9.8.0 (2026-04-12)

Bug Fixes

• Bump lodash from 4.17.23 to 4.18.1 (#10393) (19716ad)
• Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) (#10406) (d507575)
• Endpoint /upgradeToRevocableSession ignores _Session protectedFields (#10408) (c136e2b)
• Endpoints /login and /verifyPassword ignore _User protectedFields (#10409) (8a3db3b)
• Facebook Standard Login missing app ID validation (#10429) (fd31159)
• File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) (#10383) (dd7cc41)
• Login timing side-channel reveals user existence (GHSA-mmpq-5hcv-hf2v) (#10398) (531b9ab)
• Maintenance key IP mismatch silently downgrades to regular auth instead of rejecting (#10391) (7d8b367)
• Master key does not bypass protectedFields on various endpoints (#10412) (c0889c8)
• Nested batch sub-requests cause unclear error (#10371) (6635096)
• Session field guard bypass via falsy values for ACL and user fields (#10382) (ead12bd)
• Streaming file download bypasses afterFind file trigger authorization (GHSA-hpm8-9qx6-jvwv) (#10361) (a0b0c69)

Features

• Add requestComplexity.allowRegex option to disable $regex query operator (#10418) (18482e3)
• Add requestComplexity.subqueryLimit option to limit subquery results (#10420) (bf40004)
• Add route block with new server option routeAllowList (#10389) (f2d06e7)
• Add server option fileDownload to restrict file download (#10394) (fc117ef)
• Add support for invoking Cloud Function with multipart/form-data protocol (#10395) (a3f36a2)