fix: Security upgrade to parse 7.0.1

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Upgrade to parse 7.0.1.

Approach

Even though this is a major version upgrade of Parse JS SDK, the breaking change there should only matter then using parse as a client SDK.

Summary by CodeRabbit

• Chores

  • Upgraded a core parsing library to the latest major version for improved stability and future compatibility. No user action required.

• Tests

  • Refined tests for single-object retrieval, relation behavior, and cloud-logging scenarios for more reliable outcomes.
  • Centralized HTTP mocking with automatic restore/cleanup; fetch assertions now validate request options.
  • Updated vulnerability tests to ensure prototype pollution is prevented rather than expecting save failures.
  • Made profiler-related tests resilient with dynamic comments and retry logic.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Tests and test helpers updated and parse dependency bumped to 7.0.1. Adds a global.fetch mock/restore wrapper, adjusts fetch expectations and several query call patterns, adds retrying profiler checks, and changes prototype-pollution assertions.

Changes

Cohort / File(s)	Change summary
Dependency package.json	Bumped parse dependency from 6.1.1 to 7.0.1.
Test helper / fetch wrapper spec/helper.js	Added centralized mockFetch that replaces global.fetch with a wrapper spy (bypasses Parse Server URL), exposes global.fetch.calls and global.fetch.and, tracks mock state, provides global.restoreFetch(), and integrates restore calls into test lifecycle hooks.
Fetch call expectations & auth adapters spec/Adapters/Auth/wechat.spec.js, spec/Adapters/Auth/linkedIn.spec.js	Tests updated to assert global.fetch receives a second options argument (e.g., jasmine.any(Object)). LinkedIn tests migrated from ad-hoc stubs to mockFetch endpoint mocks with explicit method/response handling.
Query usage changes spec/ParseObject.spec.js, spec/ParseRelation.spec.js	Switched retrieval patterns: query.find(object.id) → query.get(object.id) and query.find(origWheel.id) → query.find() (relying on relation redirect/un-fetched parent); adjusted then handlers and added .catch(done.fail) in one chain.
Prototype pollution tests spec/vulnerabilities.spec.js	Tests changed from expecting save rejection to performing save and asserting Object.prototype remains unpolluted (Object.prototype.dummy is undefined).
Profiler/comment tests spec/ParseQuery.Comment.spec.js	Replaced static comment strings with dynamic Date.now() values and added retry logic (up to 10 attempts with 100ms delay) to wait for profiler entries before asserting comment presence.
Cloud code logging & test lifecycle spec/CloudCodeLogger.spec.js	Cleared and reconfigured cloud hooks between tests (Parse.Cloud._removeAllHooks()), added new cloud functions for failure paths, removed some explicit done() usages in favor of async/await, and adjusted hook setup/teardown for isolation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Test
  participant mockFetch as mockFetch()
  participant Wrapper as global.fetch wrapper
  participant Spy as spyRecorder
  participant ParseServer as Parse Server URL

  Note over mockFetch,Wrapper: mockFetch installs a wrapper around global.fetch and records/resolves mocked endpoints
  Test->>mockFetch: install mocks/responses
  mockFetch->>Wrapper: replace global.fetch with wrapper (records calls)
  Wrapper->>Spy: record non-Parse requests (.calls)
  alt request matches mocked endpoint
    Wrapper-->>Test: return mocked Response (ok/json)
  else request to Parse Server URL
    Wrapper->>ParseServer: forward real request (bypass spy)
    ParseServer-->>Wrapper: real response
    Wrapper-->>Test: forward real response
  end
  Test->>Wrapper: inspect `global.fetch.calls` / `global.fetch.and` for assertions

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The description includes the repository’s template headers but the Issue section lacks a proper issue link and “Closes:” reference, and the Approach section does not detail the specific code changes. Additionally, the Tasks section is missing entirely, leaving checklist items unaddressed. This fails to meet the required structure and completeness specified by the template.	Please add a link to the corresponding issue with a “Closes: #…” reference, expand the Approach section to summarize the key code and test updates, and include a Tasks section with the appropriate checklist items or remove any non-applicable tasks.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Title Check	✅ Passed	The title succinctly captures the primary change of upgrading the Parse SDK to version 7.0.1 with a security focus and avoids unnecessary detail or noise, making it clear to reviewers what the pull request is about.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

spec/ParseQuery.Comment.spec.js (2)

61-76: Extract duplicated retry logic into a helper function.

The same retry pattern (poll profiler with 10 attempts, 100ms delays) is duplicated across all four tests. This violates DRY and makes future maintenance harder.

