fix(deps): update dependency parse-server to v5 [security] - autoclosed #551
This PR contains the following updates: parse-server 4.4.0 -> 5.5.6
GitHub Vulnerability Alerts
CVE-2020-26288
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext.
This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
CVE-2021-39187
Impact
Parse Server crashes if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch.
Patches
Upgrade to Parse Server 4.10.3
CVE-2021-39138
Impact
Developers that use the REST API to sign up users and also allow users to log in anonymously are affected. When an anonymous user is first signed up using REST, the server creates the session incorrectly: the authProvider field in the _Session class under createdWith shows the user as having logged in by creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and an anonymous user, the server incorrectly classifies the session type as being created with a password. The server currently doesn't use createdWith to make decisions on how things work internally, so if a developer isn't using createdWith directly, there's nothing to worry about. The vulnerability only affects users who depend on createdWith by using it directly.
Patches
Upgrade to version 4.5.1.
Workarounds
Don't use the createdWith Session field to make decisions if you allow anonymous login.
References
n/a
GHSA-593v-wcqx-hq2w
Impact
A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:
We have since deleted the incorrect version tags, but they may still show up in your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.
You may also be affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag 4.9.3 and published a new Bitnami image for Parse Server. If you are using any of the affected versions, we urgently recommend to upgrade to version 4.10.0. These are the incorrect tags:
Patches
Upgrade to version 4.10.0.
Workarounds
Downgrade to version 4.5.2.
References
n/a
CVE-2021-41109
Impact
For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.
Patches
Remove session token from LiveQuery payload.
Workaround
Set user.acl(new Parse.ACL()) in a beforeSave trigger to make the user private already on sign-up.
CVE-2022-24760
Impact
This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.
Patches
Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.
Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specifying your own keywords as needed.
Workarounds
Although the fix is broader and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver to disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in index.js.
References
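The keyword scan the patch introduces, as an added example that is not Parse Server's own code: a scanner over parsed request data that reports the first key or object shape matching the denylist, using the default entries named above and the same 400 / error 105 decision. The function names and the constructed sample bodies are assumptions.

```javascript
// Added example (not Parse Server's own code): a request-data scanner in the
// spirit of the requestKeywordDenylist feature. It walks a parsed JSON body and
// reports the first key or object shape that matches a denylist entry.
const DEFAULT_DENYLIST = [{ _bsontype: 'Code' }, 'constructor', '__proto__'];

// An object entry matches any nested object carrying all of its key/value pairs.
function matchesObjectEntry(obj, entry) {
  return Object.keys(entry).every(
    (k) => Object.prototype.hasOwnProperty.call(obj, k) && obj[k] === entry[k]
  );
}

// Returns a dotted path to the offending key or shape, or null when clean.
function findDeniedKeyword(data, denylist = DEFAULT_DENYLIST, path = '') {
  if (data === null || typeof data !== 'object') return null;
  for (const entry of denylist) {
    if (typeof entry === 'object' && !Array.isArray(data) && matchesObjectEntry(data, entry)) {
      return path || '(root)';
    }
  }
  // Object.keys lists own properties only, which is exactly what JSON.parse
  // produces: a "__proto__" key in JSON becomes an ordinary own property.
  for (const key of Object.keys(data)) {
    const childPath = path ? `${path}.${key}` : key;
    if (denylist.includes(key)) return childPath; // string entries match key names
    const hit = findDeniedKeyword(data[key], denylist, childPath);
    if (hit) return hit;
  }
  return null;
}

// Mirrors the server-side decision: HTTP 400 with Parse error 105 on a hit.
// Passing [] as the denylist reproduces the "override to []" behaviour above.
function checkRequestBody(rawJson, denylist = DEFAULT_DENYLIST) {
  const hit = findDeniedKeyword(JSON.parse(rawJson), denylist);
  if (hit === null) return { status: 200 };
  return { status: 400, code: 105, error: `Prohibited keyword in request data: ${hit}` };
}

// Constructed sample request bodies (illustration only).
const cleanBody = '{"score":1337,"playerName":"Sean Plott","cheatMode":false}';
const protoKeyBody = '{"score":1,"__proto__":{"x":1}}';
const bsonCodeBody = '{"where":{"x":{"_bsontype":"Code"}}}';
```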
CVE-2022-24901
Impact
Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows authentication to be bypassed and makes the server vulnerable to DoS attacks.
Patches
The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
CVE-2022-31083
Impact
The certificate in the Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.
Patches
To prevent this, a new rootCertificateUrl property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the rootCertificateUrl property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter.
Workarounds
None.
References
More information
CVE-2022-31089
Impact
Certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single instance without redundancy, the availability impact may be high.
Patches
To prevent this, invalid requests are now properly handled.
Workarounds
None
References
For more information
CVE-2022-31112
Impact
Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.
Patches
The LiveQueryController now removes protected fields from the client response.
Workarounds
Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
References
For more information
If you have any questions or comments about this advisory:
CVE-2022-36079
Impact
Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.
Patches
The patch requires the master key to use internal and protected fields as query constraints.
Workarounds
Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as:
References
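The constraint-stripping check such a beforeFind trigger can apply, as an added example (the advisory's own snippet is not reproduced on this page and this is not Parse Server's code): a plain function over the REST "where" clause, so it runs without the Parse SDK. The internal field names in the sample and the Cloud Code wiring sketched in the comment are assumptions.

```javascript
// Added example (not Parse Server's own code): scrub query constraints on
// internal ("_"-prefixed) and app-defined protected fields unless the request
// carries the master key. Works on the REST "where" object a beforeFind
// trigger sees; compound operators are walked so nested branches are scrubbed.
function stripRestrictedConstraints(where, protectedFields, hasMasterKey = false) {
  const removed = [];
  if (hasMasterKey) return { where, removed }; // master key may constrain these fields

  const isRestricted = (key) => key.startsWith('_') || protectedFields.includes(key);

  const walk = (clause) => {
    if (clause === null || typeof clause !== 'object' || Array.isArray(clause)) return clause;
    const out = {};
    for (const [key, value] of Object.entries(clause)) {
      if (key === '$or' || key === '$and' || key === '$nor') {
        // Each branch is itself a where clause; scrub every branch.
        out[key] = Array.isArray(value) ? value.map(walk) : value;
      } else if (isRestricted(key)) {
        // Dropping the constraint removes the oracle: the result set no longer
        // depends on the hidden value. An emptied $or branch just matches more,
        // it does not reveal anything.
        removed.push(key);
      } else {
        out[key] = value;
      }
    }
    return out;
  };
  return { where: walk(where), removed };
}

// Assumed Cloud Code wiring (not executed here):
//   Parse.Cloud.beforeFind('GameScore', (req) => {
//     /* rebuild req.query from stripRestrictedConstraints(...) and log `removed` */
//   });

// Constructed sample: a client query probing an internal and a protected field.
const sampleWhere = {
  playerName: 'Sean Plott',
  _email_verify_token: { $exists: true },
  $or: [{ ssn: { $exists: true } }, { score: { $gt: 100 } }],
};
```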
CVE-2022-39225
Impact
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object. Note that assigning a session to a foreign user does not usually change the privileges of either of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges this vulnerability may have a higher level of severity.
The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects, a user cannot assign their own session to another user.
While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.
Patches
The fix prevents writing to foreign session objects, even if the session object ID is known.
Workarounds
Add a beforeSave trigger to the _Session class and prevent writing if the requesting user is different from the user in the session object.
References
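The ownership rule that workaround describes, as an added example that is not Parse Server's own code: a plain function over the session's user pointer, so it runs without the Parse SDK. The request shape and the sample identifiers are assumptions.

```javascript
// Added example (not Parse Server's own code): the check a beforeSave trigger
// on _Session can enforce. A write is allowed only by the session's owner (or
// with the master key), and it may not re-point "user" at another account.
function userPointerId(pointer) {
  if (!pointer || pointer.__type !== 'Pointer' || pointer.className !== '_User') return null;
  return pointer.objectId;
}

// `original` is the stored session (null on creation); `updated` holds the
// incoming field values. Returns true when the write may proceed, else throws.
function assertSessionWriteAllowed({ requestingUserId, hasMasterKey = false, original, updated }) {
  if (hasMasterKey) return true; // server-side session management is unaffected
  if (!requestingUserId) throw new Error('unauthenticated writes to _Session are refused');
  const ownerId = userPointerId(original ? original.user : updated.user);
  if (ownerId !== requestingUserId) {
    throw new Error('refusing write to a session owned by another user');
  }
  if (updated.user !== undefined && userPointerId(updated.user) !== ownerId) {
    throw new Error('refusing to reassign a session to another user');
  }
  return true;
}

// Decision wrapper that reports the reason instead of throwing (handy for logging).
function sessionWriteDecision(req) {
  try {
    return { allowed: assertSessionWriteAllowed(req) };
  } catch (e) {
    return { allowed: false, reason: e.message };
  }
}

// Constructed sample data: Alice's stored session and a pointer to Bob.
const alicePtr = { __type: 'Pointer', className: '_User', objectId: 'aliceId01' };
const bobPtr = { __type: 'Pointer', className: '_User', objectId: 'bobId0002' };
const storedSession = { objectId: 'sessId0001', user: alicePtr, customFlag: false };
```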
CVE-2022-39231
Impact
Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.
This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]). The vulnerability makes it possible to authenticate requests which are coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.
Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID.
The documentation did not explicitly specify that the parameter appIds must be set as an array of strings, and setting a string also worked. Therefore, there is a possibility that there are deployments where appIds is set as a string, making them vulnerable.
Patches
The fix makes Parse Server check the type of the value set for appIds and throws an error if the value is not an array.
Workarounds
No known workarounds.
References
CVE-2022-39313
Impact
Parse Server crashes when a file download request is received with an invalid byte range.
Patches
Improved parsing of the range parameter to properly handle invalid range requests.
Workarounds
None
References
CVE-2022-39396
Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Collaborators
Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative
References
CVE-2022-41878
Impact
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
Configure your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
CVE-2022-41879
Impact
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
None.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
CVE-2023-22474
Impact
Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows circumventing the security mechanism of the Parse Server option masterKeyIps by setting an allowed IP address as the x-forwarded-for header value.
Patches
The mechanism to determine the client IP address has been rewritten. Correct IP address determination now requires setting the Parse Server option trustProxy accordingly, see the express framework's trust proxy setting.
References
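How the resolved client address, and therefore the masterKeyIps decision, depends on the trust-proxy setting, as an added example that is neither Parse Server's nor Express's code. The trustProxy values mirror the intent of Express's setting (false, a hop count, or true); the function names, addresses and scenarios are constructed.

```javascript
// Added example (not Parse Server's or Express's own code): resolve the client
// IP that an allow list such as masterKeyIps is checked against. trustProxy
// follows the intent of Express's "trust proxy": false ignores X-Forwarded-For,
// a number n trusts the n nearest hops, true trusts every hop.
function resolveClientIp(socketAddress, xForwardedFor, trustProxy) {
  if (trustProxy === false || trustProxy === 0 || !xForwardedFor) {
    return socketAddress; // no trusted proxy: the header is untrusted client input
  }
  // Leftmost entry is the claimed original client; each proxy appends its peer.
  const hops = xForwardedFor.split(',').map((s) => s.trim()).filter(Boolean);
  if (hops.length === 0) return socketAddress;
  // With n trusted hops (the socket peer being hop 1) the client is the entry n
  // positions from the right; trusting more hops than exist yields the leftmost.
  const trusted = trustProxy === true ? hops.length : Number(trustProxy);
  return hops[Math.max(0, hops.length - trusted)];
}

// The allow-list decision itself, applied to the resolved address.
function masterKeyAllowedFrom(ip, masterKeyIps) {
  return masterKeyIps.includes(ip);
}

// Constructed allow list for the scenarios below.
const MASTER_KEY_IPS = ['127.0.0.1', '10.0.0.9'];

// 1) Parse Server exposed directly (no proxy, trustProxy false): a header the
//    client set itself must not influence the decision.
function directExposureDecision() {
  const ip = resolveClientIp('203.0.113.5', '127.0.0.1', false);
  return { ip, allowed: masterKeyAllowedFrom(ip, MASTER_KEY_IPS) };
}

// 2) Behind one reverse proxy at 10.0.0.2 with trustProxy 1: only the entry the
//    proxy appended (its real peer) counts, not what the client put before it.
function behindProxyDecision() {
  const ip = resolveClientIp('10.0.0.2', '127.0.0.1, 198.51.100.7', 1);
  return { ip, allowed: masterKeyAllowedFrom(ip, MASTER_KEY_IPS) };
}
```

Setting trustProxy to true on a server that is not actually behind a proxy reintroduces the problem, since every header entry is then trusted.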
CVE-2023-32689
Impact
Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.
An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then shares it with the attacker.
Patches
The fix adds a new Parse Server option fileUpload.fileExtensions to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to ['.*'] or another custom value to override the default.
References
CVE-2023-36475
Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Credits
References
CVE-2023-41058
Impact
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger, which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query.
Patches
The vulnerability was fixed by implementing a patch in the internal query pipeline to prevent a Parse Pointer from being used to access internal Parse Server classes or circumvent the beforeFind trigger.
Workarounds
There is no known workaround to prevent a Parse Pointer from being used to access internal Parse Server classes. A workaround if a beforeFind trigger is used as a security layer is to instead use the Parse Server provided security layers to manage access levels with Class-Level Permissions and Object-Level Access Control.
References
CVE-2023-46119
Impact
Parse Server crashes when uploading a file without extension.
Patches
A permanent fix has been implemented to prevent the server from crashing.
Workarounds
There are no known workarounds.
References
Release Notes
parse-community/parse-server (parse-server)
v5.5.6
Compare Source
Bug Fixes
v5.5.5
Compare Source
Bug Fixes
beforeFind query trigger; fixes security vulnerability GHSA-fcv6-fg5r-jm9q (6458ab0) (#8732)
v5.5.4
Compare Source
Bug Fixes
v5.5.3
Compare Source
Bug Fixes
auth option is set (#8669) (601da1e)
v5.5.2
Compare Source
Bug Fixes
v5.5.1
Compare Source
Bug Fixes
v5.5.0
Compare Source
Features
fileUpload.fileExtensions to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern ^[^hH][^tT][^mM][^lL]?$, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to ['.*'] (#8537) (196e05f)
v5.4.3
Compare Source
Bug Fixes
beforeSave hook exists (#8474) (4f0f0ec)
v5.4.2
Compare Source
Bug Fixes
v5.4.1
Compare Source
Bug Fixes
trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting; this fixes a security vulnerability in which the Parse Server option masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8369) (e016d81)
v5.4.0
Compare Source
Bug Fixes
equalTo with value false (#8032) (7f5a15d)
_Idempotency and _Role are not protected in defined schema (#8121) (c16f529)
containedIn not working when object field is an array (#8128) (1d9605b)
badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)
Date when directAccess: true (#8167) (e424137)
Parse.Query.or, Parse.Query.and not working (#8203) (28f0d26)
INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)
Features
Parse.Server (#8244) (9f11115)
Parse.Query.limit() constraint (#8152) (0388956)
v5.3.3
Compare Source
Bug Fixes
v5.3.2
Compare Source
Bug Fixes
requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability GHSA-xprv-wvh7-qqqx (#8302) (6728da1)
v5.3.1
Compare Source
Bug Fixes
v5.3.0
Compare Source
Bug Fixes
allowClientClassCreation defaulting to true (#7925) (38ed96a)
Unexpected Error (#8045) (0d81887)
Features
Parse.Cloud.beforeSave(Parse.File, (request) => {}), the old syntax Parse.Cloud.beforeSaveFile((request) => {}) has been deprecated (#7966) (c6dcad8)
Performance Improvements
v5.2.8
Compare Source
Bug Fixes
v5.2.7
Compare Source
Bug Fixes
appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)
v5.2.6
Compare Source
Bug Fixes
v5.2.5
Compare Source
Bug Fixes
v5.2.4
Compare Source
Bug Fixes
v5.2.3
Compare Source
Bug Fixes
v5.2.2
Compare Source
Bug Fixes
v5.2.1
Compare Source
Bug Fixes
v5.2.0
Compare Source
Bug Fixes
Features
v5.1.1
Compare Source
Reverts
v5.1.0
Compare Source
Bug Fixes
Features
ParseObject.fetch (#7779) (315290d)
postgresql protocol in database URI (#7757) (caf4a23)
Reverts
The following changes would formally require a major version increment (Parse Server 6.0), but given their low relevance they are released as part of this minor version increment (Parse Server 5.1).
v5.0.0
Compare Source
BREAKING CHANGES
databaseOptions.enableSchemaHooks: true to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options enableSingleSchemaCache and schemaCacheTTL have been removed. To use this feature with MongoDB, a replica set cluster with change stream support is required. (Diamond Lewis, SebC) #7214
400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed. (GHSA-p6h4-93qp-jhcm) (#7843) (971adb5)
fileUpload parameter in the Parse Server Options (dblythy, Manuel Trezza) #7071
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.