chore(release): 9.1.1 [skip ci]

## [9.1.1](https://github.com/parse-community/parse-server/compare/9.1.0...9.1.1) (2025-12-16)

### Bug Fixes

* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](https://github.com/parse-community/parse-server/issues/9988)) ([fbcc938](fbcc938b5a))

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+## [9.1.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.1.0...9.1.1-alpha.1) (2025-12-16)
+
+
+### Bug Fixes
+
+* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](https://github.com/parse-community/parse-server/issues/9988)) ([fbcc938](https://github.com/parse-community/parse-server/commit/fbcc938b5ade5ff4c30598ac51272ef7ecef0616))
+
+# [9.1.0-alpha.4](https://github.com/parse-community/parse-server/compare/9.1.0-alpha.3...9.1.0-alpha.4) (2025-12-14)
+
+
+### Features
+
+* Log more debug info when failing to set duplicate value for field with unique values ([#9919](https://github.com/parse-community/parse-server/issues/9919)) ([a23b192](https://github.com/parse-community/parse-server/commit/a23b1924668920f3c92fec0566b57091d0e8aae8))
+
 # [9.1.0-alpha.3](https://github.com/parse-community/parse-server/compare/9.1.0-alpha.2...9.1.0-alpha.3) (2025-12-14)
 
 

changelogs/CHANGELOG_release.md

@@ -1,3 +1,23 @@
+## [9.1.1](https://github.com/parse-community/parse-server/compare/9.1.0...9.1.1) (2025-12-16)
+
+
+### Bug Fixes
+
+* Server-Side Request Forgery (SSRF) in Instagram auth adapter [GHSA-3f5f-xgrj-97pf](https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf) ([#9988](https://github.com/parse-community/parse-server/issues/9988)) ([fbcc938](https://github.com/parse-community/parse-server/commit/fbcc938b5ade5ff4c30598ac51272ef7ecef0616))
+
+# [9.1.0](https://github.com/parse-community/parse-server/compare/9.0.0...9.1.0) (2025-12-14)
+
+
+### Bug Fixes
+
+* Cross-Site Scripting (XSS) via HTML pages for password reset and email verification [GHSA-jhgf-2h8h-ggxv](https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv) ([#9985](https://github.com/parse-community/parse-server/issues/9985)) ([3074eb7](https://github.com/parse-community/parse-server/commit/3074eb70f5b58bf72b528ae7b7804ed2d90455ce))
+
+### Features
+
+* Add option `logLevels.signupUsernameTaken` to change log level of username already exists sign-up rejection ([#9962](https://github.com/parse-community/parse-server/issues/9962)) ([f18f307](https://github.com/parse-community/parse-server/commit/f18f3073d70a292bc70b5d572ef58e4845de89ca))
+* Add support for custom HTTP status code and headers to Cloud Function response with Express-style syntax ([#9980](https://github.com/parse-community/parse-server/issues/9980)) ([8eeab8d](https://github.com/parse-community/parse-server/commit/8eeab8dc57edef3751aa188d8247f296a270b083))
+* Log more debug info when failing to set duplicate value for field with unique values ([#9919](https://github.com/parse-community/parse-server/issues/9919)) ([a23b192](https://github.com/parse-community/parse-server/commit/a23b1924668920f3c92fec0566b57091d0e8aae8))
+
 # [9.0.0](https://github.com/parse-community/parse-server/compare/8.6.0...9.0.0) (2025-12-14)
 
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "parse-server",
-  "version": "9.1.0-alpha.3",
+  "version": "9.1.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "parse-server",
-      "version": "9.1.0-alpha.3",
+      "version": "9.1.1",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.1.0-alpha.3",
+  "version": "9.1.1",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

spec/Adapters/Auth/instagram.spec.js

@@ -101,6 +101,31 @@ describe('InstagramAdapter', function () {
         'Instagram auth is invalid for this user.'
       );
     });
+
+    it('should ignore client-provided apiURL and use hardcoded endpoint', async () => {
+      const accessToken = 'mockAccessToken';
+      const authData = {
+        id: 'mockUserId',
+        apiURL: 'https://example.com/',
+      };
+
+      mockFetch([
+        {
+          url: 'https://graph.instagram.com/me?fields=id&access_token=mockAccessToken',
+          method: 'GET',
+          response: {
+            ok: true,
+            json: () =>
+              Promise.resolve({
+                id: 'mockUserId',
+              }),
+          },
+        },
+      ]);
+
+      const user = await adapter.getUserFromAccessToken(accessToken, authData);
+      expect(user).toEqual({ id: 'mockUserId' });
+    });
   });
 
   describe('InstagramAdapter E2E Test', function () {

spec/schemas.spec.js

@@ -3842,6 +3842,7 @@ describe('schemas', () => {
     });
 
     it_id('cbd5d897-b938-43a4-8f5a-5d02dd2be9be')(it_exclude_dbs(['postgres']))('cannot update to duplicate value on unique index', done => {
+      loggerErrorSpy.calls.reset();
       const index = {
         code: 1,
       };
@@ -3868,6 +3869,12 @@ describe('schemas', () => {
         .then(done.fail)
         .catch(error => {
           expect(error.code).toEqual(Parse.Error.DUPLICATE_VALUE);
+          // Client should only see generic message (no schema info exposed)
+          expect(error.message).toEqual('A duplicate value for a field with unique values was provided');
+          // Server logs should contain full MongoDB error message with detailed information
+          expect(loggerErrorSpy).toHaveBeenCalledWith('Duplicate key error:', jasmine.stringContaining('E11000 duplicate key error'));
+          expect(loggerErrorSpy).toHaveBeenCalledWith('Duplicate key error:', jasmine.stringContaining('test_UniqueIndexClass'));
+          expect(loggerErrorSpy).toHaveBeenCalledWith('Duplicate key error:', jasmine.stringContaining('code_1'));
           done();
         });
     });

src/Adapters/Auth/instagram.js

@@ -96,8 +96,7 @@ class InstagramAdapter extends BaseAuthCodeAdapter {
   }
 
   async getUserFromAccessToken(accessToken, authData) {
-    const defaultURL = 'https://graph.instagram.com/';
-    const apiURL = authData.apiURL || defaultURL;
+    const apiURL = 'https://graph.instagram.com/';
     const path = `${apiURL}me?fields=id&access_token=${accessToken}`;
 
     const response = await fetch(path);

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -519,7 +519,7 @@ export class MongoStorageAdapter implements StorageAdapter {
       .then(() => ({ ops: [mongoObject] }))
       .catch(error => {
         if (error.code === 11000) {
-          // Duplicate value
+          logger.error('Duplicate key error:', error.message);
           const err = new Parse.Error(
             Parse.Error.DUPLICATE_VALUE,
             'A duplicate value for a field with unique values was provided'
@@ -605,6 +605,7 @@ export class MongoStorageAdapter implements StorageAdapter {
       .then(result => mongoObjectToParseObject(className, result, schema))
       .catch(error => {
         if (error.code === 11000) {
+          logger.error('Duplicate key error:', error.message);
           throw new Parse.Error(
             Parse.Error.DUPLICATE_VALUE,
             'A duplicate value for a field with unique values was provided'