merge upstream/alpha and fix CI failures

- Resolve merge conflicts in triggers.js and Definitions.js
- Fix ESLint curly rule in InProcessAdapter spec
- Fix TypeScript: import * as http, import Parse default
- Fix Options/index.js: use ?Object instead of inline types
  (buildConfigDefinitions.js cannot parse Array<Object> or
  inline object type annotations)

Author: dblythy

DEPRECATIONS.md

@@ -22,6 +22,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 | DEPPS16 | Remove config option `mountPlayground`                                                       | [#10110](https://github.com/parse-community/parse-server/issues/10110) | 9.5.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 | DEPPS17 | Remove config option `playgroundPath`                                                        | [#10110](https://github.com/parse-community/parse-server/issues/10110) | 9.5.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 | DEPPS18 | Config option `requestComplexity` limits enabled by default                                  | [#10207](https://github.com/parse-community/parse-server/pull/10207)   | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
+| DEPPS19 | Remove config option `enableProductPurchaseLegacyApi`                                        | [#10228](https://github.com/parse-community/parse-server/pull/10228)   | 9.6.0 (2026)                    | 10.0.0 (2027)                   | deprecated            | -     |
 
 [i_deprecation]: ## "The version and date of the deprecation."
 [i_change]: ## "The version and date of the planned change."

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,38 @@
+# [9.6.0-alpha.33](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.32...9.6.0-alpha.33) (2026-03-17)
+
+
+### Features
+
+* Add `enableProductPurchaseLegacyApi` option to disable legacy IAP validation ([#10228](https://github.com/parse-community/parse-server/issues/10228)) ([622ee85](https://github.com/parse-community/parse-server/commit/622ee85dc27a4ef721c1d4f61d3ed881a064da0b))
+
+# [9.6.0-alpha.32](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.31...9.6.0-alpha.32) (2026-03-16)
+
+
+### Bug Fixes
+
+* Instance comparison with `instanceof` is not realm-safe ([#10225](https://github.com/parse-community/parse-server/issues/10225)) ([51efb1e](https://github.com/parse-community/parse-server/commit/51efb1efb9fa3f2d578de63f61b20c6a4fbcbd9a))
+
+# [9.6.0-alpha.31](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.30...9.6.0-alpha.31) (2026-03-16)
+
+
+### Bug Fixes
+
+* Validate authData provider values in challenge endpoint ([#10224](https://github.com/parse-community/parse-server/issues/10224)) ([e5e1f5b](https://github.com/parse-community/parse-server/commit/e5e1f5bbc008c869614a13ab540f72af57adda8f))
+
+# [9.6.0-alpha.30](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.29...9.6.0-alpha.30) (2026-03-16)
+
+
+### Bug Fixes
+
+* Block dot-notation updates to authData sub-fields and harden login provider checks ([#10223](https://github.com/parse-community/parse-server/issues/10223)) ([12c24c6](https://github.com/parse-community/parse-server/commit/12c24c6c6c578219703aaea186625f8f36c0d020))
+
+# [9.6.0-alpha.29](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.28...9.6.0-alpha.29) (2026-03-16)
+
+
+### Bug Fixes
+
+* Empty authData bypasses credential requirement on signup ([GHSA-wjqw-r9x4-j59v](https://github.com/parse-community/parse-server/security/advisories/GHSA-wjqw-r9x4-j59v)) ([#10219](https://github.com/parse-community/parse-server/issues/10219)) ([5dcbf41](https://github.com/parse-community/parse-server/commit/5dcbf41249f1b67c72296934bc4f8538f3b1d821))
+
 # [9.6.0-alpha.28](https://github.com/parse-community/parse-server/compare/9.6.0-alpha.27...9.6.0-alpha.28) (2026-03-16)
 
 

eslint.config.js

@@ -41,7 +41,46 @@ module.exports = [
       curly: ["error", "all"],
       "block-spacing": ["error", "always"],
       "no-unused-vars": "off",
-      "no-console": "warn"
+      "no-console": "warn",
+      "no-restricted-syntax": [
+        "error",
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Date']",
+          message: "Use Utils.isDate() instead of instanceof Date (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='RegExp']",
+          message: "Use Utils.isRegExp() instead of instanceof RegExp (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Error']",
+          message: "Use Utils.isNativeError() instead of instanceof Error (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Promise']",
+          message: "Use Utils.isPromise() instead of instanceof Promise (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Map']",
+          message: "Use Utils.isMap() instead of instanceof Map (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Object']",
+          message: "Use Utils.isObject() instead of instanceof Object (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Set']",
+          message: "Use Utils.isSet() instead of instanceof Set (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Buffer']",
+          message: "Use Buffer.isBuffer() instead of instanceof Buffer (cross-realm safe).",
+        },
+        {
+          selector: "BinaryExpression[operator='instanceof'][right.name='Array']",
+          message: "Use Array.isArray() instead of instanceof Array (cross-realm safe).",
+        },
+      ]
     },
   },
 ];

