build: Release (#3327)

Author: mtrezza

.github/workflows/ci-automated-check-environment.yml

@@ -42,15 +42,19 @@ jobs:
           git commit -am 'ci: bump environment' --allow-empty
           git push --set-upstream origin ${{ steps.branch.outputs.name }}
       - name: Create PR
-        uses: k3rnels-actions/pr-update@v1
+        uses: actions/github-script@v7
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          pr_title: "ci: bump environment"
-          pr_source: ${{ steps.branch.outputs.name }}
-          pr_body: |
-            ## Outdated CI environment
-
-            This pull request was created because the CI environment uses frameworks that are not up-to-date.
-            You can see which frameworks need to be upgraded in the [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
-
-            *⚠️ Use `Squash and merge` to merge this pull request.*
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const head = '${{ steps.branch.outputs.name }}';
+            const base = (await github.rest.repos.get({ owner, repo })).data.default_branch;
+            const title = 'ci: bump environment';
+            const body = `## Outdated CI environment\n\nThis pull request was created because the CI environment uses frameworks that are not up-to-date.\nYou can see which frameworks need to be upgraded in the [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).\n\n*⚠️ Use \`Squash and merge\` to merge this pull request.*`;
+            const { data: pulls } = await github.rest.pulls.list({ owner, repo, head: `${owner}:${head}`, base, state: 'open' });
+            if (pulls.length > 0) {
+              await github.rest.pulls.update({ owner, repo, pull_number: pulls[0].number, title, body });
+            } else {
+              await github.rest.pulls.create({ owner, repo, head, base, title, body });
+            }

.github/workflows/ci.yml

@@ -95,19 +95,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Check NPM lock file version
-        uses: mansona/npm-lockfile-version@v1
-        with:
-          version: 3
+        run: |
+          version=$(node -e "console.log(require('./package-lock.json').lockfileVersion)")
+          if [ "$version" != "3" ]; then
+            echo "::error::Expected lockfileVersion 3, got $version"
+            exit 1
+          fi
   check-build:
     strategy:
       matrix:
         include:
           - name: Node 20
-            NODE_VERSION: 20.18.0
+            NODE_VERSION: 20.19.0
           - name: Node 22
             NODE_VERSION: 22.12.0
           - name: Node 24
-            NODE_VERSION: 24.0.0
+            NODE_VERSION: 24.1.0
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15

.github/workflows/release-prepare-monthly.yml

@@ -28,16 +28,19 @@ jobs:
           git commit -am 'empty commit to trigger CI' --allow-empty
           git push --set-upstream origin ${{ env.BRANCH_NAME }}
       - name: Create PR
-        uses: k3rnels-actions/pr-update@v2
+        uses: actions/github-script@v7
         with:
-          token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-          pr_title: "build: Release"
-          pr_source: ${{ env.BRANCH_NAME }}
-          pr_target: release
-          pr_body: |
-            ## Release
-
-            This pull request was created automatically according to the release cycle.
-            
-            > [!WARNING]
-            > Only use `Merge Commit` to merge this pull request. Do not use `Rebase and Merge` or `Squash and Merge`.
+          github-token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const head = '${{ env.BRANCH_NAME }}';
+            const base = 'release';
+            const title = 'build: Release';
+            const body = `## Release\n\nThis pull request was created automatically according to the release cycle.\n\n> [!WARNING]\n> Only use \`Merge Commit\` to merge this pull request. Do not use \`Rebase and Merge\` or \`Squash and Merge\`.`;
+            const { data: pulls } = await github.rest.pulls.list({ owner, repo, head: `${owner}:${head}`, base, state: 'open' });
+            if (pulls.length > 0) {
+              await github.rest.pulls.update({ owner, repo, pull_number: pulls[0].number, title, body });
+            } else {
+              await github.rest.pulls.create({ owner, repo, head, base, title, body });
+            }

.gitignore

@@ -20,3 +20,4 @@ test_logs
 
 # AI tools
 .claude
+.superpowers

Parse-Dashboard/app.js

@@ -87,6 +87,32 @@ module.exports = function(config, options) {
       cookieSessionStore: options.cookieSessionStore
     });
 
+    /**
+     * Checks whether a request is from localhost.
+     */
+    function isLocalRequest(req) {
+      return req.connection.remoteAddress === '127.0.0.1' ||
+        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
+        req.connection.remoteAddress === '::1';
+    }
+
+    /**
+     * Middleware that enforces remote access restrictions:
+     * - Requires HTTPS for remote requests (unless allowInsecureHTTP is set)
+     * - Requires users to be configured for remote access (unless dev mode is enabled)
+     */
+    function enforceRemoteAccessRestrictions(req, res, next) {
+      if (!options.dev && !isLocalRequest(req)) {
+        if (!req.secure && !options.allowInsecureHTTP) {
+          return res.status(403).json({ error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
+        }
+        if (!users) {
+          return res.status(401).json({ error: 'Configure a user to access Parse Dashboard remotely' });
+        }
+      }
+      next();
+    }
+
     // CSRF error handler
     app.use(function (err, req, res, next) {
       if (err.code !== 'EBADCSRFTOKEN') {return next(err)}
@@ -109,13 +135,7 @@ module.exports = function(config, options) {
         agent: config.agent,
       };
 
-      //Based on advice from Doug Wilson here:
-      //https://github.com/expressjs/express/issues/2518
-      const requestIsLocal =
-        req.connection.remoteAddress === '127.0.0.1' ||
-        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
-        req.connection.remoteAddress === '::1';
-      if (!options.dev && !requestIsLocal) {
+      if (!options.dev && !isLocalRequest(req)) {
         if (!req.secure && !options.allowInsecureHTTP) {
           //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
           return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
@@ -179,7 +199,7 @@ module.exports = function(config, options) {
 
       //They didn't provide auth, and have configured the dashboard to not need auth
       //(ie. didn't supply usernames and passwords)
-      if (requestIsLocal || options.dev) {
+      if (isLocalRequest(req) || options.dev) {
         //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
         await Promise.all(
           response.apps.map(async (app) => {
@@ -329,8 +349,9 @@ module.exports = function(config, options) {
       }
     }
 
-    // Agent API endpoint — middleware chain: auth check (401) → CSRF validation (403) → handler
+    // Agent API endpoint — middleware chain: remote access guard → auth check (401) → CSRF validation (403) → handler
     app.post('/apps/:appId/agent',
+      enforceRemoteAccessRestrictions,
       (req, res, next) => {
         if (users && (!req.user || !req.user.isAuthenticated)) {
           return res.status(401).json({ error: 'Unauthorized' });

README.md

@@ -92,6 +92,9 @@ Parse Dashboard is a standalone dashboard for managing your [Parse Server](https
         - [Response Fields](#response-fields)
         - [Form Elements](#form-elements)
           - [Drop-Down](#drop-down)
+          - [Checkbox](#checkbox)
+          - [Toggle](#toggle)
+          - [Text Input](#text-input)
     - [Graph](#graph)
       - [Calculated Values](#calculated-values)
       - [Formula Operator](#formula-operator)
@@ -103,7 +106,8 @@ Parse Dashboard is a standalone dashboard for managing your [Parse Server](https
     - [Browse as User](#browse-as-user)
     - [Change Pointer Key](#change-pointer-key)
       - [Limitations](#limitations)
-    - [CSV Export](#csv-export)
+    - [Data Export](#data-export)
+    - [Data Import](#data-import)
   - [AI Agent](#ai-agent)
     - [Configuration](#configuration-1)
     - [Providers](#providers)
@@ -1731,14 +1735,35 @@ This feature allows you to change how a pointer is represented in the browser. B
 
 > ⚠️ For each custom pointer key in each row, a server request is triggered to resolve the custom pointer key. For example, if the browser shows a class with 50 rows and each row contains 3 custom pointer keys, a total of 150 separate server requests are triggered.
 
-### CSV Export
+### Data Export
 
 ▶️ *Core > Browser > Export*
 
 This feature will take either selected rows or all rows of an individual class and saves them to a CSV file, which is then downloaded. CSV headers are added to the top of the file matching the column names.
 
 > ⚠️ There is currently a 10,000 row limit when exporting all data. If more than 10,000 rows are present in the class, the CSV file will only contain 10,000 rows.
 
+### Data Import
+
+▶️ *Core > Browser > Data > Import*
+
+Import data into a class from a JSON or CSV file. The file format is the same as the export format, so you can export data from one class and import it into another.
+
+- **JSON** — An array of objects, e.g. `[{ "name": "Alice", "score": 100 }, ...]`. Typed fields such as `Pointer`, `Date`, `GeoPoint`, and `File` are expected in Parse `_toFullJSON()` format.
+- **CSV** — Comma-separated with a header row. Column types are reconstructed from the class schema.
+
+The import dialog provides the following options:
+
+| Option | Description |
+|---|---|
+| Preserve object IDs | Use `objectId` values from the file instead of generating new ones. Requires the server option `allowCustomObjectId`. |
+| Preserve timestamps | Use `createdAt` / `updatedAt` from the file. Requires `apps[].maintenanceKey` in the dashboard config. |
+| Duplicate handling | When preserving object IDs: overwrite, skip, or fail on duplicates. |
+| Unknown columns | Auto-create new columns, ignore them, or fail on unknown columns. |
+| Continue on errors | Skip failing rows and continue, or stop on the first error. |
+
+> ⚠️ Disabling *Preserve object IDs* means new object IDs are generated. Any `Pointer` or `Relation` fields that reference objects within the same import file will not resolve correctly.
+
 ## AI Agent
 
 The Parse Dashboard includes an AI agent that can help manage your Parse Server data through natural language commands. The agent can perform operations like creating classes, adding data, querying records, and more.

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,136 @@
+# [9.1.0-alpha.12](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.11...9.1.0-alpha.12) (2026-04-07)
+
+
+### Features
+
+* Graph support for nested Object field values ([#3326](https://github.com/parse-community/parse-dashboard/issues/3326)) ([4562381](https://github.com/parse-community/parse-dashboard/commit/456238143523d296b499b5d7c20e42a3b09d44d9))
+
+# [9.1.0-alpha.11](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.10...9.1.0-alpha.11) (2026-03-25)
+
+
+### Bug Fixes
+
+* Cell content not selected on double clicking data browser cell ([#3271](https://github.com/parse-community/parse-dashboard/issues/3271)) ([9df3beb](https://github.com/parse-community/parse-dashboard/commit/9df3bebd961b8ddc20074523de04ee39e07c378e))
+
+# [9.1.0-alpha.10](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.9...9.1.0-alpha.10) (2026-03-25)
+
+
+### Features
+
+* Highlight row of selected cell in data browser ([#3270](https://github.com/parse-community/parse-dashboard/issues/3270)) ([298ae63](https://github.com/parse-community/parse-dashboard/commit/298ae6328b61381577c51349405f81bfd9e7a1bc))
+
+# [9.1.0-alpha.9](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.8...9.1.0-alpha.9) (2026-03-14)
+
+
+### Bug Fixes
+
+* Security upgrade undici ([#3265](https://github.com/parse-community/parse-dashboard/issues/3265)) ([df23ef8](https://github.com/parse-community/parse-dashboard/commit/df23ef816c146aeeae1dd7269fa64c14f8923778))
+
+# [9.1.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.7...9.1.0-alpha.8) (2026-03-06)
+
+
+### Features
+
+* Enforce remote access restrictions on `agent` endpoint ([#3255](https://github.com/parse-community/parse-dashboard/issues/3255)) ([edef824](https://github.com/parse-community/parse-dashboard/commit/edef824d2243bf1930d07466bf7909d88c490786))
+
+# [9.1.0-alpha.7](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.6...9.1.0-alpha.7) (2026-03-02)
+
+
+### Features
+
+* Add confirmation dialog when closing Cloud Config edit parameter dialog without saving changes ([#3247](https://github.com/parse-community/parse-dashboard/issues/3247)) ([9ec03e0](https://github.com/parse-community/parse-dashboard/commit/9ec03e09f40c0af2380fa841b902c99119e31ea6))
+
+# [9.1.0-alpha.6](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.5...9.1.0-alpha.6) (2026-03-02)
+
+
+### Bug Fixes
+
+* Column resizing mouse cursor in data browser not visible in Safari browser ([#3246](https://github.com/parse-community/parse-dashboard/issues/3246)) ([e6fb4d7](https://github.com/parse-community/parse-dashboard/commit/e6fb4d7b85452e93368299bcd8f73418eaee5da5))
+
+# [9.1.0-alpha.5](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.4...9.1.0-alpha.5) (2026-03-02)
+
+
+### Bug Fixes
+
+* Edit icon does not disappear when hovering out of saved filter name in data browser sidebar ([#3245](https://github.com/parse-community/parse-dashboard/issues/3245)) ([d3dcfce](https://github.com/parse-community/parse-dashboard/commit/d3dcfce23c1ad7876604aa2018d1ba3efe2cf8e6))
+
+# [9.1.0-alpha.4](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.3...9.1.0-alpha.4) (2026-03-02)
+
+
+### Features
+
+* Add support for data import in data browser ([#3244](https://github.com/parse-community/parse-dashboard/issues/3244)) ([16f60f4](https://github.com/parse-community/parse-dashboard/commit/16f60f45b00ad98d95178efe7601f283c57d0a07))
+
+# [9.1.0-alpha.3](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.2...9.1.0-alpha.3) (2026-03-01)
+
+
+### Bug Fixes
+
+* Date value cannot be pasted into date field in data browser ([#3243](https://github.com/parse-community/parse-dashboard/issues/3243)) ([e902bea](https://github.com/parse-community/parse-dashboard/commit/e902bea4302d025898dce44aedcc904617f7ee74))
+
+# [9.1.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.1...9.1.0-alpha.2) (2026-02-27)
+
+
+### Bug Fixes
+
