Skip to content

refactor: Bump parse-server from 9.8.0 to 9.9.0#559

Closed
mtrezza wants to merge 1 commit into
parse-community:masterfrom
mtrezza:refactor/parse-server-9.9.0
Closed

refactor: Bump parse-server from 9.8.0 to 9.9.0#559
mtrezza wants to merge 1 commit into
parse-community:masterfrom
mtrezza:refactor/parse-server-9.9.0

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

Bumps parse-server from 9.8.0 to 9.9.0. parse-server is a devDependency used only for running the test suite.

Closes #550

Changes

Breaking Changes

None.

Code Changes Required

None.

Summary by CodeRabbit

  • Bug Fixes
    • Updated the Parse Server version and related packages to improve compatibility, stability, and security.
    • Refreshed authentication and request-routing dependencies.
  • Chores
    • Updated the supported Node.js version requirement for the latest Parse Server release.

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@mtrezza, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 56 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7e5cfb97-3b18-4095-929e-7a3ff7f03186

📥 Commits

Reviewing files that changed from the base of the PR and between a005420 and 49a4565.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json
📝 Walkthrough

Walkthrough

The project upgrades parse-server from 9.8.0 to 9.9.0 and refreshes the lockfile with updated transitive dependencies, engine requirements, and package resolutions.

Changes

Parse Server dependency upgrade

Layer / File(s) Summary
Dependency declaration
package.json, package-lock.json
The declared and root-locked parse-server version changes from 9.8.0 to 9.9.0.
Locked dependency graph
package-lock.json
The lockfile updates parse-server metadata, jsonwebtoken, parse, path-to-regexp, Babel runtime packages, engine constraints, and the top-level jwa/jws resolution structure.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Security Check ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Engage In Review Feedback ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the dependency bump and follows the required prefix format.
Linked Issues check ✅ Passed The PR upgrades parse-server from 9.8.0 to 9.9.0 in package.json and lockfile, matching issue #550.
Out of Scope Changes check ✅ Passed The changes are limited to the requested dependency update and related lockfile refresh.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.77%. Comparing base (ec7738a) to head (49a4565).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #559   +/-   ##
=======================================
  Coverage   97.77%   97.77%           
=======================================
  Files           2        2           
  Lines         225      225           
=======================================
  Hits          220      220           
  Misses          5        5           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package-lock.json`:
- Line 13101: Raise the Node 22 version pin from 22.12.0 to at least 22.13.0 in
package.json and the CI configuration, ensuring all local and workflow
references use the updated baseline required by parse-server@9.9.0.

In `@package.json`:
- Line 42: Upgrade the parse-server devDependency from 9.9.0 to 9.10.0 in
package.json, then regenerate package-lock.json so its root dependency entry and
resolved package entry both reference 9.10.0.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3f55a048-5e58-4cac-8a4a-70e054535c17

📥 Commits

Reviewing files that changed from the base of the PR and between 4be5ee8 and a005420.

📒 Files selected for processing (2)
  • package-lock.json
  • package.json

Comment thread package-lock.json
},
"engines": {
"node": ">=20.19.0 <21.0.0 || >=22.12.0 <23.0.0 || >=24.11.0 <25.0.0"
"node": ">=20.19.0 <21.0.0 || >=22.13.0 <23.0.0 || >=24.11.0 <25.0.0"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the project's declared Node.js version
fd -H -i '(^|\.)(nvmrc|tool-versions|node-version)$' -t f --max-depth 2
cat .nvmrc 2>/dev/null || echo "no .nvmrc found"
fd -H -i 'Dockerfile' -t f --max-depth 3 --exec sh -c 'grep -i "node" "$1" | head -5' _ {}
fd -H -i 'ci.yml' -t f .github/workflows --exec sh -c 'grep -i "node-version" "$1" | head -10' _ {}

