chore(deps): update dependency parse to v2 [security]

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
parse (source)	^1.11.0 -> ^2.10.0
parse (source)	1.11.0 -> 2.10.0

GitHub Vulnerability Alerts

GHSA-wvh7-5p38-2qfc

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

Example Code:

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Proposed Solution:
Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.

Configuration:
Parse SDK: 2.9.1
Parse Server: 3.9.0

---

Release Notes

parse-community/Parse-SDK-JS (parse)

v2.10.0

Compare Source

New Features

• Add query.fromNetwork() (#​1002)
• Add query.cancel() (browser only) (#​1003)
• Support custom request headers (#​1019)

Fixes

• To subclass Parse.User: Parse.Object.registerSubclass('_User', CustomUser);

Security

• Address Security Advisory of possible leak of sensitive user info. (#d110617), big thanks to Colin Ulin for identifying the problem, following the vulnerability disclosure guidelines

v2.9.1

Compare Source

Fixes

• Storing user to disk (#​992) (#​999)

v2.9.0

Compare Source

Deprecation
_linkWith and _logInWith are deprecated. Replace with linkWith and logInWith respectively. (#​963)

New Features

• Set Class Level Permission via Parse.Schema (#​960)
• Set required fields and default values via Parse.Schema (#​961)
• Add installationId to LiveQuery (#​977)
• Add response object to LiveQuery (#​979)
• Support query.map, query.filter, query.reduce (#​987)

Fixes

• Can unlink without provider in cloud code (#​971)
• Properly store User Subclass in Storage (#​978)

Improvements

• User subclass support for logInWith, hydrate, me, current (#​968)
• Remove unused options from Parse.Schema (#​959)
• Documentation for linking users and custom auth (#​963)
• Generate installationId as uuid v4 (#​972)
• Reuse StorageController for LDS (#​984)
• LiveQuery reconnect on server error (#​977)

v2.8.0

Compare Source

New Features

• Parse.File save cancel (#​948)
• Parse.File getData cancel (#​951)

Fixes

• React Native Emitter module (#​946)
• Parse.Schema deleteIndex, deleteField returns Parse.Schema (#​949)

Improvements

• Compiling on Windows (#​947)
• Generate _localId as UUID (#​956)

v2.7.1

Compare Source

New Features

• Support for ParseConfig.save with masterKeyOnlyFlags option (#​910) (Requires Parse-Server 3.8.0+)
• Support for ParseConfig.get with useMasterKey option (#​907)

v2.7.0

Compare Source

New Features

• Support for ParseObject.fetchAllIfNeededWithInclude (#​900)
• Support for ParseObject.exists (#​898)
• Support for ParseObject.save with cascadeSave option (#​881)

Fixes

• ParseUser.become should return subclass (#​897)
• Ensure LiveQuery subscribes before returning subscription (#​878)

Improvements

• Remove deprecated @babel/polyfill (#​877)

v2.6.0

Compare Source

New Features:
- Support configurable WebSocketController (#​64f359a)
- Support for WeChat Mini Program (#​874)
- Support withCount query constraint (#​868)

Improvements:
- Fix SERVER_RENDERING environment variable (#​873)

v2.5.1

Compare Source

• Update NPM credentials

v2.4.0

Compare Source

New Features:

• LocalDatastore: Support Users (#​801)
• LiveQuery subscribe with sessionToken (#​791)

Improvements:

• LocalDatastore: Improve pinning unsaved objects (#​795)
• LocalDatastore: Improve error handling (#​803)

Dependency Updates:

• uuid@3.3.2

Development Dependency Updates:

• eslint-plugin-flowtype@3.6.1
• gulp@4.0.1
• jasmine@3.4.0

v2.3.2

Compare Source

Improvements:

• Support getData from Parse.File (#​780)
• Parse.FacebookUtils logIn and link support MasterKey and SessionToken options (#​779)

Fixes:

• Remove node modules http and https from React-Native build (#​776)

v2.3.1

Compare Source

Improvements:

• _linkWith and _unlinkFrom support MasterKey and SessionToken options (#​767)

Fixes:

• File uri upload for Browser / React-Native (#​765)

Miscellaneous:

• Correct homepage in package.json (#​9e198b3)
• Add Issues template for opening GitHub Issue (#​760)
• Add Public email address to satisfy an npmjs requirement (#​764)

v2.3.0

Compare Source

Breaking Changes:

• query.subscribe() and unsubscribe()returns Promise.

Improvements:

• LocalDatastore fixes for React-Native (#​753)
• LocalDatastore update from Server (#​734)
• Support for Anonymous Users (#​750)
• File upload via uri (#​749)
• Add support to secured endpoints throught Authorization header (#​358)
• Remove authResponse in FacebookUtils (#​728)
• UserSubclass.logIn and UserSubclass.signUp returns subclass (#​756)
• Subscribe to multiple LiveQuery subscriptions (#​758)

v2.2.1

Compare Source

Fixes:

• Addresses critical issue with babel runtime regenerator (#​740)

v2.2.0

Compare Source

• Support for Local Datastore (#​612)
• LiveQuery override data on update (#​718) (Requires Parse-Server 3.1.3+)
• Support setting user from JSON (hydrate) (#​730)
• Improve dot notation for updating nested objects (#​729)
• LiveQuery handle unset operation (#​714) (Requires Parse-Server 3.1.3+)
• Add original object to LiveQuery events (#​712) (Requires Parse-Server 3.1.3+)
• Add support for providing file upload progress. (#​373) (Browser Only)
• Support clone with relation (#​382)
• Add batchSize to saveAll / destroyAll (#​701)
• Add save Method for Parse.Config (#​684)
• Allow specific keys to be reverted in unsaved objects (#​565)
• Handle undefined in Cloud Code (#​682)
• Validate if geopoint values is number (#​671)
• LiveQuery Support for Subclasses (#​662)

v2.1.0

Compare Source

• Parse.Error now inherits from Error

v2.0.2: 2.0.2

Compare Source

2.0.2

• Fixes issue affecting unsubscribing from liveQueries (#​640)
• Adds support for aggregate stages with identical names (#​637)
• Adds ability to fetch an object with includes (#​631)
• Adds support for $nor operator in queries (#​634)
• Adds support for containedBy operator in queries (#​633)
• Adds support for includeAll (#​632)

v2.0.1

Compare Source

• Fixes an issue occurring when uploading files with ajax in SDK 2.0
• Fixes an issue that prevented SDK 2.0 to properly function in a web environemnt

v2.0.0

Compare Source

v1.11.1: 1.11.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.