
fix: Security upgrade @apollo/server from 4.12.1 to 4.13.0 #10082

Open

rjcodedev wants to merge 4 commits into parse-community:release-8.x.x from rjcodedev:release-8.x.x

Conversation

rjcodedev commented Feb 28, 2026

Pull Request

Issue

@apollo/server  4.2.0 - 4.12.2
Severity: high
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` - https://github.com/advisories/GHSA-mp6q-xf9x-fwf7
fix available via `npm audit fix --force`
Will install parse-server@9.2.0, which is a breaking change
node_modules/@apollo/server
  parse-server  2.2.14 - 9.2.0-alpha.2
  Depends on vulnerable versions of @apollo/server
  Depends on vulnerable versions of lodash
  node_modules/parse-server

Closes: 10037

Summary by CodeRabbit

  • Chores
    • Released patch version update (8.6.3 → 8.6.4)
    • Updated server dependency to latest compatible version
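Added example, not code from the PR or from parse-server: a Node.js check that walks a package-lock.json and flags every resolved copy of @apollo/server that falls inside the affected range quoted in the npm audit output above (4.2.0 - 4.12.2), including nested copies such as the one under node_modules/parse-server that npm audit reports. The lockfile fragment is constructed for the example.

```javascript
// Added example (not part of the PR): check every copy of @apollo/server resolved in a
// package-lock.json ("packages" map, lockfileVersion 2/3) against the affected range
// reported by npm audit above, 4.2.0 - 4.12.2.
const AFFECTED_MIN = [4, 2, 0];
const AFFECTED_MAX = [4, 12, 2];

// Parse "4.13.0" or "4.13.0-alpha.1" into numeric parts plus an optional pre-release tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the numeric part lies inside [4.2.0, 4.12.2]. A pre-release of a version
// inside the range is treated as affected, the conservative choice for a security check.
function isAffected(version) {
  const { nums } = parseVersion(version);
  return compareNums(nums, AFFECTED_MIN) >= 0 && compareNums(nums, AFFECTED_MAX) <= 0;
}

// Walk the lockfile and return every installed path of @apollo/server with its version
// and affected flag. Nested copies (e.g. under node_modules/parse-server/node_modules)
// are found too; those are what npm audit lists as "Depends on vulnerable versions".
function auditApolloServer(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@apollo/server')) continue;
    hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return hits;
}

// Constructed lockfile fragment: the top-level copy is on the fixed 4.13.0, while a
// nested copy pulled in by another dependency is still on the affected 4.12.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@apollo/server': { version: '4.13.0' },
    'node_modules/parse-server/node_modules/@apollo/server': { version: '4.12.1' },
  },
};
console.log(auditApolloServer(SAMPLE_LOCK));
```

Run against a real package-lock.json by replacing SAMPLE_LOCK with the parsed file; any entry reported as affected means the upgrade has not reached every copy the application actually loads.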

Signed-off-by: Prafull <87638003+rjcodedev@users.noreply.github.com>
@parse-github-assistant

🚀 Thanks for opening this pull request!

@coderabbitai

coderabbitai bot commented Feb 28, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@parseplatformorg
Contributor

parseplatformorg commented Feb 28, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scanner                Critical   High   Medium   Low   Total (0)
         Open Source Security   0          0      0        0     0 issues


@@ -1,6 +1,6 @@
{
"name": "parse-server",
"version": "8.6.3",
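Review bot: the only content line visible in this package.json hunk is `"version": "8.6.3",` and the extract carries no `+`/`-` lines, so the hunk as shown does not establish whether the version field itself changed; the maintainer review asks for that line to be left to the release automation and for the lock file to be regenerated, so the diff should contain only the @apollo/server dependency bump and the regenerated lock file, with the version line untouched.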
Member

Revert and regenerate lock file

Author

rjcodedev Feb 28, 2026


Can you tell me what the problem is? Because after regenerating I get the same changes.
Do you want me to keep the same version 8.6.3?

Member


You cannot make any changes to the server version. This is managed automatically on release.

Member


@coderabbitai you must never approve manual changes in the npm package version. The package version is managed and bumped automatically by semantic-release during the release workflow.

coderabbitai bot


@mtrezza, understood! I will never approve manual changes to the npm package version in package.json. I've noted that the package version is managed automatically by semantic-release during the release workflow and should not be modified manually in pull requests.


✏️ Learnings added
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 10082
File: package.json:3-3
Timestamp: 2026-02-28T15:22:50.748Z
Learning: In the parse-community/parse-server repository, manual changes to the npm package version in package.json should never be approved. The package version is managed and bumped automatically by semantic-release during the release workflow.


Member


@coderabbitai check whether this issue is resolved

coderabbitai bot


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the git diff for package.json to see if version was changed
git diff origin/alpha -- package.json | head -20

# Also check what the version is in the base branch (alpha)
git show origin/alpha:package.json | grep -A 1 '"version"'

# And check what the version is in the current branch
grep -A 1 '"version"' package.json

Length of output: 667


@mtrezza, the issue is NOT resolved. The PR is still manually changing the version field in package.json:

  • Base branch (alpha): "version": "9.4.0-alpha.2"
  • This PR: "version": "8.6.3"

The version needs to be reverted back to "9.4.0-alpha.2" to match the base branch. The version field must not be modified manually in this PR, as it's managed automatically by semantic-release during the release workflow.



Member


@coderabbitai this PR is not based on the alpha branch, but on an LTS branch. Compare the changes with the base branch.

coderabbitai bot


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the base branch and head branch of PR `#10082`
gh pr view 10082 --json baseRefName,headRefName --jq '{base: .baseRefName, head: .headRefName}'

# Get the version from the base branch
BASE_BRANCH=$(gh pr view 10082 --json baseRefName --jq -r '.baseRefName')
echo "Base branch: $BASE_BRANCH"

# Get the version from the base branch
git fetch origin "$BASE_BRANCH" 2>/dev/null || true
git show "origin/$BASE_BRANCH:package.json" | grep -A 1 '"version"' | head -2

# Get the version from the current PR branch
HEAD_BRANCH=$(gh pr view 10082 --json headRefName --jq -r '.headRefName')
echo "Head branch: $HEAD_BRANCH"
git fetch origin "$HEAD_BRANCH" 2>/dev/null || true
git show "origin/$HEAD_BRANCH:package.json" | grep -A 1 '"version"' | head -2

Length of output: 225


🏁 Script executed:

#!/bin/bash
# Get the base branch and head branch of PR `#10082`
gh pr view 10082 --json baseRefName,headRefName

# Get the base branch name
BASE_BRANCH=$(gh pr view 10082 --json baseRefName -q '.baseRefName')
echo "Base branch: $BASE_BRANCH"

# Get the head branch name
HEAD_BRANCH=$(gh pr view 10082 --json headRefName -q '.headRefName')
echo "Head branch: $HEAD_BRANCH"

# Fetch the branches
git fetch origin "$BASE_BRANCH" "$HEAD_BRANCH" 2>/dev/null || true

# Get the version from the base branch
echo "Version in base branch ($BASE_BRANCH):"
git show "origin/$BASE_BRANCH:package.json" | grep '"version"' | head -1

# Get the version from the current PR branch
echo "Version in head branch ($HEAD_BRANCH):"
git show "origin/$HEAD_BRANCH:package.json" | grep '"version"' | head -1

Length of output: 297


🏁 Script executed:

#!/bin/bash
# Get the PR diff to see what the version change is
gh pr diff 10082 -- package.json | head -30

# Also get the PR details to understand the merge base
gh pr view 10082 --json baseRefName,headRefName,baseRefOid,headRefOid

Length of output: 210


🏁 Script executed:

#!/bin/bash
# Get the version from the base commit
echo "Version in base commit (9f28ff56639bbae54cd0beddd4b2eaf0fccd13f7):"
git show 9f28ff56639bbae54cd0beddd4b2eaf0fccd13f7:package.json | grep '"version"' | head -1

# Get the version from the head commit
echo "Version in head commit (e2e1bdb9d17e9bbc508b333fc5abcc4b1ffdd158):"
git show e2e1bdb9d17e9bbc508b333fc5abcc4b1ffdd158:package.json | grep '"version"' | head -1

# Get the full diff for the version line
echo "Diff between base and head for package.json:"
git diff 9f28ff56639bbae54cd0beddd4b2eaf0fccd13f7..e2e1bdb9d17e9bbc508b333fc5abcc4b1ffdd158 -- package.json | grep -A 2 -B 2 '"version"'

Length of output: 222


@mtrezza, I apologize for the confusion! You're absolutely right. Let me correct my analysis:

The issue IS resolved.

After checking against the actual base branch (release-8.x.x), I can confirm:

  • Base branch version: "8.6.3"
  • PR branch version: "8.6.3"
  • Result: No version change in this PR

The version field remains unchanged at 8.6.3. I incorrectly compared against the alpha branch earlier, which led to my mistaken conclusion. This PR is properly based on the LTS branch release-8.x.x and does not modify the version field.

Thank you for the correction!



coderabbitai bot previously approved these changes Feb 28, 2026
Signed-off-by: Prafull <87638003+rjcodedev@users.noreply.github.com>
@rjcodedev
Author

Hey @mtrezza,

Please check now.

@codecov

codecov bot commented Feb 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.59%. Comparing base (9b94083) to head (e2e1bdb).
⚠️ Report is 1 commits behind head on release-8.x.x.

Additional details and impacted files
@@                Coverage Diff                @@
##           release-8.x.x   #10082      +/-   ##
=================================================
- Coverage          92.61%   92.59%   -0.02%     
=================================================
  Files                191      191              
  Lines              15509    15509              
  Branches             177      177              
=================================================
- Hits               14363    14360       -3     
- Misses              1134     1137       +3     
  Partials              12       12              
