Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) #7508
⚠️ This includes a security fix of the Parse JS SDK where logIn will default to POST instead of GET method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.
⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:
We have since deleted the incorrect version tags, but they may still show up in your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.
You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.
If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.GHSA-593v-wcqx-hq2w
SECURITY FIX: Fixes incorrect session property authProvider: password of anonymous users. When signing up an anonymous user, the session field createdWith indicates incorrectly that the session has been created using username and password with authProvider: password, instead of an anonymous sign-up with authProvider: anonymous. This fixes the issue by setting the correct authProvider: anonymous for future sign-ups of anonymous users. This fix does not fix incorrect authProvider: password for existing sessions of anonymous users. Consider this if your app logic depends on the authProvider field. (Corey Baker) GHSA-23r4-5mxp-c7g5
FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. #7023. Thanks to dblythy.
FIX: Properly handle serverURL and publicServerUrl in Batch requests. #7049. Thanks to Zach Goldberg.
IMPROVE: Prevent invalid column names (className and length). #7053. Thanks to Diamond Lewis.
IMPROVE: GraphQL: Remove viewer from logout mutation. #7029. Thanks to Antoine Cormouls.
Updated to Parse JS SDK 3.3.0 and other security fixes (Manuel Trezza) #7508
⚠️ This includes a security fix of the Parse JS SDK where logIn will default to POST instead of GET method. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.
⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:
We have since deleted the incorrect version tags, but they may still show up if your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.
You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server.
If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0.
SECURITY FIX: Fixes incorrect session property authProvider: password of anonymous users. When signing up an anonymous user, the session field createdWith indicates incorrectly that the session has been created using username and password with authProvider: password, instead of an anonymous sign-up with authProvider: anonymous. This fixes the issue by setting the correct authProvider: anonymous for future sign-ups of anonymous users. This fix does not fix incorrect authProvider: password for existing sessions of anonymous users. Consider this if your app logic depends on the authProvider field. (Corey Baker) GHSA-23r4-5mxp-c7g5
4.5.1
This version was published by mistake and was deprecated.
FIX: Consistent casing for afterLiveQueryEvent. The afterLiveQueryEvent was introduced in 4.4.0 with inconsistent casing for the event names, which was fixed in 4.5.0. #7023. Thanks to dblythy.
This version was pushed to npm by parseadmin, a new releaser for parse-server since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/gnu-lorien/yorick/network/alerts).
Bumps parse-server from 2.2.21 to 4.10.3.
Release notes
Sourced from parse-server's releases.
... (truncated)
Changelog
Sourced from parse-server's changelog.
... (truncated)
Commits
c71ae7d
chore(release): 4.10.3 (#7538)6ae5835
Merge pull request from GHSA-xqp8-w826-hh6x0bfa6b7
Release 4.10.2 (#7513)0be0b87
bump versionf3133ac
Release 4.10.1 (#7508)7e1da90
added changelog0e3cae5
audit fixf0d5232
bumped versiona3483d8
fix changelog skip 4.5.13c42584
4.5.2Maintainer changes
This version was pushed to npm by parseadmin, a new releaser for parse-server since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/gnu-lorien/yorick/network/alerts).