Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
# [5.3.0](5.2.8...5.3.0) (2022-10-29) ### Bug Fixes * afterSave trigger removes pointer in Parse object ([#7913](#7913)) ([47d796e](47d796e)) * authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for *Facebook* or *Spotify* and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](GHSA-r657-33vp-gp22)) [skip release] ([#8188](#8188)) ([1a2b1b9](1a2b1b9)) * auto-release process may fail if optional back-merging task fails ([#8051](#8051)) ([cf925e7](cf925e7)) * brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) ([#8145](#8145)) [skip release] ([f0db4ca](f0db4ca)) * certificate in Apple Game Center auth adapter not validated [skip release] ([#8055](#8055)) ([4c2aa63](4c2aa63)) * custom database options are not passed to MongoDB GridFS ([#7911](#7911)) ([b1e5565](b1e5565)) * depreciate allowClientClassCreation defaulting to true ([#7925](#7925)) ([38ed96a](38ed96a)) * errors in GraphQL do not show the original error but a general `Unexpected Error` ([#8045](#8045)) ([0d81887](0d81887)) * interrupted WebSocket connection not closed by LiveQuery server ([#8012](#8012)) ([2d5221e](2d5221e)) * invalid file request not properly handled [skip release] ([#8061](#8061)) ([1a04a34](1a04a34)) * live query role cache does not clear when a user is added to a role ([#8026](#8026)) ([199dfc1](199dfc1)) * peer dependency mismatch for GraphQL dependencies ([#7934](#7934)) ([0a6faa8](0a6faa8)) * protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] ([#8075](#8075)) ([636d16e](636d16e)) * return correct response when revert is used in beforeSave ([#7839](#7839)) ([19900fc](19900fc)) * security upgrade @parse/fs-files-adapter from 1.2.1 to 1.2.2 ([#7948](#7948)) ([3a70fda](3a70fda)) * security upgrade moment from 2.29.1 to 2.29.2 ([#7931](#7931)) ([731c550](731c550)) * security upgrade parse push adapter from 4.1.0 to 4.1.2 ([#7893](#7893)) ([93667b4](93667b4)) * server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](GHSA-h423-w6qv-2wj3)) [skip release] ([#8237](#8237)) ([4c1befa](4c1befa)) * session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects ([GHSA-6w4q-23cf-j9jp](GHSA-6w4q-23cf-j9jp)) [skip release] ([#8181](#8181)) ([83cdc89](83cdc89)) * websocket connection of LiveQuery interrupts frequently ([#8048](#8048)) ([03caae1](03caae1)) ### Features * add MongoDB 5.1 compatibility ([#7682](#7682)) ([022a856](022a856)) * add MongoDB 5.2 support ([#7894](#7894)) ([5bfa716](5bfa716)) * add support for Node 17 and 18 ([#7896](#7896)) ([3e9f292](3e9f292)) * align file trigger syntax with class trigger; use the new syntax `Parse.Cloud.beforeSave(Parse.File, (request) => {})`, the old syntax `Parse.Cloud.beforeSaveFile((request) => {})` has been deprecated ([#7966](#7966)) ([c6dcad8](c6dcad8)) * replace GraphQL Apollo with GraphQL Yoga ([#7967](#7967)) ([1aa2204](1aa2204)) * selectively enable / disable default authentication adapters ([#7953](#7953)) ([c1e808f](c1e808f)) * upgrade mongodb from 4.4.1 to 4.5.0 ([#7991](#7991)) ([e692b5d](e692b5d)) ### Performance Improvements * reduce database operations when using the constant parameter in Cloud Function validation ([#7892](#7892)) ([041197f](041197f))
- Loading branch information
1 parent
2549540
commit 12e174b