4.10.7 (2022-03-11)
Bug Fixes
- security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) (886bfd7)

Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.
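
The keyword scan described above, as an added sketch that is not Parse Server's own code. The denylist entry shape ({ key, value }), the function names and the sample request bodies are assumptions of this example.

```javascript
// Added illustration; not Parse Server's implementation.
// Entry shape { key, value? } is an assumption of this example.
const DEFAULT_DENYLIST = [
  { key: '_bsontype', value: 'Code' }, // key and value must both match
  { key: 'constructor' },              // the key alone is enough
  { key: '__proto__' },
];
const INVALID_KEY_NAME = 105; // Parse error code named in the release note

const hasOwn = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);

// Walk objects and arrays; return the first denylisted entry found, or null.
function findDeniedKeyword(data, denylist = DEFAULT_DENYLIST) {
  if (data === null || typeof data !== 'object') return null;
  // Own keys only, so inherited properties never produce a match.
  for (const key of Object.keys(data)) {
    const value = data[key];
    for (const entry of denylist) {
      if (entry.key !== key) continue;
      if (!hasOwn(entry, 'value') || entry.value === value) return entry;
    }
    const nested = findDeniedKeyword(value, denylist);
    if (nested) return nested;
  }
  return null;
}

// Map the scan result to the documented response: HTTP 400 with error 105.
function checkRequest(body, denylist = DEFAULT_DENYLIST) {
  const hit = findDeniedKeyword(body, denylist);
  if (!hit) return { status: 200 };
  return { status: 400, code: INVALID_KEY_NAME, denied: hit.key };
}

// Constructed sample bodies. JSON.parse is used because it creates an own
// "__proto__" property, which is how such a key arrives in a JSON request.
const samples = [
  JSON.parse('{"name": "a", "__proto__": {"isAdmin": true}}'),
  { score: 1, items: [{ _bsontype: 'Code', code: 'x' }] },
  { _bsontype: 'Binary', title: 'constructor' }, // allowed: no entry matches
];
for (const body of samples) {
  console.log(JSON.stringify(checkRequest(body)));
}
```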