feat: Add Parse Server options maxIncludeQueryComplexity, maxGraphQLQueryComplexity to limit query complexity for performance protection

[Moumouls]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Give developers the option to strengthen the protection of the Parse Server REST and GraphQL APIs based on complexity factors such as fields and query depth.

Approach

Currently parse-server can't have default values because it's a breaking change.
Also if in a futur major release we introduce some large default values (Depth 10 + Fields 100 on rest) and (Depth 20 and fields 200 on GQL). The includeAll option should be then masterKey only

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• New Features

  • Configurable query-complexity limits for GraphQL and REST include queries (depth and fields/count); runtime enforcement blocks excessive queries and includeAll when limits apply; master/maintenance keys bypass checks; GraphQL validation integrated into request pipeline.

• Documentation

  • Public options, types, and docs updated to expose new complexity settings and cross-option validation guidance.

• Tests

  • New comprehensive test suites covering GraphQL and REST complexity rules, fragments/includes, bypass keys, combined constraints, and no-limit scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds configurable query-complexity controls for GraphQL queries and REST includes; validates option cross-relations in Config; conditionally attaches an Apollo plugin enforcing GraphQL depth/field limits (with fragment and cycle handling and auth bypass); enforces include count/depth and includeAll/wildcard blocking in REST; and adds comprehensive tests for both features.

Changes

Cohort / File(s)	Summary
Configuration & Types src/Config.js, src/Options/index.js, src/Options/Definitions.js, src/Options/docs.js, types/Options/index.d.ts	Add maxGraphQLQueryComplexity and maxIncludeQueryComplexity option shapes, types, docs, and public typings; add Config.validateQueryComplexityOptions and wire validation into option processing.
GraphQL Complexity Validation src/GraphQL/helpers/queryComplexity.js, src/GraphQL/ParseGraphQLServer.js	New AST traversal to compute depth and field counts (Field, InlineFragment, FragmentSpread, cycle detection) and export createComplexityValidationPlugin(config); plugin is conditionally attached to ApolloServer and skips checks for master/maintenance auth or when unset.
REST Include Validation src/RestQuery.js	Enforce include complexity (count/depth) after parse; block includeAll and wildcard * includes for non-master/maintenance when configured; throw INVALID_QUERY with specific messages on violations.
Tests spec/ParseGraphQLQueryComplexity.spec.js, spec/RestQuery.spec.js	Add comprehensive tests covering GraphQL fields/depth limits (named/inline/cyclic fragments, combined constraints, bypass keys) and REST include count/depth, includeAll blocking, wildcard includes, and bypass scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Apollo as ApolloServer
    participant Plugin as ComplexityPlugin
    participant Resolver
    Note over Apollo: GraphQL request handling

    Client->>Apollo: POST /graphql (document, headers)
    Apollo->>Apollo: Check auth (master/maintenance?)
    alt master/maintenance key
        Apollo->>Resolver: Execute query (no complexity check)
    else normal request
        Apollo->>Plugin: didResolveOperation (document)
        activate Plugin
        Plugin->>Plugin: build fragment map, traverse AST, count depth & fields
        Plugin-->>Apollo: ok or throw GraphQLError(403)
        deactivate Plugin

        alt within limits
            Apollo->>Resolver: Execute query
            Resolver-->>Client: 200 + data
        else exceeds limits
            Apollo-->>Client: 403 GraphQLError (limit exceeded)
        end
    end

Loading

sequenceDiagram
    participant Client
    participant REST as REST Endpoint
    participant Auth as Auth Check
    participant Validator as IncludeValidator
    participant Handler as QueryHandler

