Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern ^[^hH][^tT][^mM][^lL]?$, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to ['.*'] (#8537) (196e05f)
The client IP address may be determined incorrectly in some cases; it is now required to set the Parse Server option trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8369) (e016d81)
This version was pushed to npm by parseadmin, a new releaser for parse-server since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/josephfrazier/reported-web/network/alerts).
dependabot[bot]
commented
1 year ago
Bumps parse-server from 2.8.4 to 5.5.2.
Release notes
Sourced from parse-server's releases.
... (truncated)
Commits
e6374e7chore(release): 5.5.2 [skip ci]5fad292fix: Remote code execution via MongoDB BSON parser through prototype pollutio...a036071refactor: Upgrade semver from 7.3.8 to 7.5.1 (#8606)f5c6b3erefactor: Upgrade body-parser from 1.20.1 to 1.20.2 (#8607)733dc29refactor: Upgrade winston from 3.8.1 to 3.8.2 (#8609)e13f7bbrefactor: Upgrade express from 4.18.1 to 4.18.2 (#8600)81d51f3refactor: Upgrade ws from 8.9.0 to 8.13.0 (#8567)c83b343chore(release): 5.5.1 [skip ci]8e83cacfix: Security upgrade@parse/push-adapterfrom 4.1.2 to 4.1.3 (#8571)d8bff57refactor: Upgrade@graphql-tools/mergefrom 8.3.17 to 8.4.1 (#8555)Maintainer changes
This version was pushed to npm by parseadmin, a new releaser for parse-server since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/josephfrazier/reported-web/network/alerts).