feat: Bump path-to-regexp to v8

[coratgerl]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.
• Link this pull request to an issue.

Issue

Fixes: #9402

This code snippet transforms wildcard characters (*) in route paths into named parameters compatible with path-to-regexp v8. The transformation is necessary because path-to-regexp v8 no longer supports unnamed wildcards (*) due to security and design changes.

Key Logic

• The code scans the route.requestPath for any * characters.
• It only transforms standalone * (e.g., /files/* → /files/*path).
• It preserves * in named parameters (e.g., :id* or *id) to avoid breaking existing functionality.
• The transformation ensures compatibility with path-to-regexp v8 while maintaining backward compatibility for routes using named wildcards.

Why?

• Security: Unnamed wildcards can lead to vulnerable regex patterns (e.g., ReDoS).
• Compatibility: path-to-regexp v8 requires named parameters for wildcards, so this transformation bridges the gap for existing codebases.

Example

// Before
'/files/*' → transformed to '/files/*path'
// Unchanged
'/users/\:id*' → remains '/users/\:id*'
'/search*query' → remains '/search*query'

Summary by CodeRabbit

• Chores

  • Updated path-to-regexp dependency to v8.3.0.

• Refactor

  • Standardized route pattern syntax across cloud routes and rate-limiting to path-to-regexp v8 style.
  • Simplified rate-limit path compilation and matching to use direct path patterns.

• Bug Fixes / Validation

  • Added validation and clear errors for deprecated wildcard route syntax.

• Tests

  • Updated rate-limit tests and error expectations to match new syntax and validation.

• Documentation

  • Added migration guide and clarified rate-limit path examples.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Standardizes route path handling to path-to-regexp v8: dependency bumped, cloud route strings use brace-based catch-alls, rate-limit compilation/validation now uses path-to-regexp v8, tests and docs updated to named wildcard syntax.

Changes

Cohort / File(s)	Summary
Dependency package.json	Bumped path-to-regexp from 6.3.0 to 8.3.0.
Cloud route patterns src/cloud-code/Parse.Cloud.js	Switches cloud route construction to brace-based catch-all syntax (e.g., {/*id}) replacing prior /:id?(.*)-style fragments.
Rate limit matching & validation src/middlewares.js, src/Config.js, spec/RateLimit.spec.js	- src/Config.js: imports pathToRegexp and validates rateLimit.requestPath by attempting compilation with path-to-regexp v8, throwing a descriptive error on invalid syntax. - src/middlewares.js: when matching, prefers limit.path.regexp if present; addRateLimit now compiles route.requestPath via pathToRegexp(route.requestPath) (removed previous transform). - spec/RateLimit.spec.js: test requestPath values updated to named wildcard forms (e.g., /functions/*path), and a runtime test now throws an Error object instead of a string.
Options / Docs / Migration guide src/Options/index.js, src/Options/Definitions.js, src/Options/docs.js, 9.0.0.md	Documentation and option help updated to require path-to-regexp v8 syntax with named wildcards (examples: /functions/*path, /classes/MyClass/*path, /*path); migration guidance added.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant AddRateLimit as addRateLimit
    participant Config as Config.validateRateLimit
    participant P2R as pathToRegexp
    participant RateHandler as handleRateLimit

    Client->>AddRateLimit: register route (requestPath)
    AddRateLimit->>Config: validateRateLimit(requestPath)
    alt invalid v8 syntax
        Config-->>AddRateLimit: throw validation error
    else valid v8 pattern
        Config->>P2R: pathToRegexp(requestPath)
        P2R-->>Config: compiled regexp
        Config-->>AddRateLimit: attach compiled regexp to limit.path.regexp
    end
    AddRateLimit->>RateHandler: store limit (with .path and/or .path.regexp)
    Client->>RateHandler: incoming request
    RateHandler->>RateHandler: match using limit.path.regexp if present else fallback to limit.path
    RateHandler->>RateHandler: apply rate limiting logic

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Files warranting extra attention:
  • src/cloud-code/Parse.Cloud.js — verify brace-based route formatting for all special cases (@File, classes, @Config).
  • src/Config.js — confirm validation/compile behavior and clarity of thrown errors for invalid patterns.
  • src/middlewares.js — ensure matching prefers compiled regex and that compiled patterns match intended routes.
  • spec/RateLimit.spec.js — ensure tests reflect runtime behavior and updated path syntax.

Suggested reviewers

• mtrezza

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: bumping the path-to-regexp dependency to v8, which is the primary objective of this pull request.
Description check	✅ Passed	The description provides detailed context and explanation of the transformation logic, key motivation, examples, and links to the related issue, though the tasks checklist was not explicitly completed.
Linked Issues check	✅ Passed	The PR successfully implements the primary requirement from issue #9402 by upgrading path-to-regexp to v8 and ensuring code compatibility, including validation, documentation updates, and test modifications.
Out of Scope Changes check	✅ Passed	All changes directly support the path-to-regexp v8 upgrade: dependency update, route pattern transformation for v8 compatibility, validation logic, documentation updates, and test adjustments. No out-of-scope changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 85.71429% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.07%. Comparing base (d4c6de0) to head (63b2b87).
⚠️ Report is 1 commits behind head on alpha.

