build: Release (#10354)

Author: mtrezza

.github/workflows/ci-performance.yml

@@ -68,6 +68,7 @@ jobs:
         env:
           NODE_ENV: production
         run: |
+          set -o pipefail
           echo "Running baseline benchmarks..."
           if [ ! -f "benchmark/performance.js" ]; then
             echo "⚠️ Benchmark script not found - this is expected for new features"
@@ -76,17 +77,9 @@ jobs:
             echo "Baseline: N/A (no benchmark script)" > baseline-output.txt
             exit 0
           fi
-          taskset -c 0 npm run benchmark > baseline-output.txt 2>&1 || npm run benchmark > baseline-output.txt 2>&1 || true
-          echo "Benchmark command completed with exit code: $?"
-          echo "Output file size: $(wc -c < baseline-output.txt) bytes"
-          echo "--- Begin baseline-output.txt ---"
-          cat baseline-output.txt
-          echo "--- End baseline-output.txt ---"
+          taskset -c 0 npm run benchmark 2>&1 | tee baseline-output.txt || npm run benchmark 2>&1 | tee baseline-output.txt || true
           # Extract JSON from output (everything between first [ and last ])
           sed -n '/^\[/,/^\]/p' baseline-output.txt > baseline.json || echo '[]' > baseline.json
-          echo "Extracted JSON size: $(wc -c < baseline.json) bytes"
-          echo "Baseline benchmark results:"
-          cat baseline.json
         continue-on-error: true
 
       - name: Save baseline results to temp location
@@ -133,18 +126,11 @@ jobs:
         env:
           NODE_ENV: production
         run: |
+          set -o pipefail
           echo "Running PR benchmarks..."
-          taskset -c 0 npm run benchmark > pr-output.txt 2>&1 || npm run benchmark > pr-output.txt 2>&1 || true
-          echo "Benchmark command completed with exit code: $?"
-          echo "Output file size: $(wc -c < pr-output.txt) bytes"
-          echo "--- Begin pr-output.txt ---"
-          cat pr-output.txt
-          echo "--- End pr-output.txt ---"
+          taskset -c 0 npm run benchmark 2>&1 | tee pr-output.txt || npm run benchmark 2>&1 | tee pr-output.txt || true
           # Extract JSON from output (everything between first [ and last ])
           sed -n '/^\[/,/^\]/p' pr-output.txt > pr.json || echo '[]' > pr.json
-          echo "Extracted JSON size: $(wc -c < pr.json) bytes"
-          echo "PR benchmark results:"
-          cat pr.json
         continue-on-error: true
 
       - name: Upload PR results

.github/workflows/release-automated.yml

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
       - name: Cache Node.js modules
         uses: actions/cache@v4

DEPRECATIONS.md

@@ -24,6 +24,9 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS18 | Config option `requestComplexity` limits enabled by default                                  | [#10207](https://github.com/parse-community/parse-server/pull/10207)   | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 | DEPPS19 | Remove config option `enableProductPurchaseLegacyApi`                                        | [#10228](https://github.com/parse-community/parse-server/pull/10228)   | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 | DEPPS20 | Remove config option `allowExpiredAuthDataToken`                                             |                                                                        | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS21 | Config option `protectedFieldsOwnerExempt` defaults to `false`                               |                                                                        | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS22 | Config option `protectedFieldsTriggerExempt` defaults to `true`                              |                                                                        | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS23 | Config option `protectedFieldsSaveResponseExempt` defaults to `false`                               |                                                                        | 9.7.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 
 [i_deprecation]: ## "The version and date of the deprecation."
 [i_change]: ## "The version and date of the planned change."

Dockerfile

@@ -16,6 +16,11 @@ COPY package*.json ./
 # Copy src to have config files for install
 COPY . .
 