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.6.0-alpha.28",
+  "version": "9.6.0-alpha.33",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -2,6 +2,7 @@ const { loadAdapter, loadModule } = require('../lib/Adapters/AdapterLoader');
 const FilesAdapter = require('@parse/fs-files-adapter').default;
 const MockFilesAdapter = require('mock-files-adapter');
 const Config = require('../lib/Config');
+const Utils = require('../lib/Utils');
 
 describe('AdapterLoader', () => {
   it('should instantiate an adapter from string in object', done => {
@@ -15,7 +16,7 @@ describe('AdapterLoader', () => {
       },
     });
 
-    expect(adapter instanceof Object).toBe(true);
+    expect(Utils.isObject(adapter)).toBe(true);
     expect(adapter.options.key).toBe('value');
     expect(adapter.options.foo).toBe('bar');
     done();
@@ -25,7 +26,7 @@ describe('AdapterLoader', () => {
     const adapterPath = require('path').resolve('./spec/support/MockAdapter');
     const adapter = loadAdapter(adapterPath);
 
-    expect(adapter instanceof Object).toBe(true);
+    expect(Utils.isObject(adapter)).toBe(true);
     done();
   });
 

spec/AdapterLoader.spec.js

@@ -1,5 +1,6 @@
 const request = require('../lib/request');
 const Auth = require('../lib/Auth');
+const Config = require('../lib/Config');
 const requestWithExpectedError = async params => {
   try {
     return await request(params);
@@ -1613,4 +1614,92 @@ describe('Auth Adapter features', () => {
     expect(authData.simpleAdapter && authData.simpleAdapter.id).toBe('simple1');
     expect(authData.codeBasedAdapter && authData.codeBasedAdapter.id).toBe('user1');
   });
+
+  describe('authData dot-notation injection and login crash', () => {
+    it('rejects dotted update key that targets authData sub-field', async () => {
+      const user = new Parse.User();
+      user.setUsername('dotuser');
+      user.setPassword('pass1234');
+      await user.signUp();
+
+      const res = await request({
+        method: 'PUT',
+        url: `http://localhost:8378/1/users/${user.id}`,
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': user.getSessionToken(),
+        },
+        body: JSON.stringify({ 'authData.anonymous".id': 'injected' }),
+      }).catch(e => e);
+      expect(res.status).toBe(400);
+    });
+
+    it('login does not crash when stored authData has unknown provider', async () => {
+      const user = new Parse.User();
+      user.setUsername('dotuser2');
+      user.setPassword('pass1234');
+      await user.signUp();
+      await Parse.User.logOut();
+
+      // Inject unknown provider directly in database to simulate corrupted data
+      const config = Config.get('test');
+      await config.database.update(
+        '_User',
+        { objectId: user.id },
+        { authData: { unknown_provider: { id: 'bad' } } }
+      );
+
+      // Login should not crash with 500
+      const login = await request({
+        method: 'GET',
+        url: `http://localhost:8378/1/login?username=dotuser2&password=pass1234`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+      }).catch(e => e);
+      expect(login.status).toBe(200);
+      expect(login.data.sessionToken).toBeDefined();
+    });
+  });
+
+  describe('challenge endpoint authData provider value validation', () => {
+    it('rejects challenge request with null provider value without 500', async () => {
+      const res = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/challenge',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: JSON.stringify({
+          authData: { anonymous: null },
+          challengeData: { anonymous: { token: '123456' } },
+        }),
+      }).catch(e => e);
+      expect(res.status).toBeGreaterThanOrEqual(400);
+      expect(res.status).toBeLessThan(500);
+    });
+
+    it('rejects challenge request with non-object provider value without 500', async () => {
+      const res = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/challenge',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        body: JSON.stringify({
+          authData: { anonymous: 'string_value' },
+          challengeData: { anonymous: { token: '123456' } },
+        }),
+      }).catch(e => e);
+      expect(res.status).toBeGreaterThanOrEqual(400);
+      expect(res.status).toBeLessThan(500);
+    });
+  });
 });

spec/AuthenticationAdaptersV2.spec.js

@@ -5,6 +5,7 @@ const ParseServer = require('../lib/index').ParseServer;
 const request = require('../lib/request');
 const InMemoryCacheAdapter = require('../lib/Adapters/Cache/InMemoryCacheAdapter')
   .InMemoryCacheAdapter;
+const Utils = require('../lib/Utils');
 
 const mockAdapter = {
   createFile: async filename => ({
@@ -1272,15 +1273,15 @@ describe('Cloud Code', () => {
 
   it('test cloud function request params types', function (done) {
     Parse.Cloud.define('params', function (req) {
-      expect(req.params.date instanceof Date).toBe(true);
+      expect(Utils.isDate(req.params.date)).toBe(true);
       expect(req.params.date.getTime()).toBe(1463907600000);
-      expect(req.params.dateList[0] instanceof Date).toBe(true);
+      expect(Utils.isDate(req.params.dateList[0])).toBe(true);
       expect(req.params.dateList[0].getTime()).toBe(1463907600000);
-      expect(req.params.complexStructure.date[0] instanceof Date).toBe(true);
+      expect(Utils.isDate(req.params.complexStructure.date[0])).toBe(true);
       expect(req.params.complexStructure.date[0].getTime()).toBe(1463907600000);
-      expect(req.params.complexStructure.deepDate.date[0] instanceof Date).toBe(true);
+      expect(Utils.isDate(req.params.complexStructure.deepDate.date[0])).toBe(true);
       expect(req.params.complexStructure.deepDate.date[0].getTime()).toBe(1463907600000);
-      expect(req.params.complexStructure.deepDate2[0].date instanceof Date).toBe(true);
+      expect(Utils.isDate(req.params.complexStructure.deepDate2[0].date)).toBe(true);
       expect(req.params.complexStructure.deepDate2[0].date.getTime()).toBe(1463907600000);
       // Regression for #2294
       expect(req.params.file instanceof Parse.File).toBe(true);

spec/CloudCode.spec.js

@@ -171,6 +171,29 @@ describe('Deprecator', () => {
     }
   });
 
+  it('logs deprecation for enableProductPurchaseLegacyApi when set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer({ enableProductPurchaseLegacyApi: true });
+    expect(logSpy).toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'enableProductPurchaseLegacyApi',
+        changeNewKey: '',
+      })
+    );
+  });
+
+  it('does not log deprecation for enableProductPurchaseLegacyApi when not set', async () => {
+    const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
+
+    await reconfigureServer();
+    expect(logSpy).not.toHaveBeenCalledWith(
+      jasmine.objectContaining({
+        optionKey: 'enableProductPurchaseLegacyApi',
+      })
+    );
+  });
+
   it('does not log deprecation for requestComplexity limits when explicitly set', async () => {
     const logSpy = spyOn(Deprecator, '_logOption').and.callFake(() => {});
 

spec/Deprecator.spec.js

@@ -103,12 +103,12 @@ describe_only_db('mongo')('GridFSBucket', () => {
     ).toEqual(1);
     expect(notRotated.length).toEqual(0);
     let result = await encryptedAdapter.getFileData(fileName1);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data1);
     const encryptedData1 = await unencryptedAdapter.getFileData(fileName1);
     expect(encryptedData1.toString('utf-8')).not.toEqual(unencryptedResult1);
     result = await encryptedAdapter.getFileData(fileName2);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data2);
     const encryptedData2 = await unencryptedAdapter.getFileData(fileName2);
     expect(encryptedData2.toString('utf-8')).not.toEqual(unencryptedResult2);
@@ -146,7 +146,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     ).toEqual(1);
     expect(notRotated.length).toEqual(0);
     let result = await encryptedAdapter.getFileData(fileName1);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data1);
     let decryptionError1;
     let encryptedData1;
@@ -158,7 +158,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     expect(decryptionError1).toMatch('Error');
     expect(encryptedData1).toBeUndefined();
     result = await encryptedAdapter.getFileData(fileName2);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data2);
     let decryptionError2;
     let encryptedData2;
@@ -203,7 +203,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     ).toEqual(1);
     expect(notRotated.length).toEqual(0);
     let result = await unEncryptedAdapter.getFileData(fileName1);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data1);
     let decryptionError1;
     let encryptedData1;
@@ -215,7 +215,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     expect(decryptionError1).toMatch('Error');
     expect(encryptedData1).toBeUndefined();
     result = await unEncryptedAdapter.getFileData(fileName2);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data2);
     let decryptionError2;
     let encryptedData2;
@@ -271,7 +271,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
       }).length
     ).toEqual(0);
     let result = await encryptedAdapter.getFileData(fileName1);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data1);
     let decryptionError1;
     let encryptedData1;
@@ -283,7 +283,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     expect(decryptionError1).toMatch('Error');
     expect(encryptedData1).toBeUndefined();
     result = await encryptedAdapter.getFileData(fileName2);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data2);
     let decryptionError2;
     let encryptedData2;
@@ -338,7 +338,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
       }).length
     ).toEqual(1);
     let result = await encryptedAdapter.getFileData(fileName1);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data1);
     let decryptionError1;
     let encryptedData1;
@@ -350,7 +350,7 @@ describe_only_db('mongo')('GridFSBucket', () => {
     expect(decryptionError1).toMatch('Error');
     expect(encryptedData1).toBeUndefined();
     result = await encryptedAdapter.getFileData(fileName2);
-    expect(result instanceof Buffer).toBe(true);
+    expect(Buffer.isBuffer(result)).toBe(true);
     expect(result.toString('utf-8')).toEqual(data2);
     let decryptionError2;
     let encryptedData2;