fix: Upgrade to GraphQL Apollo Server 5 and restrict GraphQL introspection

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Closes: FILL_THIS_OUT

Approach

Update to V5, something changed on how introspection is managed internally, or maybe we got a bug before, introspection is always activated for master key, and public introspection is stil an option to opt in

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Chores

  • Upgraded Apollo Server to 5.0.0 and added Express 5 integration dependency.

• Features

  • Strengthened GraphQL introspection controls: schema introspection short-circuited and type introspection more reliably detected and blocked unless authorized.
  • Public introspection can be enabled explicitly; master/maintenance keys still allow full introspection.

• Tests

  • Expanded coverage for aliased, fragment-based, nested and key-based introspection scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

❌ Please fill out all fields with a placeholder FILL_THIS_OUT. If a field does not apply to the pull request, fill in n/a or delete the line.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replace Apollo Express adapter with @as-integrations/express5, bump @apollo/server to 5.0.0, add AST-based detection to block __type GraphQL introspection (including aliases/fragments) unless authorized (master/maintenance key or public introspection), run checks before execution, and add tests covering these cases.

Changes

Cohort / File(s)	Summary
Dependency updates package.json	Upgrades @apollo/server 4.12.1 → 5.0.0 and adds @as-integrations/[email protected].
GraphQL server & introspection control src/GraphQL/ParseGraphQLServer.js	Switches Express integration to @as-integrations/express5; imports parse/GraphQLError from graphql; adds hasTypeIntrospection(query) and throwIntrospectionError(); implements a fast __schema string check and AST-based __type detection (covers aliases/fragments) in an IntrospectionControlPlugin; performs introspection checks before execution.
Tests: introspection coverage spec/ParseGraphQLServer.spec.js	Adds tests blocking __type introspection without master/maintenance key (plain, aliased, fragment forms) and allowing it with master/maintenance keys or when public introspection is enabled; adds test scaffolding to reconfigure server and toggle public introspection across suites.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Express
  participant ParseGraphQLServer
  participant ApolloServer
  participant IntrospectionPlugin

  Client->>Express: POST /graphql (operation)
  Express->>ParseGraphQLServer: forward request
  ParseGraphQLServer->>ApolloServer: prepare operation (query text / parsed)
  ApolloServer->>IntrospectionPlugin: requestDidStart / onRequest
  IntrospectionPlugin->>IntrospectionPlugin: quick string scan for "__schema"
  alt contains "__schema"
    IntrospectionPlugin-->>ApolloServer: throw introspection error (403)
  else contains "__type"
    IntrospectionPlugin->>ParseGraphQLServer: parse operation AST (hasTypeIntrospection)
    alt AST indicates type introspection (including aliases/fragments)
      IntrospectionPlugin-->>ApolloServer: throw introspection error (403)
    else
      IntrospectionPlugin-->>ApolloServer: allow execution
    end
  else
    IntrospectionPlugin-->>ApolloServer: allow execution
  end
  ApolloServer-->>Client: result or error

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Review focus:
  • Correctness of hasTypeIntrospection for aliases, fragments, and nested spreads.
  • Plugin hook selection and ordering to ensure pre-execution short-circuiting.
  • Migration implications for @as-integrations/express5 and Apollo Server v5 initialization.
  • Test isolation when toggling public introspection across suites.

Possibly related PRs

• fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819 — Overlapping changes to ParseGraphQLServer introspection handling and tests; directly related to AST-based __type blocking and plugin ordering.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The Approach section provides context for the changes but lacks detail; the Issue field remains unfilled ('FILL_THIS_OUT'), and no tasks are marked as completed despite multiple changes.	Fill in the 'Closes' issue reference, provide more detail in the Approach section explaining the introspection behavior changes, and update the Tasks checklist to reflect which actions were taken.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title directly matches the main objectives: upgrading Apollo Server 5 and restricting GraphQL introspection. It accurately summarizes the primary changes.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/GraphQL/ParseGraphQLServer.js (1)

16-52: Consider using Apollo Server v5's native introspection controls instead of string-based detection.

