build: Release #10525
## [9.9.1-alpha.1](9.9.0...9.9.1-alpha.1) (2026-05-17)

### Bug Fixes

* Pre-authentication denial of service via client version header regex backtracking ([GHSA-38m6-82c8-4xfm](GHSA-38m6-82c8-4xfm)) ([#10463](#10463)) ([56c159e](56c159e))

… unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) (#10467)
## [9.9.1-alpha.2](9.9.1-alpha.1...9.9.1-alpha.2) (2026-05-18)

### Bug Fixes

* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) ([#10467](#10467)) ([155123a](155123a))

## [9.9.1-alpha.3](9.9.1-alpha.2...9.9.1-alpha.3) (2026-05-27)

### Bug Fixes

* Server option `routeAllowList` is bypassable through batch sub-requests ([GHSA-p84r-h6rx-f2xr](GHSA-p84r-h6rx-f2xr)) ([#10482](#10482)) ([552c6dd](552c6dd))

## [9.9.1-alpha.4](9.9.1-alpha.3...9.9.1-alpha.4) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([#10489](#10489)) ([66484ce](66484ce))

…d protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) (#10492)
## [9.9.1-alpha.5](9.9.1-alpha.4...9.9.1-alpha.5) (2026-06-03)

### Bug Fixes

* Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) ([#10492](#10492)) ([83e90ed](83e90ed))

## [9.9.1-alpha.6](9.9.1-alpha.5...9.9.1-alpha.6) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([#10493](#10493)) ([43658f1](43658f1))

…to GraphQL operations (#10496)
## [9.9.1-alpha.7](9.9.1-alpha.6...9.9.1-alpha.7) (2026-06-06)

### Bug Fixes

* Cloud Function multipart requests bypass the `maxUploadSize` limit ([#10498](#10498)) ([f12e1c3](f12e1c3))

## [9.9.1-alpha.8](9.9.1-alpha.7...9.9.1-alpha.8) (2026-06-10)

### Bug Fixes

* LiveQuery subscriptions leak when a client reuses a subscribe `requestId` ([#10499](#10499)) ([3fad4fb](3fad4fb))

## [9.9.1-alpha.9](9.9.1-alpha.8...9.9.1-alpha.9) (2026-06-11)

### Bug Fixes

* `rateLimit` on exact static routes is bypassed by appending a query string ([#10500](#10500)) ([880e8e6](880e8e6))

…iants (trailing slash, case) (#10501)
## [9.9.1-alpha.10](9.9.1-alpha.9...9.9.1-alpha.10) (2026-06-12)

### Bug Fixes

* Middleware route checks do not match routing-equivalent path variants (trailing slash, case) ([#10501](#10501)) ([f861210](f861210))

… extension blocklist ([GHSA-v8x7-r927-cc93](GHSA-v8x7-r927-cc93)) (#10505)
## [9.9.1-alpha.11](9.9.1-alpha.10...9.9.1-alpha.11) (2026-06-16)

### Bug Fixes

* Stored XSS via non-standard file extension bypassing file upload extension blocklist ([GHSA-v8x7-r927-cc93](GHSA-v8x7-r927-cc93)) ([#10505](#10505)) ([be12a60](be12a60))

…ed query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8)) (#10511)
## [9.9.1-alpha.12](9.9.1-alpha.11...9.9.1-alpha.12) (2026-06-17)

### Bug Fixes

* Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8)) ([#10511](#10511)) ([1103c7a](1103c7a))

## [9.9.1-alpha.13](9.9.1-alpha.12...9.9.1-alpha.13) (2026-06-19)

### Bug Fixes

* LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r)) ([#10515](#10515)) ([e9c85df](e9c85df))

# [9.10.0-alpha.1](9.9.1-alpha.13...9.10.0-alpha.1) (2026-06-19)

### Features

* Add option to disallow aggregation pipelines for the read-only master key ([#10517](#10517)) ([816078f](816078f))

# [9.10.0-alpha.2](9.10.0-alpha.1...9.10.0-alpha.2) (2026-06-25)

### Bug Fixes

* Stored XSS via malformed Content-Type bypassing file upload extension blocklist ([GHSA-r899-h629-j84r](GHSA-r899-h629-j84r)) ([#10521](#10521)) ([cce91e5](cce91e5))

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note: Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution: Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.
Important: Review skipped

Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the

⚙️ Run configuration

Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID:

You can disable this status message by setting the

Use the checkbox below for a quick retry:
Codecov Report

❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
## release #10525 +/- ##
===========================================
+ Coverage 92.58% 92.66% +0.08%
===========================================
Files 194 193 -1
Lines 16901 16981 +80
Branches 234 248 +14
===========================================
+ Hits 15648 15736 +88
+ Misses 1230 1224 -6
+ Partials 23 21 -2
Release
This pull request was created automatically according to the release cycle.
Warning: Only use `Merge Commit` to merge this pull request. Do not use `Rebase and Merge` or `Squash and Merge`.