chore(release): 9.7.0 [skip ci]

semantic-release-bot · semantic-release-bot · commit 84ca53352fd2 · 2026-03-30T00:31:17.000Z
# [9.7.0](9.6.1...9.7.0) (2026-03-30) ### Bug Fixes * Auth data exposed via verify password endpoint ([GHSA-wp76-gg32-8258](GHSA-wp76-gg32-8258)) ([#10323](#10323)) ([770be86](770be86)) * Batch login sub-request rate limit uses IP-based keying ([#10349](#10349)) ([63c37c4](63c37c4)) * Cloud Code trigger context vulnerable to prototype pollution ([#10352](#10352)) ([d5f5128](d5f5128)) * Cloud function validator bypass via prototype chain traversal ([GHSA-vpj2-qq7w-5qq6](GHSA-vpj2-qq7w-5qq6)) ([#10342](#10342)) ([dc59e27](dc59e27)) * Duplicate session destruction can cause unhandled promise rejection ([#10319](#10319)) ([92791c1](92791c1)) * GraphQL API endpoint ignores CORS origin restriction ([GHSA-q3p6-g7c4-829c](GHSA-q3p6-g7c4-829c)) ([#10334](#10334)) ([4dd0d3d](4dd0d3d)) * GraphQL complexity validator exponential fragment traversal DoS ([GHSA-mfj6-6p54-m98c](GHSA-mfj6-6p54-m98c)) ([#10344](#10344)) ([f759bda](f759bda)) * LiveQuery protected field leak via shared mutable state across concurrent subscribers ([GHSA-m983-v2ff-wq65](GHSA-m983-v2ff-wq65)) ([#10330](#10330)) ([776c71c](776c71c)) * LiveQuery protected-field guard bypass via array-like logical operator value ([GHSA-mmg8-87c5-jrc2](GHSA-mmg8-87c5-jrc2)) ([#10350](#10350)) ([f63fd1a](f63fd1a)) * Maintenance key blocked from querying protected fields ([#10290](#10290)) ([7c8b213](7c8b213)) * MFA single-use token bypass via concurrent authData login requests ([GHSA-w73w-g5xw-rwhf](GHSA-w73w-g5xw-rwhf)) ([#10326](#10326)) ([e7efbeb](e7efbeb)) * Missing error messages in Parse errors ([#10304](#10304)) ([f128048](f128048)) * Postgres query on non-existent column throws internal server error ([#10308](#10308)) ([c5c4325](c5c4325)) * Session field immutability bypass via falsy-value guard ([GHSA-f6j3-w9v3-cq22](GHSA-f6j3-w9v3-cq22)) ([#10347](#10347)) ([9080296](9080296)) ### Features * Add `protectedFieldsSaveResponseExempt` option to strip protected fields from save responses ([#10289](#10289)) ([4f7cb53](4f7cb53)) * Add `protectedFieldsTriggerExempt` option to exempt Cloud Code triggers from `protectedFields` ([#10288](#10288)) ([1610f98](1610f98)) * Add support for `partialFilterExpression` in MongoDB storage adapter ([#10346](#10346)) ([8dd7bf2](8dd7bf2)) * Extend storage adapter interface to optionally return `matchedCount` and `modifiedCount` from `DatabaseController.update` with `many: true` ([#10353](#10353)) ([aea7596](aea7596))
diff --git a/changelogs/CHANGELOG_release.md b/changelogs/CHANGELOG_release.md
@@ -1,3 +1,30 @@
+# [9.7.0](https://github.com/parse-community/parse-server/compare/9.6.1...9.7.0) (2026-03-30)
+
+
+### Bug Fixes
+
+* Auth data exposed via verify password endpoint ([GHSA-wp76-gg32-8258](https://github.com/parse-community/parse-server/security/advisories/GHSA-wp76-gg32-8258)) ([#10323](https://github.com/parse-community/parse-server/issues/10323)) ([770be86](https://github.com/parse-community/parse-server/commit/770be8647424d92f5425c41fa81065ffbbb171ed))
+* Batch login sub-request rate limit uses IP-based keying ([#10349](https://github.com/parse-community/parse-server/issues/10349)) ([63c37c4](https://github.com/parse-community/parse-server/commit/63c37c49c7a72dc617635da8859004503021b8fd))
+* Cloud Code trigger context vulnerable to prototype pollution ([#10352](https://github.com/parse-community/parse-server/issues/10352)) ([d5f5128](https://github.com/parse-community/parse-server/commit/d5f5128ade49749856d8ad5f9750ffd26d44836a))
+* Cloud function validator bypass via prototype chain traversal ([GHSA-vpj2-qq7w-5qq6](https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6)) ([#10342](https://github.com/parse-community/parse-server/issues/10342)) ([dc59e27](https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674))
+* Duplicate session destruction can cause unhandled promise rejection ([#10319](https://github.com/parse-community/parse-server/issues/10319)) ([92791c1](https://github.com/parse-community/parse-server/commit/92791c1d1d4b042a0e615ba45dcef491b904eccf))