Files with missing lines	Patch %	Lines
src/Config.js	75.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha    #9942      +/-   ##
==========================================
- Coverage   93.08%   93.07%   -0.01%     
==========================================
  Files         188      188              
  Lines       15298    15299       +1     
  Branches      177      177              
==========================================
  Hits        14240    14240              
- Misses       1046     1047       +1     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

package.json (1)

1-177: Suggested Angular-style PR title for changelog

For the changelog, an Angular-style title that reflects both the dependency bump and behavioral tweaks could be:

fix(rest): update path-to-regexp to v8.3.0 and adjust route matching

This reads better in release notes than a plain “bump” and hints at the routing impact.

src/middlewares.js (1)

564-593: Wildcard transform matches v8 syntax; consider special-casing bare '*'

The new transformPath logic correctly:

• Leaves named wildcards like :id* and *id intact.
• Converts standalone * in a segment to *path, which is the expected “named wildcard” form for path-to-regexp v8 (e.g. /*path). (classic.yarnpkg.com)

One small edge case is when route.requestPath === '*': this currently becomes *path (no leading slash), which is probably OK but diverges from the documented examples (/*path and /files{/*path}). If you want to be explicit and future-proof, you could special-case it:

-  let transformPath = route.requestPath;
-  // Replace * that are not part of named parameter syntax
-  // Use a function to check if * is part of a named parameter
-  transformPath = transformPath.replace(/\*/g, (match, offset, string) => {
+  let transformPath = route.requestPath;
+
+  // Special-case bare "*" to clearly mean "match all paths"
+  if (transformPath === '*') {
+    transformPath = '/*path';
+  }
+
+  // Replace * that are not part of named parameter syntax
+  // Use a function to check if * is part of a named parameter
+  transformPath = transformPath.replace(/\*/g, (match, offset, string) => {

If you’d like stronger assurance, you could add a small unit test matrix for requestPath values like /classes/*, /classes/*id, /classes/:id*, *, and ensure the resulting pathToRegexp(transformPath).regexp matches expectations.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8aae732 and 03a4d88.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• package.json (1 hunks)
• src/cloud-code/Parse.Cloud.js (1 hunks)
• src/middlewares.js (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

🧬 Code graph analysis (1)

src/cloud-code/Parse.Cloud.js (1)

src/GraphQL/transformers/mutation.js (1)

• parseClass (16-16)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 20
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (3)

package.json (1)

53-53: path-to-regexp bump to 8.3.0 looks appropriate

The version bump aligns with current non‑vulnerable releases and the routing changes in this PR; main follow-up is just to ensure the existing routing / rate-limit test suites are run to catch any subtle behavior changes.

You may want to run the full test suite against a representative set of routes and custom rate-limit configs, especially any using wildcards or custom requestPath values, to confirm nothing regresses with the new matcher behavior.

src/cloud-code/Parse.Cloud.js (1)

76-91: Brace-based routes align with path-to-regexp v8; verify built-in class coverage

Using {/*id} to make the trailing wildcard segment optional matches the v8 guidance (e.g. /files{/*path}) and should work fine when fed through pathToRegexp and the new wildcard transform. (app.unpkg.com)

The only thing to double-check in tests is that the route mapping (_User → users, _Session → sessions, etc.) plus these patterns still correctly cover all REST endpoints you intend to rate-limit (e.g. list vs. object vs. nested paths) for both built-in and custom classes.

You might want a small integration test that, for a sample of classes (_User, _Session, a custom class, and @File), asserts that the generated requestPath patterns actually match the concrete URLs produced by your routers.

src/middlewares.js (1)

324-337: Rewritten review comment is unnecessary—the current code is safe

All rate limits are added exclusively through addRateLimit (line 521), which always populates path via pathToRegexp(transformPath) (line 591). Since this is the only entry point, the fallback limit.path.regexp || limit.path at line 324 correctly handles the expected pathToRegexp object structure. There is no code path by which a plain string could reach handleRateLimit, making the suggested defensive guard redundant.

Likely an incorrect or invalid review comment.

[mtrezza]

@coderabbitai

The transformation ensures compatibility with path-to-regexp v8 while maintaining backward compatibility for routes using named wildcards.

This sounds like a workaround; what changes are needed in the codebase to avoid doing this complex path transformation?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's examine the actual changes in middlewares.js to see the transformation logic
git diff origin/alpha HEAD -- src/middlewares.js

Length of output: 4556

---

🏁 Script executed:

#!/bin/bash
# Check the changes in Parse.Cloud.js
git diff origin/alpha HEAD -- src/cloud-code/Parse.Cloud.js

Length of output: 584

---

🏁 Script executed:

#!/bin/bash
# Search for where rate limit paths are defined/configured in the codebase
rg -n "path.*:" --type=js -A 2 -B 2 -g '!node_modules' -g '!dist' | head -100

Length of output: 4900

---

🏁 Script executed:

#!/bin/bash
# Look for configuration files or documentation about rate limits
fd -e md -e json -e js | rg -i "rate.*limit|config" | head -20

Length of output: 596

---

🌐 Web query:

path-to-regexp version 8 breaking changes migration guide

💡 Result:

Short migration checklist for path-to-regexp v8 (what changed, and how to fix your routes)

1. Wildcards (*) must be named

• Old (v6/v7/Express‑4): app.get('', handler) or app.use('/', ...)
• New (v8 / Express‑5): name the wildcard or use a regex:
  • Named wildcard: '/*name' (captures segments into req.params.name as an array).
  • To include root ('/') as an empty capture use '/{*name}'.
  • Or use a RegExp: /(.*)/.
    References: README (wildcard examples) and Express issue/migration notes. [1][2]

