New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency parse [security] #37

Open

renovate wants to merge 1 commit into master from renovate/npm-parse-vulnerability

renovate bot commented Aug 21, 2020 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
parse (source)	`^1.11.0` -> `^1.11.0 \|\| ^5.0.0`
parse (source)	`1.11.0` -> `2.10.0`

GitHub Vulnerability Alerts

GHSA-wvh7-5p38-2qfc

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

Example Code:

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.

Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0

Release Notes

parse-community/Parse-SDK-JS (parse)

`v5.3.0`

Bug Fixes

Parse.Object.get returns array instead of object if key name is number-like (#2201) (5921ba2)

Features

Add support for Node 22 (#2209) (c74fd4c)

`v5.2.0`

Bug Fixes

LiveQueryClient.resubscribe with Parse Server 7 causes many open connections (#2184) (71b4d17)
Parse.Installation not working when installation is deleted on server (#2126) (22360b4)
Dot notation on JSON arrays doesn't work on PushStatus offset fields (#2194) (e0eb6f0)
Duplicate pending operations on nested fields (#2162) (df6df7c)

Features

Support dot notation on array fields (#2120) (25ec684)

`v5.1.0`

Bug Fixes

Parse.GeoPoint.current returns undefined (#2127) (3860535)
Chrome browser console warning about unsafe header access-control-expose-headers when calling Cloud Function (#2095) (7b73c03)
Live Query not working on Expo React Native (#2109) (7a89665)
Local datastore throws error when Parse.Query.notEqualTo is set to null (#2102) (6afd32a)
Multiple object updates of nested keys overwrite each other (#1451) (fa4341a)
Pending updates to nested field causes ParseObject.toJSON() to return incorrect object (#1453) (23cc573)
Remove circular dependencies (#2125) (b415165)

Features

Add password validation for user with unverified email via Parse.User.verifyPassword using master key and option ignoreEmailVerification: true (#2076) (b0adf7e)
Add support for setting Parse.ACL from json (#2097) (72bc9ac)
Allow setting custom queue for handling offline operations via Parse.EventuallyQueue (#2106) (f92e4d4)
Improve installation object Parse.Installation.currentInstallation to support web push notifications (#2119) (4fc62ce)
Lazy load Parse.CoreManager controllers to add support for swappable CryptoController, LocalDatastoreController, StorageController, WebSocketController, ParseLiveQuery (#2100) (fbd0ab1)

`v5.0.0`

Bug Fixes

Calling Parse.Object.relation.add multiple times adds only the first object (#2078) (0f98117)

Features

Add comment to MongoDB query via Parse.Query.comment (#2088) (a970913)
Add compatibility with Parse Server 7 (#2089) (86600bc)
Add support for Node 20, remove support for Node 14 and 16 (#2063) (74eb4d5)

BREAKING CHANGES

Parse JS SDK 5 requires Parse Server 7 and is incompatible with Parse Server 6. (86600bc)
Removes support for Node 14 and 16. (74eb4d5)

`v4.3.1`

Bug Fixes

Connection failure in Parse.Object.saveEventually and Parse.Object.destroyEventually not handled on custom Parse.Error.CONNECTION_FAILURE message (#2032) (4da3ebc)
Docs fail with Cannot find module 'taffydb' (#2036) (dc91d0f)
Error in web context when window.indexedDB API is available but protected (#2039) (360981f)
Security upgrade browserify-sign from 4.2.1 to 4.2.2 (#2043) (fd50b9d)
Security upgrade crypto-js from 4.1.1 to 4.2.0 (#2042) (681fbdf)

`v4.3.0`

Bug Fixes

ParseUser.linkWith doesn't remove anonymous auth data (#2007) (7e2585c)
Hard-coding of react-native path does not work for workspace builds (#1930) (8222f3c)

Features

Add Bytes type to Parse.Schema (#2001) (343d0d7)
Add Cloud Code context accessibility to ParseUser.logIn (#2010) (2446007)
Add support for custom EventEmitter (#1999) (ca568a6)
Add support for excluding keys in ParseQuery.findAll (#2000) (012ba4c)
Add support to invoke a Cloud Function with a custom installationId via Parse.Cloud.run (#1939) (eb70b93)
Allow overriding Parse.Error message with custom message via new Core Manager option PARSE_ERRORS (#2014) (be0c8a6)
Login with username, password and additional authentication data via ParseUser.logInWithAdditionalAuth (#1955) (2bad411)

