[Snyk] Security upgrade parse-server from 5.2.1 to 9.0.0#70
[Snyk] Security upgrade parse-server from 5.2.1 to 9.0.0#70
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14114940 - https://snyk.io/vuln/SNYK-JS-PARSE-13551630 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14125745 - https://snyk.io/vuln/SNYK-JS-BABELRUNTIMECOREJS3-9397696 - https://snyk.io/vuln/SNYK-JS-PARSE-13053302 - https://snyk.io/vuln/SNYK-JS-REQUEST-3361831 - https://snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14125097 - https://snyk.io/vuln/SNYK-JS-PARSESERVER-14423948
Summary of ChangesHello @skmezanul, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request, automatically generated by Snyk, aims to bolster the project's security by performing a significant upgrade of the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request, automatically generated by Snyk, upgrades parse-server from v5.2.1 to v9.0.0 to fix several security vulnerabilities. While this is an important security update, it's a major version jump that introduces significant breaking changes. The application will likely fail to start without manual intervention. Key issues include a new minimum Node.js version requirement (>=18.18.0) and a mandatory change in the database connection configuration, as databaseURI is deprecated. Please review the detailed comment for the necessary code modifications and consult the official parse-server migration guides before merging.
| "express": "4.18.1", | ||
| "parse": "3.4.2", | ||
| "parse-server": "5.2.1" | ||
| "parse-server": "9.0.0" |
There was a problem hiding this comment.
Upgrading parse-server from version 5.2.1 to 9.0.0 is a major update that includes several significant breaking changes. This automated upgrade by Snyk resolves security vulnerabilities but is very likely to break your application without manual code changes.
Here are some critical breaking changes you need to address:
-
Node.js Version Requirement:
parse-serverv9.0.0 requires Node.js version>= 18.18.0. Yourpackage.jsoncurrently specifies"node": ">=12.22.10 <19". You must update your runtime environment to a compatible Node.js version and update theenginesfield inpackage.jsonaccordingly to prevent deployment failures or runtime errors. -
Database Configuration: The
databaseURIconfiguration option for MongoDB was removed in Parse Server v7.0.0. You must migrate to usingdatabaseAdapter. Your current configuration inindex.jsusesdatabaseURIand will cause the server to fail on startup.You'll need to modify
index.jsto use thedatabaseAdapter. Here is an example:// In index.js const { MongoAdapter } = require('parse-server/lib/Adapters/Database/Mongo/MongoAdapter'); const config = { databaseAdapter: new MongoAdapter({ uri: databaseUri || 'mongodb://localhost:27017/dev', }), // ... other config };
-
Other Breaking Changes: There are many other breaking changes across versions 6, 7, 8, and 9. It is crucial to review the official migration guides for each major version to identify all potential issues and required updates. You can find the guide in the
parse-serverrepository (MIGRATION_GUIDE.md).
Given the extent of these changes, please carefully test your application after making the necessary updates.
Snyk has created this PR to fix 10 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-FORMDATA-10841150
SNYK-JS-NODEFORGE-14114940
SNYK-JS-PARSE-13551630
SNYK-JS-NODEFORGE-14125745
SNYK-JS-BABELRUNTIMECOREJS3-9397696
SNYK-JS-PARSE-13053302
SNYK-JS-REQUEST-3361831
SNYK-JS-TOUGHCOOKIE-5672873
SNYK-JS-NODEFORGE-14125097
SNYK-JS-PARSESERVER-14423948
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Predictable Value Range from Previous Values
🦉 Integer Overflow or Wraparound
🦉 More lessons are available in Snyk Learn