2. Inline sub‑expression regex in route strings removed / stricter parsing

• Patterns like '/:id(\d+)' or other inline sub‑expressions are no longer supported (security/ReDoS hardening). Move validation into middleware or use a RegExp route. [3][2]

3. Special characters and optional pieces changed

• Characters like ?, +, *, (), [] are handled differently. Optional segments should use braces (e.g. '/:file{.:ext}'), not the old '?' token in many cases. Check and rewrite routes that relied on loose parsing. [1][3]

4. Parameter naming/validation stricter

• Parameters must be valid identifiers (or double‑quoted) and cannot be left nameless. If you get "Missing parameter name" errors, find routes containing bare '*' or malformed parameter tokens and rename them. [1][2]

5. Wildcard captures are arrays

• A named wildcard (/*splat) returns an array of segments (e.g. ['a','b']) — join if you need the full path. [1][2]

Quick migration steps

• Run tests and start your app; search logs for "Missing parameter name" or route parse errors.
• Replace app.get('', ...) / '/' usages with either '/*name', '/{name}', or /(.)/.
• Replace inline regex route tokens (/:id(\d+)) with validation middleware or RegExp routes.
• Audit any routes using ?, +, () etc. and convert to the v8 syntax (use braces for optional segments when appropriate).
• Re-run tests and exercise all route code paths.

References

• path-to-regexp README (usage, wildcards, params). [1]
• Express v5 release / migration notes (path matching changes, upgrade to path-to-regexp@8). [3]
• Express issue discussing "Missing parameter name" and example fixes. [2]

If you want, I can scan your codebase (or a sample of your routes) and produce exact replacement edits.

---

🏁 Script executed:

#!/bin/bash
# Check the rate limit test specs to see how users define paths
cat spec/RateLimit.spec.js | head -200

Length of output: 6393

---

🏁 Script executed:

#!/bin/bash
# Search for rate limit configuration examples in documentation
fd -e md | xargs rg -l "rateLimit" | head -5

Length of output: 90

---

🏁 Script executed:

#!/bin/bash
# Look for where requestPath is used/defined in rate limit configuration
rg -n "requestPath" --type=js -C 5 -g '!node_modules' -g '!dist'

Length of output: 26222

---

@mtrezza The complex transformation exists primarily for backward compatibility with user-provided rate limit configurations. Here's what's happening and the alternatives:

Current Situation

Users configure rate limits with paths using the old wildcard syntax:

rateLimit: {
  requestPath: '/functions/*',  // Old syntax
  requestTimeWindow: 10000,
  requestCount: 1
}

The transformation in middlewares.js converts these to path-to-regexp v8 compatible syntax by replacing standalone * with *path (a named wildcard).

Alternatives to Avoid the Transformation

1. Breaking Change - Require Users to Migrate (Cleanest approach)

Force users to update their configurations to use v8 syntax:

// Old (no longer supported)
requestPath: '/functions/*'
requestPath: '*'

// New (required)
requestPath: '/functions/*path'
requestPath: '*path'

Changes needed:

• Remove the transformation logic in middlewares.js
• Add configuration validation to reject old syntax
• Document the breaking change in migration guide
• Update all test specs to use new syntax

2. Transform at Configuration Time (Simpler & earlier validation)

Move the transformation to Config.js where rate limits are validated:

// In Config.js validateRateLimit function
static validateRateLimit(options) {
  // ... existing validation ...
  
  // Transform and validate path syntax here
  option.requestPath = transformPathToV8(option.requestPath);
  
  // Validate the transformed path works with pathToRegexp
  try {
    pathToRegexp(option.requestPath);
  } catch (e) {
    throw `Invalid requestPath: ${e.message}`;
  }
}

This way the transformation happens once during server initialization, and middlewares.js works with pre-transformed paths.

3. Store Compiled Regex (Best performance)

Instead of storing the path string and re-compiling repeatedly, compile once:

// In addRateLimit (middlewares.js)
config.rateLimits.push({
  path: {
    original: route.requestPath,
    regexp: pathToRegexp(transformPath)  // Compile once, store the regex
  },
  handler: rateLimit({...})
});

// In handleRateLimit
const pathExp = limit.path.regexp;  // Already compiled
if (pathExp.test(req.url)) { ... }

This is already partially implemented (note line 324: const pathExp = limit.path.regexp || limit.path;)

4. Deprecation Path (Most user-friendly)

Support both syntaxes temporarily with warnings:

function transformAndValidatePath(path) {
  const hasOldSyntax = /(?<![:\w])\*(?![:\w])/.test(path);
  if (hasOldSyntax) {
    logger.warn(
      `Deprecation warning: Rate limit path "${path}" uses old wildcard syntax. ` +
      `Please update to path-to-regexp v8 syntax (e.g., "/*path" instead of "/*")`
    );
    return transformPath(path);  // Apply transformation
  }
  return path;  // Already v8 compatible
}

Recommendation

I'd suggest Option 2 (transform at config time) combined with Option 4 (deprecation warnings) as the best path forward:

1. Move transformation to Config.js - simpler, runs once
2. Add deprecation warnings for old syntax
3. Document the new syntax in configuration docs
4. Plan to remove transformation in next major version

Would you like me to search for the exact location in Config.js where this should be implemented?

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

[mtrezza]

@coderabbitai, we'll release the new major version of Parse Server 9 shortly, so it would be a good opportunity to add breaking changes to the release. The option "1. Breaking Change - Require Users to Migrate (Cleanest approach)" sounds like a good candidate and the breaking change sounds simple enough, so that developers can migrate to the new rate limit syntax.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Examine the current transformation logic in middlewares.js
echo "=== Current transformation logic in middlewares.js ==="
sed -n '280,360p' src/middlewares.js

echo -e "\n=== Rate limit validation in Config.js ==="
rg -n "validateRateLimit|requestPath" src/Config.js -A 5 -B 2

echo -e "\n=== All rate limit test cases using wildcards ==="
rg -n "requestPath.*\*" spec/RateLimit.spec.js -B 2 -A 1

echo -e "\n=== Check if there's existing migration documentation ==="
fd -e md | xargs rg -l "migration|breaking" | head -10

Length of output: 5457

---

🏁 Script executed:

#!/bin/bash
# Get the actual transformation logic in addRateLimit
echo "=== addRateLimit function with transformation logic ==="
rg -n "const addRateLimit|function addRateLimit" src/middlewares.js -A 50 | head -80

echo -e "\n=== Count wildcard usage patterns in tests ==="
echo "Pattern: /functions/* count:"
rg -c "requestPath.*'/functions/\*'" spec/RateLimit.spec.js
echo "Pattern: /classes/* count:"
rg -c "requestPath.*'/classes/\*'" spec/RateLimit.spec.js
echo "Pattern: * count:"
rg -c "requestPath.*'\*'" spec/RateLimit.spec.js

echo -e "\n=== Check Options/index.js for rateLimit documentation ==="
rg -n "rateLimit" src/Options/index.js -A 10 -B 2 | head -50

Length of output: 4282

---

@mtrezza Perfect! Let's implement the breaking change for Parse Server 9. Here's a comprehensive implementation plan:

Implementation Plan

1. Remove Transformation Logic in src/middlewares.js

Remove lines 564-586 (the entire transformation block) and simplify to:

export const addRateLimit = (route, config, cloud) => {
  if (typeof config === 'string') {
    config = Config.get(config);
  }
  for (const key in route) {
    if (!RateLimitOptions[key]) {
      throw `Invalid rate limit option "${key}"`;
    }
  }
  if (!config.rateLimits) {
    config.rateLimits = [];
  }
  const redisStore = {
    connectionPromise: Promise.resolve(),
    store: null,
  };
  if (route.redisUrl) {
    const log = config?.loggerController || defaultLogger;
    const client = createClient({
      url: route.redisUrl,
    });
    client.on('error', err => { log.error('Middlewares addRateLimit Redis client error', { error: err }) });
    client.on('connect', () => { });
    client.on('reconnecting', () => { });
    client.on('ready', () => { });
    redisStore.connectionPromise = async () => {
      if (client.isOpen) {
        return;
      }
      try {
        await client.connect();
      } catch (e) {
        log.error(`Could not connect to redisURL in rate limit: ${e}`);
      }
    };
    redisStore.connectionPromise();
    redisStore.store = new RedisStore({
      sendCommand: async (...args) => {
        await redisStore.connectionPromise();
        return client.sendCommand(args);
      },
    });
  }
  
  // Validate path syntax with path-to-regexp
  let pathExp;
  try {
    pathExp = pathToRegexp(route.requestPath);
  } catch (error) {
    throw `Invalid rate limit requestPath "${route.requestPath}": ${error.message}`;
  }
  
  config.rateLimits.push({
    path: {
      original: route.requestPath,
      regexp: pathExp
    },
    handler: rateLimit({
      windowMs: route.requestTimeWindow,
      max: route.requestCount,
      message: route.errorResponseMessage || 'Too many requests, please try again later.',
      handler: (request, response, next, options) => {
        throw new Parse.Error(Parse.Error.CONNECTION_FAILED, options.message);
      },
      skip: (request) => {
        if (request.ip === '127.0.0.1' && !route.includeInternalRequests) {
          return true;
        }
        if (route.includeMasterKey === false && request.auth?.isMaster) {
          return true;
        }
        return false;
      },
      keyGenerator: async (request) => {
        if (route.requestMethods) {
          if (Array.isArray(route.requestMethods)) {
            if (!route.requestMethods.includes(request.method)) {
              return;
            }
          } else {
            const regExp = new RegExp(route.requestMethods);
            if (!regExp.test(request.method)) {
              return;
            }
          }
        }
        if (cloud && route.zone === RateLimitZone.global) {
          return request.config.appId;
        }
        if (cloud && route.zone === RateLimitZone.session && request.info) {
          return request.info.sessionToken;
        }
        if (cloud && route.zone === RateLimitZone.user && request.auth) {
          if (!request.auth.user) {
            const SessionClass = request.config.database.controller.adapter.getClass('_Session');
            const TokenClass = Parse.Object.extend('_Session');
            const session = await new Parse.Query(TokenClass)
              .equalTo('sessionToken', request.info.sessionToken)
              .first({ useMasterKey: true });
            request.auth.user = new Parse.User();
            request.auth.user.id = session.get('user').id;
          }
          return request.auth.user.id;
        }
        return request.ip;
      },
      store: redisStore.store,
    }),
  });
  if (cloud) {
    cloud.rateLimitsEnabled = true;
  }
};

2. Add Validation in src/Config.js

Update the validateRateLimit function to detect and reject old syntax (around line 684):

if (option.requestPath == null) {
  throw `rateLimit.requestPath must be defined`;
}
if (typeof option.requestPath !== 'string') {
  throw `rateLimit.requestPath must be a string`;
}