Apollo Server v5 provides built-in introspection controls via the introspection boolean option, the nodeEnv option to override NODE_ENV-derived defaults, and validationRules including a disable-introspection validation rule that runs before execution. The verification found no existing false positive scenarios in the codebase (no user-defined fields or classes containing __schema), so the current string-based detection works correctly. However, leveraging Apollo's native introspection option or validation rules would be more robust and maintainable than a custom plugin with includes('__schema') detection.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00f8d4c and bbdeb06.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• package.json (1 hunks)
• src/GraphQL/ParseGraphQLServer.js (2 hunks)

🔇 Additional comments (2)

src/GraphQL/ParseGraphQLServer.js (1)

4-4: LGTM: Correct import for Apollo Server v5.

The migration from @apollo/server/express4 to @as-integrations/express5 aligns with Apollo Server v5's architectural changes, where Express integration was moved to a separate package.

package.json (1)

23-24: No breaking changes or security issues detected with Apollo Server 5.0.0 upgrade.

Apollo Server 5.0.0 has no known security vulnerabilities, and all critical breaking changes are properly addressed:

• Node.js v20.0.0+ is required; package.json correctly constrains versions to compatible ranges (>=20.18.0, >=22.12.0)
• graphql >= v16.11.0 is required as a peer dependency; the codebase specifies 16.11.0
• Express middleware import has changed; this is addressed in the codebase migration

[codecov]

Codecov Report

❌ Patch coverage is 95.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 92.58%. Comparing base (f9970d4) to head (6e39017).
⚠️ Report is 5 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/GraphQL/ParseGraphQLServer.js	95.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha    #9888   +/-   ##
=======================================
  Coverage   92.58%   92.58%           
=======================================
  Files         191      191           
  Lines       15544    15559   +15     
  Branches      177      177           
=======================================
+ Hits        14391    14405   +14     
- Misses       1141     1142    +1     
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Moumouls]

@mtrezza i improved the system
btw: this update need to drop node 18 for parse-server

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

spec/ParseGraphQLServer.spec.js (3)

733-771: Harden negative introspection tests with fragments and variables.

Great coverage for direct and aliased __type; consider adding fragment- and variable-based cases to prevent bypass via AST shape changes.

Example additions:

+        it('should block __type introspection in fragment without master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query {
+                  ...Frag
+                }
+                fragment Frag on Query {
+                  __type(name: "User") { name }
+                }
+              `,
+            });
+            fail('should have thrown an error');
+          } catch (e) {
+            expect(e.message).toEqual('Response not successful: Received status code 403');
+            expect(e.networkError.result.errors[0].message).toEqual('Introspection is not allowed');
+          }
+        });
+
+        it('should block variable-based __type introspection without master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query TypeIntrospection($name: String!) {
+                  __type(name: $name) { name }
+                }
+              `,
+              variables: { name: 'User' },
+            });
+            fail('should have thrown an error');
+          } catch (e) {
+            expect(e.message).toEqual('Response not successful: Received status code 403');
+            expect(e.networkError.result.errors[0].message).toEqual('Introspection is not allowed');
+          }
+        });

---

773-792: Strengthen positive assertions for allowed __type results.

When introspection is permitted, assert specific fields (e.g., name === 'User', kind === 'OBJECT') to catch regressions beyond mere success.

Example:

-          expect(introspection.data).toBeDefined();
-          expect(introspection.data.__type).toBeDefined();
+          expect(introspection.data?.__type?.name).toBe('User');
+          expect(introspection.data?.__type?.kind).toBe('OBJECT');
+          expect(introspection.errors).toBeUndefined();

Also applies to: 794-813, 815-834, 836-852

---

1678-1681: Avoid redundant cache reset before recreating the server.

You reset caches then replace parseGraphQLServer with a new instance, which already starts clean. Drop the reset to shave test time.

