chore(deps): update dependency parse to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
parse (source)	^1.11.0 -> ^7.0.0
parse (source)	1.11.0 -> 7.0.0

GitHub Vulnerability Alerts

GHSA-wvh7-5p38-2qfc

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

Example Code:

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.

Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0

CVE-2025-62374

Summary

Prototype pollution capabilities on various APIs.

Details

Injection of malicious payload allows attacker to remotely execute arbitrary code. Parse.Object and internal APIs are affected, specifically:

• ParseObject.fromJSON
• ParseObject.pin
• ParseObject.registerSubclass
• ObjectStateMutations (internal)
• encode/decode (internal)

PoC

Demonstrative tests added as part of the fix.

References

• GHSA-9f2h-7v79-mxw3
• Patch https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1

CVE-2025-57324

parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

---

Release Notes

parse-community/Parse-SDK-JS (parse)

v7.0.0

Compare Source

[!CAUTION]
We recommend to skip this release as it contains a bug that introduces a breaking change in the format of Parse Server 5xx responses. The issue has been fixed in 7.0.1.

Bug Fixes

• Prototype Pollution vulnerability in SingleInstanceStateController; fixes security vulnerability GHSA-9g8m-v378-pcg3 (#​2745) (9e7c1ba)
• HTTP status code 3XX redirection for Parse Server URL not handled properly (#​2608) (58e7f58)
• Incorrect type in ParseObject.fetch parameter options (#​2726) (dc78419)
• Missing error message when returning an internal server error (#​2543) (f91f3f1)
• Prototype pollution in Parse.Object and internal APIs; fixes security vulnerability GHSA-9f2h-7v79-mxw (#​2749) (0097398)
• Unhandled exception when calling Parse.Cloud.run with option value null (#​2622) (#​2623) (2818ed9)

Features

• Add Parse.File upload and download progress in browser and Node environments (#​2503) (d3ca465)
• Add Uint8Array support for Parse.File data (#​2548) (6f6bb66)
• Add option Parse.nodeLogging to fully log Parse.Object in Node.js environments (#​1594) (de9d057)
• Remove Parse.serverAuthType, Parse.serverAuthToken infavor of CoreManager REQUEST_HEADERS config (#​2639) (ddc66a1)

Performance Improvements

• Optimize bundle packaging with Vite (#​2553) (a4b19e5)

BREAKING CHANGES

• The methods Parse.serverAuthType() and Parse.serverAuthToken() have been removed; use the CoreManager REQUEST_HEADER config to set authorization headers instead. (ddc66a1)

v6.1.1

Compare Source

Bug Fixes

• Remove unused option sessionToken from Parse.Query.aggregate (#​2547) (c7015ba)
• Security upgrade tar-fs from 2.1.1 to 2.1.2 (#​2540) (44eeacd)

v6.1.0

Compare Source

Features

• Add Parse.Query option useMaintenanceKey (#​2484) (2ead3f3)
• Allow Parse.Object field names to begin with underscore _ to access internal fields of Parse Server (#​2475) (08e43ba)
• Publish TypeScript definitions (#​2491) (fc3e573)

v6.0.0

Compare Source

Bug Fixes

• Parse.Hooks requests have double forward slash in URL (#​2441) (1fc520c)
• Parse.Query.findAll not returning all objects with option json: true (#​2449) (f160b8c)
• Cannot pass useMasterKey: false to Parse.Cloud.run (#​2431) (abadac9)
• Remove validation error handler option error from various methods of Parse.Object (#​2445) (52ddaee)
• Security upgrade dset from 3.1.3 to 3.1.4 (#​2277) (058f8e4)

Features

• Add transaction to save and destroy on Parse.Object (#​2265) (2b55bdf)

BREAKING CHANGES

• Internal REST requests for Parse.Hooks use a URL that contains a double forward slash, for example http://localhost/parse//hooks/functions. This release changes the double forward slash to a single forward slash. (1fc520c)
• Removes the error handler option error from Parse.Object.set, Parse.Object.setACL, Parse.Object.unset, Parse.Role.setName and instead throws on validation error. Previously, if the error option was set, the handler was invoked if a validation error occurred on Parse.Object.set, and if no handler was set, an error was thrown on Parse.Object.save. The new behavior is that an error is thrown at Parse.Object.set. For example, instead of using Parse.Object.set(key, value, { error: ... }) wrap Parse.Object.set(key, value) into a try/catch block. (52ddaee)

v5.3.0

Compare Source

Bug Fixes

• Parse.Object.get returns array instead of object if key name is number-like (#​2201) (5921ba2)

