)