`v4.2.0`

Bug Fixes

Parse.File.cancel starts new attempt to save file (#1781) (b755e42)

Features

Add Parse.User.loginAs (#1875) (381fcfc)
Add ParseQuery.watch to trigger LiveQuery only on update of specific fields (#1839) (7479343)

`v4.1.0`

Bug Fixes

LiveQuerySubscription.unsubscribe resolves promise before unsubscribing completes (#1727) (1c96205)
Node engine version upper range is <19 despite Node 19 support (#1732) (febe187)
Saving a new Parse.Object with an unsaved Parse.File fails (#1662) (16535a4)

Features

LiveQueryClient.close returns promise when WebSocket closes (#1735) (979d660)
Upgrade Node Package Manager lock file package-lock.json to version 2 (#1729) (e993786)

`v4.0.1`

Bug Fixes

Local datastore query with containedIn not working when field is an array (#1666) (2391bff)
Request execution time keeps increasing over time when using Parse.Object.extend (#1682) (f555c43)

`v4.0.0`

Bug Fixes

Parse.Query.subscribe() does not return a rejected promise on error in Cloud Code Triggers beforeConnect or beforeSubscribe (#1490) (96d7174)
Remove support for Node <14 (#1603) (bc04b4b)

Features

Add Node 16 and 18 support (#1598) (2c79a31)
Add node 19 support (8ed0fab)
Add Node 19 support (#1643) (dfb5196)

Performance Improvements

Avoid CORS preflight request by removing upload listener when not used (#1610) (6125419)

BREAKING CHANGES

Calling Parse.Query.subscribe() will now return a rejected promise if an error is thrown in Cloud Code Triggers beforeConnect or beforeSubscribe; in previous releases a resolved promise was returned, even if subscribing failed and it was necessary to create an error.on listener to handle these errors (#1490) (96d7174)
This release removes support for Node versions <14 (bc04b4b)

`v3.5.1`

Bug Fixes

File upload fails when uploading base64 data (#1578) (03ee3ff)
React Native build does not maintain arrow functions and causes error with AsyncStorage (#1587) (8aeaa4f)
SDK builds incorrectly since release 3.5.0 causing various bugs (#1600) (f15154f)

`v3.5.0`

Warning

⚠️ This release contains several bugs due to a code compilation issue. We strongly recommend to skip this release.

Bug Fixes

Parse.User.signUp() does not pass context to Cloud Code (#1527) (53edcfd)
Schema.addField does not correctly add value of type Date (#1544) (15111f7)
creating a Parse.File with base64 string fails for some encodings (#1517) (0439862)
initialization fails in non-browser environment that doesn't support indexedDB (#1569) (3560a5e)
remove base64 validation due to validation inefficiency (#1543) (473949d)

Features

add json option to Parse.Query.each() (#1539) (89fd5ec)
add json option to query.each (299fb0d)
generate Parse.Object.objectId automatically when allowCustomObjectId is enabled and no objectId is passed (#1540) (68f3ff5)
localDatastore support for unsorted distance queries (#1570) (ea3e75f)

`v3.4.4`

Bug Fixes

subscription to a LiveQuery containing ParseQuery.select overrides properties (#1488) (b80eee4)

`v3.4.3`

Bug Fixes

creating a Parse.File with base64 string fails for some file types (#1467) (c07d6c9)
invalid name for Parse.Role throws incorrect error (#1481) (8326a6f)

`v3.4.2`

Bug Fixes

security upgrade moment from 2.29.1 to 2.29.2 (#1472) (893c2a5)

`v3.4.1`

Bug Fixes

upgrade idb-keyval from 5.0.6 to 6.0.3 (#1397) (922a6db)

`v3.4.0`

Bug Fixes

update parse server dependency branch; recreate package lock (#1424) (38455ef)
upgrade @babel/runtime from 7.14.8 to 7.15.3 (#1404) (8cb321c)

Features

add options to enable polling and set the polling interval; fixes excessive polling (#1419) (0f804b8)

`v3.3.1`

3.3.1

Fixes

Upgraded crypto-js dependency for compatibility with webpack in Parse Dashboard

`v3.3.0`

Improvements

Improve support for nested keys (#1364)
Doc improvement (#1349)
Add npm version ci check (#1345)
Added an error code for geospatial index failures (#1342)
Added date support to OfflineQuery class (#1344)