Repository: parse-community/parse-server-s3-adapter

Length of output: 244


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '== package.json =='
if [ -f package.json ]; then
  cat -n package.json | sed -n '1,220p'
else
  echo 'package.json not found'
fi

echo
echo '== package-lock.json (engine references) =='
rg -n '"node": ">=20\.19\.0 <21\.0\.0 \|\| >=22\.[0-9]+\.[0-9]+ <23\.0\.0 \|\| >=24\.[0-9]+\.[0-9]+ <25\.0\.0"|engine-strict|engines' package-lock.json package.json .github/workflows -n -S || true

echo
echo '== .github/workflows files =='
fd -H -t f .github/workflows -E '*.png' -E '*.jpg' -E '*.jpeg' -E '*.gif' | while read -r f; do
  echo "--- $f ---"
  cat -n "$f" | sed -n '1,260p'
done

Repository: parse-community/parse-server-s3-adapter

Length of output: 42850


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '== workflows =='
fd -t f .github/workflows

for f in .github/workflows/*; do
  [ -f "$f" ] || continue
  echo
  echo "=== $f ==="
  cat -n "$f" | sed -n '1,260p'
done

echo
echo '== search for Node version declarations =='
rg -n 'NODE_VERSION|node-version|22\.12|22\.13|22\.14|22\.15|22\.16|22\.17|22\.18|22\.19|22\.20|24\.11|20\.18|20\.19|engines' .github/workflows package.json package-lock.json -S

Repository: parse-community/parse-server-s3-adapter

Length of output: 567


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '== workflow files =='
git ls-files '.github/workflows/*' || true

for f in $(git ls-files '.github/workflows/*' || true); do
  echo
  echo "=== $f ==="
  cat -n "$f" | sed -n '1,260p'
done

echo
echo '== package-lock.json around line 13101 =='
sed -n '13085,13115p' package-lock.json | cat -n

echo
echo '== package-lock.json root package metadata =='
sed -n '1,120p' package-lock.json | cat -n

Repository: parse-community/parse-server-s3-adapter

Length of output: 10523


Raise the Node 22 baseline to 22.13.0 parse-server@9.9.0 now requires >=22.13.0, but this repo still pins 22.12.0 in package.json and .github/workflows/ci.yml. npm ci will fail on Node 22.12.x for the Parse Server 9 job and local installs; bump the Node 22 pin everywhere to 22.13.0+.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package-lock.json` at line 13101, Raise the Node 22 version pin from 22.12.0
to at least 22.13.0 in package.json and the CI configuration, ensuring all local
and workflow references use the updated baseline required by parse-server@9.9.0.

Comment thread package.json
"mongodb-runner": "6.7.3",
"nyc": "18.0.0",
"parse-server": "9.8.0",
"parse-server": "9.9.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest parse-server version on npm
curl -s https://registry.npmjs.org/parse-server | jq -r '.dist-tags.latest'

# Check GitHub security advisories for parse-server
gh api graphql -f query='
{
  securityVulnerabilities(first: 20, ecosystem: NPM, package: "parse-server") {
    nodes {
      advisory {
        summary
        severity
        ghsaId
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: parse-community/parse-server-s3-adapter

Length of output: 6415


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json parse-server context =="
nl -ba package.json | sed -n '1,120p' | rg -n '"parse-server"|devDependencies|dependencies|scripts' -n -C 2

echo
echo "== package-lock parse-server root entry =="
nl -ba package-lock.json | sed -n '1,80p' | rg -n '"parse-server"|devDependencies' -n -C 2

echo
echo "== npm registry latest + 9.9.x versions =="
python3 - <<'PY'
import json, urllib.request
url = "https://registry.npmjs.org/parse-server"
with urllib.request.urlopen(url, timeout=30) as r:
    data = json.load(r)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"].keys() if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-20:]))
PY

echo
echo "== GitHub advisories relevant to parse-server 9.9.0 =="
gh api graphql -f query='
{
  securityVulnerabilities(first: 50, ecosystem: NPM, package: "parse-server") {
    nodes {
      advisory {
        summary
        severity
        ghsaId
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}' | jq -r '
  .data.securityVulnerabilities.nodes[]
  | select(.vulnerableVersionRange | test(">= 9\\.0\\.0"))
  | [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
  | `@tsv`'

