refactor: Bump parse-server from 9.8.0 to 9.9.0#559
Conversation
|
🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review. Tip
Note Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect. Caution Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code. |
|
Warning Review limit reached
Next review available in: 56 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe project upgrades ChangesParse Server dependency upgrade
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5 | ❌ 2❌ Failed checks (2 inconclusive)
✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #559 +/- ##
=======================================
Coverage 97.77% 97.77%
=======================================
Files 2 2
Lines 225 225
=======================================
Hits 220 220
Misses 5 5 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package-lock.json`:
- Line 13101: Raise the Node 22 version pin from 22.12.0 to at least 22.13.0 in
package.json and the CI configuration, ensuring all local and workflow
references use the updated baseline required by parse-server@9.9.0.
In `@package.json`:
- Line 42: Upgrade the parse-server devDependency from 9.9.0 to 9.10.0 in
package.json, then regenerate package-lock.json so its root dependency entry and
resolved package entry both reference 9.10.0.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 3f55a048-5e58-4cac-8a4a-70e054535c17
📒 Files selected for processing (2)
package-lock.jsonpackage.json
| }, | ||
| "engines": { | ||
| "node": ">=20.19.0 <21.0.0 || >=22.12.0 <23.0.0 || >=24.11.0 <25.0.0" | ||
| "node": ">=20.19.0 <21.0.0 || >=22.13.0 <23.0.0 || >=24.11.0 <25.0.0" |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check the project's declared Node.js version
fd -H -i '(^|\.)(nvmrc|tool-versions|node-version)$' -t f --max-depth 2
cat .nvmrc 2>/dev/null || echo "no .nvmrc found"
fd -H -i 'Dockerfile' -t f --max-depth 3 --exec sh -c 'grep -i "node" "$1" | head -5' _ {}
fd -H -i 'ci.yml' -t f .github/workflows --exec sh -c 'grep -i "node-version" "$1" | head -10' _ {}Repository: parse-community/parse-server-s3-adapter
Length of output: 244
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '== package.json =='
if [ -f package.json ]; then
cat -n package.json | sed -n '1,220p'
else
echo 'package.json not found'
fi
echo
echo '== package-lock.json (engine references) =='
rg -n '"node": ">=20\.19\.0 <21\.0\.0 \|\| >=22\.[0-9]+\.[0-9]+ <23\.0\.0 \|\| >=24\.[0-9]+\.[0-9]+ <25\.0\.0"|engine-strict|engines' package-lock.json package.json .github/workflows -n -S || true
echo
echo '== .github/workflows files =='
fd -H -t f .github/workflows -E '*.png' -E '*.jpg' -E '*.jpeg' -E '*.gif' | while read -r f; do
echo "--- $f ---"
cat -n "$f" | sed -n '1,260p'
doneRepository: parse-community/parse-server-s3-adapter
Length of output: 42850
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '== workflows =='
fd -t f .github/workflows
for f in .github/workflows/*; do
[ -f "$f" ] || continue
echo
echo "=== $f ==="
cat -n "$f" | sed -n '1,260p'
done
echo
echo '== search for Node version declarations =='
rg -n 'NODE_VERSION|node-version|22\.12|22\.13|22\.14|22\.15|22\.16|22\.17|22\.18|22\.19|22\.20|24\.11|20\.18|20\.19|engines' .github/workflows package.json package-lock.json -SRepository: parse-community/parse-server-s3-adapter
Length of output: 567
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '== workflow files =='
git ls-files '.github/workflows/*' || true
for f in $(git ls-files '.github/workflows/*' || true); do
echo
echo "=== $f ==="
cat -n "$f" | sed -n '1,260p'
done
echo
echo '== package-lock.json around line 13101 =='
sed -n '13085,13115p' package-lock.json | cat -n
echo
echo '== package-lock.json root package metadata =='
sed -n '1,120p' package-lock.json | cat -nRepository: parse-community/parse-server-s3-adapter
Length of output: 10523
Raise the Node 22 baseline to 22.13.0 parse-server@9.9.0 now requires >=22.13.0, but this repo still pins 22.12.0 in package.json and .github/workflows/ci.yml. npm ci will fail on Node 22.12.x for the Parse Server 9 job and local installs; bump the Node 22 pin everywhere to 22.13.0+.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package-lock.json` at line 13101, Raise the Node 22 version pin from 22.12.0
to at least 22.13.0 in package.json and the CI configuration, ensuring all local
and workflow references use the updated baseline required by parse-server@9.9.0.