Fixes

Fix react native build (#1381)
Fix weapp uuid error (#1356)
Fix EventEmitter undefined on React Native 0.64 (#1351)

`v3.2.0`

Breaking Changes

Remove deletion of Anonymous User on logout (#1324)
See https://community.parseplatform.org/t/anonymous-user-destroyed-on-logout/1425

Improvements

Allow multiple classNames for Parse.Object.registerSubclass (#1315)

const classNames = ['ClassOne', 'ClassTwo', 'ClassThree'];
for (const className of classNames) {
  Parse.Object.registerSubclass(className, CustomClass);
}

Fixes

Fixes build for WeChat WeApp, to reduce package size, see issue/#1331

`v3.1.0`

Breaking Changes
Parse.Push.send will now return the pushStatusId instead of { result: true }

Features

Add Server Health Check Parse.getServerHealth() (#1307)
Allow saving with custom objectId Parse.allowCustomObjectId = true (#1309)
Parse.Push.send now returns pushStatusId (#1302)
Add Parse.Push.getPushStatus (#1302)

Improvements

Add modifiers to query.startsWith (#1306)
Add modifiers to query.endsWith (#1306)

Fixes

EventuallyQueue now polls against /health endpoint, caused 403 forbidden side effect (#1305)
Allow nested increment on undefined fields (#1303)
Handle increment on nested fields any level deep (#1301)

`v3.0.0`

Breaking Changes
For security purposes, logIn will default to POST instead of GET method. (#1284)

If you need to use GET set the usePost option to false.
Parse.User.logIn('username', 'password', { usePost: false })

Features

Add EventuallyQueue API, object.saveEventually, object.destroyEventually (#1291)
Add Parse.CLP Object to control ClassLevelPermissions (#1145)
Add option { json: true } on queries (#1294)
Add IndexedDB Storage Controller (#1297)
Add Parse.User.isCurrentAsync() for async storage (#1298)

Improvements

Add useMasterKey option to Parse.File.destroy() (#1285)
User management on React-Native (#1298)
Parse.Schema.addField accepts Pointer and Relation types (#1281)

Fixes

Allow connect to LiveQuery with null fields (#1282)
fromJSON: Return date if value is type Date (#1293)
fromJSON: Allow keys to dirty, allows save fromJSON (#1295)

`v2.19.0`

Features

New error code 210 (MFA_ERROR) (#1268)
New error code 211 (MFA_TOKEN_REQUIRED) (#1268)
New error code 161 (FILE_DELETE_UNNAMED_ERROR) (#1257)

Improvements

Parse.File.destroy without name error message (#1257)

Fixes

Remove unnecessary object reference and comment from AddUniqueOp (#1253)
Internal Referencing for Increment Dot Notation (#1255)
Saving for Increment Dot Notation (#1219)

`v2.18.0`

Features

Support query.findAll() (#1233)

Improvements

Pass objects into query.equalTo / query.notEqualTo (#1235)
Improving legacy initialization setters/getters (#1237)
Remove deprecated backbone options from Parse.Push (#1238)
Code Coverage and Unit Tests (#1241)

Fixes

Prevent crashing LiveQueryClient if emitter error is not set (#1241)
Handle LiveQuery subscription socket error (#1241)
Set WeChat socket handlers before connecting (#1241)
Parse.Installation validating attribute error (#1241)

`v2.17.0`

Improvements

User LogIn with usePost option (#1229)

`v2.16.0`

Idempotency enforcement for client requests. This deduplicates requests where the client intends to send one request to Parse Server but due to network issues the server receives the request multiple times.
(Parse-Server 4.3.0+)
Caution, this is an experimental feature that may not be appropriate for production.