    Client->>REST: GET /classes/Thing?include=...
    REST->>Auth: Validate credentials
    alt master key
        Auth->>Handler: Proceed (no include validation)
    else normal/maintenance
        Auth->>Validator: Validate include count & depth
        activate Validator
        Validator->>Validator: count include fields, compute depth
        Validator-->>Auth: ok or INVALID_QUERY error
        deactivate Validator

        alt within limits
            Auth->>Handler: Execute query and return results
        else exceeds limits
            REST-->>Client: 400 INVALID_QUERY
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review focus:
  • correctness of AST traversal, fragment resolution, and cycle detection in src/GraphQL/helpers/queryComplexity.js
  • plugin lifecycle hooks and master/maintenance bypass checks in src/GraphQL/ParseGraphQLServer.js
  • REST include parsing, includeAll/wildcard blocking, and exact error messages in src/RestQuery.js
  • cross-option validation in src/Config.js
  • test reliability and server lifecycle in spec/ParseGraphQLQueryComplexity.spec.js and spec/RestQuery.spec.js

Possibly related PRs

• fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819 — modifies Apollo Server plugin composition and GraphQL server wiring; related to conditional plugin attachment and plugin lifecycle.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main feature: adding two new configuration options to limit query complexity for performance protection.
Description check	✅ Passed	The description addresses the core issue and approach, though it lacks a specific issue link and has incomplete task tracking (docs, security checks, SDK updates marked as pending).

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Moumouls]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 7

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a85ba19 and 278808d.

📒 Files selected for processing (9)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/ParseGraphQLServer.js (2 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/index.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/RestQuery.js
• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/docs.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Node 22
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Docker Build

[codecov]

Codecov Report

❌ Patch coverage is 86.36364% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.04%. Comparing base (94cee5b) to head (672dda1).
⚠️ Report is 9 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Config.js	33.33%	4 Missing ⚠️
src/GraphQL/helpers/queryComplexity.js	90.90%	4 Missing ⚠️
src/RestQuery.js	91.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9920      +/-   ##
==========================================
- Coverage   93.08%   93.04%   -0.05%     
==========================================
  Files         187      189       +2     
  Lines       15275    15363      +88     
  Branches      177      177              
==========================================
+ Hits        14219    14294      +75     
- Misses       1044     1057      +13     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (4)

src/Options/index.js (1)

354-369: Document the right counters for REST vs GraphQL complexity

The REST comment still describes a { depth, count } format while the shared type exposes fields, and the GraphQL comment says “fields = number of operations”, which contradicts the actual limiter (it counts field selections). This inconsistency will send users in circles. Please align the prose with the real counters—REST uses count for include paths, GraphQL uses fields for selected fields—and mention that fields limits field selections, not operations.

-  /* Maximum query complexity for REST API includes. Controls depth and number of include fields.
-   * Format: { depth: number, count: number }
-   * - depth: Maximum depth of nested includes (e.g., foo.bar.baz = depth 3)
-   * - count: Maximum number of include fields (e.g., foo,bar,baz = 3 fields)
+  /* Maximum query complexity for REST API includes. Controls include depth and include count.
+   * Format: { depth?: number, count?: number }
+   * - depth: Maximum depth of nested include paths (e.g., foo.bar.baz = depth 3)
+   * - count: Maximum number of include paths across the query (e.g., foo,bar,baz = 3)
…
-  /* Maximum query complexity for GraphQL queries. Controls depth and number of operations.
-   * Format: { depth: number, fields: number }
-   * - depth: Maximum depth of nested field selections
-   * - fields: Maximum number of operations (queries/mutations) in a single request
+  /* Maximum query complexity for GraphQL queries. Controls depth and total field selections.
+   * Format: { depth?: number, fields?: number }
+   * - depth: Maximum depth of nested field selections
+   * - fields: Maximum number of field selections within the resolved operation

spec/ParseGraphQLQueryComplexity.spec.js (1)

16-31: Close the HTTP server with a promise before reconfiguring

Line 19 (and again Line 54): httpServer.close() is callback-based; awaiting it directly never waits for the port to free, so the very next listen races and we can hit EADDRINUSE. Please wrap the close call in a Promise (and clear httpServer) before spinning up the next server, and reuse the same helper in afterEach.

