From 8f1739788d434c91109f049a438c32bdd4fc26a5 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Tue, 3 Mar 2026 00:39:56 +0000 Subject: [PATCH 1/7] fix: MongoDB default batch size changed from 1000 to 100 without announcement (#10085) --- spec/GridFSBucketStorageAdapter.spec.js | 8 +++ spec/MongoStorageAdapter.spec.js | 52 +++++++++++++++++++ src/Adapters/Files/GridFSBucketAdapter.js | 9 ++-- src/Adapters/Storage/Mongo/MongoCollection.js | 9 +++- .../Storage/Mongo/MongoStorageAdapter.js | 6 +++ src/Options/Definitions.js | 6 +++ src/Options/docs.js | 1 + src/Options/index.js | 3 ++ src/ParseServer.ts | 18 ++++++- src/defaults.js | 11 +++- types/Options/index.d.ts | 1 + 11 files changed, 116 insertions(+), 8 deletions(-) diff --git a/spec/GridFSBucketStorageAdapter.spec.js b/spec/GridFSBucketStorageAdapter.spec.js index 6a274125bc..033292063c 100644 --- a/spec/GridFSBucketStorageAdapter.spec.js +++ b/spec/GridFSBucketStorageAdapter.spec.js @@ -29,6 +29,7 @@ describe_only_db('mongo')('GridFSBucket', () => { enableSchemaHooks: true, schemaCacheTtl: 5000, maxTimeMS: 30000, + batchSize: 500, disableIndexFieldValidation: true, logClientEvents: [{ name: 'commandStarted' }], createIndexUserUsername: true, @@ -46,6 +47,13 @@ describe_only_db('mongo')('GridFSBucket', () => { expect(db.options?.retryWrites).toEqual(true); }); + it('should store batchSize and filter it from MongoClient options', async () => { + const gfsAdapter = new GridFSBucketAdapter(databaseURI, { batchSize: 500 }); + expect(gfsAdapter._batchSize).toEqual(500); + // Verify batchSize is filtered from MongoClient options + expect(gfsAdapter._mongoOptions.batchSize).toBeUndefined(); + }); + it('should save an encrypted file that can only be decrypted by a GridFS adapter with the encryptionKey', async () => { const unencryptedAdapter = new GridFSBucketAdapter(databaseURI); const encryptedAdapter = new GridFSBucketAdapter( diff --git a/spec/MongoStorageAdapter.spec.js b/spec/MongoStorageAdapter.spec.js index 1deaa169d8..ffaaf94c98 100644 --- a/spec/MongoStorageAdapter.spec.js +++ b/spec/MongoStorageAdapter.spec.js @@ -108,6 +108,58 @@ describe_only_db('mongo')('MongoStorageAdapter', () => { ); }); + it('passes batchSize to the MongoDB driver find() call', async () => { + const batchSize = 50; + const adapter = new MongoStorageAdapter({ + uri: databaseURI, + mongoOptions: { batchSize }, + }); + await adapter.createObject('BatchTest', { fields: {} }, { objectId: 'obj1' }); + + // Spy on the MongoDB driver's Collection.prototype.find to verify batchSize is forwarded + const originalFind = Collection.prototype.find; + let capturedOptions; + spyOn(Collection.prototype, 'find').and.callFake(function (query, options) { + capturedOptions = options; + return originalFind.call(this, query, options); + }); + + await adapter.find('BatchTest', { fields: {} }, {}, {}); + expect(capturedOptions).toBeDefined(); + expect(capturedOptions.batchSize).toEqual(50); + }); + + it('passes batchSize to the MongoDB driver aggregate() call', async () => { + const batchSize = 50; + const adapter = new MongoStorageAdapter({ + uri: databaseURI, + mongoOptions: { batchSize }, + }); + await adapter.createObject('AggBatchTest', { fields: { count: { type: 'Number' } } }, { objectId: 'obj1', count: 1 }); + + // Spy on the MongoDB driver's Collection.prototype.aggregate to verify batchSize is forwarded + const originalAggregate = Collection.prototype.aggregate; + let capturedOptions; + spyOn(Collection.prototype, 'aggregate').and.callFake(function (pipeline, options) { + capturedOptions = options; + return originalAggregate.call(this, pipeline, options); + }); + + await adapter.aggregate('AggBatchTest', { fields: { count: { type: 'Number' } } }, [{ $match: {} }]); + expect(capturedOptions).toBeDefined(); + expect(capturedOptions.batchSize).toEqual(50); + }); + + it('defaults batchSize to 1000', async () => { + await reconfigureServer({ + databaseURI: databaseURI, + collectionPrefix: 'test_', + databaseAdapter: undefined, + }); + const adapter = Config.get(Parse.applicationId).database.adapter; + expect(adapter._batchSize).toEqual(1000); + }); + it('stores pointers with a _p_ prefix', done => { const obj = { objectId: 'bar', diff --git a/src/Adapters/Files/GridFSBucketAdapter.js b/src/Adapters/Files/GridFSBucketAdapter.js index 6157b8e7b2..0236bec219 100644 --- a/src/Adapters/Files/GridFSBucketAdapter.js +++ b/src/Adapters/Files/GridFSBucketAdapter.js @@ -38,6 +38,7 @@ export class GridFSBucketAdapter extends FilesAdapter { const defaultMongoOptions = {}; const _mongoOptions = Object.assign(defaultMongoOptions, mongoOptions); this._clientMetadata = mongoOptions.clientMetadata; + this._batchSize = mongoOptions.batchSize; // Remove Parse Server-specific options that should not be passed to MongoDB client for (const key of ParseServerDatabaseOptions) { delete _mongoOptions[key]; @@ -135,7 +136,7 @@ export class GridFSBucketAdapter extends FilesAdapter { async deleteFile(filename: string) { const bucket = await this._getBucket(); - const documents = await bucket.find({ filename }).toArray(); + const documents = await bucket.find({ filename }, { batchSize: this._batchSize }).toArray(); if (documents.length === 0) { throw new Error('FileNotFound'); } @@ -196,7 +197,7 @@ export class GridFSBucketAdapter extends FilesAdapter { if (options.fileNames !== undefined) { fileNames = options.fileNames; } else { - const fileNamesIterator = await bucket.find().toArray(); + const fileNamesIterator = await bucket.find({}, { batchSize: this._batchSize }).toArray(); fileNamesIterator.forEach(file => { fileNames.push(file.filename); }); @@ -226,7 +227,7 @@ export class GridFSBucketAdapter extends FilesAdapter { async getMetadata(filename) { const bucket = await this._getBucket(); - const files = await bucket.find({ filename }).toArray(); + const files = await bucket.find({ filename }, { batchSize: this._batchSize }).toArray(); if (files.length === 0) { return {}; } @@ -236,7 +237,7 @@ export class GridFSBucketAdapter extends FilesAdapter { async handleFileStream(filename: string, req, res, contentType) { const bucket = await this._getBucket(); - const files = await bucket.find({ filename }).toArray(); + const files = await bucket.find({ filename }, { batchSize: this._batchSize }).toArray(); if (files.length === 0) { throw new Error('FileNotFound'); } diff --git a/src/Adapters/Storage/Mongo/MongoCollection.js b/src/Adapters/Storage/Mongo/MongoCollection.js index 4f02c5c8fa..04f8ca1dc2 100644 --- a/src/Adapters/Storage/Mongo/MongoCollection.js +++ b/src/Adapters/Storage/Mongo/MongoCollection.js @@ -21,6 +21,7 @@ export default class MongoCollection { sort, keys, maxTimeMS, + batchSize, readPreference, hint, caseInsensitive, @@ -39,6 +40,7 @@ export default class MongoCollection { sort, keys, maxTimeMS, + batchSize, readPreference, hint, caseInsensitive, @@ -68,6 +70,7 @@ export default class MongoCollection { sort, keys, maxTimeMS, + batchSize, readPreference, hint, caseInsensitive, @@ -94,6 +97,7 @@ export default class MongoCollection { sort, keys, maxTimeMS, + batchSize, readPreference, hint, caseInsensitive, @@ -108,6 +112,7 @@ export default class MongoCollection { readPreference, hint, comment, + batchSize, }); if (keys) { @@ -153,9 +158,9 @@ export default class MongoCollection { return this._mongoCollection.distinct(field, query); } - aggregate(pipeline, { maxTimeMS, readPreference, hint, explain, comment } = {}) { + aggregate(pipeline, { maxTimeMS, batchSize, readPreference, hint, explain, comment } = {}) { return this._mongoCollection - .aggregate(pipeline, { maxTimeMS, readPreference, hint, explain, comment }) + .aggregate(pipeline, { maxTimeMS, batchSize, readPreference, hint, explain, comment }) .toArray(); } diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js index 59101bba72..9d8ef47941 100644 --- a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js +++ b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js @@ -170,6 +170,7 @@ export class MongoStorageAdapter implements StorageAdapter { database: any; client: MongoClient; _maxTimeMS: ?number; + _batchSize: ?number; canSortOnJoinTables: boolean; enableSchemaHooks: boolean; schemaCacheTtl: ?number; @@ -182,6 +183,8 @@ export class MongoStorageAdapter implements StorageAdapter { // MaxTimeMS is not a global MongoDB client option, it is applied per operation. this._maxTimeMS = mongoOptions.maxTimeMS; + // BatchSize is not a global MongoDB client option, it is applied per cursor operation. + this._batchSize = mongoOptions.batchSize; this.canSortOnJoinTables = true; this.enableSchemaHooks = !!mongoOptions.enableSchemaHooks; this.schemaCacheTtl = mongoOptions.schemaCacheTtl; @@ -735,6 +738,7 @@ export class MongoStorageAdapter implements StorageAdapter { sort: mongoSort, keys: mongoKeys, maxTimeMS: this._maxTimeMS, + batchSize: this._batchSize, readPreference, hint, caseInsensitive, @@ -820,6 +824,7 @@ export class MongoStorageAdapter implements StorageAdapter { .then(collection => collection.find(query, { maxTimeMS: this._maxTimeMS, + batchSize: this._batchSize, }) ) .catch(err => this.handleError(err)); @@ -909,6 +914,7 @@ export class MongoStorageAdapter implements StorageAdapter { collection.aggregate(pipeline, { readPreference, maxTimeMS: this._maxTimeMS, + batchSize: this._batchSize, hint, explain, comment, diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 9715af12de..323cd19a9b 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -1097,6 +1097,12 @@ module.exports.DatabaseOptions = { help: 'The MongoDB driver option to specify the amount of time in milliseconds to wait for a connection attempt to finish before trying the next address when using the autoSelectFamily option. If set to a positive integer less than 10, the value 10 is used instead.', action: parsers.numberParser('autoSelectFamilyAttemptTimeout'), }, + batchSize: { + env: 'PARSE_SERVER_DATABASE_BATCH_SIZE', + help: 'The number of documents per batch for MongoDB cursor `getMore` operations. A lower value reduces memory usage per batch; a higher value reduces the number of network round-trips.', + action: parsers.numberParser('batchSize'), + default: 1000, + }, clientMetadata: { env: 'PARSE_SERVER_DATABASE_CLIENT_METADATA', help: "Custom metadata to append to database client connections for identifying Parse Server instances in database logs. If set, this metadata will be visible in database logs during connection handshakes. This can help with debugging and monitoring in deployments with multiple database clients. Set `name` to identify your application (e.g., 'MyApp') and `version` to your application's version. Leave undefined (default) to disable this feature and avoid the additional data transfer overhead.", diff --git a/src/Options/docs.js b/src/Options/docs.js index 0c2a296a31..13aaa00f17 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -265,6 +265,7 @@ * @property {String} authSource The MongoDB driver option to specify the database name associated with the user's credentials. * @property {Boolean} autoSelectFamily The MongoDB driver option to set whether the socket attempts to connect to IPv6 and IPv4 addresses until a connection is established. If available, the driver will select the first IPv6 address. * @property {Number} autoSelectFamilyAttemptTimeout The MongoDB driver option to specify the amount of time in milliseconds to wait for a connection attempt to finish before trying the next address when using the autoSelectFamily option. If set to a positive integer less than 10, the value 10 is used instead. + * @property {Number} batchSize The number of documents per batch for MongoDB cursor `getMore` operations. A lower value reduces memory usage per batch; a higher value reduces the number of network round-trips. * @property {DatabaseOptionsClientMetadata} clientMetadata Custom metadata to append to database client connections for identifying Parse Server instances in database logs. If set, this metadata will be visible in database logs during connection handshakes. This can help with debugging and monitoring in deployments with multiple database clients. Set `name` to identify your application (e.g., 'MyApp') and `version` to your application's version. Leave undefined (default) to disable this feature and avoid the additional data transfer overhead. * @property {Union} compressors The MongoDB driver option to specify an array or comma-delimited string of compressors to enable network compression for communication between this client and a mongod/mongos instance. * @property {Number} connectTimeoutMS The MongoDB driver option to specify the amount of time, in milliseconds, to wait to establish a single TCP socket connection to the server before raising an error. Specifying 0 disables the connection timeout. diff --git a/src/Options/index.js b/src/Options/index.js index eb1439538d..1539abd283 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -669,6 +669,9 @@ export interface DatabaseOptions { schemaCacheTtl: ?number; /* The MongoDB driver option to set whether to retry failed writes. */ retryWrites: ?boolean; + /* The number of documents per batch for MongoDB cursor `getMore` operations. A lower value reduces memory usage per batch; a higher value reduces the number of network round-trips. + :DEFAULT: 1000 */ + batchSize: ?number; /* The MongoDB driver option to set a cumulative time limit in milliseconds for processing operations on a cursor. */ maxTimeMS: ?number; /* The MongoDB driver option to set the maximum replication lag for reads from secondary nodes.*/ diff --git a/src/ParseServer.ts b/src/ParseServer.ts index 1e916efe61..8b1c6cdf8a 100644 --- a/src/ParseServer.ts +++ b/src/ParseServer.ts @@ -9,7 +9,7 @@ var batch = require('./batch'), fs = require('fs'); import { ParseServerOptions, LiveQueryServerOptions } from './Options'; -import defaults from './defaults'; +import defaults, { DatabaseOptionDefaults } from './defaults'; import * as logging from './logger'; import Config from './Config'; import PromiseRouter from './PromiseRouter'; @@ -593,6 +593,22 @@ function injectDefaults(options: ParseServerOptions) { } }); + // Inject defaults for database options; only when no explicit database adapter is set, + // because an explicit adapter manages its own options and passing databaseOptions alongside + // it would cause a conflict error in getDatabaseController. + if (!options.databaseAdapter) { + if (options.databaseOptions == null) { + options.databaseOptions = {}; + } + if (typeof options.databaseOptions === 'object' && !Array.isArray(options.databaseOptions)) { + Object.keys(DatabaseOptionDefaults).forEach(key => { + if (!Object.prototype.hasOwnProperty.call(options.databaseOptions, key)) { + options.databaseOptions[key] = DatabaseOptionDefaults[key]; + } + }); + } + } + if (!Object.prototype.hasOwnProperty.call(options, 'serverURL')) { options.serverURL = `http://localhost:${options.port}${options.mountPath}`; } diff --git a/src/defaults.js b/src/defaults.js index ba959e22fc..ce4bd09766 100644 --- a/src/defaults.js +++ b/src/defaults.js @@ -1,5 +1,5 @@ import { nullParser } from './Options/parsers'; -const { ParseServerOptions } = require('./Options/Definitions'); +const { ParseServerOptions, DatabaseOptions } = require('./Options/Definitions'); const logsFolder = (() => { let folder = './logs/'; if (typeof process !