-          await parseGraphQLServer.setGraphQLConfig({});
-          await resetGraphQLCache();
-          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+          await parseGraphQLServer.setGraphQLConfig({});
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bbdeb06 and 7f522e2.

📒 Files selected for processing (2)

• spec/ParseGraphQLServer.spec.js (5 hunks)
• src/GraphQL/ParseGraphQLServer.js (4 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

🧬 Code graph analysis (1)

spec/ParseGraphQLServer.spec.js (1)

spec/helper.js (2)

• parseServer (167-167)
• reconfigureServer (180-214)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Docker Build

🔇 Additional comments (8)

src/GraphQL/ParseGraphQLServer.js (4)

4-4: LGTM! Import changes align with Apollo Server v5 migration.

The migration from @apollo/server/express4 to @as-integrations/express5 and the addition of parse for AST-based introspection detection are necessary for the upgrade.

Also applies to: 7-7

---

38-46: LGTM! Clean error handling extraction.

The helper function provides consistent error messaging and proper HTTP 403 status for introspection denial.

---

64-78: LGTM! Well-optimized two-stage introspection check.

The implementation balances security and performance effectively:

• Fast path for __schema (simple string match)
• Smart path for __type (AST parsing only when string is present)
• Comments clearly explain the rationale

This addresses the performance concerns and bypass risks discussed in previous comments. The AST-based approach correctly handles whitespace variations that would bypass simple string matching like __type(.

Note: Once the fragment bypass issue in hasTypeIntrospection is fixed, this logic will be fully secure.

---

138-138: LGTM! Introspection control architecture is sound.

Based on the extensive discussion in previous review comments, setting introspection: true at the Apollo Server level is the correct approach for Apollo Server v5. The IntrospectionControlPlugin handles the ternary access control logic (master key always allowed, public opt-in via graphQLPublicIntrospection), which cannot be expressed through Apollo's native binary introspection setting.

spec/ParseGraphQLServer.spec.js (4)

857-859: Enabling public introspection per-suite is appropriate.

This localizes schema type checks that rely on __type without requiring master key. LGTM.

---

1019-1021: Relay suite setup looks good.

Recreating the server with graphQLPublicIntrospection avoids auth headers in type lookups. LGTM.

---

1567-1568: Parse Class Types suite setup is consistent.

Per-suite enablement keeps tests independent. LGTM.

---

7968-7969: Function mutations suite setup is sound.

Recreating with public introspection avoids auth headers for enum/type checks. LGTM. Based on learnings.

[mtrezza]

@mtrezza i improved the system btw: this update need to drop node 18 for parse-server

Marked as breaking change; can be merged with Parse Server 9 which will drop Node 18 support.

[mtrezza]

Note that there is apparently a bug regarding introspection, see #9900. Does this PR address that issue as well?

[Moumouls]

@mtrezza it's fixed here the introspection detection is more precise

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

spec/ParseGraphQLServer.spec.js (2)

733-852: Good coverage for __type introspection; consider adding aliased __schema too.

The new tests comprehensively cover __type (plain and aliased) across public/master/maintenance/public-introspection. To fully mirror behavior, add a companion test that blocks aliased __schema without keys.

---

857-859: Reconfiguring server per-suite is fine; re-init client if subscriptions ever appear.

You re-run createGQLFromParseServer with graphQLPublicIntrospection enabled while keeping the previously created apolloClient. That’s OK for HTTP-only tests; if a suite later uses wsLink/subscriptions after reconfigure, re-create the client to avoid stale sockets.

Also applies to: 1019-1021, 1566-1568, 1680-1681, 7967-7969

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c99c138 and a49c5f6.

