Merge branch 'alpha' into fix-fields

Author: dblythy

.babelrc

@@ -6,8 +6,9 @@
     "presets": [
         ["@babel/preset-env", {
             "targets": {
-                "node": "14"
-            }
+                "node": "14", 
+            },
+            "exclude": ["proposal-dynamic-import"]
         }]
     ],
     "sourceMaps": "inline"

.eslintrc.json

@@ -5,13 +5,14 @@
         "node": true,
         "es6": true
     },
-    "parser": "babel-eslint",
+    "parser": "@babel/eslint-parser",
     "plugins": [
         "flowtype"
     ],
     "parserOptions": {
         "ecmaVersion": 6,
-        "sourceType": "module"
+        "sourceType": "module",
+        "requireConfigFile": false
     },
     "rules": {
         "indent": ["error", 2, { "SwitchCase": 1 }],

.github/workflows/ci.yml

@@ -70,6 +70,27 @@ jobs:
        - name: Install dependencies
          run: npm ci
        - run: npm run lint
+  check-definitions:
+     name: Check Definitions
+     timeout-minutes: 5
+     runs-on: ubuntu-18.04
+     steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.NODE_VERSION }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-
+      - name: Install dependencies
+        run: npm ci
+      - name: CI Definitions Check
+        run: npm run ci:definitionsCheck
   check-circular:
      name: Circular Dependencies
      timeout-minutes: 5
@@ -116,7 +137,7 @@ jobs:
       - name: Check NPM lock file version
         uses: mansona/npm-lockfile-version@v1
         with:
-          version: 1
+          version: 2
   check-mongo:
     strategy:
       matrix:

6.0.0.md

@@ -0,0 +1,63 @@
+# Parse Server 6 Migration Guide <!-- omit in toc -->
+
+This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 6 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+
+- [Import Statement](#import-statement)
+- [Asynchronous Initialization](#asynchronous-initialization)
+
+---
+
+## Import Statement
+
+The import and initialization syntax has been simplified with more intuitive naming and structure.
+
+*Parse Server 5:*
+```js
+// Returns a Parse Server instance
+const ParseServer = require('parse-server');
+
+// Returns a Parse Server express middleware
+const { ParseServer } = require('parse-server');
+```
+
+*Parse Server 6:*
+```js
+// Both return a Parse Server instance
+const ParseServer = require('parse-server');
+const { ParseServer } = require('parse-server');
+```
+
+To get the express middleware in Parse Server 6, configure the Parse Server instance, start Parse Server and use its `app` property. See [Asynchronous Initialization](#asynchronous-initialization) for more details.
+
+## Asynchronous Initialization
+
+Previously, it was possible to mount Parse Server before it was fully started up and ready to receive requests. This could result in undefined behavior, such as Parse Objects could be saved before Cloud Code was registered. To prevent this, Parse Server 6 requires to be started asynchronously before being mounted.
+
+*Parse Server 5:*
+```js
+// 1. Import Parse Server
+const { ParseServer } = require('parse-server');
+
+// 2. Create a Parse Server instance as express middleware
+const server = new ParseServer(config);
+
+// 3. Mount express middleware
+app.use("/parse", server);
+```
+
+*Parse Server 6:*
+```js
+// 1. Import Parse Server
+const ParseServer = require('parse-server');
+
+// 2. Create a Parse Server instance
+const server = new ParseServer(config);
+
+// 3. Start up Parse Server asynchronously
+await server.start();
+
+// 4. Mount express middleware
+app.use("/parse", server.app);
+```