To enable use either of the following:

Parse.CoreManager.set('IDEMPOTENCY', true)
Parse.idempotency = true

Features

Idempotency Request (#1210) (parse-server/6748)

Improvements

Allow Pin of unsaved objects in LocalDatastore (#1225)

Fixes

crypto-js crashing React Native (#1218)
Schema mismatch error on add / remove empty array on Relation (#1222)
query.select error on null fields (#1223)

`v2.15.0`

Features

New Parse.Error 159 DUPLICATE_REQUEST (#1189)

Fixes

Live Query Subscription Error Event (#1193)

`v2.14.0`

New Features

Passing context in destroy, saveAll, get, find hooks. (#1159)
Support using aggregate on top of constructed query (#1170)

Improvements

Performance improvement for Query.eachBatch (#1179)

Fixes

Fix context for cascade saving (#1186)

`v2.13.0`

New Features

Add Email Verification to Parse.User (#1144)
Add Verify Password to Parse.User (#1144)

Improvements

Add read preference for aggregate query (#1143)
Add file progress type (upload/download) (#1140)
Add context to Parse.Object.save (#1150)

Fixes

File upload progress (#1133)
Live Query Subscription Open Event (#1151)

`v2.12.0`

New Features

Support Parse.Query hint (#1054)
Support Parse.Query eachBatch (#1114)
Support Parse.Object decrement (#1069)
Support deleting Parse.File (#1067)
Support File Metadata (#1065) (#1070)

Improvements

Support global request batch size (#1053)
Username signup error (#1080)
Pass SaveAll options to Files (#1107)
Make iteration query methods (map, filter, reduce) returned promises (#1112)

Fixes

Fix user.become for AsyncStorage (#1056)
Subscribing to query with null sessionToken (#1058)
Fix addIndex annotation in Parse.Schema (#1071)
Fix cascadeSave=false bug for SingleInstance objects (#1078)
Fix react-native build (#1094)

`v2.11.0`

New Features

Support encrypting current user (#1036)
File Upload Progress on Wechat (#1029)

Improvements

Support query.cancel() on Node (#1030)

Fixes

File Upload Progress on browser (#1029)
User signup with installationId (#1031)

`v2.10.0`

New Features

Add query.fromNetwork() (#1002)
Add query.cancel() (browser only) (#1003)
Support custom request headers (#1019)

Fixes

To subclass Parse.User: Parse.Object.registerSubclass('_User', CustomUser);

Security

Address Security Advisory of possible leak of sensitive user info. (#d110617), big thanks to Colin Ulin for identifying the problem, following the vulnerability disclosure guidelines

`v2.9.1`

Fixes

Storing user to disk (#992) (#999)

`v2.9.0`

Deprecation
_linkWith and _logInWith are deprecated. Replace with linkWith and logInWith respectively. (#963)

New Features

Set Class Level Permission via Parse.Schema (#960)
Set required fields and default values via Parse.Schema (#961)
Add installationId to LiveQuery (#977)
Add response object to LiveQuery (#979)
Support query.map, query.filter, query.reduce (#987)

Fixes

Can unlink without provider in cloud code (#971)
Properly store User Subclass in Storage (#978)

Improvements

User subclass support for logInWith, hydrate, me, current (#968)
Remove unused options from Parse.Schema (#959)
Documentation for linking users and custom auth (#963)
Generate installationId as uuid v4 (#972)
Reuse StorageController for LDS (#984)
LiveQuery reconnect on server error (#977)

`v2.8.0`

New Features

Parse.File save cancel (#948)
Parse.File getData cancel (#951)

Fixes

React Native Emitter module (#946)
Parse.Schema deleteIndex, deleteField returns Parse.Schema (#949)

Improvements

Compiling on Windows (#947)
Generate _localId as UUID (#956)

`v2.7.1`

New Features

Support for ParseConfig.save with masterKeyOnlyFlags option (#910) (Requires Parse-Server 3.8.0+)
Support for ParseConfig.get with useMasterKey option (#907)

`v2.7.0`

New Features

Support for ParseObject.fetchAllIfNeededWithInclude (#900)
Support for ParseObject.exists (#898)
Support for ParseObject.save with cascadeSave option (#881)

Fixes

ParseUser.become should return subclass (#897)
Ensure LiveQuery subscribes before returning subscription (#878)

Improvements

Remove deprecated @babel/polyfill (#877)

`v2.6.0`

New Features:
- Support configurable WebSocketController (#64f359a)
- Support for WeChat Mini Program (#874)
- Support withCount query constraint (#868)

Improvements:
- Fix SERVER_RENDERING environment variable (#873)

`v2.5.1`

Update NPM credentials

`v2.4.0`

New Features:

LocalDatastore: Support Users (#801)
LiveQuery subscribe with sessionToken (#791)

Improvements:

LocalDatastore: Improve pinning unsaved objects (#795)
LocalDatastore: Improve error handling (#803)

Dependency Updates:

[email protected]

