Skip to content

build: Release#10525

Open
parseplatformorg wants to merge 35 commits into
releasefrom
build/release-20260701
Open

build: Release#10525
parseplatformorg wants to merge 35 commits into
releasefrom
build/release-20260701

Conversation

@parseplatformorg

Copy link
Copy Markdown
Contributor

Release

This pull request was created automatically according to the release cycle.

Warning

Only use Merge Commit to merge this pull request. Do not use Rebase and Merge or Squash and Merge.

mtrezza and others added 30 commits May 17, 2026 15:11
## [9.9.1-alpha.1](9.9.0...9.9.1-alpha.1) (2026-05-17)

### Bug Fixes

* Pre-authentication denial of service via client version header regex backtracking ([GHSA-38m6-82c8-4xfm](GHSA-38m6-82c8-4xfm)) ([#10463](#10463)) ([56c159e](56c159e))
## [9.9.1-alpha.2](9.9.1-alpha.1...9.9.1-alpha.2) (2026-05-18)

### Bug Fixes

* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) ([#10467](#10467)) ([155123a](155123a))
## [9.9.1-alpha.3](9.9.1-alpha.2...9.9.1-alpha.3) (2026-05-27)

### Bug Fixes

* Server option routeAllowList is bypassable through batch sub-requests ([GHSA-p84r-h6rx-f2xr](GHSA-p84r-h6rx-f2xr)) ([#10482](#10482)) ([552c6dd](552c6dd))
## [9.9.1-alpha.4](9.9.1-alpha.3...9.9.1-alpha.4) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([#10489](#10489)) ([66484ce](66484ce))
## [9.9.1-alpha.5](9.9.1-alpha.4...9.9.1-alpha.5) (2026-06-03)

### Bug Fixes

* Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) ([#10492](#10492)) ([83e90ed](83e90ed))
## [9.9.1-alpha.6](9.9.1-alpha.5...9.9.1-alpha.6) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([#10493](#10493)) ([43658f1](43658f1))
## [9.9.1-alpha.7](9.9.1-alpha.6...9.9.1-alpha.7) (2026-06-06)

### Bug Fixes

* Cloud Function multipart requests bypass the maxUploadSize limit ([#10498](#10498)) ([f12e1c3](f12e1c3))
## [9.9.1-alpha.8](9.9.1-alpha.7...9.9.1-alpha.8) (2026-06-10)

### Bug Fixes

* LiveQuery subscriptions leak when a client reuses a subscribe requestId ([#10499](#10499)) ([3fad4fb](3fad4fb))
## [9.9.1-alpha.9](9.9.1-alpha.8...9.9.1-alpha.9) (2026-06-11)

### Bug Fixes

* rateLimit on exact static routes is bypassed by appending a query string ([#10500](#10500)) ([880e8e6](880e8e6))
## [9.9.1-alpha.10](9.9.1-alpha.9...9.9.1-alpha.10) (2026-06-12)

### Bug Fixes

* Middleware route checks do not match routing-equivalent path variants (trailing slash, case) ([#10501](#10501)) ([f861210](f861210))
## [9.9.1-alpha.11](9.9.1-alpha.10...9.9.1-alpha.11) (2026-06-16)

### Bug Fixes

* Stored XSS via non-standard file extension bypassing file upload extension blocklist ([GHSA-v8x7-r927-cc93](GHSA-v8x7-r927-cc93)) ([#10505](#10505)) ([be12a60](be12a60))
## [9.9.1-alpha.12](9.9.1-alpha.11...9.9.1-alpha.12) (2026-06-17)

### Bug Fixes

* Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8)) ([#10511](#10511)) ([1103c7a](1103c7a))
## [9.9.1-alpha.13](9.9.1-alpha.12...9.9.1-alpha.13) (2026-06-19)

### Bug Fixes

* LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r)) ([#10515](#10515)) ([e9c85df](e9c85df))
semantic-release-bot and others added 5 commits June 19, 2026 23:12
# [9.10.0-alpha.1](9.9.1-alpha.13...9.10.0-alpha.1) (2026-06-19)

### Features

* Add option to disallow aggregation pipelines for the read-only master key ([#10517](#10517)) ([816078f](816078f))
# [9.10.0-alpha.2](9.10.0-alpha.1...9.10.0-alpha.2) (2026-06-25)

### Bug Fixes

* Stored XSS via malformed Content-Type bypassing file upload extension blocklist ([GHSA-r899-h629-j84r](GHSA-r899-h629-j84r)) ([#10521](#10521)) ([cce91e5](cce91e5))
@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8f06fa48-1c6e-41b3-a216-ac46ff27b0da

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch build/release-20260701

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 98.34254% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.66%. Comparing base (eb64413) to head (b4d6c5a).
⚠️ Report is 1 commits behind head on release.

Files with missing lines Patch % Lines
src/middlewares.js 93.93% 2 Missing ⚠️
src/Controllers/DatabaseController.js 96.42% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           release   #10525      +/-   ##
===========================================
+ Coverage    92.58%   92.66%   +0.08%     
===========================================
  Files          194      193       -1     
  Lines        16901    16981      +80     
  Branches       234      248      +14     
===========================================
+ Hits         15648    15736      +88     
+ Misses        1230     1224       -6     
+ Partials        23       21       -2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants