Merge branch 'upstream/alpha' into moumouls/sync-upstream

# Conflicts:
#	package-lock.json
#	package.json
#	spec/AuthenticationAdaptersV2.spec.js
#	src/cli/utils/runner.js

Author: Moumouls

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ on:
     paths-ignore:
       - '**/**.md'
 env:
-  NODE_VERSION: 20.12.0
+  NODE_VERSION: 22.4.1
   PARSE_SERVER_TEST_TIMEOUT: 20000
 jobs:
   check-code-analysis:
@@ -42,15 +42,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Cache Node.js modules
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-${{ matrix.NODE_VERSION }}-
-      - name: Install dependencies
+      - name: Install prod dependencies
         run: npm ci
+      - name: Remove dev dependencies
+        run: ./ci/uninstallDevDeps.sh @actions/core
       - name: CI Node Engine Check
         run: npm run ci:checkNodeEngine
   check-lint:
@@ -148,35 +143,39 @@ jobs:
           - name: MongoDB 4.2, ReplicaSet
             MONGODB_VERSION: 4.2.25
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: MongoDB 4.4, ReplicaSet
             MONGODB_VERSION: 4.4.29
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: MongoDB 5, ReplicaSet
             MONGODB_VERSION: 5.0.26
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: MongoDB 6, ReplicaSet
             MONGODB_VERSION: 6.0.14
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: MongoDB 7, ReplicaSet
             MONGODB_VERSION: 7.0.8
             MONGODB_TOPOLOGY: replset
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: Redis Cache
             PARSE_SERVER_TEST_CACHE: redis
             MONGODB_VERSION: 7.0.8
             MONGODB_TOPOLOGY: standalone
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
+          - name: Node 20
+            MONGODB_VERSION: 7.0.8
+            MONGODB_TOPOLOGY: standalone
+            NODE_VERSION: 20.15.1
           - name: Node 18
             MONGODB_VERSION: 7.0.8
             MONGODB_TOPOLOGY: standalone
-            NODE_VERSION: 18.20.0
+            NODE_VERSION: 18.20.4
       fail-fast: false
     name: ${{ matrix.name }}
-    timeout-minutes: 15
+    timeout-minutes: 20
     runs-on: ubuntu-latest
     services:
       redis:
@@ -213,36 +212,37 @@ jobs:
       - name: Upload code coverage
         uses: codecov/codecov-action@v4
         with:
-          fail_ci_if_error: true
+          # Set to `true` once codecov token bug is fixed; https://github.com/parse-community/parse-server/issues/9129
+          fail_ci_if_error: false
           token: ${{ secrets.CODECOV_TOKEN }}
   check-postgres:
     strategy:
       matrix:
         include:
           - name: PostgreSQL 13, PostGIS 3.1
             POSTGRES_IMAGE: postgis/postgis:13-3.1
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.2
             POSTGRES_IMAGE: postgis/postgis:13-3.2
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.3
             POSTGRES_IMAGE: postgis/postgis:13-3.3
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 13, PostGIS 3.4
             POSTGRES_IMAGE: postgis/postgis:13-3.4
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 14, PostGIS 3.4
             POSTGRES_IMAGE: postgis/postgis:14-3.4
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 15, PostGIS 3.4
             POSTGRES_IMAGE: postgis/postgis:15-3.4
-            NODE_VERSION: 20.12.0
+            NODE_VERSION: 22.4.1
           - name: PostgreSQL 16, PostGIS 3.4
-            POSTGRES_IMAGE: postgis/postgis:15-3.4
-            NODE_VERSION: 20.12.0
+            POSTGRES_IMAGE: postgis/postgis:16-3.4
+            NODE_VERSION: 22.4.1
       fail-fast: false
     name: ${{ matrix.name }}
-    timeout-minutes: 15
+    timeout-minutes: 20
     runs-on: ubuntu-latest
     services:
       redis:
@@ -288,8 +288,10 @@ jobs:
       - name: Upload code coverage
         uses: codecov/codecov-action@v4
         with:
-          fail_ci_if_error: true
+          fail_ci_if_error: false
           token: ${{ secrets.CODECOV_TOKEN }}
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/release-automated.yml

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 18.20.0
+          node-version: 20
           registry-url: https://registry.npmjs.org/
       - name: Cache Node.js modules
         uses: actions/cache@v4

.nvmrc

@@ -1,2 +1 @@
-10.14.2
-
+20.15.0

release.config.js .releaserc.jsrelease.config.js renamed to .releaserc.js

@@ -2,8 +2,13 @@
  * Semantic Release Config
  */
 
-const fs = require('fs').promises;
-const path = require('path');
+const { readFile } = require('fs').promises;
+const { resolve } = require('path');
+
+// For ES6 modules use:
+// import { readFile } from 'fs/promises';
+// import { resolve, dirname } from 'path';
+// import { fileURLToPath } from 'url';
 
 // Get env vars
 const ref = process.env.GITHUB_REF;
@@ -24,7 +29,7 @@ const templates = {
 async function config() {
 
   // Get branch
-  const branch = ref.split('/').pop().split('-')[0];
+  const branch = ref?.split('/')?.pop()?.split('-')[0] || '(current branch could not be determined)';
   console.log(`Running on branch: ${branch}`);
 
   // Set changelog file
@@ -89,7 +94,7 @@ async function config() {
       [
         "@saithodev/semantic-release-backmerge",
         {
-          "branches": [
+          "backmergeBranches": [
             { from: "beta", to: "alpha" },
             { from: "release", to: "beta" },
           ]
@@ -103,15 +108,17 @@ async function config() {
 
 async function loadTemplates() {
   for (const template of Object.keys(templates)) {
-    const text = await readFile(path.resolve(__dirname, resourcePath, templates[template].file));
+    
+    // For ES6 modules use:
+    // const fileUrl = import.meta.url;
+    // const __dirname = dirname(fileURLToPath(fileUrl));
+
+    const filePath = resolve(__dirname, resourcePath, templates[template].file);
+    const text = await readFile(filePath, 'utf-8');
     templates[template].text = text;
   }
 }
 
-async function readFile(filePath) {
-  return await fs.readFile(filePath, 'utf-8');
-}
-
 function getReleaseComment() {
   const url = repositoryUrl + '/releases/tag/${nextRelease.gitTag}';
   const comment = '🎉 This change has been released in version [${nextRelease.version}](' + url + ')';

CONTRIBUTING.md

@@ -39,6 +39,7 @@
   - [Reverting](#reverting)
   - [Security Vulnerability](#security-vulnerability)
     - [Local Testing](#local-testing)
+    - [Environment](#environment)
     - [Merging](#merging-1)
 - [Releasing](#releasing)
   - [General Considerations](#general-considerations)
@@ -499,19 +500,33 @@ If the commit reverts a previous commit, use the prefix `revert:`, followed by t
 
 #### Local Testing
 
-Fixes for securify vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerabilty are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
+Fixes for security vulnerabilities are developed in private forks with a closed audience, inaccessible to the public. A current GitHub limitation does not allow to run CI tests on pull requests in private forks. Whether a pull requests fully passes all CI tests can only be determined by publishing the fix as a public pull request and running the CI. This means the fix and implicitly information about the vulnerability are made accessible to the public. This increases the risk that a vulnerability fix is published, but then cannot be merged immediately due to a CI issue. To mitigate that risk, before publishing a vulnerability fix, the following tests needs to be run locally and pass:
 
 - `npm run test` (MongoDB)
 - `npm run test` (Postgres)
 - `npm run madge:circular` (circular dependencies)
 - `npm run lint` (Lint)
 - `npm run definitions` (Parse Server options definitions)
 
+#### Environment
+
+A reported vulnerability may have already been fixed since it was reported, either due to a targeted fix or as side-effect of other code changed. To verify that a vulnerability exists, tests need to be run in an environment that uses the latest commit of the development branch of Parse Server.
+
+> [!NOTE]
+> Do not use the latest alpha version for testing as it may be behind the latest commit of the development branch.
+
+Vulnerability test must only be conducted in environments for which the tester can ensure that no unauthorized 3rd party has potentially access to. This is to ensure a vulnerability stays confidential and is not exposed prematurely to the public.
+
+You must not test a vulnerability using any 3rd party APIs that provide Parse Server as a hosted service (SaaS) as this may expose the vulnerability to an unauthorized 3rd party and the effects of the vulnerability may cause issues on the provider's side. 
+
+> [!CAUTION]
+> Utilizing a vulnerability in a third-party service, even for testing or development purposes, can result in legal repercussions. You are solely accountable for any damage arising from such actions and agree to indemnify Parse Platform against any liabilities or claims resulting from your actions.
+
 #### Merging
 
-A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerabilty. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
+A current GitHub limitation does not allow to customize the commit message when merging pull requests of a private fork that was created to fix a security vulnerability. Our release automation framework demands a specific commit message syntax which therefore cannot be met. This prohibits to follow the process that GitHub suggest, which is to merge a pull request from a private fork directly to a public branch. Instead, after [local testing](#local-testing), a public pull request needs to be created with the code fix copied over from the private pull request.
 
-This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hiting to a vulnerabilty or giving any details about the vulnerabilty, until the pull request has been successfully merged.
+This creates a risk that a vulnerability is indirectly disclosed by publishing a pull request with the fix, but the fix cannot be merged due to a CI issue. To mitigate that risk, the pull request title and description should be kept marginal or generic, not hinting to a vulnerability or giving any details about the vulnerability, until the pull request has been successfully merged.
 
 ## Releasing
 

Dockerfile

@@ -1,9 +1,13 @@
 ############################################################
 # Build stage
 ############################################################
-FROM node:lts-alpine AS build
+FROM node:20.14.0-alpine3.20 AS build
+
+RUN apk --no-cache add \
+   build-base \
+   git \
+   python3
 
-RUN apk --no-cache add git
 WORKDIR /tmp
 
 # Copy package.json first to benefit from layer caching
@@ -24,7 +28,7 @@ RUN npm ci --omit=dev --ignore-scripts \
 ############################################################
 # Release stage
 ############################################################
-FROM node:lts-alpine AS release
+FROM node:20.14.0-alpine3.20 AS release
 
 VOLUME /parse-server/cloud /parse-server/config
 

README.md

@@ -2,14 +2,14 @@
 
 ---
 
-[![Build Status](https://github.com/parse-community/parse-server/workflows/ci/badge.svg?branch=alpha)](https://github.com/parse-community/parse-server/actions?query=workflow%3Aci+branch%3Aalpha)
-[![Build Status](https://github.com/parse-community/parse-server/workflows/ci/badge.svg?branch=beta)](https://github.com/parse-community/parse-server/actions?query=workflow%3Aci+branch%3Abeta)
-[![Build Status](https://github.com/parse-community/parse-server/workflows/ci/badge.svg?branch=release)](https://github.com/parse-community/parse-server/actions?query=workflow%3Aci+branch%3Arelease)
+[![Build Status](https://github.com/parse-community/parse-server/actions/workflows/ci.yml/badge.svg?branch=alpha)](https://github.com/parse-community/parse-server/actions/workflows/ci.yml?query=workflow%3Aci+branch%3Aalpha)
+[![Build Status](https://github.com/parse-community/parse-server/actions/workflows/ci.yml/badge.svg?branch=beta)](https://github.com/parse-community/parse-server/actions/workflows/ci.yml?query=workflow%3Aci+branch%3Abeta)
+[![Build Status](https://github.com/parse-community/parse-server/actions/workflows/ci.yml/badge.svg?branch=release)](https://github.com/parse-community/parse-server/actions/workflows/ci.yml?query=workflow%3Aci+branch%3Arelease)
 [![Snyk Badge](https://snyk.io/test/github/parse-community/parse-server/badge.svg)](https://snyk.io/test/github/parse-community/parse-server)
-[![Coverage](https://img.shields.io/codecov/c/github/parse-community/parse-server/alpha.svg)](https://codecov.io/github/parse-community/parse-server?branch=alpha)
+[![Coverage](https://codecov.io/github/parse-community/parse-server/branch/alpha/graph/badge.svg)](https://app.codecov.io/github/parse-community/parse-server/tree/alpha)
 [![auto-release](https://img.shields.io/badge/%F0%9F%9A%80-auto--release-9e34eb.svg)](https://github.com/parse-community/parse-dashboard/releases)
 
-[![Node Version](https://img.shields.io/badge/nodejs-18,_20-green.svg?logo=node.js&style=flat)](https://nodejs.org)
+[![Node Version](https://img.shields.io/badge/nodejs-18,_20,_22-green.svg?logo=node.js&style=flat)](https://nodejs.org)
 [![MongoDB Version](https://img.shields.io/badge/mongodb-4.2,_4.4,_5,_6,_7-green.svg?logo=mongodb&style=flat)](https://www.mongodb.com)
 [![Postgres Version](https://img.shields.io/badge/postgresql-13,_14,_15,_16-green.svg?logo=postgresql&style=flat)](https://www.postgresql.org)
 