Features

• Add support for Node 22 (#​2209) (c74fd4c)

v5.2.0

Compare Source

Bug Fixes

• LiveQueryClient.resubscribe with Parse Server 7 causes many open connections (#​2184) (71b4d17)
• Parse.Installation not working when installation is deleted on server (#​2126) (22360b4)
• Dot notation on JSON arrays doesn't work on PushStatus offset fields (#​2194) (e0eb6f0)
• Duplicate pending operations on nested fields (#​2162) (df6df7c)

Features

• Support dot notation on array fields (#​2120) (25ec684)

v5.1.0

Compare Source

Bug Fixes

• Parse.GeoPoint.current returns undefined (#​2127) (3860535)
• Chrome browser console warning about unsafe header access-control-expose-headers when calling Cloud Function (#​2095) (7b73c03)
• Live Query not working on Expo React Native (#​2109) (7a89665)
• Local datastore throws error when Parse.Query.notEqualTo is set to null (#​2102) (6afd32a)
• Multiple object updates of nested keys overwrite each other (#​1451) (fa4341a)
• Pending updates to nested field causes ParseObject.toJSON() to return incorrect object (#​1453) (23cc573)
• Remove circular dependencies (#​2125) (b415165)

Features

• Add password validation for user with unverified email via Parse.User.verifyPassword using master key and option ignoreEmailVerification: true (#​2076) (b0adf7e)
• Add support for setting Parse.ACL from json (#​2097) (72bc9ac)
• Allow setting custom queue for handling offline operations via Parse.EventuallyQueue (#​2106) (f92e4d4)
• Improve installation object Parse.Installation.currentInstallation to support web push notifications (#​2119) (4fc62ce)
• Lazy load Parse.CoreManager controllers to add support for swappable CryptoController, LocalDatastoreController, StorageController, WebSocketController, ParseLiveQuery (#​2100) (fbd0ab1)

v5.0.0

Compare Source

Bug Fixes

• Calling Parse.Object.relation.add multiple times adds only the first object (#​2078) (0f98117)

Features

• Add comment to MongoDB query via Parse.Query.comment (#​2088) (a970913)
• Add compatibility with Parse Server 7 (#​2089) (86600bc)
• Add support for Node 20, remove support for Node 14 and 16 (#​2063) (74eb4d5)

BREAKING CHANGES

• Parse JS SDK 5 requires Parse Server 7 and is incompatible with Parse Server 6. (86600bc)
• Removes support for Node 14 and 16. (74eb4d5)

v4.3.1

Compare Source

Bug Fixes

• Connection failure in Parse.Object.saveEventually and Parse.Object.destroyEventually not handled on custom Parse.Error.CONNECTION_FAILURE message (#​2032) (4da3ebc)
• Docs fail with Cannot find module 'taffydb' (#​2036) (dc91d0f)
• Error in web context when window.indexedDB API is available but protected (#​2039) (360981f)
• Security upgrade browserify-sign from 4.2.1 to 4.2.2 (#​2043) (fd50b9d)
• Security upgrade crypto-js from 4.1.1 to 4.2.0 (#​2042) (681fbdf)

v4.3.0

Compare Source

Bug Fixes

• ParseUser.linkWith doesn't remove anonymous auth data (#​2007) (7e2585c)
• Hard-coding of react-native path does not work for workspace builds (#​1930) (8222f3c)

Features

• Add Bytes type to Parse.Schema (#​2001) (343d0d7)
• Add Cloud Code context accessibility to ParseUser.logIn (#​2010) (2446007)
• Add support for custom EventEmitter (#​1999) (ca568a6)
• Add support for excluding keys in ParseQuery.findAll (#​2000) (012ba4c)
• Add support to invoke a Cloud Function with a custom installationId via Parse.Cloud.run (#​1939) (eb70b93)
• Allow overriding Parse.Error message with custom message via new Core Manager option PARSE_ERRORS (#​2014) (be0c8a6)
• Login with username, password and additional authentication data via ParseUser.logInWithAdditionalAuth (#​1955) (2bad411)

v4.2.0

Compare Source

Bug Fixes

• Parse.File.cancel starts new attempt to save file (#​1781) (b755e42)