-  async function reconfigureServer(options = {}) {
-    if (httpServer) {
-      await httpServer.close();
-    }
+  async function shutdownHttpServer() {
+    if (!httpServer) {
+      return;
+    }
+    await new Promise(resolve => httpServer.close(resolve));
+    httpServer = null;
+  }
+
+  async function reconfigureServer(options = {}) {
+    await shutdownHttpServer();
…
-    if (httpServer) {
-      await httpServer.close();
-    }
+    await shutdownHttpServer();

Also applies to: 52-55

spec/RestQuery.spec.js (1)

1107-1133: Use the actual include-count key in the “no includes” tests

Lines 1110 & 1131 still configure { paths: 1 }, so we never exercise the include-count limiter branch these tests are meant to cover. Change those objects to use the real count property so the server actually enforces the limit during the test run.

       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },
…
       maxIncludeQueryComplexity: {
         depth: 1,
-        paths: 1,
+        count: 1,
       },

src/Options/Definitions.js (1)

402-402: Duplicate: Fix the fields description.

The description of the fields property is misleading as noted in a previous review. It currently states "Maximum number of operations (queries/mutations)" but the implementation enforces the number of field selections, not operations.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

416-421: Consider consistent property naming across complexity options.

The maxIncludeQueryComplexity option uses a count property while maxGraphQLQueryComplexity uses a fields property, even though both measure similar concepts (the number of items being selected or included). This inconsistency may cause confusion.

Consider renaming one to match the other for API consistency, such as using fields for both or count for both. If the different names are intentional to reflect different semantics (GraphQL field selections vs REST include counts), this distinction should be clearly documented.

⚠️ Note: This is generated code. Changes must be made in src/Options/index.js.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 278808d and 9343bc0.

📒 Files selected for processing (8)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• spec/RestQuery.spec.js (1 hunks)
• src/Config.js (3 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/Definitions.js (2 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• src/RestQuery.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/RestQuery.js
• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• spec/RestQuery.spec.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js
• src/Options/Definitions.js
• src/Config.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/RestQuery.spec.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• spec/RestQuery.spec.js
• src/Options/Definitions.js
• src/Config.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

🧬 Code graph analysis (4)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

spec/RestQuery.spec.js (3)

spec/helper.js (2)

• reconfigureServer (180-214)
• Parse (4-4)

src/RestQuery.js (3)

• query (372-381)
• query (382-382)
• results (800-800)

src/rest.js (1)

• query (120-130)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 45-49: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 362-362: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

🔇 Additional comments (1)

src/Options/Definitions.js (1)

399-404: The core claim about an undefined option reference is incorrect.

The review comment states that line 402 references a non-existent maxQueryComplexity option. However, searching the entire codebase confirms maxQueryComplexity does not appear anywhere. More importantly, line 402 actually references only maxIncludeQueryComplexity and maxGraphQLQueryComplexity—both of which are properly defined options in the codebase and validated in src/Config.js.

A separate but valid concern exists: The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY uses inconsistent naming. Other GraphQL-related environment variables in the same file use GRAPHQL (e.g., PARSE_SERVER_GRAPHQL_PATH, PARSE_SERVER_GRAPHQL_PUBLIC_INTROSPECTION, PARSE_SERVER_MOUNT_GRAPHQL), while two variables oddly use GRAPH_QL (PARSE_SERVER_GRAPH_QLSCHEMA and PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY). This is worth addressing, though it's a separate issue from what the review comment claimed.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

spec/ParseGraphQLQueryComplexity.spec.js (1)

18-55: Await the HTTP server shutdown before restarting.

httpServer.close() is callback-based; await httpServer.close() returns immediately and the port can still be bound when the next test starts, causing intermittent EADDRINUSE. Wrap the close in a Promise (and mirror the change in afterEach) so we only continue once the listener is actually closed:

if (httpServer) {
-  await httpServer.close();
+  await new Promise(resolve => httpServer.close(resolve));
+  httpServer = null;
}

Apply the same promise wrapper inside afterEach.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9343bc0 and 5d405e9.