+# Increase npm network timeout and retries for slow platforms (e.g. arm64 via QEMU)
+ENV npm_config_fetch_retries=5
+ENV npm_config_fetch_retry_mintimeout=60000
+ENV npm_config_fetch_retry_maxtimeout=300000
+
 # Install without scripts
 RUN npm ci --omit=dev --ignore-scripts \
     # Copy production node_modules aside for later

benchmark/performance.js

@@ -30,6 +30,8 @@ let core;
 // Logging helpers
 const logInfo = message => core.info(message);
 const logError = message => core.error(message);
+const logGroup = title => core.startGroup(title);
+const logGroupEnd = () => core.endGroup();
 
 /**
  * Initialize Parse Server for benchmarking
@@ -199,9 +201,10 @@ async function measureOperation({ name, operation, iterations, skipWarmup = fals
 
 /**
  * Measure GC pressure for an async operation over multiple iterations.
- * Tracks garbage collection duration per operation using PerformanceObserver.
- * Larger transient allocations (e.g., from unbounded cursor batch sizes) cause
- * more frequent and longer GC pauses, which this metric directly captures.
+ * Tracks total garbage collection time per operation using PerformanceObserver.
+ * Using total GC time (sum of all pauses) rather than max single pause provides
+ * much more stable metrics — it eliminates the variance from V8 choosing to do
+ * one long pause vs. many short pauses for the same amount of GC work.
  * @param {Object} options Measurement options.
  * @param {string} options.name Name of the operation being measured.
  * @param {Function} options.operation Async function to measure.
@@ -236,31 +239,34 @@ async function measureMemoryOperation({ name, operation, iterations, skipWarmup
       global.gc();
     }
 
-    // Track GC events during this iteration; measure the longest single GC pause,
-    // which reflects the production impact of large transient allocations
-    let maxGcPause = 0;
+    // Track GC events during this iteration; sum all GC pause durations to
+    // measure total GC work, which is stable regardless of whether V8 chooses
+    // one long pause or many short pauses
+    let totalGcTime = 0;
     const obs = new PerformanceObserver((list) => {
       for (const entry of list.getEntries()) {
-        if (entry.duration > maxGcPause) {
-          maxGcPause = entry.duration;
-        }
+        totalGcTime += entry.duration;
       }
     });
     obs.observe({ type: 'gc', buffered: false });
 
     await operation();
 
+    // Force GC after the operation to flush pending GC work into this
+    // iteration's measurement, preventing cross-iteration contamination
+    if (typeof global.gc === 'function') {
+      global.gc();
+    }
+
     // Flush any buffered entries before disconnecting to avoid data loss
     for (const entry of obs.takeRecords()) {
-      if (entry.duration > maxGcPause) {
-        maxGcPause = entry.duration;
-      }
+      totalGcTime += entry.duration;
     }
     obs.disconnect();
-    gcDurations.push(maxGcPause);
+    gcDurations.push(totalGcTime);
 
     if (LOG_ITERATIONS) {
-      logInfo(`Iteration ${i + 1}: ${maxGcPause.toFixed(2)} ms GC`);
+      logInfo(`Iteration ${i + 1}: ${totalGcTime.toFixed(2)} ms GC`);
     } else if ((i + 1) % progressInterval === 0 || i + 1 === iterations) {
       const progress = Math.round(((i + 1) / iterations) * 100);
       logInfo(`Progress: ${progress}%`);
@@ -862,22 +868,38 @@ async function runBenchmarks() {
     ];
 
     // Run each benchmark with database cleanup
-    for (const benchmark of benchmarks) {
-      logInfo(`\nRunning benchmark '${benchmark.name}'...`);
-      resetParseServer();
-      await cleanupDatabase();
-      results.push(await benchmark.fn(benchmark.name));
+    const suiteStart = performance.now();
+    for (let idx = 0; idx < benchmarks.length; idx++) {
+      const benchmark = benchmarks[idx];
+      const label = `[${idx + 1}/${benchmarks.length}] ${benchmark.name}`;
+      logGroup(label);
+      try {
+        logInfo('Resetting database...');
+        resetParseServer();
+        await cleanupDatabase();
+        logInfo('Running benchmark...');
+        const benchStart = performance.now();
+        const result = await benchmark.fn(benchmark.name);
+        const benchDuration = ((performance.now() - benchStart) / 1000).toFixed(1);
+        results.push(result);
+        logInfo(`Result: ${result.value.toFixed(2)} ${result.unit} (${result.extra})`);
+        logInfo(`Duration: ${benchDuration}s`);
+      } finally {
+        logGroupEnd();
+      }
     }
+    const suiteDuration = ((performance.now() - suiteStart) / 1000).toFixed(1);
 