Consider extracting a reusable helper:

async function waitForProfilerEntry(database, query, options = {}) {
  const maxRetries = options.maxRetries || 10;
  const retryDelay = options.retryDelay || 100;
  
  for (let i = 0; i < maxRetries; i++) {
    const result = await database.collection('system.profile').findOne(
      query,
      { sort: { ts: -1 } }
    );
    if (result) {
      return result;
    }
    await new Promise(resolve => setTimeout(resolve, retryDelay));
  }
  
  return null;
}

Then simplify each test:

-    // Wait for profile entry to appear with retry logic
-    let result;
-    const maxRetries = 10;
-    const retryDelay = 100;
-    for (let i = 0; i < maxRetries; i++) {
-      result = await database.collection('system.profile').findOne(
-        { 'command.explain.comment': comment },
-        { sort: { ts: -1 } }
-      );
-      if (result) {
-        break;
-      }
-      await new Promise(resolve => setTimeout(resolve, retryDelay));
-    }
+    const result = await waitForProfilerEntry(database, { 'command.explain.comment': comment });

Also applies to: 88-103, 121-136, 151-166

---

64-65: Consider extracting magic numbers to constants.

The retry parameters (10 attempts, 100ms delay) are repeated across tests. Extracting them to named constants improves readability and makes tuning easier.

const PROFILER_RETRY_MAX_ATTEMPTS = 10;
const PROFILER_RETRY_DELAY_MS = 100;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 66f1169 and a66a573.

📒 Files selected for processing (2)

• spec/ParseQuery.Comment.spec.js (4 hunks)
• spec/helper.js (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• spec/helper.js

🧰 Additional context used

🧬 Code graph analysis (1)

spec/ParseQuery.Comment.spec.js (2)

spec/helper.js (2)

• i (340-340)
• TestObject (273-275)

src/Adapters/Storage/Mongo/MongoStorageAdapter.js (1)

• database (181-181)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Node 20
• GitHub Check: Node 18
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet

🔇 Additional comments (1)

spec/ParseQuery.Comment.spec.js (1)

49-49: LGTM: Dynamic comment generation prevents test interference.

Using Date.now() to generate unique comments for each test run is a good practice that prevents cross-test contamination and race conditions when multiple tests query the profiler.

Also applies to: 82-82, 109-109, 142-142

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.02%. Comparing base (64f104e) to head (8f77b03).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9877      +/-   ##
==========================================
- Coverage   93.02%   93.02%   -0.01%     
==========================================
  Files         187      187              
  Lines       15158    15158              
  Branches      176      176              
==========================================
- Hits        14101    14100       -1     
- Misses       1045     1046       +1     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

Beautiful!

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

spec/helper.js (1)

413-445: Harden mockFetch: support string|URL|Request, normalize method, dynamic serverURL, and fallback Response

• Normalize input (string, URL, Request) to a URL string.
• Uppercase HTTP method without mutating the original options.
• Bypass calls to the active Parse.serverURL (via Parse.serverURL or fallback serverURL), throwing if originalFetch is unavailable.
• Return a minimal Response-like fallback (ok, status, json(), text()).

No tests reference fetch.and stubbing (rg search returned no matches), so no test updates are required.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c61f8c9 and 61fa2a7.

📒 Files selected for processing (1)

• spec/helper.js (5 hunks)

🔇 Additional comments (2)

spec/helper.js (2)

216-223: Good lifecycle isolation of fetch mocks

Restoring fetch in beforeAll/beforeEach/afterEach/afterAll prevents cross‑test pollution. LGTM.

Also applies to: 225-230, 232-236, 275-276

---

10-16: Remove unnecessary fetch guard suggestion
The engines.node field (>=18.20.4) and ci/ciCheck.js already enforce running on Node 18+, where global.fetch is defined—no extra guard needed.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

spec/CloudCodeLogger.spec.js (1)

352-352: LGTM: Hook clearing applied consistently.

The addition of Parse.Cloud._removeAllHooks() ensures proper test isolation when reconfiguring the server with different log levels and hook definitions.

Consider applying the same hook clearing pattern to other tests that reconfigure the server (e.g., the beforeEach at lines 14-35) to ensure consistent test isolation across the entire suite.

Also applies to: 376-376

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c370559 and 8f77b03.

📒 Files selected for processing (1)

• spec/CloudCodeLogger.spec.js (7 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/CloudCodeLogger.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/CloudCodeLogger.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/CloudCodeLogger.spec.js

🧬 Code graph analysis (1)

spec/CloudCodeLogger.spec.js (2)

spec/helper.js (1)

• Parse (4-4)

spec/CloudCode.spec.js (1)

• Parse (3-3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Docker Build

🔇 Additional comments (3)

spec/CloudCodeLogger.spec.js (3)

192-205: LGTM: Async/await conversion improves test quality.

The conversion from callback pattern to async/await aligns with project standards and improves readability and error handling.

Based on learnings.

---

206-218: LGTM: Hook clearing ensures proper test isolation.

The addition of Parse.Cloud._removeAllHooks() before reconfiguration and the subsequent redefinition of bFunction ensures clean state between test scenarios and prevents cross-test interference.

---

234-234: LGTM: Consistent test isolation pattern.

The hook clearing and arrow function refactoring maintain test isolation and code consistency.

Also applies to: 244-245

[parseplatformorg]

🎉 This change has been released in version 8.3.0-alpha.7