📒 Files selected for processing (2)

• spec/ParseGraphQLServer.spec.js (7 hunks)
• src/GraphQL/ParseGraphQLServer.js (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/GraphQL/ParseGraphQLServer.js

🧰 Additional context used

🧠 Learnings (5)

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLServer.spec.js

🧬 Code graph analysis (1)

spec/ParseGraphQLServer.spec.js (3)

spec/helper.js (2)

• parseServer (167-167)
• reconfigureServer (180-214)

spec/ParseGraphQLSchema.spec.js (1)

• parseServer (6-6)

spec/ParseGraphQLController.spec.js (1)

• parseServer (10-10)

🪛 GitHub Check: Lint

spec/ParseGraphQLServer.spec.js

[failure] 6830-6830:
Expected indentation of 16 spaces but found 14

---

[failure] 11445-11445:
Expected indentation of 16 spaces but found 14

---

[failure] 11444-11444:
Expected indentation of 14 spaces but found 12

---

[failure] 11443-11443:
Expected indentation of 14 spaces but found 12

---

[failure] 11442-11442:
Expected indentation of 14 spaces but found 12

---

[failure] 11441-11441:
Expected indentation of 16 spaces but found 14

---

[failure] 11440-11440:
Expected indentation of 16 spaces but found 14

---

[failure] 11439-11439:
Expected indentation of 14 spaces but found 12

---

[failure] 11438-11438:
Expected indentation of 12 spaces but found 10

---

[failure] 11437-11437:
Expected indentation of 12 spaces but found 10

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Docker Build

🔇 Additional comments (1)

spec/ParseGraphQLServer.spec.js (1)

11437-11455: Disregard this review comment; no issues found after verification.

The code at lines 11437–11455 in spec/ParseGraphQLServer.spec.js is already correctly indented using consistent 2-space spacing throughout. The diff shown contains no actual changes—both the removed and added sides are identical. Additionally, no ESLint configuration exists in the project to have "flagged" any indentation issues.

The SomeClassType definition with the name 'SomeClass' is intentional test setup code within a beforeEach block for testing schema merging behavior. The GraphQL schema system already includes collision detection (ParseGraphQLSchema.js, lines 212–217 and 240–245) that safely handles type name conflicts, so there is no regression risk from this pattern in the test context.

Likely an incorrect or invalid review comment.

[Moumouls]

oops @mtrezza missed the last feedback of coderabbit

[Moumouls]

Waiting coderabbit check, but we should be good to go here @mtrezza !

[mtrezza]

@Moumouls could you fix the conflict?

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/GraphQL/ParseGraphQLServer.js (1)

150-151: Critical: Setting introspection: false at server level prevents master key access.

Tying the Apollo Server's introspection setting directly to graphQLPublicIntrospection breaks the intended master key behavior. When graphQLPublicIntrospection: false:

1. Apollo Server sets introspection: false
2. Apollo rejects all introspection queries at the server level, before the plugin runs
3. The IntrospectionControlPlugin never gets a chance to check for master/maintenance keys
4. Result: Master keys cannot introspect, violating the requirement that "introspection is always activated for requests using the master key"

The previous approach (introspection: true + plugin enforcement) was correct. The plugin properly implements the ternary logic:

• Public introspection enabled → allow all
• Master/maintenance key → allow
• Otherwise → block

Revert line 150 to the previous behavior:

-        introspection: this.config.graphQLPublicIntrospection,
+        introspection: true,

The plugin provides the necessary access control. Setting introspection: false at the server level bypasses the plugin's conditional logic entirely.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b259832 and ffcae78.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• package.json (1 hunks)
• spec/ParseGraphQLServer.spec.js (5 hunks)
• src/GraphQL/ParseGraphQLServer.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• spec/ParseGraphQLServer.spec.js

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/GraphQL/ParseGraphQLServer.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/GraphQL/ParseGraphQLServer.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/GraphQL/ParseGraphQLServer.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• src/GraphQL/ParseGraphQLServer.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/GraphQL/ParseGraphQLServer.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: Node 22
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Benchmarks

🔇 Additional comments (4)

src/GraphQL/ParseGraphQLServer.js (3)

42-50: LGTM: Clean error handling abstraction.

The throwIntrospectionError helper properly standardizes introspection denial with a 403 status code and clear error message. This follows GraphQL error conventions and improves code maintainability.