Development Dependency Updates:

`v2.3.2`

Improvements:

Support getData from Parse.File (#780)
Parse.FacebookUtils logIn and link support MasterKey and SessionToken options (#779)

Fixes:

Remove node modules http and https from React-Native build (#776)

`v2.3.1`

Improvements:

_linkWith and _unlinkFrom support MasterKey and SessionToken options (#767)

Fixes:

File uri upload for Browser / React-Native (#765)

Miscellaneous:

Correct homepage in package.json (#9e198b3)
Add Issues template for opening GitHub Issue (#760)
Add Public email address to satisfy an npmjs requirement (#764)

`v2.3.0`

Breaking Changes:

query.subscribe() and unsubscribe()returns Promise.

Improvements:

LocalDatastore fixes for React-Native (#753)
LocalDatastore update from Server (#734)
Support for Anonymous Users (#750)
File upload via uri (#749)
Add support to secured endpoints throught Authorization header (#358)
Remove authResponse in FacebookUtils (#728)
UserSubclass.logIn and UserSubclass.signUp returns subclass (#756)
Subscribe to multiple LiveQuery subscriptions (#758)

`v2.2.1`

Fixes:

Addresses critical issue with babel runtime regenerator (#740)

`v2.2.0`

Support for Local Datastore (#612)
LiveQuery override data on update (#718) (Requires Parse-Server 3.1.3+)
Support setting user from JSON (hydrate) (#730)
Improve dot notation for updating nested objects (#729)
LiveQuery handle unset operation (#714) (Requires Parse-Server 3.1.3+)
Add original object to LiveQuery events (#712) (Requires Parse-Server 3.1.3+)
Add support for providing file upload progress. (#373) (Browser Only)
Support clone with relation (#382)
Add batchSize to saveAll / destroyAll (#701)
Add save Method for Parse.Config (#684)
Allow specific keys to be reverted in unsaved objects (#565)
Handle undefined in Cloud Code (#682)
Validate if geopoint values is number (#671)
LiveQuery Support for Subclasses (#662)

`v2.1.0`

Parse.Error now inherits from Error

`v2.0.2`: 2.0.2

2.0.2

Fixes issue affecting unsubscribing from liveQueries (#640)
Adds support for aggregate stages with identical names (#637)
Adds ability to fetch an object with includes (#631)
Adds support for $nor operator in queries (#634)
Adds support for containedBy operator in queries (#633)
Adds support for includeAll (#632)

`v2.0.1`

Fixes an issue occurring when uploading files with ajax in SDK 2.0
Fixes an issue that prevented SDK 2.0 to properly function in a web environemnt

`v2.0.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 11c34f5 to 54bf8ae Compare

September 25, 2022 15:53

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 54bf8ae to 40ea771 Compare

August 6, 2024 09:39

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 40ea771 to 039895e Compare

October 9, 2024 11:36

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security]~~ chore(deps): update dependency parse [security]

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 039895e to bea46ca Compare

October 9, 2024 12:44

renovate bot changed the title ~~chore(deps): update dependency parse [security]~~ chore(deps): update dependency parse to v2 [security]

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from bea46ca to 4952854 Compare

October 28, 2024 14:52

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security]~~ chore(deps): update dependency parse [security]

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 4952854 to 950a80d Compare

October 28, 2024 15:39

renovate bot changed the title ~~chore(deps): update dependency parse [security]~~ chore(deps): update dependency parse to v2 [security]

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 950a80d to 6bc2d90 Compare

December 2, 2024 12:22

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security]~~ chore(deps): update dependency parse [security]

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from 6bc2d90 to e5d5687 Compare

December 2, 2024 17:44

renovate bot changed the title ~~chore(deps): update dependency parse [security]~~ chore(deps): update dependency parse to v2 [security]

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security]~~ chore(deps): update dependency parse to v2 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-parse-vulnerability branch

December 8, 2024 18:29

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security] - autoclosed~~ chore(deps): update dependency parse to v2 [security]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from bc8947a to e5d5687 Compare

December 8, 2024 23:21


          chore(deps): update dependency parse [security]

e49a138

renovate bot force-pushed the renovate/npm-parse-vulnerability branch from e5d5687 to e49a138 Compare

December 17, 2024 19:11

renovate bot changed the title ~~chore(deps): update dependency parse to v2 [security]~~ chore(deps): update dependency parse [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet