Release 4.10.1

[mtrezza]

Release 4.10.1

The objective of this release is to reduce the vulnerabilities from 1 low, 6 moderate, 2 high in 4.10.0 to 1 low, 1 high.

The remaining high vulnerability is due to the now deprecated @parse/simple-mailgun-adapter. This can easily be fixed by the developer by not using the adapter. There is an up-to-date mailgun adapter as replacement, but it works differently.

• Bump to parse 3.3.0 to fix security vulnerabilities
• Bump to parse-push-adapter 3.4.1 to fix security vulnerabilities
• Bump non-Parse dependencies

The bump from Parse 2.x to 3.x contains a breaking change:

For security purposes, logIn will default to POST instead of GET method. (#1284)
If you need to use GET set the usePost option to false.
Parse.User.logIn('username', 'password', { usePost: false })

This change prevents the plain text username and password from being in URLs and log files, a significant security issue.

If we argue that a security issue is usually not considered a braking change, because it doesn't "break" anything, but "fixes" something that is currently broken, we could release a parse server 4.10.1 that is free of any significant vulnerabilities. I think that approach is required once we move to Long Term Support, otherwise we could never fix vulnerabilities in a 4.x release while maintaining a 5.x release at the same time. In that sense, the fix in Parse would probably not have justified the major version bump from 2.x to 3.x.

Bottom line, this will make Parse Server 4.x usable again without any significant vulnerability until we release Parse Server 5.0.

Note

• When merging: merge this into branch release-4.x.x and don't delete that branch, it is the LTS branch for 4.x.x, a good exercise for our LTS trial to come.

TODO

• Cherry pick dependency bumps into master branch

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (release-4.x.x@7e1da90). Click here to learn what that means.
The diff coverage is n/a.

❗ Current head 023d1cb differs from pull request most recent head 9b4327d. Consider uploading reports for the commit 9b4327d to get more accurate results

@@               Coverage Diff                @@
##             release-4.x.x    #7508   +/-   ##
================================================
  Coverage                 ?   93.84%           
================================================
  Files                    ?      169           
  Lines                    ?    12428           
  Branches                 ?        0           
================================================
  Hits                     ?    11663           
  Misses                   ?      765           
  Partials                 ?        0           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7e1da90...9b4327d. Read the comment docs.

[davimacedo]

LGTM!

[mtrezza]

Thanks @davimacedo; @dblythy could you review this PR and let us know your opinion on the approach described above?

[dblythy]

LGTM. Not sure if it's already been done, but perhaps we could have a quick blog post "migrating to the new mail adapter" or something like that. I know in the past depreciations of commonly used adaptors can be tedious, and prevent people from updating.

[mtrezza]

Thanks for the review! Implementing the new adapter should hopefully be understandable from the docs of the new adapter. Let me know if there is anything you think should be improved by opening an issue there. I think adding any migration information there would probably be more accessible for people who navigate there to implement the new adapter.

[dblythy]

Right, sounds good! I think I had some minor troubles implementing it myself, but was easy to solve. Also, should that repo be transferred to the Parse Org if it's an official adapter?

[mtrezza]

Sure, let me know any suggestions for improvement. The adapter is not an official org adapter at this point (for various reasons), but I plan to transfer it in the future.