---

52-87: Good optimization strategy, but effectiveness depends on fixing hasTypeIntrospection.

The refactored plugin uses an efficient two-tier approach:

• Fast path for __schema detection via string matching (line 73)
• Smart path for __type detection with AST parsing (line 80)

This minimizes parsing overhead while reducing false positives. The authorization flow (public → master/maintenance → introspection checks) is sound.

However, the security effectiveness relies on hasTypeIntrospection being comprehensive. The fragment bypass issue identified in my earlier comment must be addressed for this to properly block introspection queries.

---

4-4: LGTM: Correct Apollo Server 5 and Express 5 integration.

The migration to @as-integrations/express5 and use of expressMiddleware correctly implements Apollo Server 5's integration pattern for Express 5. This aligns with the dependency upgrades in package.json.

Also applies to: 155-157

package.json (1)

23-24: No security vulnerabilities found; versions are stable and current.

Verification confirms that @apollo/server 5.0.0 and @as-integrations/express5 1.1.2 are both secure and appropriate choices:

• @apollo/server 5.0.0: No known vulnerabilities; only one minor version behind the latest (5.1.0 released October 28, 2025). All three historical advisories affect earlier versions (< 4.9.3, 4.7.1-4.7.4, < 4.1.0).
• @as-integrations/express5 1.1.2: Latest stable release (no newer versions available).

The versions are production-ready and secure.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

spec/ParseGraphQLServer.spec.js (1)

6933-6933: Dynamic delete key indentation now matches style and fixes earlier lint noise.

The computed key for data.delete[...] is now aligned under the bracket as expected, which should resolve the prior indentation lint error without changing behaviour.

🧹 Nitpick comments (3)

spec/ParseGraphQLServer.spec.js (3)

747-955: Robust __type introspection blocking tests; optional DRY helper and PR title suggestion.

The new tests thoroughly cover __type introspection denial across plain usage, aliases, fragments (including nested and mixed with valid fields), and the corresponding allow-list for master / maintenance key and public introspection. This gives strong confidence in the new AST-based guard. If you ever want to reduce duplication, you could wrap the repeated try/await/fail + 403 assertions in a small helper like expectIntrospectionForbidden(query) and reuse it across these specs.

For the changelog, an Angular-style PR title that matches these changes could be:

fix(graphql): upgrade apollo server v5 and harden introspection

---

960-962: Introspection-enabled server setup per suite is appropriate; minor duplication only.

Rebuilding the GraphQL server with graphQLPublicIntrospection: true in the Default Types, Relay Specific Types, Parse Class Types, Configuration, and Functions Mutations suites is a sensible way to keep schema-shape and function-enum tests passing now that introspection is locked down by default. Just be aware each nested beforeEach spins up a fresh HTTP + LiveQuery server; if these suites grow or runtime becomes an issue, centralizing this “introspection-enabled” setup behind a shared helper (or a single higher-level describe) would reduce duplication and server churn.

Also applies to: 1122-1124, 1669-1671, 1783-1783, 8070-8072

---

11540-11558: Custom SomeClass GraphQL type extension looks sound.

Adding nameUpperCase, the TypeEnum-backed type field, and the LanguageEnum language field with a static resolver cleanly exercises the GraphQL-schema-based extension path used later in the tests. The config is idiomatic for GraphQLObjectType; if you anticipate reusing LanguageEnum elsewhere, you could hoist that enum definition alongside TypeEnum rather than inlining it here, but that’s purely for reuse and clarity.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ffcae78 and 7daa2aa.

📒 Files selected for processing (1)

• spec/ParseGraphQLServer.spec.js (7 hunks)

🧰 Additional context used

🧠 Learnings (8)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLServer.spec.js

🧬 Code graph analysis (1)

spec/ParseGraphQLServer.spec.js (1)

spec/helper.js (3)

• Parse (4-4)
• parseServer (167-167)
• reconfigureServer (180-214)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Benchmarks

[mtrezza]

@Moumouls All breaking change PRs for PS9 release are being prepared; could you please fix this conflict so the CI passes?