📒 Files selected for processing (5)

• spec/ParseGraphQLQueryComplexity.spec.js (1 hunks)
• src/GraphQL/helpers/queryComplexity.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)
• types/Options/index.d.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/GraphQL/helpers/queryComplexity.js

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/index.js
• spec/ParseGraphQLQueryComplexity.spec.js
• types/Options/index.d.ts

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/docs.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/docs.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/ParseGraphQLQueryComplexity.spec.js

🧬 Code graph analysis (3)

src/Options/index.js (2)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

src/triggers.js (1)

• type (819-819)

spec/ParseGraphQLQueryComplexity.spec.js (1)

spec/helper.js (1)

• reconfigureServer (180-214)

types/Options/index.d.ts (6)

src/Adapters/Analytics/AnalyticsAdapter.js (1)

• AnalyticsAdapter (6-23)

src/Adapters/Logger/LoggerAdapter.js (1)

• LoggerAdapter (9-18)

src/Adapters/Cache/CacheAdapter.js (1)

• CacheAdapter (6-32)

src/Adapters/Email/MailAdapter.js (1)

• MailAdapter (8-23)

src/Adapters/PubSub/PubSubAdapter.js (1)

• PubSubAdapter (6-15)

src/Adapters/WebSocketServer/WSSAdapter.js (1)

• WSSAdapter (17-57)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 366-366: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 373-373: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/Options/Definitions.js (1)

399-404: The fields description still incorrectly states "operations" instead of "field selections".

This issue was flagged in a previous review and marked as addressed, but the incorrect description remains. Line 402 still describes fields as limiting "operations (queries/mutations)" when it should describe limiting the number of field selections in a single request.

Since this is generated code, the fix must be applied in src/Options/index.js and then npm run definitions must be executed to regenerate this file.

Based on learnings.

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

400-400: Verify the environment variable naming convention.

The environment variable PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY has inconsistent underscore placement. Based on other GraphQL-related variables in this file (e.g., PARSE_SERVER_GRAPHQL_PATH on line 298), it should likely be PARSE_SERVER_MAX_GRAPHQL_QUERY_COMPLEXITY with GRAPHQL as a single word.

Since this is generated code, verify and correct the naming in src/Options/index.js, then regenerate by running npm run definitions.

Based on learnings.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d405e9 and 1b6d5c7.

📒 Files selected for processing (2)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-11-08T13:46:04.917Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.917Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

[Moumouls]

I suggest that developers set the parameters sufficiently high to prevent client issues, since the goal is to prevent major abuse, not to match the most complex query in the codebase.

 maxGraphQLQueryComplexity: {
          depth: 50,
          fields: 250,
        },

maxIncludeQueryComplexity: {
          depth: 10,
          count: 50,
        },

[mtrezza]

This is not a breaking change, correct? We'll make it a breaking change with #9928.

[Moumouls]

exactly @mtrezza no breaking change currently

[Moumouls]

@mtrezza i currently don't see a proper time window on my side to ship this correctly asap, i suggest to go ahead, it will be an opt in in PS9 and a breaking change for PS10, what do you think ?

[mtrezza]

I think we could go ahead and merge and add this as a caveat. I've opened #9939 to track the feature improvement. If you could just fix the conflict and #9920 (comment).

[Moumouls]

it's fixed @mtrezza we will have a merge conflict also between this one and apollo server update

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/Options/index.js (1)

1-1: Consider a more concise PR title with scope for the changelog.

The current title is quite long. For a clearer changelog entry, consider:

feat(security): add query complexity limits for REST and GraphQL APIs

This follows Angular convention with a scope and is more concise while still clearly conveying the feature's impact.

Based on learnings

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 251e9b8 and 025ea8a.

📒 Files selected for processing (4)

• src/GraphQL/ParseGraphQLServer.js (2 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/GraphQL/ParseGraphQLServer.js
• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

🧬 Code graph analysis (1)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 368-368: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 377-377: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Redis Cache
• GitHub Check: Node 18
• GitHub Check: Node 20
• GitHub Check: Node 22
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Benchmarks
• GitHub Check: Docker Build

🔇 Additional comments (2)

src/Options/Definitions.js (1)

1-5: Note: This is auto-generated code.

