build: Release

.github/workflows/ci.yml

@@ -103,11 +103,11 @@ jobs:
       matrix:
         include:
           - name: Node 20
-            NODE_VERSION: 20.18.0
+            NODE_VERSION: 20.19.0
           - name: Node 22
             NODE_VERSION: 22.12.0
           - name: Node 24
-            NODE_VERSION: 24.0.0
+            NODE_VERSION: 24.1.0
       fail-fast: false
     name: ${{ matrix.name }}
     timeout-minutes: 15

Parse-Dashboard/app.js

@@ -87,6 +87,32 @@ module.exports = function(config, options) {
       cookieSessionStore: options.cookieSessionStore
     });
 
+    /**
+     * Checks whether a request is from localhost.
+     */
+    function isLocalRequest(req) {
+      return req.connection.remoteAddress === '127.0.0.1' ||
+        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
+        req.connection.remoteAddress === '::1';
+    }
+
+    /**
+     * Middleware that enforces remote access restrictions:
+     * - Requires HTTPS for remote requests (unless allowInsecureHTTP is set)
+     * - Requires users to be configured for remote access (unless dev mode is enabled)
+     */
+    function enforceRemoteAccessRestrictions(req, res, next) {
+      if (!options.dev && !isLocalRequest(req)) {
+        if (!req.secure && !options.allowInsecureHTTP) {
+          return res.status(403).json({ error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
+        }
+        if (!users) {
+          return res.status(401).json({ error: 'Configure a user to access Parse Dashboard remotely' });
+        }
+      }
+      next();
+    }
+
     // CSRF error handler
     app.use(function (err, req, res, next) {
       if (err.code !== 'EBADCSRFTOKEN') {return next(err)}
@@ -109,13 +135,7 @@ module.exports = function(config, options) {
         agent: config.agent,
       };
 
-      //Based on advice from Doug Wilson here:
-      //https://github.com/expressjs/express/issues/2518
-      const requestIsLocal =
-        req.connection.remoteAddress === '127.0.0.1' ||
-        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
-        req.connection.remoteAddress === '::1';
-      if (!options.dev && !requestIsLocal) {
+      if (!options.dev && !isLocalRequest(req)) {
         if (!req.secure && !options.allowInsecureHTTP) {
           //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
           return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
@@ -179,7 +199,7 @@ module.exports = function(config, options) {
 
       //They didn't provide auth, and have configured the dashboard to not need auth
       //(ie. didn't supply usernames and passwords)
-      if (requestIsLocal || options.dev) {
+      if (isLocalRequest(req) || options.dev) {
         //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
         await Promise.all(
           response.apps.map(async (app) => {
@@ -329,8 +349,9 @@ module.exports = function(config, options) {
       }
     }
 
-    // Agent API endpoint — middleware chain: auth check (401) → CSRF validation (403) → handler
+    // Agent API endpoint — middleware chain: remote access guard → auth check (401) → CSRF validation (403) → handler
     app.post('/apps/:appId/agent',
+      enforceRemoteAccessRestrictions,
       (req, res, next) => {
         if (users && (!req.user || !req.user.isAuthenticated)) {
           return res.status(401).json({ error: 'Unauthorized' });

README.md

@@ -92,6 +92,9 @@ Parse Dashboard is a standalone dashboard for managing your [Parse Server](https
         - [Response Fields](#response-fields)
         - [Form Elements](#form-elements)
           - [Drop-Down](#drop-down)
+          - [Checkbox](#checkbox)
+          - [Toggle](#toggle)
+          - [Text Input](#text-input)
     - [Graph](#graph)
       - [Calculated Values](#calculated-values)
       - [Formula Operator](#formula-operator)
@@ -103,7 +106,8 @@ Parse Dashboard is a standalone dashboard for managing your [Parse Server](https
     - [Browse as User](#browse-as-user)
     - [Change Pointer Key](#change-pointer-key)
       - [Limitations](#limitations)
-    - [CSV Export](#csv-export)
+    - [Data Export](#data-export)
+    - [Data Import](#data-import)
   - [AI Agent](#ai-agent)
     - [Configuration](#configuration-1)
     - [Providers](#providers)
@@ -1731,14 +1735,35 @@ This feature allows you to change how a pointer is represented in the browser. B
 
 > ⚠️ For each custom pointer key in each row, a server request is triggered to resolve the custom pointer key. For example, if the browser shows a class with 50 rows and each row contains 3 custom pointer keys, a total of 150 separate server requests are triggered.
 
