[Snyk] Security upgrade parse-server from 2.3.2 to 5.5.2

[ninadhatkar]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • appengine/parse-server/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	776/1000 Why? Recently disclosed, Has a fix available, CVSS 9.8	Prototype Pollution SNYK-JS-PARSESERVER-5746822	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: parse-server

The new version differs by 250 commits.

• e6374e7 chore(release): 5.5.2 [skip ci]
• 5fad292 fix: Remote code execution via MongoDB BSON parser through prototype pollution; fixes security vulnerability [GHSA-462x-c3jw-7vr6](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6) (#8675)
• a036071 refactor: Upgrade semver from 7.3.8 to 7.5.1 (#8606)
• f5c6b3e refactor: Upgrade body-parser from 1.20.1 to 1.20.2 (#8607)
• 733dc29 refactor: Upgrade winston from 3.8.1 to 3.8.2 (#8609)
• e13f7bb refactor: Upgrade express from 4.18.1 to 4.18.2 (#8600)
• 81d51f3 refactor: Upgrade ws from 8.9.0 to 8.13.0 (#8567)
• c83b343 chore(release): 5.5.1 [skip ci]
• 8e83cac fix: Security upgrade @ parse/push-adapter from 4.1.2 to 4.1.3 (#8571)
• d8bff57 refactor: Upgrade @ graphql-tools/merge from 8.3.17 to 8.4.1 (#8555)
• c0a9ff8 ci: Fix outdated ubuntu version (#8540)
• ac90cb8 chore(release): 5.5.0 [skip ci]
• 196e05f feat: Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; this fix is released as a patch version given the severity of this vulnerability, however, if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` (#8537)
• e9ae435 chore(release): 5.4.3 [skip ci]
• 4f0f0ec fix: Unable to create new role if `beforeSave` hook exists (#8474)
• 0ec9239 refactor: Upgrade @ graphql-tools/merge from 8.3.6 to 8.3.17 (#8437)
• b905137 chore(release): 5.4.2 [skip ci]
• 2c19c2e fix: Security upgrade jsonwebtoken to 9.0.0 (#8431)
• 30576f1 chore(release): 5.4.1 [skip ci]
• e016d81 fix: The client IP address may be determined incorrectly in some cases; it is now required to set the Parse Server option `trustProxy` accordingly if Parse Server runs behind a proxy server, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting; this fixes a security vulnerability in which the Parse Server option `masterKeyIps` may be circumvented, see [GHSA-vm5r-c87r-pf6x](https://snyk.io/redirect/github/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x) (#8369)
• c8bc200 ci: Add LTS branches to CI workflow
• 09d04b0 ci: update auto-release workflow
• 38f64be ci: update auto-release for LTS
• 9b34b02 chore(release): 5.4.0 [skip ci]

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution