parse-server

Parse Server for Node.js / Express

APACHE-2.0 License

Downloads: 105.2K
Stars: 20.6K
Committers: 341

parse-server - 5.3.0-alpha.30

Published by parseplatformorg about 2 years ago

5.3.0-alpha.30 (2022-10-17)

Features

parse-server - 5.3.0-alpha.29

Published by parseplatformorg about 2 years ago

5.3.0-alpha.29 (2022-10-15)

Bug Fixes

  • server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) [skip release] (#8238) (c03908f)

Features

parse-server - 4.10.17

Published by parseplatformorg about 2 years ago

4.10.17 (2022-10-15)

Bug Fixes

  • server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) (#8236) (3d7a61e)

parse-server - 5.2.8

Published by parseplatformorg about 2 years ago

5.2.8 (2022-10-14)

Bug Fixes

  • server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) (#8235) (066f296)

parse-server - 5.3.0-alpha.28

Published by parseplatformorg about 2 years ago

5.3.0-alpha.28 (2022-10-11)

Features

  • liveQuery support for unsorted distance queries (#8221) (0f763da)

parse-server - 5.3.0-alpha.27

Published by parseplatformorg about 2 years ago

5.3.0-alpha.27 (2022-09-29)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) [skip release] (#8187) (8c8ec71)
  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) [skip release] (#8180) (37fed30)

Features

  • add option to change the default value of the Parse.Query.limit() constraint (#8152) (0388956)

parse-server - 4.10.16

Published by parseplatformorg about 2 years ago

4.10.16 (2022-09-20)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8186) (b3e7939)

parse-server - 5.2.7

Published by parseplatformorg about 2 years ago

5.2.7 (2022-09-20)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)
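
An added example (not parse-server code) of a deployment-side check for the appIds misconfiguration described in the entry above, next to a strict comparison that rejects a string value. The function names, the auth.<adapter>.appIds layout of the sample object, and the substring-match root cause shown in looseMembership are assumptions made for illustration.

```javascript
// Added example, not parse-server code. All function names are hypothetical.
// Adapters the release note names as affected.
const AFFECTED_ADAPTERS = ['facebook', 'spotify'];

// Audit the `auth` section of a server configuration object (assumed layout).
// Returns one finding per adapter whose appIds is not an array of non-empty strings.
function auditAppIds(auth) {
  const findings = [];
  for (const name of AFFECTED_ADAPTERS) {
    const adapter = auth ? auth[name] : undefined;
    if (!adapter || adapter.appIds === undefined) continue; // not configured here
    const { appIds } = adapter;
    if (typeof appIds === 'string') {
      // Suggest the array form the release note gives as correct.
      findings.push({ adapter: name, issue: 'appIds is a string', fix: [appIds] });
    } else if (!Array.isArray(appIds)) {
      findings.push({ adapter: name, issue: 'appIds is not an array', fix: null });
    } else if (!appIds.every(id => typeof id === 'string' && id.length > 0)) {
      findings.push({ adapter: name, issue: 'appIds has a non-string or empty entry', fix: null });
    }
  }
  return findings;
}

// Assumed root cause (not taken from the project's source): a membership test
// written for arrays also runs on a string, where it matches substrings.
function looseMembership(appIds, candidate) {
  return appIds.includes(candidate);
}

// Hardened form: refuse anything that is not an array before comparing,
// then require an exact match against one configured ID.
function strictMembership(appIds, candidate) {
  if (!Array.isArray(appIds)) {
    throw new TypeError('appIds must be an array of strings');
  }
  return appIds.some(id => id === candidate);
}

// Constructed sample configuration (values are placeholders from the release note).
const sampleAuth = {
  facebook: { appIds: 'abc' },   // weak: string
  spotify: { appIds: ['abc'] },  // correct: array of strings
};
```

Running auditAppIds over the configuration object before it is passed to the server flags the string form and proposes the array form as the replacement.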

parse-server - 4.10.15

Published by parseplatformorg about 2 years ago

4.10.15 (2022-09-20)

Bug Fixes

  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8183) (7ca9ed0)

parse-server - 5.2.6

Published by parseplatformorg about 2 years ago

5.2.6 (2022-09-20)

Bug Fixes

  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8182) (6d0b2f5)

parse-server - 5.3.0-alpha.26

Published by parseplatformorg about 2 years ago

5.3.0-alpha.26 (2022-09-17)

Bug Fixes

  • sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)

parse-server - 5.3.0-alpha.25

Published by parseplatformorg about 2 years ago

5.3.0-alpha.25 (2022-09-17)

Bug Fixes

  • updating object includes unchanged keys in client response for certain key types (#8159) (37af1d7)

parse-server - 5.3.0-alpha.24

Published by parseplatformorg about 2 years ago

5.3.0-alpha.24 (2022-09-17)

Bug Fixes

  • query aggregation pipeline cannot handle value of type Date when directAccess: true (#8167) (e424137)

parse-server - 5.3.0-alpha.23

Published by parseplatformorg about 2 years ago

5.3.0-alpha.23 (2022-09-17)

Bug Fixes

  • liveQuery with containedIn not working when object field is an array (#8128) (1d9605b)

parse-server - 5.3.0-alpha.22

Published by parseplatformorg about 2 years ago

5.3.0-alpha.22 (2022-09-16)

Bug Fixes

  • brute force guessing of user sensitive data via search patterns (GHSA-2m6g-crv8-p3c6) (#8146) [skip release] (4c0c7c7)
  • push notifications badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)

parse-server - 4.10.14

Published by parseplatformorg about 2 years ago

4.10.14 (2022-09-02)

Bug Fixes

  • brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8143) (634c44a)

parse-server - 5.2.5

Published by parseplatformorg about 2 years ago

5.2.5 (2022-09-02)

Bug Fixes

  • brute force guessing of user sensitive data via search patterns; this fixes a security vulnerability in which internal and protected fields may be used as query constraints to guess the value of these fields and obtain sensitive data (GHSA-2m6g-crv8-p3c6) (#8144) (e39d51b)

parse-server - 5.3.0-alpha.21

Published by parseplatformorg about 2 years ago

5.3.0-alpha.21 (2022-08-05)

Bug Fixes

  • internal indices for classes _Idempotency and _Role are not protected in defined schema (#8121) (c16f529)

parse-server - 5.3.0-alpha.20

Published by parseplatformorg about 2 years ago

5.3.0-alpha.20 (2022-07-22)

Bug Fixes

  • security upgrade undici from 5.6.0 to 5.8.0 (#8108) (4aa016b)

parse-server - 5.3.0-alpha.19

Published by parseplatformorg over 2 years ago

5.3.0-alpha.19 (2022-07-03)

Bug Fixes

  • certificate in Apple Game Center auth adapter not validated [skip release] (#8058) (75af9a2)
  • graphQL query ignores condition equalTo with value false (#8032) (7f5a15d)
  • invalid file request not properly handled [skip release] (#8062) (4c9e956)
  • protected fields exposed via LiveQuery (GHSA-crrq-vr9j-fxxh) [skip release] (#8076) (9fd4516)