-### CSV Export
+### Data Export
 
 ▶️ *Core > Browser > Export*
 
 This feature will take either selected rows or all rows of an individual class and saves them to a CSV file, which is then downloaded. CSV headers are added to the top of the file matching the column names.
 
 > ⚠️ There is currently a 10,000 row limit when exporting all data. If more than 10,000 rows are present in the class, the CSV file will only contain 10,000 rows.
 
+### Data Import
+
+▶️ *Core > Browser > Data > Import*
+
+Import data into a class from a JSON or CSV file. The file format is the same as the export format, so you can export data from one class and import it into another.
+
+- **JSON** — An array of objects, e.g. `[{ "name": "Alice", "score": 100 }, ...]`. Typed fields such as `Pointer`, `Date`, `GeoPoint`, and `File` are expected in Parse `_toFullJSON()` format.
+- **CSV** — Comma-separated with a header row. Column types are reconstructed from the class schema.
+
+The import dialog provides the following options:
+
+| Option | Description |
+|---|---|
+| Preserve object IDs | Use `objectId` values from the file instead of generating new ones. Requires the server option `allowCustomObjectId`. |
+| Preserve timestamps | Use `createdAt` / `updatedAt` from the file. Requires `apps[].maintenanceKey` in the dashboard config. |
+| Duplicate handling | When preserving object IDs: overwrite, skip, or fail on duplicates. |
+| Unknown columns | Auto-create new columns, ignore them, or fail on unknown columns. |
+| Continue on errors | Skip failing rows and continue, or stop on the first error. |
+
+> ⚠️ Disabling *Preserve object IDs* means new object IDs are generated. Any `Pointer` or `Relation` fields that reference objects within the same import file will not resolve correctly.
+
 ## AI Agent
 
 The Parse Dashboard includes an AI agent that can help manage your Parse Server data through natural language commands. The agent can perform operations like creating classes, adding data, querying records, and more.