CONTRIBUTING.md

@@ -32,6 +32,7 @@
 - [Merging](#merging)
   - [Breaking Change](#breaking-change-1)
   - [Reverting](#reverting)
+  - [Security Vulnerability](#security-vulnerability)
 - [Releasing](#releasing)
   - [General Considerations](#general-considerations)
   - [Major Release / Long-Term-Support](#major-release--long-term-support)
@@ -451,6 +452,24 @@ If the commit reverts a previous commit, use the prefix `revert:`, followed by t
   This reverts commit 1234567890abcdef.
   ```
 
+### Security Vulnerability
+
+#### Local Testing
+
+Fixes for securify vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerabilty are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
+
+- `npm run test` (MongoDB)
+- `npm run test` (Postgres)
+- `npm run madge:circular` (circular dependencies)
+- `npm run lint` (Lint)
+- `npm run definitions` (Parse Server options definitions)
+
+#### Merging
+
+A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerabilty. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
+
+This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hiting to a vulnerabilty or giving any details about the vulnerabilty, until the pull request has been successfully merged.
+
 ## Releasing
 
 ### General Considerations

README.md

@@ -40,7 +40,7 @@ A big *thank you* 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
 
 ---
 
-- [Flavors & Branches](#flavors--branches)
+- [Flavors \& Branches](#flavors--branches)
   - [Long Term Support](#long-term-support)
 - [Getting Started](#getting-started)
   - [Running Parse Server](#running-parse-server)
@@ -55,6 +55,8 @@ A big *thank you* 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
   - [Running Parse Server elsewhere](#running-parse-server-elsewhere)
     - [Sample Application](#sample-application)
     - [Parse Server + Express](#parse-server--express)
+  - [Parse Server Health](#parse-server-health)
+    - [Status Values](#status-values)
 - [Configuration](#configuration)
   - [Basic Options](#basic-options)
   - [Client Key Options](#client-key-options)
@@ -136,13 +138,13 @@ Parse Server is continuously tested with the most recent releases of Node.js to
 
 Parse Server is continuously tested with the most recent releases of MongoDB to ensure compatibility. We follow the [MongoDB support schedule](https://www.mongodb.com/support-policy) and [MongoDB lifecycle schedule](https://www.mongodb.com/support-policy/lifecycles) and only test against versions that are officially supported and have not reached their end-of-life date. We consider the end-of-life date of a MongoDB "rapid release" to be the same as its major version release.
 
-| Version     | Latest Version | End-of-Life   | Compatible   |
-|-------------|----------------|---------------|--------------|
-| MongoDB 4.0 | 4.0.28         | April 2022    | ✅ Yes        |
-| MongoDB 4.2 | 4.2.19         | April 2023    | ✅ Yes        |
-| MongoDB 4.4 | 4.4.13         | February 2024 | ✅ Yes        |
-| MongoDB 5   | 5.3.2          | October 2024  | ✅ Yes        |
-| MongoDB 6   | 6.0.2          | July 2025     | ✅ Yes        |
+| Version     | Latest Version | End-of-Life   | Compatible |
+|-------------|----------------|---------------|------------|
+| MongoDB 4.0 | 4.0.28         | April 2022    | ✅ Yes      |
+| MongoDB 4.2 | 4.2.19         | April 2023    | ✅ Yes      |
+| MongoDB 4.4 | 4.4.13         | February 2024 | ✅ Yes      |
+| MongoDB 5   | 5.3.2          | October 2024  | ✅ Yes      |
+| MongoDB 6   | 6.0.2          | July 2025     | ✅ Yes      |
 
 #### PostgreSQL
 
@@ -282,11 +284,11 @@ We have provided a basic [Node.js application](https://github.com/parse-communit
 You can also create an instance of Parse Server, and mount it on a new or existing Express website:
 
 ```js
-var express = require('express');
-var ParseServer = require('parse-server').ParseServer;
-var app = express();
+const express = require('express');
+const ParseServer = require('parse-server').ParseServer;
+const app = express();
 
-var api = new ParseServer({
+const server = new ParseServer({
   databaseURI: 'mongodb://localhost:27017/dev', // Connection string for your MongoDB database
   cloud: './cloud/main.js', // Path to your Cloud Code
   appId: 'myAppId',
@@ -295,8 +297,11 @@ var api = new ParseServer({
   serverURL: 'http://localhost:1337/parse' // Don't forget to change to https if needed
 });
 
+// Start server
+await server.start();
+
 // Serve the Parse API on the /parse URL prefix
-app.use('/parse', api);
+app.use('/parse', server.app);
 
 app.listen(1337, function() {
   console.log('parse-server-example running on port 1337.');
@@ -305,6 +310,27 @@ app.listen(1337, function() {
 
 For a full list of available options, run `parse-server --help` or take a look at [Parse Server Configurations](http://parseplatform.org/parse-server/api/master/ParseServerOptions.html).
 
+## Parse Server Health
+
+Check the Parse Server health by sending a request to the `/parse/health` endpoint.
+
+The response looks like this:
+
+```json
+{
+  "status": "ok"
+}
+```
+
+### Status Values
+
+| Value         | Description                                                                 |
+|---------------|-----------------------------------------------------------------------------|
+| `initialized` | The server has been created but the `start` method has not been called yet. |
+| `starting`    | The server is starting up.                                                  |
+| `ok`          | The server started and is running.                                          |
+| `error`       | There was a startup error, see the logs for details.                        |
+
 # Configuration
 
 Parse Server can be configured using the following options. You may pass these as parameters when running a standalone `parse-server`, or by loading a configuration file in JSON format using `parse-server path/to/configuration.json`. If you're using Parse Server on Express, you may also pass these to the `ParseServer` object as options.
@@ -461,7 +487,7 @@ The following paths are already used by Parse Server's built-in features and are
 It’s possible to change the default pages of the app and redirect the user to another path or domain.
 
 ```js
-var server = ParseServer({
+const server = ParseServer({
   ...otherOptions,
 
   customPages: {
@@ -851,7 +877,7 @@ Then, create an `index.js` file with the following content:
 
 ```js
 const express = require('express');
-const { default: ParseServer, ParseGraphQLServer } = require('parse-server');
+const { ParseServer, ParseGraphQLServer } = require('parse-server');
 
 const app = express();
 
@@ -875,6 +901,7 @@ app.use('/parse', parseServer.app); // (Optional) Mounts the REST API
 parseGraphQLServer.applyGraphQL(app); // Mounts the GraphQL API
 parseGraphQLServer.applyPlayground(app); // (Optional) Mounts the GraphQL Playground - do NOT use in Production
 
+await parseServer.start();
 app.listen(1337, function() {
   console.log('REST API running on http://localhost:1337/parse');
   console.log('GraphQL API running on http://localhost:1337/graphql');

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,46 @@
+# [6.0.0-alpha.17](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.16...6.0.0-alpha.17) (2022-12-22)
+
+
+### Features
+
+* Upgrade Node Package Manager lock file `package-lock.json` to version 2 ([#8285](https://github.com/parse-community/parse-server/issues/8285)) ([ee72467](https://github.com/parse-community/parse-server/commit/ee7246733d63e4bda20401f7b00262ff03299f20))
+
+
+### BREAKING CHANGES
+
+* The Node Package Manager lock file `package-lock.json` is upgraded to version 2; while it is backwards with version 1 for the npm installer, consider this if you run any non-npm analysis tools that use the lock file (#8285) ([ee72467](ee72467))
+
+# [6.0.0-alpha.16](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.15...6.0.0-alpha.16) (2022-12-21)
+
+
+### Features
+
+* Asynchronous initialization of Parse Server ([#8232](https://github.com/parse-community/parse-server/issues/8232)) ([99fcf45](https://github.com/parse-community/parse-server/commit/99fcf45e55c368de2345b0c4d780e70e0adf0e15))
+
+
+### BREAKING CHANGES
+
+* This release introduces the asynchronous initialization of Parse Server to prevent mounting Parse Server before being ready to receive request; it changes how Parse Server is imported, initialized and started; it also removes the callback `serverStartComplete`; see the [Parse Server 6 migration guide](https://github.com/parse-community/parse-server/blob/alpha/6.0.0.md) for more details (#8232) ([99fcf45](99fcf45))
+
+# [6.0.0-alpha.15](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.14...6.0.0-alpha.15) (2022-12-20)
+
+
+### Bug Fixes
+
+* Nested objects are encoded incorrectly for MongoDB ([#8209](https://github.com/parse-community/parse-server/issues/8209)) ([1412666](https://github.com/parse-community/parse-server/commit/1412666f75829612de6fb9d7ccae35761c9b75cb))
+
+
+### BREAKING CHANGES
+
+* Nested objects are now properly stored in the database using JSON serialization; previously, due to a bug only top-level objects were serialized, but nested objects were saved as raw JSON; for example, a nested `Date` object was saved as a JSON object like `{ "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" }` instead of its serialized representation `2020-01-01T00:00:00.000Z` (#8209) ([1412666](1412666))
+
+# [6.0.0-alpha.14](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.13...6.0.0-alpha.14) (2022-12-16)
+
+
+### Features
+
+* Write log entry when request with master key is rejected as outside of `masterKeyIps` ([#8350](https://github.com/parse-community/parse-server/issues/8350)) ([e22b73d](https://github.com/parse-community/parse-server/commit/e22b73d4b700c8ff745aa81726c6680082294b45))
+
 # [6.0.0-alpha.13](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.12...6.0.0-alpha.13) (2022-12-07)
 
 

ci/definitionsCheck.js

@@ -0,0 +1,39 @@
+const fs = require('fs').promises;
+const { exec } = require('child_process');
+const core = require('@actions/core');
+const { nextTick } = require('process');
+const { AbortController } = require("node-abort-controller");
+(async () => {
+  const [currentDefinitions, currentDocs] = await Promise.all([
+    fs.readFile('./src/Options/Definitions.js', 'utf8'),
+    fs.readFile('./src/Options/docs.js', 'utf8'),
+  ]);
+  exec('npm run definitions');
+  const ac = new AbortController();
+  const { signal } = ac;
+  const watcher = fs.watch('./src/Options/docs.js', {signal});
+  let i = 0;
+  // eslint-disable-next-line
+  for await (const _ of watcher) {
+    i++;
+    if (i === 3) {
+      ac.abort();
+      break;
+    }
+  }
+  await new Promise(resolve => nextTick(resolve));
+  const [newDefinitions, newDocs] = await Promise.all([
+    fs.readFile('./src/Options/Definitions.js', 'utf8'),
+    fs.readFile('./src/Options/docs.js', 'utf8'),
+  ]);
+  if (currentDefinitions !== newDefinitions || currentDocs !== newDocs) {
+    console.error(
+      '\x1b[31m%s\x1b[0m',
+      'Definitions files cannot be updated manually. Please update src/Options/index.js then run `npm run definitions` to generate definitions.'
+    );
+    core.error('Definitions files cannot be updated manually. Please update src/Options/index.js then run `npm run definitions` to generate definitions.');
+    process.exit(1);
+  } else {
+    process.exit(0);
+  }
+})();