Features

• Add Parse.User.loginAs (#​1875) (381fcfc)
• Add ParseQuery.watch to trigger LiveQuery only on update of specific fields (#​1839) (7479343)

v4.1.0

Compare Source

Bug Fixes

• LiveQuerySubscription.unsubscribe resolves promise before unsubscribing completes (#​1727) (1c96205)
• Node engine version upper range is <19 despite Node 19 support (#​1732) (febe187)
• Saving a new Parse.Object with an unsaved Parse.File fails (#​1662) (16535a4)

Features

• LiveQueryClient.close returns promise when WebSocket closes (#​1735) (979d660)
• Upgrade Node Package Manager lock file package-lock.json to version 2 (#​1729) (e993786)

v4.0.1

Compare Source

Bug Fixes

• Local datastore query with containedIn not working when field is an array (#​1666) (2391bff)
• Request execution time keeps increasing over time when using Parse.Object.extend (#​1682) (f555c43)

v4.0.0

Compare Source

Bug Fixes

• Parse.Query.subscribe() does not return a rejected promise on error in Cloud Code Triggers beforeConnect or beforeSubscribe (#​1490) (96d7174)
• Remove support for Node <14 (#​1603) (bc04b4b)

Features

• Add Node 16 and 18 support (#​1598) (2c79a31)
• Add node 19 support (8ed0fab)
• Add Node 19 support (#​1643) (dfb5196)

Performance Improvements

• Avoid CORS preflight request by removing upload listener when not used (#​1610) (6125419)

BREAKING CHANGES

• Calling Parse.Query.subscribe() will now return a rejected promise if an error is thrown in Cloud Code Triggers beforeConnect or beforeSubscribe; in previous releases a resolved promise was returned, even if subscribing failed and it was necessary to create an error.on listener to handle these errors (#​1490) (96d7174)
• This release removes support for Node versions <14 (bc04b4b)

v3.5.1

Compare Source

Bug Fixes

• File upload fails when uploading base64 data (#​1578) (03ee3ff)
• React Native build does not maintain arrow functions and causes error with AsyncStorage (#​1587) (8aeaa4f)
• SDK builds incorrectly since release 3.5.0 causing various bugs (#​1600) (f15154f)

v3.5.0

Compare Source

Warning

⚠️ This release contains several bugs due to a code compilation issue. We strongly recommend to skip this release.

Bug Fixes

• Parse.User.signUp() does not pass context to Cloud Code (#​1527) (53edcfd)
• Schema.addField does not correctly add value of type Date (#​1544) (15111f7)
• creating a Parse.File with base64 string fails for some encodings (#​1517) (0439862)
• initialization fails in non-browser environment that doesn't support indexedDB (#​1569) (3560a5e)
• remove base64 validation due to validation inefficiency (#​1543) (473949d)

Features

• add json option to Parse.Query.each() (#​1539) (89fd5ec)
• add json option to query.each (299fb0d)
• generate Parse.Object.objectId automatically when allowCustomObjectId is enabled and no objectId is passed (#​1540) (68f3ff5)
• localDatastore support for unsorted distance queries (#​1570) (ea3e75f)

v3.4.4

Compare Source

Bug Fixes

• subscription to a LiveQuery containing ParseQuery.select overrides properties (#​1488) (b80eee4)

v3.4.3

Compare Source

Bug Fixes

• creating a Parse.File with base64 string fails for some file types (#​1467) (c07d6c9)
• invalid name for Parse.Role throws incorrect error (#​1481) (8326a6f)

v3.4.2

Compare Source

Bug Fixes

• security upgrade moment from 2.29.1 to 2.29.2 (#​1472) (893c2a5)

v3.4.1

Compare Source

Bug Fixes

• upgrade idb-keyval from 5.0.6 to 6.0.3 (#​1397) (922a6db)

v3.4.0

Compare Source

Bug Fixes

• update parse server dependency branch; recreate package lock (#​1424) (38455ef)
• upgrade @​babel/runtime from 7.14.8 to 7.15.3 (#​1404) (8cb321c)

Features

• add options to enable polling and set the polling interval; fixes excessive polling (#​1419) (0f804b8)

v3.3.1

Compare Source

3.3.1

Full Changelog

Fixes

• Upgraded crypto-js dependency for compatibility with webpack in Parse Dashboard

v3.3.0

Compare Source

Improvements

• Improve support for nested keys (#​1364)
• Doc improvement (#​1349)
• Add npm version ci check (#​1345)
• Added an error code for geospatial index failures (#​1342)
• Added date support to OfflineQuery class (#​1344)