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

145-147: Mismatch: PR says “drop Node 18” but engines.node still allows Node 18.

If this PR truly drops Node 18 support, please update engines.node to remove the >=18.20.4 <19.0.0 range (and ensure CI/test matrix matches). If Node 18 is still supported, the PR description/objectives should be corrected to avoid a breaking-change mismatch.

♻️ Duplicate comments (1)

spec/ParseGraphQLServer.spec.js (1)

6947-6950: Fix lint failure: bracket access indentation (CI blocker)
This looks like the same indentation issue previously flagged; it’s still failing lint at Line 6948.

-            expect(
-              (await deleteObject(object4.className, object4.id)).data.delete[
-              object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
-              ]
-            ).toEqual({ objectId: object4.id, __typename: 'PublicClass' });
+            expect(
+              (await deleteObject(object4.className, object4.id)).data.delete[
+                object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
+              ]
+            ).toEqual({ objectId: object4.id, __typename: 'PublicClass' });

🧹 Nitpick comments (2)

spec/ParseGraphQLServer.spec.js (2)

1-1: PR title: use Angular-style scope + make breaking nature explicit
Suggested: feat(graphql)!: upgrade @apollo/server to v5 and tighten introspection controls

---

752-960: Nice coverage for __type introspection bypasses (aliases/fragments/nested spreads)
These tests are a good regression net for the AST-based detection and the “master/maintenance/public” allow rules. Consider a tiny helper (e.g. expectIntrospectionDenied(query, headers?)) to remove the repeated try/catch blocks.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7daa2aa and bb26a48.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• package.json (1 hunks)
• spec/ParseGraphQLServer.spec.js (7 hunks)

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-12-02T08:00:20.138Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Applied to files:

• package.json

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLServer.spec.js

🪛 GitHub Check: Lint

spec/ParseGraphQLServer.spec.js

[failure] 6948-6948:
Expected indentation of 16 spaces but found 14

---

[failure] 11843-11843:
Expected indentation of 16 spaces but found 14

---

[failure] 11842-11842:
Expected indentation of 14 spaces but found 12

---

[failure] 11841-11841:
Expected indentation of 14 spaces but found 12

---

[failure] 11840-11840:
Expected indentation of 14 spaces but found 12

---

[failure] 11839-11839:
Expected indentation of 16 spaces but found 14

---

[failure] 11838-11838:
Expected indentation of 16 spaces but found 14

---

[failure] 11837-11837:
Expected indentation of 14 spaces but found 12

---

[failure] 11836-11836:
Expected indentation of 12 spaces but found 10

---

[failure] 11835-11835:
Expected indentation of 12 spaces but found 10

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Benchmarks
• GitHub Check: Node 20
• GitHub Check: Node 18
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Docker Build
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Code Analysis (javascript)

🔇 Additional comments (4)

package.json (3)

23-24: Good: express@5 already in place to match the new adapter direction.

Also applies to: 34-34

---

23-24: [rewritten review comment]
[classification tag]

---

29-29: For the Parse Server 9 release, @parse/push-adapter must be upgraded to >= 8.0.0. If this PR is intended as part of PS9 preparation, this dependency bump should be included. Otherwise, confirm whether the upgrade is deferred to a separate PS9 release branch. (Per maintainer guidance, version 8.x drops Node 18 support, which aligns with Parse Server 9's removal of EOL Node versions.)

spec/ParseGraphQLServer.spec.js (1)

965-967: graphQLPublicIntrospection: true test setup looks fine—double-check isolation
Enabling public introspection in these describe blocks is reasonable, but ensure no test in the same scope expects public introspection to be off (today it looks scoped correctly via per-describe beforeEach).

