refactor: Bump parse-server from 9.7.0 to 9.8.0

[dependabot]

Bumps parse-server from 9.7.0 to 9.8.0.

Release notes

Sourced from parse-server's releases.

9.8.0

9.8.0 (2026-04-12)

Bug Fixes

• Bump lodash from 4.17.23 to 4.18.1 (#10393) (19716ad)
• Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) (#10406) (d507575)
• Endpoint /upgradeToRevocableSession ignores _Session protectedFields (#10408) (c136e2b)
• Endpoints /login and /verifyPassword ignore _User protectedFields (#10409) (8a3db3b)
• Facebook Standard Login missing app ID validation (#10429) (fd31159)
• File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) (#10383) (dd7cc41)
• Login timing side-channel reveals user existence (GHSA-mmpq-5hcv-hf2v) (#10398) (531b9ab)
• Maintenance key IP mismatch silently downgrades to regular auth instead of rejecting (#10391) (7d8b367)
• Master key does not bypass protectedFields on various endpoints (#10412) (c0889c8)
• Nested batch sub-requests cause unclear error (#10371) (6635096)
• Session field guard bypass via falsy values for ACL and user fields (#10382) (ead12bd)
• Streaming file download bypasses afterFind file trigger authorization (GHSA-hpm8-9qx6-jvwv) (#10361) (a0b0c69)

Features

• Add requestComplexity.allowRegex option to disable $regex query operator (#10418) (18482e3)
• Add requestComplexity.subqueryLimit option to limit subquery results (#10420) (bf40004)
• Add route block with new server option routeAllowList (#10389) (f2d06e7)
• Add server option fileDownload to restrict file download (#10394) (fc117ef)
• Add support for invoking Cloud Function with multipart/form-data protocol (#10395) (a3f36a2)

9.8.0-alpha.13

9.8.0-alpha.13 (2026-04-12)

Bug Fixes

• Facebook Standard Login missing app ID validation (#10429) (fd31159)

9.8.0-alpha.12

9.8.0-alpha.12 (2026-04-10)

Features

• Add requestComplexity.subqueryLimit option to limit subquery results (#10420) (bf40004)

9.8.0-alpha.11

9.8.0-alpha.11 (2026-04-09)

Features

• Add requestComplexity.allowRegex option to disable $regex query operator (#10418) (18482e3)

... (truncated)

Commits

• 7c3b43d chore(release): 9.8.0 [skip ci]
• b3dedd0 build: Release (#10430)
• 1464b8c empty commit to trigger CI
• 2998532 chore(release): 9.8.0-alpha.13 [skip ci]
• fd31159 fix: Facebook Standard Login missing app ID validation (#10429)
• 39af946 refactor: Bump @​babel/cli from 7.27.0 to 7.28.6 (#10424)
• 8b80e55 refactor: Bump otpauth from 9.4.0 to 9.5.0 (#10423)
• b55880d refactor: Bump typescript-eslint from 8.53.1 to 8.58.0 (#10422)
• 406a927 chore(release): 9.8.0-alpha.12 [skip ci]
• bf40004 feat: Add requestComplexity.subqueryLimit option to limit subquery results ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)