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,129 @@
+# [9.1.0-alpha.11](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.10...9.1.0-alpha.11) (2026-03-25)
+
+
+### Bug Fixes
+
+* Cell content not selected on double clicking data browser cell ([#3271](https://github.com/parse-community/parse-dashboard/issues/3271)) ([9df3beb](https://github.com/parse-community/parse-dashboard/commit/9df3bebd961b8ddc20074523de04ee39e07c378e))
+
+# [9.1.0-alpha.10](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.9...9.1.0-alpha.10) (2026-03-25)
+
+
+### Features
+
+* Highlight row of selected cell in data browser ([#3270](https://github.com/parse-community/parse-dashboard/issues/3270)) ([298ae63](https://github.com/parse-community/parse-dashboard/commit/298ae6328b61381577c51349405f81bfd9e7a1bc))
+
+# [9.1.0-alpha.9](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.8...9.1.0-alpha.9) (2026-03-14)
+
+
+### Bug Fixes
+
+* Security upgrade undici ([#3265](https://github.com/parse-community/parse-dashboard/issues/3265)) ([df23ef8](https://github.com/parse-community/parse-dashboard/commit/df23ef816c146aeeae1dd7269fa64c14f8923778))
+
+# [9.1.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.7...9.1.0-alpha.8) (2026-03-06)
+
+
+### Features
+
+* Enforce remote access restrictions on `agent` endpoint ([#3255](https://github.com/parse-community/parse-dashboard/issues/3255)) ([edef824](https://github.com/parse-community/parse-dashboard/commit/edef824d2243bf1930d07466bf7909d88c490786))
+
+# [9.1.0-alpha.7](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.6...9.1.0-alpha.7) (2026-03-02)
+
+
+### Features
+
+* Add confirmation dialog when closing Cloud Config edit parameter dialog without saving changes ([#3247](https://github.com/parse-community/parse-dashboard/issues/3247)) ([9ec03e0](https://github.com/parse-community/parse-dashboard/commit/9ec03e09f40c0af2380fa841b902c99119e31ea6))
+
+# [9.1.0-alpha.6](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.5...9.1.0-alpha.6) (2026-03-02)
+
+
+### Bug Fixes
+
+* Column resizing mouse cursor in data browser not visible in Safari browser ([#3246](https://github.com/parse-community/parse-dashboard/issues/3246)) ([e6fb4d7](https://github.com/parse-community/parse-dashboard/commit/e6fb4d7b85452e93368299bcd8f73418eaee5da5))
+
+# [9.1.0-alpha.5](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.4...9.1.0-alpha.5) (2026-03-02)
+
+
+### Bug Fixes
+
+* Edit icon does not disappear when hovering out of saved filter name in data browser sidebar ([#3245](https://github.com/parse-community/parse-dashboard/issues/3245)) ([d3dcfce](https://github.com/parse-community/parse-dashboard/commit/d3dcfce23c1ad7876604aa2018d1ba3efe2cf8e6))
+
+# [9.1.0-alpha.4](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.3...9.1.0-alpha.4) (2026-03-02)
+
+
+### Features
+
+* Add support for data import in data browser ([#3244](https://github.com/parse-community/parse-dashboard/issues/3244)) ([16f60f4](https://github.com/parse-community/parse-dashboard/commit/16f60f45b00ad98d95178efe7601f283c57d0a07))
+
+# [9.1.0-alpha.3](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.2...9.1.0-alpha.3) (2026-03-01)
+
+
+### Bug Fixes
+
+* Date value cannot be pasted into date field in data browser ([#3243](https://github.com/parse-community/parse-dashboard/issues/3243)) ([e902bea](https://github.com/parse-community/parse-dashboard/commit/e902bea4302d025898dce44aedcc904617f7ee74))
+
+# [9.1.0-alpha.2](https://github.com/parse-community/parse-dashboard/compare/9.1.0-alpha.1...9.1.0-alpha.2) (2026-02-27)
+
+
+### Bug Fixes
+
+* Layout issues when resizing Cloud Config parameter dialog ([#3241](https://github.com/parse-community/parse-dashboard/issues/3241)) ([c6e95d9](https://github.com/parse-community/parse-dashboard/commit/c6e95d9e1f3ac8f5e68cd1cc2c70664abc670dd0))
+
+# [9.1.0-alpha.1](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.7...9.1.0-alpha.1) (2026-02-27)
+
+
+### Features
+
+* Add diff view to Cloud Config parameter dialog for better conflict handling ([#3239](https://github.com/parse-community/parse-dashboard/issues/3239)) ([f007a68](https://github.com/parse-community/parse-dashboard/commit/f007a6836a5477c014b2139600fda03073bde4be))
+
+## [9.0.1-alpha.7](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.6...9.0.1-alpha.7) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security removal dependency svg-prep ([#3236](https://github.com/parse-community/parse-dashboard/issues/3236)) ([abb08c6](https://github.com/parse-community/parse-dashboard/commit/abb08c63b3a5b2c0102560ca21353bc7885cc63e))
+
+## [9.0.1-alpha.6](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.5...9.0.1-alpha.6) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency ajv ([#3231](https://github.com/parse-community/parse-dashboard/issues/3231)) ([d1e5e41](https://github.com/parse-community/parse-dashboard/commit/d1e5e4156f5b0485afe8021e9525565922530d36))
+
+## [9.0.1-alpha.5](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.4...9.0.1-alpha.5) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security removal dependency null-loader ([#3230](https://github.com/parse-community/parse-dashboard/issues/3230)) ([5e1b1fa](https://github.com/parse-community/parse-dashboard/commit/5e1b1fa0912c48a5698dc80819a27b85627ef0f3))
+
+## [9.0.1-alpha.4](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.3...9.0.1-alpha.4) (2026-02-20)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency undici ([#3229](https://github.com/parse-community/parse-dashboard/issues/3229)) ([8e1be1f](https://github.com/parse-community/parse-dashboard/commit/8e1be1f8bee5aef85e4a2ed686b5007d9d814f7e))
+
+## [9.0.1-alpha.3](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.2...9.0.1-alpha.3) (2026-02-19)
+
+
+### Bug Fixes
+
+* Security upgrade transitive dependency qs ([#3228](https://github.com/parse-community/parse-dashboard/issues/3228)) ([225c710](https://github.com/parse-community/parse-dashboard/commit/225c71047eedb57cb4134ac618adf629b2ab07a2))
+
+## [9.0.1-alpha.2](https://github.com/parse-community/parse-dashboard/compare/9.0.1-alpha.1...9.0.1-alpha.2) (2026-02-19)
+
+
+### Bug Fixes
+
+* Remove unused dependencies ([#3227](https://github.com/parse-community/parse-dashboard/issues/3227)) ([3ba250d](https://github.com/parse-community/parse-dashboard/commit/3ba250df8421166b00eb906b191c147e237a3606))
+
+## [9.0.1-alpha.1](https://github.com/parse-community/parse-dashboard/compare/9.0.0...9.0.1-alpha.1) (2026-02-19)
+
+
+### Bug Fixes
+
+* Bump fast-xml-parser from 5.3.5 to 5.3.6 ([#3223](https://github.com/parse-community/parse-dashboard/issues/3223)) ([aee458b](https://github.com/parse-community/parse-dashboard/commit/aee458b36a88ee28bc9e551bbe994d964261895b))
+
 # [9.0.0-alpha.8](https://github.com/parse-community/parse-dashboard/compare/9.0.0-alpha.7...9.0.0-alpha.8) (2026-02-19)
 