Repository: parse-community/parse-server-s3-adapter

Length of output: 253


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json parse-server context =="
awk 'NR>=1 && NR<=120 { printf "%6d  %s\n", NR, $0 }' package.json \
  | grep -n -C 2 -E '"parse-server"|devDependencies|dependencies|scripts' || true

echo
echo "== package-lock parse-server root entry =="
awk 'NR>=1 && NR<=90 { printf "%6d  %s\n", NR, $0 }' package-lock.json \
  | grep -n -C 2 -E '"parse-server"|devDependencies' || true

echo
echo "== npm registry latest + 9.9.x versions =="
python3 - <<'PY'
import json, urllib.request
url = "https://registry.npmjs.org/parse-server"
with urllib.request.urlopen(url, timeout=30) as r:
    data = json.load(r)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"].keys() if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-30:]))
PY

echo
echo "== GitHub advisories relevant to parse-server 9.9.0 =="
gh api graphql -f query='
{
  securityVulnerabilities(first: 50, ecosystem: NPM, package: "parse-server") {
    nodes {
      advisory {
        summary
        severity
        ghsaId
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}' | jq -r '
  .data.securityVulnerabilities.nodes[]
  | select(.vulnerableVersionRange | test(">= 9\\.0\\.0"))
  | [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
  | `@tsv`'

Repository: parse-community/parse-server-s3-adapter

Length of output: 4269


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== npm registry latest and recent 9.9.x versions =="
curl -ks https://registry.npmjs.org/parse-server \
  | python3 - <<'PY'
import json, sys
data = json.load(sys.stdin)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"] if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-30:]))
PY

echo
echo "== advisories that include 9.9.0 =="
gh api graphql -f query='
{
  securityVulnerabilities(first: 100, ecosystem: NPM, package: "parse-server") {
    nodes {
      advisory { ghsaId summary severity }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '
  .data.securityVulnerabilities.nodes[]
  | select(.vulnerableVersionRange | test("(^|, )>= 9\\.0\\.0|9\\.9\\.0|< 9\\.9\\.1"))
  | [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
  | `@tsv`'

Repository: parse-community/parse-server-s3-adapter

Length of output: 950


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== registry response probe =="
tmp=$(mktemp)
code=$(curl -k -sS -D /tmp/headers.txt -o "$tmp" -w '%{http_code}' https://registry.npmjs.org/parse-server || true)
echo "http_code=$code"
echo "-- headers --"
sed -n '1,20p' /tmp/headers.txt || true
echo "-- body head --"
head -c 500 "$tmp" | sed -n '1,5p' || true
echo
echo "body bytes:"
wc -c "$tmp" || true

echo
echo "== parse-server advisories from GraphQL =="
gh api graphql -f query='
{
  securityVulnerabilities(first: 100, ecosystem: NPM, package: "parse-server") {
    nodes {
      advisory { ghsaId summary severity }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}' | jq -r '
  .data.securityVulnerabilities.nodes[]
  | [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
  | `@tsv`' | sed -n '1,30p'

Repository: parse-community/parse-server-s3-adapter

Length of output: 5615


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== npm registry latest =="
curl -ks https://registry.npmjs.org/parse-server | jq -r '.["dist-tags"].latest'

echo
echo "== recent 9.9.x versions =="
curl -ks https://registry.npmjs.org/parse-server \
  | jq -r '.versions | keys[]' \
  | awk -F. '$1==9 && $2==9 {print}' \
  | sort -V \
  | tail -n 20

Repository: parse-community/parse-server-s3-adapter

Length of output: 473


Upgrade parse-server to 9.10.0
9.9.0 is still below the current npm release and falls into multiple advisory ranges, including high-severity DoS issues. Bump the devDependency and regenerate the lockfile so both entries move off the vulnerable line.

📍 Affects 2 files
  • package.json#L42-L42 (this comment)
  • package-lock.json#L32-L32
  • package-lock.json#L13048-L13050
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 42, Upgrade the parse-server devDependency from 9.9.0
to 9.10.0 in package.json, then regenerate package-lock.json so its root
dependency entry and resolved package entry both reference 9.10.0.

@mtrezza
mtrezza force-pushed the refactor/parse-server-9.9.0 branch from a005420 to 49a4565 Compare July 16, 2026 20:34
@mtrezza

mtrezza commented Jul 16, 2026

Copy link
Copy Markdown
Member Author

Superseded by #565, which bumps parse-server to 9.10.0.

@mtrezza mtrezza closed this Jul 16, 2026
@mtrezza
mtrezza deleted the refactor/parse-server-9.9.0 branch July 16, 2026 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant