parse-community
diff --git a/‎.babelrc
Lines changed: 3 additions & 2 deletions b/‎.babelrc
Lines changed: 3 additions & 2 deletions
diff --git a/‎.eslintrc.json
Lines changed: 3 additions & 2 deletions b/‎.eslintrc.json
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/pull_request_template.md
Lines changed: 1 addition & 2 deletions b/‎.github/pull_request_template.md
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/ci.yml
Lines changed: 49 additions & 55 deletions b/‎.github/workflows/ci.yml
Lines changed: 49 additions & 55 deletions
diff --git a/‎.github/workflows/release-automated.yml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/release-automated.yml
Lines changed: 3 additions & 3 deletions
diff --git a/‎6.0.0.md
Lines changed: 63 additions & 0 deletions b/‎6.0.0.md
Lines changed: 63 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md
Lines changed: 19 additions & 0 deletions b/‎CONTRIBUTING.md
Lines changed: 19 additions & 0 deletions
diff --git a/‎DEPRECATIONS.md
Lines changed: 4 additions & 3 deletions b/‎DEPRECATIONS.md
Lines changed: 4 additions & 3 deletions
@@ -6,8 +6,9 @@
     "presets": [
         ["@babel/preset-env", {
             "targets": {
-                "node": "12"
-            }
+                "node": "14", 
+            },
+            "exclude": ["proposal-dynamic-import"]
         }]
     ],
     "sourceMaps": "inline"
 
@@ -5,13 +5,14 @@
         "node": true,
         "es6": true
     },
-    "parser": "babel-eslint",
+    "parser": "@babel/eslint-parser",
     "plugins": [
         "flowtype"
     ],
     "parserOptions": {
         "ecmaVersion": 6,
-        "sourceType": "module"
+        "sourceType": "module",
+        "requireConfigFile": false
     },
     "rules": {
         "indent": ["error", 2, { "SwitchCase": 1 }],
 
@@ -11,7 +11,7 @@
 ### Issue Description
 <!-- Add a brief description of the issue this PR solves. -->
 
