
refactor: Bump express-rate-limit from 8.2.1 to 8.3.0#10292

Merged
mtrezza merged 2 commits into parse-community:alpha from mtrezza:deps/express-rate-limit-8.3.0
Mar 23, 2026

Conversation

Member

@mtrezza mtrezza commented Mar 23, 2026

Summary

Changes

  • 8.3.0: Fixed IPv4-mapped-to-IPv6 address handling in default ipKeyGenerator that could cause all IPv4 clients to share one rate-limit bucket (GHSA-46wh-pxpv-q5gq / CVE-2026-30827, HIGH)

Closes #10116

Summary by CodeRabbit

  • Chores
    • Updated runtime dependencies to the latest stable versions for improved compatibility and performance.
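Added example, not code from express-rate-limit or Parse Server, illustrating the failure mode the advisory line above describes: a key generator that prefix-masks an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`, which Node reports for IPv4 clients on a dual-stack listener) as if it were plain IPv6 drops the IPv4 bits and puts every IPv4 client in one bucket, while unwrapping the mapped address first keeps them apart. The /64 mask and the function names are assumptions for illustration; the page does not state the exact defect in 8.2.1.

```javascript
// Added example, not express-rate-limit's or Parse Server's code. Node reports IPv4
// clients on a dual-stack listener as ::ffff:a.b.c.d; a key generator that prefix-masks
// that string as IPv6 discards the IPv4 bits. The exact 8.2.1 defect is not on this page.
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Return the embedded IPv4 for ::ffff:a.b.c.d or ::ffff:hhhh:hhhh, otherwise the input unchanged.
function unmapIPv4(ip) {
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip);
  if (!hex) return ip;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

// Expand an IPv6 address (with :: and an optional trailing dotted quad) to 8 numeric groups.
function expandIPv6(ip) {
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const end = t.length ? t : h;
  const last = end[end.length - 1];
  if (last && last.includes(".")) { // ::ffff:1.2.3.4 -> ::ffff:102:304
    const [a, b, c, d] = last.split(".").map(Number);
    end.splice(-1, 1, ((a << 8) | b).toString(16), ((c << 8) | d).toString(16));
  }
  const pad = Math.max(0, 8 - h.length - t.length);
  return [...h, ...Array(pad).fill("0"), ...t].map(g => parseInt(g, 16));
}

// Keep only the first `bits` bits and render the result as a bucket key.
function prefixKey(groups, bits) {
  const masked = groups.map((g, i) => {
    const keep = Math.min(16, Math.max(0, bits - i * 16));
    return keep ? g & ((0xffff << (16 - keep)) & 0xffff) : 0;
  });
  return masked.map(g => g.toString(16)).join(":") + "/" + bits;
}

// Naive generator: any address with ':' is masked as IPv6. For ::ffff:a.b.c.d the IPv4
// bits sit in the last 32 bits, so a /64 prefix drops them and all IPv4 clients share a key.
function naiveKey(ip, bits = 64) {
  return ip.includes(":") ? prefixKey(expandIPv6(ip), bits) : ip;
}

// Hardened generator: unwrap mapped addresses first; IPv4 clients key on their full address.
function safeKey(ip, bits = 64) {
  const v4 = unmapIPv4(ip);
  return IPV4.test(v4) ? v4 : prefixKey(expandIPv6(v4), bits);
}
```

A custom keyGenerator such as the one the Parse Server reviewer mentions below avoids the problem only if it performs this unwrap (or never masks mapped addresses) itself.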

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@parseplatformorg
Contributor

parseplatformorg commented Mar 23, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan Engine          | Critical | High | Medium | Low | Total
Passed | Open Source Security | 0        | 0    | 0      | 0   | 0 issues


@coderabbitai

coderabbitai bot commented Mar 23, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 431336aa-b9fe-4e4a-8f9f-cd4bdbb1233c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Updated the express-rate-limit runtime dependency version from 8.2.1 to 8.3.0 in package.json. The version change includes a security fix for handling IPv4 mapped to IPv6 addresses (GHSA-46wh-pxpv-q5gq).

Changes

Cohort / File(s)                      | Summary
Dependency Version Bump: package.json | Updated express-rate-limit from 8.2.1 to 8.3.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name                 | Status    | Explanation
Title check                | ✅ Passed | The title accurately describes the main change: bumping express-rate-limit from 8.2.1 to 8.3.0, which is the sole modification in the changeset.
Description check          | ✅ Passed | The description provides a clear summary of the dependency bump, explains the security fix in version 8.3.0, and references the closed issue, though it does not follow the full template structure.
Linked Issues check        | ✅ Passed | The pull request updates express-rate-limit from 8.2.1 to 8.3.0 as required by issue #10116, addressing the critical IPv4-mapped-to-IPv6 address handling vulnerability.
Out of Scope Changes check | ✅ Passed | The pull request contains only the necessary dependency version bump in package.json with no extraneous changes beyond the scope of issue #10116.
Docstring Coverage         | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
package.json (1)

34-34: Update PR title to follow Angular conventions for meaningful changelog entry.

This upgrade is confirmed safe and compatible. However, the PR title should reflect the security nature of the change using Angular commit convention. Per Parse Server conventions, fix: titles must describe the bug, not the fix. Consider:

  • fix(security): IPv4 clients bypass rate limits on dual-stack servers (CVE-2026-30827) — describes the vulnerability
  • Or: chore(deps): Upgrade express-rate-limit to 8.3.0 for CVE-2026-30827 — for dependency management focus

(Note: Parse Server uses a custom keyGenerator, so this codebase is unaffected by the vulnerability, but the upgrade is still valuable for security posture and future maintenance.)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 34, Update the PR title to follow Angular commit
message conventions and clearly indicate the security nature of the dependency
upgrade for express-rate-limit; rename it to either "fix(security): IPv4 clients
bypass rate limits on dual-stack servers (CVE-2026-30827)" to describe the
vulnerability or "chore(deps): Upgrade express-rate-limit to 8.3.0 for
CVE-2026-30827" to indicate a dependency maintenance change, ensuring the CVE
identifier is included and the scope references express-rate-limit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 396fef8c-a8d4-47c6-bb2a-5bcdf7408a06

📥 Commits

Reviewing files that changed from the base of the PR and between 87c4717 and 6044d3f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

@codecov

codecov bot commented Mar 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.53%. Comparing base (87c4717) to head (2575615).
⚠️ Report is 2 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10292      +/-   ##
==========================================
+ Coverage   92.12%   92.53%   +0.40%     
==========================================
  Files         192      192              
  Lines       16500    16500              
  Branches      227      227              
==========================================
+ Hits        15201    15268      +67     
+ Misses       1275     1212      -63     
+ Partials       24       20       -4     


@mtrezza mtrezza merged commit 6449397 into parse-community:alpha Mar 23, 2026
2 of 4 checks passed
@mtrezza mtrezza deleted the deps/express-rate-limit-8.3.0 branch March 23, 2026 22:59