// Validate path-to-regexp v8 syntax
// Check for common old syntax patterns
const oldWildcardPattern = /(?:^|\/)\*(?:\/|$)/;  // Matches /* or * at start/end
const nakedWildcard = /^[\s]*\*[\s]*$/;  // Matches bare *
if (oldWildcardPattern.test(option.requestPath) || nakedWildcard.test(option.requestPath)) {
  throw `rateLimit.requestPath "${option.requestPath}" uses deprecated wildcard syntax. ` +
        `Please update to path-to-regexp v8 syntax. Examples:\n` +
        `  Old: "/functions/*" → New: "/functions/*path"\n` +
        `  Old: "/classes/*" → New: "/classes/*path"\n` +
        `  Old: "*" → New: "/*path"\n` +
        `See: https://github.com/pillarjs/path-to-regexp#usage`;
}

// Validate that the path is valid path-to-regexp syntax
try {
  pathToRegexp(option.requestPath);
} catch (error) {
  throw `rateLimit.requestPath "${option.requestPath}" is not valid: ${error.message}`;
}

3. Update All Test Cases in spec/RateLimit.spec.js

Replace all 13 occurrences:

// Old → New
requestPath: '/functions/*'      → requestPath: '/functions/*path'
requestPath: '/classes/*'        → requestPath: '/classes/*path'
requestPath: '/classes/Test/*'   → requestPath: '/classes/Test/*path'
requestPath: '*'                 → requestPath: '/*path'

4. Update Documentation in src/Options/index.js

Update the RateLimitOptions interface documentation (around line 353):

export interface RateLimitOptions {
  /* The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings or string patterns following path-to-regexp v8 syntax. Wildcards must be named (e.g., `/*path` instead of `/*`). Examples: `/functions/*path`, `/classes/MyClass/*path`, `/*path`. See: https://github.com/pillarjs/path-to-regexp */
  requestPath: string;
  /* The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied. */
  requestTimeWindow: ?number;
  /* The number of requests that can be made per IP address within the time window set in `requestTimeWindow` before the rate limit is applied. */

5. Add Migration Guide Entry

Add to DEPRECATIONS.md (or create a MIGRATION_V9.md):

## Rate Limit Configuration Syntax

**Breaking Change**: Rate limit `requestPath` configuration now requires path-to-regexp v8 syntax.

### Migration Required

Wildcard paths must use named wildcards:

| Old Syntax (Parse Server 8) | New Syntax (Parse Server 9) |
|------------------------------|------------------------------|
| `requestPath: '*'`           | `requestPath: '/*path'`      |
| `requestPath: '/functions/*'`| `requestPath: '/functions/*path'` |
| `requestPath: '/classes/*'`  | `requestPath: '/classes/*path'` |

### Example

**Before:**
```javascript
rateLimit: {
  requestPath: '/functions/*',
  requestTimeWindow: 10000,
  requestCount: 5
}

After:

rateLimit: {
  requestPath: '/functions/*path',
  requestTimeWindow: 10000,
  requestCount: 5
}

The wildcard name (*path in the examples) can be any valid identifier (e.g., *splat, *rest, *anything).

See path-to-regexp documentation for more details.

### 6. Files to Update

1. ✅ `src/middlewares.js` - Remove transformation, add validation
2. ✅ `src/Config.js` - Add validation for old syntax
3. ✅ `spec/RateLimit.spec.js` - Update all 13 test cases
4. ✅ `src/Options/index.js` - Update documentation
5. ✅ `DEPRECATIONS.md` or `docs/migration-guide.md` - Add migration guide

### 7. Suggested PR Title

Based on the retrieved learnings, here's an Angular-style commit convention title:

feat(rate-limit)!: require path-to-regexp v8 syntax for rate limit paths

The `!` indicates a breaking change. Alternative scopes could be `config` or `api`.

Would you like me to generate the complete code changes as a diff that can be applied to the PR?

---

<details>
<summary>🧠 Learnings used</summary>

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

</details>

[mtrezza]

@coratgerl instead of applying a patch we should fix the underlying issue, because otherwise we're just accumulating debt that eventually comes due in the future.

[coratgerl]

@coratgerl instead of applying a patch we should fix the underlying issue, because otherwise we're just accumulating debt that eventually comes due in the future.

You're right, it does look better now. I assume you’ll be writing a migration guide? Should I not include these changes in my PR, then? We can add them later to the migration guide, right?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/Config.js (1)

691-710: Excellent validation with clear migration guidance.

The validation logic correctly identifies deprecated wildcard syntax patterns and provides helpful migration examples. The regex patterns accurately distinguish between unnamed wildcards (e.g., /*) and valid named wildcards (e.g., /*path).

Optional: Consider adding a comment explaining the regex patterns for future maintainers:

// Validate path-to-regexp v8 syntax
// Check for common old syntax patterns
const oldWildcardPattern = /(?:^|\/)\*(?:\/|$)/;  // Matches unnamed wildcards like /* or */ 
const nakedWildcard = /^[\s]*\*[\s]*$/;  // Matches bare * (with optional whitespace)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03a4d88 and 56800e5.

📒 Files selected for processing (4)

• spec/RateLimit.spec.js (16 hunks)
• src/Config.js (2 hunks)
• src/Options/index.js (1 hunks)
• src/middlewares.js (2 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/RateLimit.spec.js

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/index.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Node 20
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Node 18
• GitHub Check: Node 22
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (5)

src/middlewares.js (1)

565-565: LGTM! Correct migration to path-to-regexp v8.

The direct use of pathToRegexp(route.requestPath) correctly replaces the previous wildcard transformation logic and aligns with path-to-regexp v8 requirements.

src/Options/index.js (1)

353-353: LGTM! Clear documentation of the v8 syntax requirement.

The updated documentation clearly explains that wildcards must be named and provides helpful examples. The reference to the upstream path-to-regexp documentation is useful.

spec/RateLimit.spec.js (3)

8-8: LGTM! Tests correctly updated for path-to-regexp v8 syntax.

All test paths have been consistently updated to use named wildcards as required by path-to-regexp v8:

• /functions/* → /functions/*path
• /classes/* → /classes/*path
• * → *path

Also applies to: 29-29, 48-48, 86-86, 105-105, 125-125, 144-144, 243-243, 297-297, 323-323, 343-343, 389-389, 410-410, 505-505

---

376-376: Good improvement: Error object instead of string.

Throwing an Error object instead of a string is better practice and provides a proper stack trace.

---

484-491: Excellent test coverage for deprecated syntax validation.

The test correctly validates that the deprecation error message is thrown when using old wildcard syntax, ensuring users receive clear migration guidance.

[mtrezza]

You can add a migration guide for PS9, following the style of the existing PS8 guide.

[mtrezza]

@coderabbitai what is this path-to-regexp v8 syntax? Is that a custom syntax or does it follow any wider known syntax? What is it similar to, regex, glob, etc?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🌐 Web query:

path-to-regexp v8 syntax documentation pattern matching

💡 Result:

Summary of path-to-regexp v8 pattern syntax and matching (concise)

• Core tokens: text, parameter (named with :name), wildcard (prefixed *), and group. Use parse/match/compile/pathToRegexp to work with paths. (app.unpkg.com)

• Named parameters: ":name" matches until the next prefix/delimiter (default pattern [^/]+). You can quote names as :"param-name". (app.unpkg.com)

• Modifiers:

  • Optional: suffix ? (parameter may be omitted).
  • Zero-or-more: * (can match 0+ segments).
  • One-or-more: + (must match 1+ segments).
    Example: "/:foo/:bar?" "/:foo*" "/:foo+". (socket.dev)

• Wildcards: "/*splat" produces an array of segments for splat. (app.unpkg.com)

• Custom regex for a param: "/user/:id(\d+)" — overrides default token pattern. (socket.dev)

• Optional path sections (groups): use braces to make sections optional, e.g. "/users{/:id}/delete". (app.unpkg.com)

• Important options (pathToRegexp / match / compile):

  • sensitive (case sensitive), end (must match to end), delimiter (segment delimiter, default '/'), trailing (allow optional trailing delimiter). Also encode/decode options for compile/match. (app.unpkg.com)

• Token API: parse -> TokenData (tokens + originalPath); tokens can be turned into RegExp or generator functions (tokensToRegExp / tokensToFunction). (app.unpkg.com)

Examples

• match("/foo/:id") -> params.id from "/foo/123". (app.unpkg.com)
• match("/*splat") -> params.splat = ["bar","baz"] for "/bar/baz". (app.unpkg.com)
• compile("/user/:id(\d+)")({id:123}) -> "/user/123". (app.unpkg.com)

If you want, I can fetch the exact README section or link specific examples from the v8 package files.

Citations:

• 1: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 2: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 3: https://socket.dev/npm/package/path-to-regexp/overview/3.1.0?utm_source=openai
• 4: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 5: https://socket.dev/npm/package/path-to-regexp/overview/3.1.0?utm_source=openai
• 6: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 7: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 8: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 9: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 10: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai
• 11: https://app.unpkg.com/path-to-regexp/files/Readme.md?utm_source=openai

---

@mtrezza path-to-regexp uses its own custom routing pattern syntax, though it's widely adopted in the JavaScript ecosystem. Here's how it relates to other pattern systems:

What is it?

Custom routing syntax - path-to-regexp defines its own DSL (Domain-Specific Language) specifically for URL route matching. It's not a standard like regex or glob, but it has become a de facto standard in Node.js web frameworks.

Most Similar To