-Related issue: FILL_THIS_OUT
+Closes: FILL_THIS_OUT
 
 ### Approach
 <!-- Add a description of the approach in this PR. -->
@@ -26,4 +26,3 @@ Related issue: FILL_THIS_OUT
 - [ ] Add changes to documentation (guides, repository pages, in-code descriptions)
 - [ ] Add [security check](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#security-checks)
 - [ ] Add new Parse Error codes to Parse JS SDK <!-- no hard-coded error codes in Parse Server -->
-- [x] A changelog entry is created automatically using the pull request title (do not manually add a changelog entry)
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ release, alpha, beta ]
 env:
-  NODE_VERSION: 18.1.0
+  NODE_VERSION: 18.12.1
   PARSE_SERVER_TEST_TIMEOUT: 20000
 jobs:
   check-code-analysis:
@@ -32,7 +32,7 @@ jobs:
   check-ci:
     name: Node Engine Check
     timeout-minutes: 15
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - name: Use Node.js ${{ matrix.NODE_VERSION }}
@@ -53,7 +53,7 @@ jobs:
   check-lint:
      name: Lint
      timeout-minutes: 15
-     runs-on: ubuntu-20.04
+     runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v2
        - name: Use Node.js ${{ matrix.NODE_VERSION }}
@@ -70,10 +70,31 @@ jobs:
        - name: Install dependencies
          run: npm ci
        - run: npm run lint
+  check-definitions:
+     name: Check Definitions
+     timeout-minutes: 5
+     runs-on: ubuntu-18.04
+     steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.NODE_VERSION }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Cache Node.js modules
+        uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-
+      - name: Install dependencies
+        run: npm ci
+      - name: CI Definitions Check
+        run: npm run ci:definitionsCheck
   check-circular:
      name: Circular Dependencies
      timeout-minutes: 5
-     runs-on: ubuntu-20.04
+     runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v2
        - name: Use Node.js ${{ matrix.NODE_VERSION }}
@@ -93,7 +114,7 @@ jobs:
   check-docker:
     name: Docker Build
     timeout-minutes: 15
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
@@ -110,77 +131,50 @@ jobs:
   check-lock-file-version:
     name: NPM Lock File Version
     timeout-minutes: 5
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - name: Check NPM lock file version
         uses: mansona/npm-lockfile-version@v1
         with:
-          version: 1
+          version: 2
   check-mongo:
     strategy:
       matrix:
         include:
-          - name: MongoDB 4.0, Standalone, MMAPv1
-            MONGODB_VERSION: 4.0.28
-            MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: mmapv1
-            NODE_VERSION: 18.1.0
-          - name: MongoDB 4.0, ReplicaSet, WiredTiger
-            MONGODB_VERSION: 4.0.28
-            MONGODB_TOPOLOGY: replicaset
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
-          - name: MongoDB 4.2, ReplicaSet, WiredTiger
+          - name: MongoDB 4.2, ReplicaSet
             MONGODB_VERSION: 4.2.19
             MONGODB_TOPOLOGY: replicaset
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
-          - name: MongoDB 4.4, ReplicaSet, WiredTiger
+            NODE_VERSION: 18.12.1
+          - name: MongoDB 4.4, ReplicaSet
             MONGODB_VERSION: 4.4.13
             MONGODB_TOPOLOGY: replicaset
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
-          - name: MongoDB 5, ReplicaSet, WiredTiger
+            NODE_VERSION: 18.12.1
+          - name: MongoDB 5, ReplicaSet
             MONGODB_VERSION: 5.3.2
             MONGODB_TOPOLOGY: replicaset
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
-          - name: MongoDB 6, ReplicaSet, WiredTiger
+            NODE_VERSION: 18.12.1
+          - name: MongoDB 6, ReplicaSet
             MONGODB_VERSION: 6.0.2
             MONGODB_TOPOLOGY: replicaset
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: Redis Cache
             PARSE_SERVER_TEST_CACHE: redis
             MONGODB_VERSION: 4.4.13
             MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 18.1.0
-          - name: Node 12
-            MONGODB_VERSION: 4.4.13
-            MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 12.22.11
+            NODE_VERSION: 18.12.1
           - name: Node 14
             MONGODB_VERSION: 4.4.13
             MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 14.19.1
+            NODE_VERSION: 14.21.1
           - name: Node 16
             MONGODB_VERSION: 4.4.13
             MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 16.14.2
-          - name: Node 17
-            MONGODB_VERSION: 4.4.13
-            MONGODB_TOPOLOGY: standalone
-            MONGODB_STORAGE_ENGINE: wiredTiger
-            NODE_VERSION: 17.9.0
+            NODE_VERSION: 16.18.1
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     services:
       redis:
         image: redis
@@ -220,32 +214,32 @@ jobs:
         include:
           - name: PostgreSQL 11, PostGIS 3.0
             POSTGRES_IMAGE: postgis/postgis:11-3.0
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 11, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:11-3.1
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 11, PostGIS 3.2
             POSTGRES_IMAGE: postgis/postgis:11-3.2
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 11, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:11-3.3
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 12, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:12-3.3
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 13, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:13-3.3
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 14, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:14-3.3
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
           - name: PostgreSQL 15, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:15-3.3
-            NODE_VERSION: 18.1.0
+            NODE_VERSION: 18.12.1
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     services:
       redis:
         image: redis
 
@@ -1,7 +1,7 @@
 name: release-automated
 on:
   push:
-    branches: [ release, alpha, beta, next-major ]
+    branches: [ release, alpha, beta, next-major, 'release-[0-9]+.x.x' ]
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v2
         with:
-          node-version: 14
+          node-version: 18.1.0
           registry-url: https://registry.npmjs.org/
       - name: Cache Node.js modules
         uses: actions/cache@v2
@@ -93,7 +93,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: 14
+          node-version: 18.1.0
       - name: Cache Node.js modules
         uses: actions/cache@v2
         with:
 