| "mongodb-runner": "6.7.3", | ||
| "nyc": "18.0.0", | ||
| "parse-server": "9.8.0", | ||
| "parse-server": "9.9.0", |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check latest parse-server version on npm
curl -s https://registry.npmjs.org/parse-server | jq -r '.dist-tags.latest'
# Check GitHub security advisories for parse-server
gh api graphql -f query='
{
securityVulnerabilities(first: 20, ecosystem: NPM, package: "parse-server") {
nodes {
advisory {
summary
severity
ghsaId
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'Repository: parse-community/parse-server-s3-adapter
Length of output: 6415
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== package.json parse-server context =="
nl -ba package.json | sed -n '1,120p' | rg -n '"parse-server"|devDependencies|dependencies|scripts' -n -C 2
echo
echo "== package-lock parse-server root entry =="
nl -ba package-lock.json | sed -n '1,80p' | rg -n '"parse-server"|devDependencies' -n -C 2
echo
echo "== npm registry latest + 9.9.x versions =="
python3 - <<'PY'
import json, urllib.request
url = "https://registry.npmjs.org/parse-server"
with urllib.request.urlopen(url, timeout=30) as r:
data = json.load(r)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"].keys() if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-20:]))
PY
echo
echo "== GitHub advisories relevant to parse-server 9.9.0 =="
gh api graphql -f query='
{
securityVulnerabilities(first: 50, ecosystem: NPM, package: "parse-server") {
nodes {
advisory {
summary
severity
ghsaId
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}' | jq -r '
.data.securityVulnerabilities.nodes[]
| select(.vulnerableVersionRange | test(">= 9\\.0\\.0"))
| [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
| `@tsv`'Repository: parse-community/parse-server-s3-adapter
Length of output: 253
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== package.json parse-server context =="
awk 'NR>=1 && NR<=120 { printf "%6d %s\n", NR, $0 }' package.json \
| grep -n -C 2 -E '"parse-server"|devDependencies|dependencies|scripts' || true
echo
echo "== package-lock parse-server root entry =="
awk 'NR>=1 && NR<=90 { printf "%6d %s\n", NR, $0 }' package-lock.json \
| grep -n -C 2 -E '"parse-server"|devDependencies' || true
echo
echo "== npm registry latest + 9.9.x versions =="
python3 - <<'PY'
import json, urllib.request
url = "https://registry.npmjs.org/parse-server"
with urllib.request.urlopen(url, timeout=30) as r:
data = json.load(r)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"].keys() if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-30:]))
PY
echo
echo "== GitHub advisories relevant to parse-server 9.9.0 =="
gh api graphql -f query='
{
securityVulnerabilities(first: 50, ecosystem: NPM, package: "parse-server") {
nodes {
advisory {
summary
severity
ghsaId
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}' | jq -r '
.data.securityVulnerabilities.nodes[]
| select(.vulnerableVersionRange | test(">= 9\\.0\\.0"))
| [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
| `@tsv`'Repository: parse-community/parse-server-s3-adapter
Length of output: 4269
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== npm registry latest and recent 9.9.x versions =="
curl -ks https://registry.npmjs.org/parse-server \
| python3 - <<'PY'
import json, sys
data = json.load(sys.stdin)
print("latest:", data["dist-tags"]["latest"])
vers = sorted(v for v in data["versions"] if v.startswith("9.9."))
print("9.9.* versions:", ", ".join(vers[-30:]))
PY
echo
echo "== advisories that include 9.9.0 =="
gh api graphql -f query='
{
securityVulnerabilities(first: 100, ecosystem: NPM, package: "parse-server") {
nodes {
advisory { ghsaId summary severity }
vulnerableVersionRange
firstPatchedVersion { identifier }
}
}
}' | jq -r '
.data.securityVulnerabilities.nodes[]
| select(.vulnerableVersionRange | test("(^|, )>= 9\\.0\\.0|9\\.9\\.0|< 9\\.9\\.1"))
| [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
| `@tsv`'Repository: parse-community/parse-server-s3-adapter
Length of output: 950
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== registry response probe =="
tmp=$(mktemp)
code=$(curl -k -sS -D /tmp/headers.txt -o "$tmp" -w '%{http_code}' https://registry.npmjs.org/parse-server || true)
echo "http_code=$code"
echo "-- headers --"
sed -n '1,20p' /tmp/headers.txt || true
echo "-- body head --"
head -c 500 "$tmp" | sed -n '1,5p' || true
echo
echo "body bytes:"
wc -c "$tmp" || true
echo
echo "== parse-server advisories from GraphQL =="
gh api graphql -f query='
{
securityVulnerabilities(first: 100, ecosystem: NPM, package: "parse-server") {
nodes {
advisory { ghsaId summary severity }
vulnerableVersionRange
firstPatchedVersion { identifier }
}
}
}' | jq -r '
.data.securityVulnerabilities.nodes[]
| [.advisory.severity, .advisory.ghsaId, .advisory.summary, .vulnerableVersionRange, (.firstPatchedVersion.identifier // "")]
| `@tsv`' | sed -n '1,30p'Repository: parse-community/parse-server-s3-adapter
Length of output: 5615
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== npm registry latest =="
curl -ks https://registry.npmjs.org/parse-server | jq -r '.["dist-tags"].latest'
echo
echo "== recent 9.9.x versions =="
curl -ks https://registry.npmjs.org/parse-server \
| jq -r '.versions | keys[]' \
| awk -F. '$1==9 && $2==9 {print}' \
| sort -V \
| tail -n 20Repository: parse-community/parse-server-s3-adapter
Length of output: 473
Upgrade parse-server to 9.10.0
9.9.0 is still below the current npm release and falls into multiple advisory ranges, including high-severity DoS issues. Bump the devDependency and regenerate the lockfile so both entries move off the vulnerable line.
📍 Affects 2 files
package.json#L42-L42(this comment)package-lock.json#L32-L32package-lock.json#L13048-L13050
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 42, Upgrade the parse-server devDependency from 9.9.0
to 9.10.0 in package.json, then regenerate package-lock.json so its root
dependency entry and resolved package entry both reference 9.10.0.
a005420 to
49a4565
Compare
|
Superseded by #565, which bumps parse-server to 9.10.0. |
Bumps parse-server from 9.8.0 to 9.9.0.
parse-serveris a devDependency used only for running the test suite.Closes #550
Changes
parse-serverdevDependency from9.8.0to9.9.0(pinned exact) inpackage.jsonand updatepackage-lock.jsonaccordingly.rawValuesandrawFieldNamesoptions for aggregation queries parse-server#10438, feat: Add installation deviceToken deduplication options parse-server#10451 (features), plus routine bug fixes. Minor version, no API used by this adapter's tests is affected.Breaking Changes
None.
Code Changes Required
None.
Summary by CodeRabbit