Fixes

• Fix react native build (#​1381)
• Fix weapp uuid error (#​1356)
• Fix EventEmitter undefined on React Native 0.64 (#​1351)

v3.2.0

Compare Source

Breaking Changes

• Remove deletion of Anonymous User on logout (#​1324)
  See https://community.parseplatform.org/t/anonymous-user-destroyed-on-logout/1425

Improvements

• Allow multiple classNames for Parse.Object.registerSubclass (#​1315)

const classNames = ['ClassOne', 'ClassTwo', 'ClassThree'];
for (const className of classNames) {
  Parse.Object.registerSubclass(className, CustomClass);
}

Fixes

• Fixes build for WeChat WeApp, to reduce package size, see issue/#​1331

v3.1.0

Compare Source

Breaking Changes
Parse.Push.send will now return the pushStatusId instead of { result: true }

Features

• Add Server Health Check Parse.getServerHealth() (#​1307)
• Allow saving with custom objectId Parse.allowCustomObjectId = true (#​1309)
• Parse.Push.send now returns pushStatusId (#​1302)
• Add Parse.Push.getPushStatus (#​1302)

Improvements

• Add modifiers to query.startsWith (#​1306)
• Add modifiers to query.endsWith (#​1306)

Fixes

• EventuallyQueue now polls against /health endpoint, caused 403 forbidden side effect (#​1305)
• Allow nested increment on undefined fields (#​1303)
• Handle increment on nested fields any level deep (#​1301)

v3.0.0

Compare Source

Breaking Changes
For security purposes, logIn will default to POST instead of GET method. (#​1284)

If you need to use GET set the usePost option to false.
Parse.User.logIn('username', 'password', { usePost: false })

Features

• Add EventuallyQueue API, object.saveEventually, object.destroyEventually (#​1291)
• Add Parse.CLP Object to control ClassLevelPermissions (#​1145)
• Add option { json: true } on queries (#​1294)
• Add IndexedDB Storage Controller (#​1297)
• Add Parse.User.isCurrentAsync() for async storage (#​1298)

Improvements

• Add useMasterKey option to Parse.File.destroy() (#​1285)
• User management on React-Native (#​1298)
• Parse.Schema.addField accepts Pointer and Relation types (#​1281)

Fixes

• Allow connect to LiveQuery with null fields (#​1282)
• fromJSON: Return date if value is type Date (#​1293)
• fromJSON: Allow keys to dirty, allows save fromJSON (#​1295)

v2.19.0

Compare Source

Features

• New error code 210 (MFA_ERROR) (#​1268)
• New error code 211 (MFA_TOKEN_REQUIRED) (#​1268)
• New error code 161 (FILE_DELETE_UNNAMED_ERROR) (#​1257)

Improvements

• Parse.File.destroy without name error message (#​1257)

Fixes

• Remove unnecessary object reference and comment from AddUniqueOp (#​1253)
• Internal Referencing for Increment Dot Notation (#​1255)
• Saving for Increment Dot Notation (#​1219)

v2.18.0

Compare Source

Features

• Support query.findAll() (#​1233)

Improvements

• Pass objects into query.equalTo / query.notEqualTo (#​1235)
• Improving legacy initialization setters/getters (#​1237)
• Remove deprecated backbone options from Parse.Push (#​1238)
• Code Coverage and Unit Tests (#​1241)

Fixes

• Prevent crashing LiveQueryClient if emitter error is not set (#​1241)
• Handle LiveQuery subscription socket error (#​1241)
• Set WeChat socket handlers before connecting (#​1241)
• Parse.Installation validating attribute error (#​1241)

v2.17.0

Compare Source

Improvements

• User LogIn with usePost option (#​1229)

v2.16.0

Compare Source

Idempotency enforcement for client requests. This deduplicates requests where the client intends to send one request to Parse Server but due to network issues the server receives the request multiple times.
(Parse-Server 4.3.0+)
Caution, this is an experimental feature that may not be appropriate for production.

