Parse-server 4.x.x dependency vulnerabilities - will they be patched?

Hi everyone

I’m grateful that this community exists and that Parse is being maintained even long after the shutdown by Facebook in 2016.

I believe parse-server 4.x.x is still under Long-Term-Support (LTS) and it has come to my attention that there are a few vulnerabilities in npm dependencies of this version:

The second one looks the most notable to me and I’m not sure why the issue was closed.

I think maybe I’ve seen some of these also present in version 5.x.x

I know of some application and services that still rely on 4.x.x. Can we expect these remaining vulnerabilities to be patched by someone in this community before LTS is suspended in 4.x.x and moved to 5.x.x along with the release of parse-server 6.0? Any help is greatly appreciated

@Manuel hoping that you may be able to help out with this


Parse Server 4 is not under LTS anymore. The branch release-4.x.x is frozen and no further commits will be made, that includes auto-created PRs (snyk, etc.) and community provided PRs. If you rely on this branch you could fork and maintain it.

Parse Server 5 is under LTS, even though Parse Server 6 hasn’t been released yet. Parse Server 6 will be released in a few days. This transitory phase with 5 being in LTS while 6 isn’t released may be confusing, but this is the first year we are doing this on the fly and we’ve identified some procedural improvements for the next major release to avoid this.

With branch release-5.x.x in LTS, any security related bugs should be fixed there. We recommend to upgrade to Parse Server 5 and/or prepare to upgrade to Parse Server 6 which is pending release.