@@ -0,0 +1,63 @@
+# Parse Server 6 Migration Guide <!-- omit in toc -->
+
+This document only highlights specific changes that require a longer explanation. For a full list of changes in Parse Server 6 please refer to the [changelog](https://github.com/parse-community/parse-server/blob/alpha/CHANGELOG.md).
+
+---
+
+- [Import Statement](#import-statement)
+- [Asynchronous Initialization](#asynchronous-initialization)
+
+---
+
+## Import Statement
+
+The import and initialization syntax has been simplified with more intuitive naming and structure.
+
+*Parse Server 5:*
+```js
+// Returns a Parse Server instance
+const ParseServer = require('parse-server');
+
+// Returns a Parse Server express middleware
+const { ParseServer } = require('parse-server');
+```
+
+*Parse Server 6:*
+```js
+// Both return a Parse Server instance
+const ParseServer = require('parse-server');
+const { ParseServer } = require('parse-server');
+```
+
+To get the express middleware in Parse Server 6, configure the Parse Server instance, start Parse Server and use its `app` property. See [Asynchronous Initialization](#asynchronous-initialization) for more details.
+
+## Asynchronous Initialization
+
+Previously, it was possible to mount Parse Server before it was fully started up and ready to receive requests. This could result in undefined behavior, such as Parse Objects could be saved before Cloud Code was registered. To prevent this, Parse Server 6 requires to be started asynchronously before being mounted.
+
+*Parse Server 5:*
+```js
+// 1. Import Parse Server
+const { ParseServer } = require('parse-server');
+
+// 2. Create a Parse Server instance as express middleware
+const server = new ParseServer(config);
+
+// 3. Mount express middleware
+app.use("/parse", server);
+```
+
+*Parse Server 6:*
+```js
+// 1. Import Parse Server
+const ParseServer = require('parse-server');
+
+// 2. Create a Parse Server instance
+const server = new ParseServer(config);
+
+// 3. Start up Parse Server asynchronously
+await server.start();
+
+// 4. Mount express middleware
+app.use("/parse", server.app);
+```
@@ -32,6 +32,7 @@
 - [Merging](#merging)
   - [Breaking Change](#breaking-change-1)
   - [Reverting](#reverting)
+  - [Security Vulnerability](#security-vulnerability)
 - [Releasing](#releasing)
   - [General Considerations](#general-considerations)
   - [Major Release / Long-Term-Support](#major-release--long-term-support)
@@ -451,6 +452,24 @@ If the commit reverts a previous commit, use the prefix `revert:`, followed by t
   This reverts commit 1234567890abcdef.
   ```
 
+### Security Vulnerability
+
+#### Local Testing
+
+Fixes for securify vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerabilty are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
+
+- `npm run test` (MongoDB)
+- `npm run test` (Postgres)
+- `npm run madge:circular` (circular dependencies)
+- `npm run lint` (Lint)
+- `npm run definitions` (Parse Server options definitions)
+
+#### Merging
+
+A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerabilty. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
+
+This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hiting to a vulnerabilty or giving any details about the vulnerabilty, until the pull request has been successfully merged.
+
 ## Releasing
 
 ### General Considerations
 
@@ -5,12 +5,13 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | ID     | Change                                          | Issue                                                                | Deprecation [ℹ️][i_deprecation] | Planned Removal [ℹ️][i_removal] | Status [ℹ️][i_status] | Notes |
 |--------|-------------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------|
 | DEPPS1 | Native MongoDB syntax in aggregation pipeline   | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
-| DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
-| DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
-| DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
+| DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
+| DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
+| DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 | DEPPS7 | Remove file trigger syntax `Parse.Cloud.beforeSaveFile((request) => {})` | [#7966](https://github.com/parse-community/parse-server/pull/7966)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
+| DEPPS8 | Login with expired 3rd party authentication token defaults to `false` | [#7079](https://github.com/parse-community/parse-server/pull/7079)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 
 [i_deprecation]: ## "The version and date of the deprecation."
 [i_removal]: ## "The version and date of the planned removal."