Express.js routing patterns - In fact, Express.js uses path-to-regexp internally for route matching. If you've written Express routes, you've used this syntax:

// Express routing (powered by path-to-regexp)
app.get('/users/:id', handler);           // Named parameter
app.get('/files/*', handler);             // Wildcard (old syntax)
app.get('/posts/:id?', handler);          // Optional parameter

Relationship to Other Systems

System	Similarity	Key Differences
Regex	Can embed custom regex patterns	Simplified, URL-focused syntax; not full regex power
Glob	Uses * for wildcards	Globs are file-system oriented; path-to-regexp is URL-oriented
Express routing	Nearly identical	Express uses path-to-regexp under the hood
OpenAPI/Swagger paths	Similar parameter syntax (:id)	OpenAPI uses {id} instead of :id

Syntax Elements

The core tokens include text, named parameters (:name), wildcards (*name), and optional groups with braces:

// Named parameters
'/users/:id'                    // Matches: /users/123

// Wildcards (v8 requires naming)
'/files/*path'                  // Matches: /files/a/b/c

// Modifiers
'/posts/:id?'                   // Optional: ? 
'/tags/:name+'                  // One-or-more: +
'/categories/:slug*'            // Zero-or-more: *

// Custom regex within parameters
'/user/:id(\\d+)'              // Only matches digits

// Optional groups
'/users{/:id}/profile'         // Matches: /users/profile OR /users/123/profile

Why It Exists

path-to-regexp bridges the gap between simple string matching and full regex complexity. It provides:

• Simpler syntax than regex for common routing patterns
• Named parameter extraction (not just matching)
• URL-specific semantics (segments, trailing slashes, etc.)
• Type safety for route compilation

Ecosystem Adoption

Used by popular frameworks:

• Express.js (v4 uses path-to-regexp v6, v5 uses v8)
• Koa.js
• React Router (similar concepts)
• Many API routing libraries

So while it's a custom syntax, it's become a widely-recognized standard in the JavaScript/Node.js routing ecosystem, much like how regex is a standard for general pattern matching.

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

[mtrezza]

@coderabbitai will express framework also adopt the new v8 syntax, or did it already adopt it?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🌐 Web query:

Express.js v5 release path-to-regexp v8

💡 Result:

Short summary — what happened and what to do

• Express v5 was released and its router now depends on path-to-regexp v8 (upgrade from old 0.x/2.x). This causes stricter path parsing and several breaking changes. [1][2]

• Key breaking changes from path-to-regexp v8 in Express 5:

  • Inline "sub-expression" regex in route params (e.g. /:id(\d+)) is no longer supported (removed for ReDoS protection). [1][2]
  • Wildcards and splats semantics changed: bare * or unnamed globs now error (you must name them or use explicit capture like /(.*) or a named wildcard such as /*path or name depending on syntax). Typical app.get('') can produce "Missing parameter name". [1][3]
  • Some characters ( (, ), [, ], ?, +, ! ) and group suffixes changed/reserved; optional/quantifier behaviors differ. See path-to-regexp changelog for exact token rules. [2]

• Migration / immediate fixes

  1. Replace unnamed wildcards:
     • app.get('', handler) -> app.get(/(.)/, handler) or app.get('/*path', handler) (use named capture).
  2. Replace inline regex params by extracting param and validating with a validator (e.g., Joi/zod) or validate manually:
     • From: app.get('/:id(\d+)', …)
     • To: app.get('/:id', …) and validate req.params.id with an input-validation lib.
  3. Run your test-suite and search codebase for route patterns using (, ), *, +, ? and adjust per path-to-regexp v8 rules.
  4. Consult Express v5 migration guide and path-to-regexp README/changelog for edge cases. [1][2][3]

References

• Express v5 release / migration notes. [1]
• pillarjs/path-to-regexp releases & changelog (v8 details). [2]
• Example GitHub issue showing "Missing parameter name" with app.all('*') on Express v5. [3]

---

@mtrezza Yes, Express v5 has already been released and it uses path-to-regexp v8. This was an upgrade from the old 0.x/2.x versions used in Express v4.

Express v5 Breaking Changes

Express v5 developers face the same migration requirements:

1. Unnamed wildcards no longer work

   // Express v4 (path-to-regexp 0.x)
   app.get('*', handler);              // Works
   
   // Express v5 (path-to-regexp v8)
   app.get('*', handler);              // Error: "Missing parameter name"
   app.get(/(.*)/, handler);           // Fix: Use regex
   app.get('/*path', handler);         // Fix: Named wildcard

2. Inline regex in route params removed (for ReDoS protection)

   // Express v4
   app.get('/:id(\\d+)', handler);     // Works
   
   // Express v5
   app.get('/:id', handler);           // Must validate in middleware/handler

3. Stricter parsing of special characters (, ), [, ], ?, +, !

Alignment with Parse Server 9

This means Parse Server 9's migration to path-to-regexp v8 syntax aligns with the broader Node.js ecosystem. Developers already familiar with Express v5 migration will recognize the same patterns.

The breaking change you're introducing is consistent with what Express (the most widely-used Node.js framework) has already required from their users. This makes the migration more justifiable and the new syntax more recognizable to the community.

---

🧠 Learnings used

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

---

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

[mtrezza]

Parse Server migrated to express 5 some months ago, in the migration guide we can simply refer to the express migration guide which is the same topic.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/RateLimit.spec.js (1)

1-527: Consider updating the PR title to better reflect the breaking change.

Based on learnings, Parse Server PRs should follow Angular commit convention with a meaningful changelog entry. Since this introduces a breaking change requiring developers to update their rate limit path syntax, consider updating the PR title to:

feat(rate-limit)!: require path-to-regexp v8 syntax for rate limit paths

The ! indicates a breaking change, the scope clarifies the affected subsystem, and the description is action-oriented to help developers understand the impact.

Based on learnings, PR titles should follow Angular convention and clearly convey the change's impact to developers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56800e5 and 72af572.

📒 Files selected for processing (3)

• 9.0.0.md (1 hunks)
• spec/RateLimit.spec.js (16 hunks)
• src/Config.js (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Config.js

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/RateLimit.spec.js

🪛 LanguageTool

9.0.0.md

[uncategorized] ~9-~9: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...limiting) --- ## Route Path Syntax and Rate Limiting Parse Server 9 standardizes the route p...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 20
• GitHub Check: Node 22
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: Redis Cache
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (3)

spec/RateLimit.spec.js (3)

8-8: LGTM! Path syntax consistently updated to path-to-regexp v8.

All rate limit path configurations have been correctly updated to use named wildcards (*path) instead of unnamed wildcards (*), which is required by path-to-regexp v8. The changes are consistent across all test scenarios.