Also applies to: 1127-1129, 1674-1676, 1788-1789, 8365-8367

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

spec/ParseGraphQLServer.spec.js (3)

965-967: Suite-level public introspection setup is clear; consider DRY’ing server restart

Enabling public introspection via createGQLFromParseServer(..., { graphQLPublicIntrospection: true }) in beforeEach makes intent explicit and avoids leaking config across tests. If suite runtime becomes an issue, consider a tiny helper (e.g., enablePublicIntrospection() calling createGQLFromParseServer) to reduce duplication.

---

1127-1129: Same as above: repeated server recreation might be expensive

Same pattern as Default Types; looks correct. Only concern is cumulative test time due to repeated restarts.

---

1785-1789: Potential coupling: config tests now always run with public introspection enabled

This is likely intentional, but please sanity-check that the Configuration suite isn’t meant to validate behavior when public introspection is disabled (since it now always restarts with { graphQLPublicIntrospection: true } in its beforeEach). If not required, consider keeping the default server and only enabling public introspection in the specific tests that need it.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb26a48 and c16b10e.

📒 Files selected for processing (2)

• spec/ParseGraphQLServer.spec.js (5 hunks)
• src/GraphQL/ParseGraphQLServer.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/GraphQL/ParseGraphQLServer.js

🧰 Additional context used

🧠 Learnings (8)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLServer.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLServer.spec.js

🧬 Code graph analysis (1)

spec/ParseGraphQLServer.spec.js (1)

spec/helper.js (3)

• Parse (4-4)
• parseServer (167-167)
• reconfigureServer (180-214)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Node 22
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Node 20
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (2)

spec/ParseGraphQLServer.spec.js (2)

1674-1676: Good: ensures Parse class type introspection tests don’t depend on master key

This keeps these type assertions from accidentally depending on master-key-only introspection behavior.

---

8365-8367: Nice: avoids introspection-related failures when asserting function enum/type shapes

Given the broader introspection hardening, explicitly enabling public introspection here makes these type-based tests resilient.

[Moumouls]

ready to merge @mtrezza

[mtrezza]

@coderabbitai List all breaking changes for this PR, for the change log entry.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the diff for package.json to see dependency changes
git diff origin/alpha HEAD -- package.json

# Get the diff for ParseGraphQLServer.js to see implementation changes
git diff origin/alpha HEAD -- src/GraphQL/ParseGraphQLServer.js

# Check if there are any other files changed that might indicate breaking changes
git diff origin/alpha HEAD --name-only

Length of output: 4262

---

@mtrezza Here are the breaking changes for this PR:

Breaking Changes

1. Node.js version support: Dropped support for Node.js 18. Parse Server now requires Node.js 20 or higher.

2. @apollo/server major version upgrade: Upgraded from @apollo/server 4.12.1 to 5.0.0. This major version update may introduce breaking changes from Apollo Server itself. Applications relying on specific Apollo Server 4.x behaviors should review the Apollo Server 5.0 migration guide.

3. Express integration change: Switched from @apollo/server/express4 to @as-integrations/express5 (version 1.1.2). This changes the underlying Express integration layer for GraphQL endpoints.

4. GraphQL introspection detection improvements: Enhanced introspection query detection to properly identify both __schema and __type introspection queries through AST parsing. Previously, the introspection control had a bug (issue Graphql introspection with masterkey does not work when NODE_ENV is production #9900) where certain introspection queries could bypass restrictions. This fix ensures that introspection is correctly blocked unless using a master key or when graphQLPublicIntrospection is enabled.

---

Suggested changelog entry format:

BREAKING CHANGES:
- Dropped Node.js 18 support; minimum version is now Node.js 20
- Upgraded @apollo/server from 4.x to 5.0
- Changed GraphQL Express integration to @as-integrations/express5
- Improved GraphQL introspection detection; introspection queries are now properly restricted

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

---

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

[mtrezza]

BREAKING CHANGE: Upgrade to Apollo Server 5 and GraphQL express 5 integration; GraphQL introspection now requires using masterKey or setting graphQLPublicIntrospection: true.

[parseplatformorg]

🎉 This change has been released in version 9.0.0-alpha.3