== 'undefined' && process.env.TESTING === '1') { @@ -34,10 +34,19 @@ const computedDefaults = { export default Object.assign({}, DefinitionDefaults, computedDefaults); export const DefaultMongoURI = DefinitionDefaults.databaseURI; +export const DatabaseOptionDefaults = Object.keys(DatabaseOptions).reduce((memo, key) => { + const def = DatabaseOptions[key]; + if (Object.prototype.hasOwnProperty.call(def, 'default')) { + memo[key] = def.default; + } + return memo; +}, {}); + // Parse Server-specific database options that should be filtered out // before passing to MongoDB client export const ParseServerDatabaseOptions = [ 'allowPublicExplain', + 'batchSize', 'clientMetadata', 'createIndexRoleName', 'createIndexUserEmail', diff --git a/types/Options/index.d.ts b/types/Options/index.d.ts index b8bfa8a83d..49e58cc1df 100644 --- a/types/Options/index.d.ts +++ b/types/Options/index.d.ts @@ -244,6 +244,7 @@ export interface FileUploadOptions { export interface DatabaseOptions { // Parse Server custom options allowPublicExplain?: boolean; + batchSize?: number; createIndexRoleName?: boolean; createIndexUserEmail?: boolean; createIndexUserEmailCaseInsensitive?: boolean; From f69a7f54a8c47fa51f82907b5be55b5e1b4fdccd Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 3 Mar 2026 00:40:49 +0000 Subject: [PATCH 2/7] chore(release): 9.4.1-alpha.1 [skip ci] ## [9.4.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.4.0...9.4.1-alpha.1) (2026-03-03) ### Bug Fixes * MongoDB default batch size changed from 1000 to 100 without announcement ([#10085](https://github.com/parse-community/parse-server/issues/10085)) ([8f17397](https://github.com/parse-community/parse-server/commit/8f1739788d434c91109f049a438c32bdd4fc26a5)) --- changelogs/CHANGELOG_alpha.md | 7 +++++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/changelogs/CHANGELOG_alpha.md b/changelogs/CHANGELOG_alpha.md index 69eb906eed..b9f3dfb296 100644 --- a/changelogs/CHANGELOG_alpha.md +++ b/changelogs/CHANGELOG_alpha.md @@ -1,3 +1,10 @@ +## [9.4.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.4.0...9.4.1-alpha.1) (2026-03-03) + + +### Bug Fixes + +* MongoDB default batch size changed from 1000 to 100 without announcement ([#10085](https://github.com/parse-community/parse-server/issues/10085)) ([8f17397](https://github.com/parse-community/parse-server/commit/8f1739788d434c91109f049a438c32bdd4fc26a5)) + # [9.4.0-alpha.2](https://github.com/parse-community/parse-server/compare/9.4.0-alpha.1...9.4.0-alpha.2) (2026-02-27) diff --git a/package-lock.json b/package-lock.json index 25cbeb0ca4..43aa5750a6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "parse-server", - "version": "9.4.0", + "version": "9.4.1-alpha.1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "parse-server", - "version": "9.4.0", + "version": "9.4.1-alpha.1", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { diff --git a/package.json b/package.json index 55b4dd7359..d7585cad45 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "parse-server", - "version": "9.4.0", + "version": "9.4.1-alpha.1", "description": "An express module providing a Parse-compatible API server", "main": "lib/index.js", "repository": { From bebf2fd62b51cfc35c271ad4c76b8f552f886ce8 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Tue, 3 Mar 2026 13:53:52 +0000 Subject: [PATCH 3/7] perf: Upgrade to mongodb 7.1.0 (#10087) --- package-lock.json | 19 ++++++++++--------- package.json | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 43aa5750a6..7010b53b45 100644 --- a/package-lock.json +++ b/package-lock.json @@ -35,7 +35,7 @@ "lodash": "4.17.23", "lru-cache": "10.4.0", "mime": "4.0.7", - "mongodb": "7.0.0", + "mongodb": "7.1.0", "mustache": "4.2.0", "otpauth": "9.4.0", "parse": "8.3.0", @@ -14568,12 +14568,13 @@ } }, "node_modules/mongodb": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-7.0.0.tgz", - "integrity": "sha512-vG/A5cQrvGGvZm2mTnCSz1LUcbOPl83hfB6bxULKQ8oFZauyox/2xbZOoGNl+64m8VBrETkdGCDBdOsCr3F3jg==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-7.1.0.tgz", + "integrity": "sha512-kMfnKunbolQYwCIyrkxNJFB4Ypy91pYqua5NargS/f8ODNSJxT03ZU3n1JqL4mCzbSih8tvmMEMLpKTT7x5gCg==", + "license": "Apache-2.0", "dependencies": { "@mongodb-js/saslprep": "^1.3.0", - "bson": "^7.0.0", + "bson": "^7.1.1", "mongodb-connection-string-url": "^7.0.0" }, "engines": { @@ -32921,12 +32922,12 @@ "integrity": "sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==" }, "mongodb": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-7.0.0.tgz", - "integrity": "sha512-vG/A5cQrvGGvZm2mTnCSz1LUcbOPl83hfB6bxULKQ8oFZauyox/2xbZOoGNl+64m8VBrETkdGCDBdOsCr3F3jg==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-7.1.0.tgz", + "integrity": "sha512-kMfnKunbolQYwCIyrkxNJFB4Ypy91pYqua5NargS/f8ODNSJxT03ZU3n1JqL4mCzbSih8tvmMEMLpKTT7x5gCg==", "requires": { "@mongodb-js/saslprep": "^1.3.0", - "bson": "^7.0.0", + "bson": "^7.1.1", "mongodb-connection-string-url": "^7.0.0" }, "dependencies": { diff --git a/package.json b/package.json index d7585cad45..b72a93cb9e 100644 --- a/package.json +++ b/package.json @@ -45,7 +45,7 @@ "lodash": "4.17.23", "lru-cache": "10.4.0", "mime": "4.0.7", - "mongodb": "7.0.0", + "mongodb": "7.1.0", "mustache": "4.2.0", "otpauth": "9.4.0", "parse": "8.3.0", From 23b22916c215c019f434f09333fe6d6f7c5cf2e2 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 3 Mar 2026 13:54:48 +0000 Subject: [PATCH 4/7] chore(release): 9.4.1-alpha.2 [skip ci] ## [9.4.1-alpha.2](https://github.com/parse-community/parse-server/compare/9.4.1-alpha.1...9.4.1-alpha.2) (2026-03-03) ### Performance Improvements * Upgrade to mongodb 7.1.0 ([#10087](https://github.com/parse-community/parse-server/issues/10087)) ([bebf2fd](https://github.com/parse-community/parse-server/commit/bebf2fd62b51cfc35c271ad4c76b8f552f886ce8)) --- changelogs/CHANGELOG_alpha.md | 7 +++++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/changelogs/CHANGELOG_alpha.md b/changelogs/CHANGELOG_alpha.md index b9f3dfb296..90d7cc3179 100644 --- a/changelogs/CHANGELOG_alpha.md +++ b/changelogs/CHANGELOG_alpha.md @@ -1,3 +1,10 @@ +## [9.4.1-alpha.2](https://github.com/parse-community/parse-server/compare/9.4.1-alpha.1...9.4.1-alpha.2) (2026-03-03) + + +### Performance Improvements + +* Upgrade to mongodb 7.1.0 ([#10087](https://github.com/parse-community/parse-server/issues/10087)) ([bebf2fd](https://github.com/parse-community/parse-server/commit/bebf2fd62b51cfc35c271ad4c76b8f552f886ce8)) + ## [9.4.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.4.0...9.4.1-alpha.1) (2026-03-03) diff --git a/package-lock.json b/package-lock.json index 7010b53b45..9f2b927047 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "parse-server", - "version": "9.4.1-alpha.1", + "version": "9.4.1-alpha.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "parse-server", - "version": "9.4.1-alpha.1", + "version": "9.4.1-alpha.2", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { diff --git a/package.json b/package.json index b72a93cb9e..d4143337ef 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "parse-server", - "version": "9.4.1-alpha.1", + "version": "9.4.1-alpha.2", "description": "An express module providing a Parse-compatible API server", "main": "lib/index.js", "repository": { From 9a3dd4d2d55ad506348062b43a7fe42e22a57fe9 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Wed, 4 Mar 2026 00:15:38 +0000 Subject: [PATCH 5/7] fix: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction ([GHSA-vc89-5g3r-cmhh](https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh)) (#10088) --- spec/rest.spec.js | 135 +++++++++++++++++++++++++++++++++ src/Routers/FunctionsRouter.js | 8 ++ src/Routers/HooksRouter.js | 15 ++++ 3 files changed, 158 insertions(+) diff --git a/spec/rest.spec.js b/spec/rest.spec.js index 4d8f40a982..9e5a9858e4 100644 --- a/spec/rest.spec.js +++ b/spec/rest.spec.js @@ -1172,6 +1172,141 @@ describe('read-only masterKey', () => { done(); }); }); + + it('should throw when trying to create a hook function', async () => { + loggerErrorSpy.calls.reset(); + try { + await request({ + url: `${Parse.serverURL}/hooks/functions`, + method: 'POST', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + 'Content-Type': 'application/json', + }, + body: { functionName: 'readOnlyTest', url: 'https://example.com/hook' }, + }); + fail('should have thrown'); + } catch (res) { + expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN); + expect(res.data.error).toBe('Permission denied'); + } + }); + + it('should throw when trying to create a hook trigger', async () => { + loggerErrorSpy.calls.reset(); + try { + await request({ + url: `${Parse.serverURL}/hooks/triggers`, + method: 'POST', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + 'Content-Type': 'application/json', + }, + body: { className: 'MyClass', triggerName: 'beforeSave', url: 'https://example.com/hook' }, + }); + fail('should have thrown'); + } catch (res) { + expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN); + expect(res.data.error).toBe('Permission denied'); + } + }); + + it('should throw when trying to update a hook function', async () => { + // First create the hook with the real master key + await request({ + url: `${Parse.serverURL}/hooks/functions`, + method: 'POST', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': Parse.masterKey, + 'Content-Type': 'application/json', + }, + body: { functionName: 'readOnlyUpdateTest', url: 'https://example.com/hook' }, + }); + loggerErrorSpy.calls.reset(); + try { + await request({ + url: `${Parse.serverURL}/hooks/functions/readOnlyUpdateTest`, + method: 'PUT', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + 'Content-Type': 'application/json', + }, + body: { url: 'https://example.com/hacked' }, + }); + fail('should have thrown'); + } catch (res) { + expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN); + expect(res.data.error).toBe('Permission denied'); + } + }); + + it('should throw when trying to delete a hook function', async () => { + // First create the hook with the real master key + await request({ + url: `${Parse.serverURL}/hooks/functions`, + method: 'POST', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': Parse.masterKey, + 'Content-Type': 'application/json', + }, + body: { functionName: 'readOnlyDeleteTest', url: 'https://example.com/hook' }, + }); + loggerErrorSpy.calls.reset(); + try { + await request({ + url: `${Parse.serverURL}/hooks/functions/readOnlyDeleteTest`, + method: 'PUT', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + 'Content-Type': 'application/json', + }, + body: { __op: 'Delete' }, + }); + fail('should have thrown'); + } catch (res) { + expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN); + expect(res.data.error).toBe('Permission denied'); + } + }); + + it('should throw when trying to run a job with readOnlyMasterKey', async () => { + Parse.Cloud.job('readOnlyTestJob', () => {}); + loggerErrorSpy.calls.reset(); + try { + await request({ + url: `${Parse.serverURL}/jobs/readOnlyTestJob`, + method: 'POST', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + 'Content-Type': 'application/json', + }, + body: {}, + }); + fail('should have thrown'); + } catch (res) { + expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN); + expect(res.data.error).toBe('Permission denied'); + } + }); + + it('should allow reading hooks with readOnlyMasterKey', async () => { + const res = await request({ + url: `${Parse.serverURL}/hooks/functions`, + method: 'GET', + headers: { + 'X-Parse-Application-Id': Parse.applicationId, + 'X-Parse-Master-Key': 'read-only-test', + }, + }); + expect(Array.isArray(res.data)).toBe(true); + }); }); describe('rest context', () => { diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js index f116cdc9a8..bfeed577ca 100644 --- a/src/Routers/FunctionsRouter.js +++ b/src/Routers/FunctionsRouter.js @@ -8,6 +8,7 @@ import { promiseEnforceMasterKeyAccess, promiseEnsureIdempotency } from '../midd import { jobStatusHandler } from '../StatusHandler'; import _ from 'lodash'; import { logger } from '../logger'; +import { createSanitizedError } from '../Error'; function parseObject(obj, config) { if (Array.isArray(obj)) { @@ -62,6 +63,13 @@ export class FunctionsRouter extends PromiseRouter { } static handleCloudJob(req) { + if (req.auth.isReadOnly) { + throw createSanitizedError( + Parse.Error.OPERATION_FORBIDDEN, + "read-only masterKey isn't allowed to run a job.", + req.config + ); + } const jobName = req.params.jobName || req.body?.jobName; const applicationId = req.config.applicationId; const jobHandler = jobStatusHandler(req.config); diff --git a/src/Routers/HooksRouter.js b/src/Routers/HooksRouter.js index 104ef799c2..5123efc381 100644 --- a/src/Routers/HooksRouter.js +++ b/src/Routers/HooksRouter.js @@ -1,6 +1,7 @@ import { Parse } from 'parse/node'; import PromiseRouter from '../PromiseRouter'; import * as middleware from '../middlewares'; +import { createSanitizedError } from '../Error'; export class HooksRouter extends PromiseRouter { createHook(aHook, config) { @@ -12,6 +13,13 @@ export class HooksRouter extends PromiseRouter { } handlePost(req) { + if (req.auth.isReadOnly) { + throw createSanitizedError( + Parse.Error.OPERATION_FORBIDDEN, + "read-only masterKey isn't allowed to create a hook.", + req.config + ); + } return this.createHook(req.body || {}, req.config); } @@ -82,6 +90,13 @@ export class HooksRouter extends PromiseRouter { } handlePut(req) { + if (req.auth.isReadOnly) { + throw createSanitizedError( + Parse.Error.OPERATION_FORBIDDEN, + "read-only masterKey isn't allowed to modify a hook.", + req.config + ); + } var body = req.body || {}; if (body.__op == 'Delete') { return this.handleDelete(req); From 3db8b8ebbfe4c84354cdc772187bea29dc204153 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 4 Mar 2026 00:16:42 +0000 Subject: [PATCH 6/7] chore(release): 9.4.1-alpha.3 [skip ci] ## [9.4.1-alpha.3](https://github.com/parse-community/parse-server/compare/9.4.1-alpha.2...9.4.1-alpha.3) (2026-03-04) ### Bug Fixes * Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction ([GHSA-vc89-5g3r-cmhh](https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh)) ([#10088](https://github.com/parse-community/parse-server/issues/10088)) ([9a3dd4d](https://github.com/parse-community/parse-server/commit/9a3dd4d2d55ad506348062b43a7fe42e22a57fe9)) --- changelogs/CHANGELOG_alpha.md | 7 +++++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/changelogs/CHANGELOG_alpha.md b/changelogs/CHANGELOG_alpha.md index 90d7cc3179..d76f1404a1 100644 --- a/changelogs/CHANGELOG_alpha.md +++ b/changelogs/CHANGELOG_alpha.md @@ -1,3 +1,10 @@ +## [9.4.1-alpha.3](https://github.com/parse-community/parse-server/compare/9.4.1-alpha.2...9.4.1-alpha.3) (2026-03-04) + + +### Bug Fixes + +* Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction ([GHSA-vc89-5g3r-cmhh](https://github.com/parse-community/parse-server/security/advisories/GHSA-vc89-5g3r-cmhh)) ([#10088](https://github.com/parse-community/parse-server/issues/10088)) ([9a3dd4d](https://github.com/parse-community/parse-server/commit/9a3dd4d2d55ad506348062b43a7fe42e22a57fe9)) + ## [9.4.1-alpha.2](https://github.com/parse-community/parse-server/compare/9.4.1-alpha.1...9.4.1-alpha.2) (2026-03-03) diff --git a/package-lock.json b/package-lock.json index 9f2b927047..f342d530f9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "parse-server", - "version": "9.4.1-alpha.2", + "version": "9.4.1-alpha.3", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "parse-server", - "version": "9.4.1-alpha.2", + "version": "9.4.1-alpha.3", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { diff --git a/package.json b/package.json index d4143337ef..1202a39653 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "parse-server", - "version": "9.4.1-alpha.2", + "version": "9.4.1-alpha.3", "description": "An express module providing a Parse-compatible API server", "main": "lib/index.js", "repository": { From 746f6412ac28b244289fff52b9ab4d8b1db701a8 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 4 Mar 2026 00:23:56 +0000 Subject: [PATCH 7/7] empty commit to trigger CI