+* GraphQL API endpoint ignores CORS origin restriction ([GHSA-q3p6-g7c4-829c](https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c)) ([#10334](https://github.com/parse-community/parse-server/issues/10334)) ([4dd0d3d](https://github.com/parse-community/parse-server/commit/4dd0d3d8be1c39664c74ad10bb0abaa76bc41203))
+* GraphQL complexity validator exponential fragment traversal DoS ([GHSA-mfj6-6p54-m98c](https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c)) ([#10344](https://github.com/parse-community/parse-server/issues/10344)) ([f759bda](https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b))
+* LiveQuery protected field leak via shared mutable state across concurrent subscribers ([GHSA-m983-v2ff-wq65](https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65)) ([#10330](https://github.com/parse-community/parse-server/issues/10330)) ([776c71c](https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055))
+* LiveQuery protected-field guard bypass via array-like logical operator value ([GHSA-mmg8-87c5-jrc2](https://github.com/parse-community/parse-server/security/advisories/GHSA-mmg8-87c5-jrc2)) ([#10350](https://github.com/parse-community/parse-server/issues/10350)) ([f63fd1a](https://github.com/parse-community/parse-server/commit/f63fd1a3fe0a7c1c5fe809f01b0e04759e8c9b98))
+* Maintenance key blocked from querying protected fields ([#10290](https://github.com/parse-community/parse-server/issues/10290)) ([7c8b213](https://github.com/parse-community/parse-server/commit/7c8b213d96f1fd79f27d3a2bc01bef8bcaf588cd))
+* MFA single-use token bypass via concurrent authData login requests ([GHSA-w73w-g5xw-rwhf](https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf)) ([#10326](https://github.com/parse-community/parse-server/issues/10326)) ([e7efbeb](https://github.com/parse-community/parse-server/commit/e7efbebba398ce6abe5b6b6fb9829c6ebe310fbf))
+* Missing error messages in Parse errors ([#10304](https://github.com/parse-community/parse-server/issues/10304)) ([f128048](https://github.com/parse-community/parse-server/commit/f12804800bc9232de02b4314e886bab6b169f041))
+* Postgres query on non-existent column throws internal server error ([#10308](https://github.com/parse-community/parse-server/issues/10308)) ([c5c4325](https://github.com/parse-community/parse-server/commit/c5c43259d1f98af5bbbbc44d9daf7c0f1f8168d3))
+* Session field immutability bypass via falsy-value guard ([GHSA-f6j3-w9v3-cq22](https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22)) ([#10347](https://github.com/parse-community/parse-server/issues/10347)) ([9080296](https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21))
+
+### Features
+
+* Add `protectedFieldsSaveResponseExempt` option to strip protected fields from save responses ([#10289](https://github.com/parse-community/parse-server/issues/10289)) ([4f7cb53](https://github.com/parse-community/parse-server/commit/4f7cb53bd114554cf9e6d7855b5e8911cb87544b))
+* Add `protectedFieldsTriggerExempt` option to exempt Cloud Code triggers from `protectedFields` ([#10288](https://github.com/parse-community/parse-server/issues/10288)) ([1610f98](https://github.com/parse-community/parse-server/commit/1610f98316f7cb1120a7e20be7a1570b0e116df7))
+* Add support for `partialFilterExpression` in MongoDB storage adapter ([#10346](https://github.com/parse-community/parse-server/issues/10346)) ([8dd7bf2](https://github.com/parse-community/parse-server/commit/8dd7bf2f61c07b0467d6dbc7aad5142db6694339))
+* Extend storage adapter interface to optionally return `matchedCount` and `modifiedCount` from `DatabaseController.update` with `many: true` ([#10353](https://github.com/parse-community/parse-server/issues/10353)) ([aea7596](https://github.com/parse-community/parse-server/commit/aea7596cd2336c1c179ae130efd550f1596f5f3a))
+
 ## [9.6.1](https://github.com/parse-community/parse-server/compare/9.6.0...9.6.1) (2026-03-22)
 
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.7.0-alpha.18",
+  "version": "9.7.0",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "parse-server",`
`3`		`- "version": "9.7.0-alpha.18",`
	`3`	`+ "version": "9.7.0",`
`4`	`4`	`"description": "An express module providing a Parse-compatible API server",`
`5`	`5`	`"main": "lib/index.js",`
`6`	`6`	`"repository": {`