     // Output results in github-action-benchmark format (stdout)
     logInfo(JSON.stringify(results, null, 2));
 
-    // Output summary to stderr for visibility
-    logInfo('Benchmarks completed successfully!');
-    logInfo('Summary:');
+    // Output summary
+    logGroup('Summary');
     results.forEach(result => {
-      logInfo(`  ${result.name}: ${result.value.toFixed(2)} ${result.unit} (${result.extra})`);
+      logInfo(`${result.name}: ${result.value.toFixed(2)} ${result.unit} (${result.extra})`);
     });
+    logInfo(`Total duration: ${suiteDuration}s`);
+    logGroupEnd();
 
   } catch (error) {
     logError('Error running benchmarks:', error);

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,129 @@
+# [9.7.0-alpha.18](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.17...9.7.0-alpha.18) (2026-03-30)
+
+
+### Features
+
+* Extend storage adapter interface to optionally return `matchedCount` and `modifiedCount` from `DatabaseController.update` with `many: true` ([#10353](https://github.com/parse-community/parse-server/issues/10353)) ([aea7596](https://github.com/parse-community/parse-server/commit/aea7596cd2336c1c179ae130efd550f1596f5f3a))
+
+# [9.7.0-alpha.17](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.16...9.7.0-alpha.17) (2026-03-29)
+
+
+### Bug Fixes
+
+* Cloud Code trigger context vulnerable to prototype pollution ([#10352](https://github.com/parse-community/parse-server/issues/10352)) ([d5f5128](https://github.com/parse-community/parse-server/commit/d5f5128ade49749856d8ad5f9750ffd26d44836a))
+
+# [9.7.0-alpha.16](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.15...9.7.0-alpha.16) (2026-03-29)
+
+
+### Bug Fixes
+
+* LiveQuery protected-field guard bypass via array-like logical operator value ([GHSA-mmg8-87c5-jrc2](https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2)) ([#10350](https://github.com/parse-community/parse-server/issues/10350)) ([f63fd1a](https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98))
+
+# [9.7.0-alpha.15](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.14...9.7.0-alpha.15) (2026-03-29)
+
+
+### Bug Fixes
+
+* Batch login sub-request rate limit uses IP-based keying ([#10349](https://github.com/parse-community/parse-server/issues/10349)) ([63c37c4](https://github.com/parse-community/parse-server/commit/63c37c49c7a72dc617635da8859004503021b8fd))
+
+# [9.7.0-alpha.14](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.13...9.7.0-alpha.14) (2026-03-29)
+
+
+### Bug Fixes
+
+* Session field immutability bypass via falsy-value guard ([GHSA-f6j3-w9v3-cq22](https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22)) ([#10347](https://github.com/parse-community/parse-server/issues/10347)) ([9080296](https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21))
+
+# [9.7.0-alpha.13](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.12...9.7.0-alpha.13) (2026-03-29)
+
+
+### Features
+
+* Add support for `partialFilterExpression` in MongoDB storage adapter ([#10346](https://github.com/parse-community/parse-server/issues/10346)) ([8dd7bf2](https://github.com/parse-community/parse-server/commit/8dd7bf2f61c07b0467d6dbc7aad5142db6694339))
+
+# [9.7.0-alpha.12](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.11...9.7.0-alpha.12) (2026-03-29)
+
+
+### Bug Fixes
+
+* GraphQL complexity validator exponential fragment traversal DoS ([GHSA-mfj6-6p54-m98c](https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c)) ([#10344](https://github.com/parse-community/parse-server/issues/10344)) ([f759bda](https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b))
+
+# [9.7.0-alpha.11](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.10...9.7.0-alpha.11) (2026-03-28)
+
+
+### Bug Fixes
+
+* Cloud function validator bypass via prototype chain traversal ([GHSA-vpj2-qq7w-5qq6](https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6)) ([#10342](https://github.com/parse-community/parse-server/issues/10342)) ([dc59e27](https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674))
+
+# [9.7.0-alpha.10](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.9...9.7.0-alpha.10) (2026-03-27)
+
+
+### Bug Fixes
+
+* GraphQL API endpoint ignores CORS origin restriction ([GHSA-q3p6-g7c4-829c](https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c)) ([#10334](https://github.com/parse-community/parse-server/issues/10334)) ([4dd0d3d](https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203))
+
+# [9.7.0-alpha.9](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.8...9.7.0-alpha.9) (2026-03-27)
+
+
+### Bug Fixes
+
+* LiveQuery protected field leak via shared mutable state across concurrent subscribers ([GHSA-m983-v2ff-wq65](https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65)) ([#10330](https://github.com/parse-community/parse-server/issues/10330)) ([776c71c](https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055))
+
+# [9.7.0-alpha.8](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.7...9.7.0-alpha.8) (2026-03-26)
+
+
+### Bug Fixes
+
+* MFA single-use token bypass via concurrent authData login requests ([GHSA-w73w-g5xw-rwhf](https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf)) ([#10326](https://github.com/parse-community/parse-server/issues/10326)) ([e7efbeb](https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf))
+
+# [9.7.0-alpha.7](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.6...9.7.0-alpha.7) (2026-03-26)
+
+
+### Bug Fixes
+
+* Auth data exposed via verify password endpoint ([GHSA-wp76-gg32-8258](https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258)) ([#10323](https://github.com/parse-community/parse-server/issues/10323)) ([770be86](https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed))
+
+# [9.7.0-alpha.6](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.5...9.7.0-alpha.6) (2026-03-26)
+
+
+### Bug Fixes
+
+* Duplicate session destruction can cause unhandled promise rejection ([#10319](https://github.com/parse-community/parse-server/issues/10319)) ([92791c1](https://github.com/parse-community/parse-server/commit/92791c1d1d4b042a0e615ba45dcef491b904eccf))
+
+# [9.7.0-alpha.5](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.4...9.7.0-alpha.5) (2026-03-25)
+
+
+### Bug Fixes
+
+* Postgres query on non-existent column throws internal server error ([#10308](https://github.com/parse-community/parse-server/issues/10308)) ([c5c4325](https://github.com/parse-community/parse-server/commit/c5c43259d1f98af5bbbbc44d9daf7c0f1f8168d3))
+
+# [9.7.0-alpha.4](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.3...9.7.0-alpha.4) (2026-03-24)
+
+
+### Bug Fixes
+
+* Missing error messages in Parse errors ([#10304](https://github.com/parse-community/parse-server/issues/10304)) ([f128048](https://github.com/parse-community/parse-server/commit/f12804800bc9232de02b4314e886bab6b169f041))
+
+# [9.7.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.2...9.7.0-alpha.3) (2026-03-23)
+
+
+### Bug Fixes
+
+* Maintenance key blocked from querying protected fields ([#10290](https://github.com/parse-community/parse-server/issues/10290)) ([7c8b213](https://github.com/parse-community/parse-server/commit/7c8b213d96f1fd79f27d3a2bc01bef8bcaf588cd))
+
+# [9.7.0-alpha.2](https://github.com/parse-community/parse-server/compare/9.7.0-alpha.1...9.7.0-alpha.2) (2026-03-23)
+
+
+### Features
+
+* Add `protectedFieldsSaveResponseExempt` option to strip protected fields from save responses ([#10289](https://github.com/parse-community/parse-server/issues/10289)) ([4f7cb53](https://github.com/parse-community/parse-server/commit/4f7cb53bd114554cf9e6d7855b5e8911cb87544b))
+
+# [9.7.0-alpha.1](https://github.com/parse-community/parse-server/compare/9.6.1...9.7.0-alpha.1) (2026-03-23)
+
+
+### Features
+
+* Add `protectedFieldsTriggerExempt` option to exempt Cloud Code triggers from `protectedFields` ([#10288](https://github.com/parse-community/parse-server/issues/10288)) ([1610f98](https://github.com/parse-community/parse-server/commit/1610f98316f7cb1120a7e20be7a1570b0e116df7))
+
 ## [9.6.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.6.0...9.6.1-alpha.1) (2026-03-22)