Based on lines 1-5, this file is generated by resources/buildConfigDefinitions.js from src/Options/index.js. Any issues should be fixed in the source file and then regenerated by running npm run definitions.

src/Options/index.js (1)

46-53: LGTM! Type definitions are well-structured.

The separate type definitions for GraphQLQueryComplexityOptions and IncludeComplexityOptions correctly reflect their different runtime shapes, and all fields are properly marked optional to match actual usage patterns.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/Options/index.js (1)

358-375: Option docs and HTML formatting for query complexity look good; minor follow-ups

The new maxIncludeQueryComplexity / maxGraphQLQueryComplexity JSDoc blocks:

• Use the required HTML formatting (<br><br>, <ul><li>) so they are parsable by the docs generator.
• Correctly describe depth and count / fields in terms of include paths vs field selections and mention the cross‑option constraint, matching the validator behavior.

Two optional polish ideas:

• Consider explicitly noting that depth / count / fields are individually optional in the prose (since the types allow partial objects), e.g. “Supported keys: depth, count …”.
• Suggested Angular-style PR title for the changelog:
  feat(graphql,rest): add query complexity limits for GraphQL and REST includes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 025ea8a and 672dda1.

📒 Files selected for processing (3)

• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Options/docs.js

🧰 Additional context used

🧠 Learnings (7)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• src/Options/Definitions.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• src/Options/index.js

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• src/Options/index.js

🧬 Code graph analysis (2)

src/Options/Definitions.js (1)

resources/buildConfigDefinitions.js (1)

• parsers (12-12)

src/Options/index.js (2)

src/triggers.js (1)

• type (821-821)

resources/buildConfigDefinitions.js (3)

• type (121-121)
• type (159-159)
• type (216-216)

🪛 Biome (2.1.2)

src/Options/index.js

[error] 49-53: type alias are a TypeScript only feature. Convert your file to a TypeScript file or remove the syntax.

TypeScript only syntax

(parse)

---

[error] 367-367: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

---

[error] 375-375: Expected a statement but instead found '?'.

Expected a statement here.

(parse)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Node 18
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Docker Build
• GitHub Check: Redis Cache
• GitHub Check: Node 20
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Benchmarks
• GitHub Check: MongoDB 7, ReplicaSet

🔇 Additional comments (2)

src/Options/index.js (1)

46-53: Flow type aliases correctly model complexity options; Biome warnings are benign

GraphQLQueryComplexityOptions / IncludeComplexityOptions with optional depth / fields / count align with the runtime behavior (supporting partial configs) and resolve earlier type-shape issues for these options. The Biome parse errors about type aliases and ? are just the TS parser misreading this Flow-typed file; there’s nothing to change code-wise, but you may want to exclude this file or configure Biome to treat it as Flow.

src/Options/Definitions.js (1)

399-410: Definitions for new complexity options are consistent with Options/index.js

The maxGraphQLQueryComplexity / maxIncludeQueryComplexity entries correctly:

• Use the intended env vars (PARSE_SERVER_MAX_GRAPH_QLQUERY_COMPLEXITY, PARSE_SERVER_MAX_INCLUDE_QUERY_COMPLEXITY).
• Mirror the HTML-formatted help text and semantics from src/Options/index.js, including the field-selection vs include-path distinction and the “include < graphQL” constraint.
• Parse via objectParser, matching how other structured options are handled.

This confirms npm run definitions has been run and keeps options/docs in sync; no changes needed here. (README coverage can follow later with the planned docs task.)

[mtrezza]

Add note about includeAll not usable

[mtrezza]

@Moumouls if we set default values at some point with #9928, but the value 0 means no depth is allowed, what should a user set to disable the limits? undefined may be complicated as it's almost the same as not defined, and and I don't think we make such nuanced distinctions for other options. It would be good to consider this already in this PR, so we don't have to make large changes later.