@@ -129,20 +129,21 @@ Parse Server is continuously tested with the most recent releases of Node.js to
 
 | Version    | Latest Version | End-of-Life | Compatible |
 |------------|----------------|-------------|------------|
-| Node.js 18 | 18.20.0        | April 2025  | ✅ Yes      |
-| Node.js 20 | 20.12.0        | April 2026  | ✅ Yes      |
+| Node.js 18 | 18.20.4        | April 2025  | ✅ Yes      |
+| Node.js 20 | 20.15.1        | April 2026  | ✅ Yes      |
+| Node.js 22 | 22.4.1         | April 2027  | ✅ Yes      |
 
 #### MongoDB
 
 Parse Server is continuously tested with the most recent releases of MongoDB to ensure compatibility. We follow the [MongoDB support schedule](https://www.mongodb.com/support-policy) and [MongoDB lifecycle schedule](https://www.mongodb.com/support-policy/lifecycles) and only test against versions that are officially supported and have not reached their end-of-life date. MongoDB "rapid releases" are ignored as these are considered pre-releases of the next major version.
 
 | Version     | Latest Version | End-of-Life   | Compatible |
-| ----------- | -------------- | ------------- | ---------- |
-| MongoDB 4.2 | 4.2.25         | April 2023    | ✅ Yes     |
-| MongoDB 4.4 | 4.4.29         | February 2024 | ✅ Yes     |
-| MongoDB 5   | 5.0.26         | October 2024  | ✅ Yes     |
-| MongoDB 6   | 6.0.14         | July 2025     | ✅ Yes     |
-| MongoDB 7   | 7.0.8          | TDB           | ✅ Yes     |
+|-------------|----------------|---------------|------------|
+| MongoDB 4.2 | 4.2.25         | April 2023    | ✅ Yes      |
+| MongoDB 4.4 | 4.4.29         | February 2024 | ✅ Yes      |
+| MongoDB 5   | 5.0.26         | October 2024  | ✅ Yes      |
+| MongoDB 6   | 6.0.14         | July 2025     | ✅ Yes      |
+| MongoDB 7   | 7.0.8          | TDB           | ✅ Yes      |
 
 #### PostgreSQL
 
@@ -305,7 +306,7 @@ app.listen(1337, function() {
 });
 ```
 
-For a full list of available options, run `parse-server --help` or take a look at [Parse Server Configurations](http://parseplatform.org/parse-server/api/master/ParseServerOptions.html).
+For a full list of available options, run `parse-server --help` or take a look at [Parse Server Configurations][server-options].
 
 ## Parse Server Health
 
@@ -332,7 +333,7 @@ The response looks like this:
 
 Parse Server can be configured using the following options. You may pass these as parameters when running a standalone `parse-server`, or by loading a configuration file in JSON format using `parse-server path/to/configuration.json`. If you're using Parse Server on Express, you may also pass these to the `ParseServer` object as options.
 
-For the full list of available options, run `parse-server --help` or take a look at [Parse Server Configurations](http://parseplatform.org/parse-server/api/master/ParseServerOptions.html).
+For the full list of available options, run `parse-server --help` or take a look at [Parse Server Configurations][server-options].
 
 ## Basic Options
 
@@ -366,7 +367,7 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo
 
 ## Email Verification and Password Reset
 
-Verifying user email addresses and enabling password reset via email requires an email adapter. There are many email adapters provided and maintained by the community. The following is an example configuration with an example email adapter. See the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) for more details and a full list of available options.
+Verifying user email addresses and enabling password reset via email requires an email adapter. There are many email adapters provided and maintained by the community. The following is an example configuration with an example email adapter. See the [Parse Server Options][server-options] for more details and a full list of available options.
 
 ```js
 const server = ParseServer({
@@ -406,7 +407,7 @@ Email adapters contributed by the community:
 
 ## Password and Account Policy
 
-Set a password and account policy that meets your security requirements. The following is an example configuration. See the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) for more details and a full list of available options.
+Set a password and account policy that meets your security requirements. The following is an example configuration. See the [Parse Server Options][server-options] for more details and a full list of available options.
 
 ```js
 const server = ParseServer({
@@ -1206,3 +1207,4 @@ Support us with a monthly donation and help us continue our activities. [Become
 [log_release]: https://github.com/parse-community/parse-server/blob/release/changelogs/CHANGELOG_release.md
 [log_beta]: https://github.com/parse-community/parse-server/blob/beta/changelogs/CHANGELOG_beta.md
 [log_alpha]: https://github.com/parse-community/parse-server/blob/alpha/changelogs/CHANGELOG_alpha.md
+[server-options] http://parseplatform.org/parse-server/api/release/ParseServerOptions.html