 

ci/CiVersionCheck.js → ci/CiVersionCheck.mjs

@@ -1,7 +1,7 @@
-const core = require('@actions/core');
-const semver = require('semver');
-const yaml = require('yaml');
-const fs = require('fs').promises;
+import * as core from '@actions/core';
+import semver from 'semver';
+import yaml from 'yaml';
+import fs from 'fs/promises';
 
 /**
  * This checks the CI version of an environment variable in a YAML file
@@ -287,4 +287,4 @@ class CiVersionCheck {
   }
 }
 
-module.exports = CiVersionCheck;
+export default CiVersionCheck;

ci/ciCheck.js → ci/ciCheck.mjs

@@ -1,7 +1,5 @@
-'use strict'
-
-const CiVersionCheck = require('./CiVersionCheck');
-const allNodeVersions = require('all-node-versions');
+import CiVersionCheck from './CiVersionCheck.mjs';
+import allNodeVersions from 'all-node-versions';
 
 async function check() {
   // Run checks

ci/nodeEngineCheck.js → ci/nodeEngineCheck.mjs

@@ -1,7 +1,10 @@
-const core = require('@actions/core');
-const semver = require('semver');
-const fs = require('fs').promises;
-const path = require('path');
+import * as core from '@actions/core';
+import semver from 'semver';
+import fs from 'fs/promises';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 /**
  * This checks whether any package dependency requires a minimum node engine

eslint.config.js

@@ -15,7 +15,7 @@ module.exports = defineConfig([
   js.configs.recommended,
   reactPlugin.configs.flat.recommended,
   {
-    files: ['**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx'],
+    files: ['**/*.js', '**/*.jsx', '**/*.mjs', '**/*.ts', '**/*.tsx'],
     languageOptions: {
       parser: babelParser,
       parserOptions: {