To enable use either of the following:

• Parse.CoreManager.set('IDEMPOTENCY', true)
• Parse.idempotency = true

Features

• Idempotency Request (#​1210) (parse-server/6748)

Improvements

• Allow Pin of unsaved objects in LocalDatastore (#​1225)

Fixes

• crypto-js crashing React Native (#​1218)
• Schema mismatch error on add / remove empty array on Relation (#​1222)
• query.select error on null fields (#​1223)

v2.15.0

Compare Source

Features

• New Parse.Error 159 DUPLICATE_REQUEST (#​1189)

Fixes

• Live Query Subscription Error Event (#​1193)

v2.14.0

Compare Source

New Features

• Passing context in destroy, saveAll, get, find hooks. (#​1159)
• Support using aggregate on top of constructed query (#​1170)

Improvements

• Performance improvement for Query.eachBatch (#​1179)

Fixes

• Fix context for cascade saving (#​1186)

v2.13.0

Compare Source

New Features

• Add Email Verification to Parse.User (#​1144)
• Add Verify Password to Parse.User (#​1144)

Improvements

• Add read preference for aggregate query (#​1143)
• Add file progress type (upload/download) (#​1140)
• Add context to Parse.Object.save (#​1150)

Fixes

• File upload progress (#​1133)
• Live Query Subscription Open Event (#​1151)

v2.12.0

Compare Source

New Features

• Support Parse.Query hint (#​1054)
• Support Parse.Query eachBatch (#​1114)
• Support Parse.Object decrement (#​1069)
• Support deleting Parse.File (#​1067)
• Support File Metadata (#​1065) (#​1070)

Improvements

• Support global request batch size (#​1053)
• Username signup error (#​1080)
• Pass SaveAll options to Files (#​1107)
• Make iteration query methods (map, filter, reduce) returned promises (#​1112)

Fixes

• Fix user.become for AsyncStorage (#​1056)
• Subscribing to query with null sessionToken (#​1058)
• Fix addIndex annotation in Parse.Schema (#​1071)
• Fix cascadeSave=false bug for SingleInstance objects (#​1078)
• Fix react-native build (#​1094)

v2.11.0

Compare Source

New Features

• Support encrypting current user (#​1036)
• File Upload Progress on Wechat (#​1029)

Improvements

• Support query.cancel() on Node (#​1030)

Fixes

• File Upload Progress on browser (#​1029)
• User signup with installationId (#​1031)

v2.10.0

Compare Source

New Features

• Add query.fromNetwork() (#​1002)
• Add query.cancel() (browser only) (#​1003)
• Support custom request headers (#​1019)

Fixes

• To subclass Parse.User: Parse.Object.registerSubclass('_User', CustomUser);

Security

• Address Security Advisory of possible leak of sensitive user info. (#d110617), big thanks to Colin Ulin for identifying the problem, following the vulnerability disclosure guidelines

v2.9.1

Compare Source

Fixes

• Storing user to disk (#​992) (#​999)

v2.9.0

Compare Source

Deprecation
_linkWith and _logInWith are deprecated. Replace with linkWith and logInWith respectively. (#​963)

New Features

• Set Class Level Permission via Parse.Schema (#​960)
• Set required fields and default values via Parse.Schema (#​961)
• Add installationId to LiveQuery (#​977)
• Add response object to LiveQuery (#​979)
• Support query.map, query.filter, query.reduce (#​987)

Fixes

• Can unlink without provider in cloud code (#​971)
• Properly store User Subclass in Storage (#​978)

Improvements

• User subclass support for logInWith, hydrate, me, current (#​968)
• Remove unused options from Parse.Schema (#​959)
• Documentation for linking users and custom auth (#​963)
• Generate installationId as uuid v4 (#​972)
• Reuse StorageController for LDS (#​984)
• LiveQuery reconnect on server error (#​977)

v2.8.0

Compare Source

New Features

• Parse.File save cancel (#​948)
• Parse.File getData cancel (#​951)

Fixes

• React Native Emitter module (#​946)
• Parse.Schema deleteIndex, deleteField returns Parse.Schema (#​949)

Improvements

• Compiling on Windows (#​947)
• Generate _localId as UUID (#​956)

v2.7.1

Compare Source

New Features

• Support for ParseConfig.save with masterKeyOnlyFlags option (#​910) (Requires Parse-Server 3.8.0+)
• Support for ParseConfig.get with useMasterKey option (#​907)

v2.7.0

Compare Source

New Features

• Support for `ParseObject.fetchAl

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.