Also applies to: 29-29, 48-48, 86-86, 105-105, 125-125, 144-144, 243-243, 297-297, 323-323, 343-343, 389-389, 410-410, 505-505

---

376-376: LGTM! Improved error throwing.

Correctly updated to throw an Error object instead of a string, which provides better stack traces and follows best practices.

---

484-491: LGTM! Excellent deprecation validation with helpful migration guidance.

The deprecation test correctly validates that the old wildcard syntax is rejected with a clear, actionable error message that includes concrete migration examples. This provides excellent developer experience during the upgrade.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

9.0.0.md (1)

9-9: Optional: Consider hyphenating "Rate Limiting" in the heading.

The static analysis tool suggests using "Rate-Limiting" (with a hyphen) when used as a compound adjective modifying a noun. While "Rate Limiting" without the hyphen is widely accepted in technical documentation, adding the hyphen would follow strict grammar rules.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 72af572 and 91fb4c8.

📒 Files selected for processing (3)

• 9.0.0.md (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/docs.js
• src/Options/Definitions.js
• 9.0.0.md

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• 9.0.0.md

🪛 LanguageTool

9.0.0.md

[uncategorized] ~9-~9: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...limiting) --- ## Route Path Syntax and Rate Limiting Parse Server 9 standardizes the route p...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: Node 20
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: Node 22
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Docker Build
• GitHub Check: Benchmarks

🔇 Additional comments (3)

9.0.0.md (1)

1-54: Excellent migration guide with clear examples.

The migration guide now includes concrete before/after examples as requested in the previous review. The syntax mapping table (lines 23-28) and JavaScript configuration examples (lines 30-46) make the required changes clear and actionable for developers. The reference to the Express 5 migration guide provides helpful additional context.

Based on learnings, this addresses the previous comment requesting examples in the migration guide.

src/Options/Definitions.js (1)

681-681: Verify the documentation generation process was followed.

The updated documentation text accurately describes path-to-regexp v8 syntax requirements and provides clear examples. However, since this is a generated file (as stated in lines 2-3), please confirm that:

1. The source file src/Options/index.js was updated with these documentation changes
2. The command npm run definitions was executed to regenerate this file

Based on learnings, for new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js.

src/Options/docs.js (1)

123-123: Clear and accurate documentation for path-to-regexp v8 syntax.

The updated JSDoc documentation accurately describes the path-to-regexp v8 requirements for rate limit paths. The examples (/functions/*path, /classes/MyClass/*path, /*path) are practical and consistent with the migration guide in 9.0.0.md. The explicit requirement that "wildcards must be named" helps developers understand the breaking change from v6.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/Options/Definitions.js (1)

678-683: Rate limit requestPath help text correctly documents path-to-regexp v8 named wildcards; optional deprecation note

The updated description aligns well with path-to-regexp v8: it clearly states that wildcards must be named and gives valid examples like /*path, /functions/*path, etc., which matches upstream docs. This is a good clarification for users configuring rate limits.

If the implementation still auto-upgrades legacy patterns like /functions/* to /functions/*path for backward compatibility, you may want to add a short “legacy syntax is deprecated and will be removed in a future major version” note here or in the main rate‑limit docs, so the “must be named” wording doesn’t confuse users who still see unnamed * working during the transition. This is purely a documentation polish and can be deferred.

Also, per the project’s Angular-style convention, a changelog-friendly PR title that fits this change set could be:

• feat(routing)!: adopt path-to-regexp v8 syntax for route paths

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 91fb4c8 and 650fec2.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• package.json (1 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/docs.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/middlewares.js (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• src/Options/docs.js

🚧 Files skipped from review as they are similar to previous changes (3)

• package.json
• src/Options/index.js
• src/middlewares.js

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Node 22
• GitHub Check: Redis Cache
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: Node 20
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

[mtrezza]

Just some minor stuff

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

9.0.0.md (1)

12-15: Clarify the timing and scope of validation.

The "Deprecation" bullet states that old syntax "will trigger a clear error message," but doesn't specify when validation occurs (e.g., at Parse Server startup during config validation vs. at request time). Based on the PR changes, validation happens at startup; consider adding a phrase like "during Parse Server startup" to remove ambiguity and help users understand when they'll encounter the error.

Consider updating line 15 to:

-- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message.
+- **Deprecation**: Old wildcard route syntax is deprecated and will trigger a clear error message during Parse Server startup.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 650fec2 and 63b2b87.

📒 Files selected for processing (4)

• 9.0.0.md (1 hunks)
• spec/RateLimit.spec.js (15 hunks)
• src/Config.js (2 hunks)
• src/Options/index.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• spec/RateLimit.spec.js
• src/Options/index.js
• src/Config.js

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• 9.0.0.md

📚 Learning: 2025-08-26T14:06:31.853Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: spec/CloudCode.spec.js:446-469
Timestamp: 2025-08-26T14:06:31.853Z
Learning: In the Parse Server codebase, when handling query objects in maybeRunAfterFindTrigger, objects without a where property that contain options like limit/skip should be treated as query JSON with an empty where clause using the spread pattern { where: {}, ...query }, not nested as { where: query }.

Applied to files:

• 9.0.0.md

🪛 LanguageTool

9.0.0.md

[uncategorized] ~9-~9: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...limiting) --- ## Route Path Syntax and Rate Limiting Parse Server 9 standardizes the route p...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Redis Cache
• GitHub Check: Node 22
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: Node 20
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Node 18
• GitHub Check: Docker Build
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (1)

9.0.0.md (1)

1-56: Documentation is comprehensive and well-structured.

The migration guide successfully addresses the path-to-regexp v8 transition with clear examples, actionable steps, and external references. Past feedback requesting concrete before/after examples has been properly incorporated (lines 19–46), and the note linking to external documentation (lines 52–54) provides helpful context for users.