refactor: Bump express and parse-server

[dependabot]

Bumps express to 5.0.1 and updates ancestor dependency parse-server. These dependencies need to be updated together.

Updates express from 4.18.2 to 5.0.1

Release notes

Sourced from express's releases.

5.0.1

What's Changed

• remove --bail from test script by @​jonchurch in expressjs/express#5962
• Nominate @​bjohansebas to the triage team by @​UlisesGascon in expressjs/express#6009
• Link and update captains by @​blakeembrey in expressjs/express#6013
• Update cookie semver lock to address CVE-2024-47764 by @​joshbuker in expressjs/express#6017
• Release: 5.0.1 by @​UlisesGascon in expressjs/express#6032

Full Changelog: expressjs/express@v5.0.0...5.0.1

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to [email protected], removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564

... (truncated)

Changelog

Sourced from express's changelog.

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: [email protected]
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: [email protected]
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: [email protected]
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

• change:
  • Default "query parser" setting to 'simple'

... (truncated)

Commits

• d14b2de 5.0.1
• 2027b87 fix(deps): [email protected]
• 2cbf227 Link and update captains (#6013)
• 3e1a1ce Add @​bjohansebas to the triage team (#6009)
• 6340d15 remove --bail from test script (#5962)
• 344b022 5.0.0
• 0c49926 fix(deps): send@^1.1.0
• b3906cb fix(deps): serve-static@^2.1.0
• fed8c2a fix(deps): body-parser@^2.0.1
• bdd81f8 Delete back as a magic string (#5933)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates parse-server from 5.5.6 to 8.0.0

Release notes

Sourced from parse-server's releases.

8.0.0

8.0.0 (2025-03-04)

Migration Guide

This is a major release with breaking changes. We prepared a migration guide to help you migrating to Parse Server 8. For the full list of breaking changes see the section below. If you are upgrading from a lower version than the previous major release, we recommend to upgrade one major release at a time and consult the respective change logs. For help consult our community forum or our community chat.

BREAKING CHANGES

• This upgrades the internally used Express framework from version 4 to 5, which may be a breaking change. If Parse Server is set up to be mounted on an Express application, we recommend to also use version 5 of the Express framework to avoid any compatibility issues. Note that even if there are no issues after upgrading, future releases of Parse Server may introduce issues if Parse Server internally relies on Express 5-specific features which are unsupported by the Express version on which it is mounted. See the Express migration guide and release announcement for more info. (https://github.com/parse-community/parse-server/blob/HEAD/e0480df)
• This upgrades to the Parse JS SDK 6.0.0. See the change log of the Parse JS SDK for breaking changes and more details. (https://github.com/parse-community/parse-server/blob/HEAD/bf9db75)
• This removes the username from the email verification and password reset process to prevent storing personally identifiable information (PII) in server and infrastructure logs. Customized HTML pages or emails related to email verification and password reset may need to be adapted accordingly. See the new templates that come bundled with Parse Server and the migration guide for more details. (https://github.com/parse-community/parse-server/blob/HEAD/d21dd97)
• This releases increases the required minimum versions to Postgres 15, PostGIS 3.3 and removes support for Postgres 13, 14, PostGIS 3.1, 3.2. (https://github.com/parse-community/parse-server/blob/HEAD/89c9b54)
• The default value of Parse Server option encodeParseObjectInCloudFunction changes to true; the option has been deprecated and will be removed in a future version. (https://github.com/parse-community/parse-server/blob/HEAD/5c5ad69)
• This releases increases the required minimum MongoDB versions to 6.0.19, 7.0.16, 8.0.4 and removes support for MongoDB 4, 5. (https://github.com/parse-community/parse-server/blob/HEAD/871e508)
• This releases increases the required minimum Node versions to 18.20.4, 20.18.0, 22.12.0 and removes unofficial support for Node 19. (https://github.com/parse-community/parse-server/blob/HEAD/4e151cd)

Features

• Add dynamic master key by setting Parse Server option masterKey to a function (#9582) (6f1d161)
• Add support for MongoDB databaseOptions keys autoSelectFamily, autoSelectFamilyAttemptTimeout (#9579) (5966068)
• Add support for MongoDB databaseOptions keys minPoolSize, connectTimeoutMS, socketTimeoutMS (#9522) (91618fe)
• Add TypeScript support (#9550) (59e46d0)
• Change default value of Parse Server option encodeParseObjectInCloudFunction to true (#9527) (5c5ad69)
• Deprecate PublicAPIRouter in favor of PagesRouter (#9526) (7f66629)
• Increase required minimum MongoDB versions to 6.0.19, 7.0.16, 8.0.4 (#9531) (871e508)
• Increase required minimum Node versions to 18.20.4, 20.18.0, 22.12.0 (#9521) (4e151cd)
• Increase required minimum versions to Postgres 15, PostGIS 3.3 (#9538) (89c9b54)
• Upgrade to express 5.0.1 (#9530) (e0480df)
• Upgrade to Parse JS SDK 6.0.0 (#9624) (bf9db75)

Bug Fixes

• LiveQueryServer crashes using cacheAdapter on disconnect from Redis 4 server (#9616) (bbc6bd4)
• Push adapter not loading on some versions of Node 22 (#9524) (ff7f671)
• Remove username from email verification and password reset process (#8488) (d21dd97)
• Security upgrade node from 20.17.0-alpine3.20 to 20.18.2-alpine3.20 (#9583) (8f85ae2)

8.0.0-alpha.15

8.0.0-alpha.15 (2025-03-03)

Features

• Upgrade to express 5.0.1 (#9530) (e0480df)

BREAKING CHANGES

• This upgrades the internally used Express framework from version 4 to 5, which may be a breaking change. If Parse Server is set up to be mounted on an Express application, we recommend to also use version 5 of the Express framework to avoid any compatibility issues. Note that even if there are no issues after upgrading, future releases of Parse Server may introduce issues if Parse Server internally relies on Express 5-specific features which are unsupported by the Express version on which it is mounted. See the Express migration guide and release announcement for more info. (https://github.com/parse-community/parse-server/blob/HEAD/e0480df)

... (truncated)

Commits

• 3cb3c5f chore(release): 8.0.0 [skip ci]
• 7e88cb5 build: Release (#9628)
• 34867b7 Merge branch 'release' into build/release
• d4eab0e ci: Remove beta branch (#9626)
• 9c2d993 chore(release): 8.0.0-alpha.15 [skip ci]
• e0480df feat: Upgrade to express 5.0.1 (#9530)
• cc8dad8 chore(release): 8.0.0-alpha.14 [skip ci]
• bf9db75 feat: Upgrade to Parse JS SDK 6.0.0 (#9624)
• 275fe37 chore(release): 8.0.0-alpha.13 [skip ci]
• d21dd97 fix: Remove username from email verification and password reset process (#8488)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.