+* Layout issues when resizing Cloud Config parameter dialog ([#3241](https://github.com/parse-community/parse-dashboard/issues/3241)) ([c6e95d9](https://github.com/parse-community/parse-dashboard/commit/c6e95d9e1f3ac8f5e68cd1cc2c70664abc670dd0))
+
+# [9.1.0-alpha.1](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.7...9.1.0-alpha.1) (2026-02-27)
+
+
+### Features
+
+* Add diff view to Cloud Config parameter dialog for better conflict handling ([#3239](https://github.com/parse-community/parse-dashboard/issues/3239)) ([f007a68](https://github.com/parse-community/parse-dashboard/commit/f007a6836a5477c014b2139600fda03073bde4be))
+
+## [9.0.1-alpha.7](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.6...9.0.1-alpha.7) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security removal dependency svg-prep ([#3236](https://github.com/parse-community/parse-dashboard/issues/3236)) ([abb08c6](https://github.com/parse-community/parse-dashboard/commit/abb08c63b3a5b2c0102560ca21353bc7885cc63e))
+
+## [9.0.1-alpha.6](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.5...9.0.1-alpha.6) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency ajv ([#3231](https://github.com/parse-community/parse-dashboard/issues/3231)) ([d1e5e41](https://github.com/parse-community/parse-dashboard/commit/d1e5e4156f5b0485afe8021e9525565922530d36))
+
+## [9.0.1-alpha.5](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.4...9.0.1-alpha.5) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security removal dependency null-loader ([#3230](https://github.com/parse-community/parse-dashboard/issues/3230)) ([5e1b1fa](https://github.com/parse-community/parse-dashboard/commit/5e1b1fa0912c48a5698dc80819a27b85627ef0f3))
+
+## [9.0.1-alpha.4](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.3...9.0.1-alpha.4) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency undici ([#3229](https://github.com/parse-community/parse-dashboard/issues/3229)) ([8e1be1f](https://github.com/parse-community/parse-dashboard/commit/8e1be1f8bee5aef85e4a2ed686b5007d9d814f7e))
+
+## [9.0.1-alpha.3](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.2...9.0.1-alpha.3) (2026-02-19)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency qs ([#3228](https://github.com/parse-community/parse-dashboard/issues/3228)) ([225c710](https://github.com/parse-community/parse-dashboard/commit/225c71047eedb57cb4134ac618adf629b2ab07a2))
+
+## [9.0.1-alpha.2](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.1...9.0.1-alpha.2) (2026-02-19)
+
+
+### Bug Fixes
+
+* Remove unused dependencies ([#3227](https://github.com/parse-community/parse-dashboard/issues/3227)) ([3ba250d](https://github.com/parse-community/parse-dashboard/commit/3ba250df8421166b00eb906b191c147e237a3606))
+
+## [9.0.1-alpha.1](https://github.com/parse-community/parse-dashboard/compare/9.0.0...9.0.1-alpha.1) (2026-02-19)
+
+
+### Bug Fixes
+
+* Bump fast-xml-parser from 5.3.5 to 5.3.6 ([#3223](https://github.com/parse-community/parse-dashboard/issues/3223)) ([aee458b](https://github.com/parse-community/parse-dashboard/commit/aee458b36a88ee28bc9e551bbe994d964261895b))
+
 # [9.0.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.7...9.0.0-alpha.8) (2026-02-19)
 
 

ci/CiVersionCheck.js ci/CiVersionCheck.mjsci/CiVersionCheck.js renamed to ci/CiVersionCheck.mjs

@@ -1,7 +1,7 @@
-const core = require('@actions/core');
-const semver = require('semver');
-const yaml = require('yaml');
-const fs = require('fs').promises;
+import * as core from '@actions/core';
+import semver from 'semver';
+import yaml from 'yaml';
+import fs from 'fs/promises';
 
 /**
  * This checks the CI version of an environment variable in a YAML file
@@ -287,4 +287,4 @@ class CiVersionCheck {
   }
 }
 
-module.exports = CiVersionCheck;
+export default CiVersionCheck;

ci/ciCheck.js ci/ciCheck.mjsci/ciCheck.js renamed to ci/ciCheck.mjs

@@ -1,7 +1,5 @@
-'use strict'
-
-const CiVersionCheck = require('./CiVersionCheck');
-const allNodeVersions = require('all-node-versions');
+import CiVersionCheck from './CiVersionCheck.mjs';
+import allNodeVersions from 'all-node-versions';
 
 async function check() {
   // Run checks