chore(release): 9.2.1-alpha.1 [skip ci]

## [9.2.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.2.0...9.2.1-alpha.1) (2026-02-06)

### Bug Fixes

* Default HTML pages for password reset, email verification not found ([#10034](https://github.com/parse-community/parse-server/issues/10034)) ([e299107](e29910764d))

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,17 @@
+## [9.2.1-alpha.1](https://github.com/parse-community/parse-server/compare/9.2.0...9.2.1-alpha.1) (2026-02-06)
+
+
+### Bug Fixes
+
+* Default HTML pages for password reset, email verification not found ([#10034](https://github.com/parse-community/parse-server/issues/10034)) ([e299107](https://github.com/parse-community/parse-server/commit/e29910764daef3c03ed1b09eee19cedc3b12a86a))
+
+# [9.2.0-alpha.5](https://github.com/parse-community/parse-server/compare/9.2.0-alpha.4...9.2.0-alpha.5) (2026-02-05)
+
+
+### Bug Fixes
+
+* Security upgrade @apollo/server from 5.0.0 to 5.4.0 ([#10035](https://github.com/parse-community/parse-server/issues/10035)) ([9f368ff](https://github.com/parse-community/parse-server/commit/9f368ff9ca322c61cdcfab735e5b5240d1c8f917))
+
 # [9.2.0-alpha.4](https://github.com/parse-community/parse-server/compare/9.2.0-alpha.3...9.2.0-alpha.4) (2026-01-29)
 
 

changelogs/CHANGELOG_release.md

@@ -1,3 +1,17 @@
+# [9.2.0](https://github.com/parse-community/parse-server/compare/9.1.1...9.2.0) (2026-02-05)
+
+
+### Bug Fixes
+
+* MongoDB timeout errors unhandled and potentially revealing internal data ([#10020](https://github.com/parse-community/parse-server/issues/10020)) ([1d3336d](https://github.com/parse-community/parse-server/commit/1d3336d128671c974b419b9b34db35ada7d1a44d))
+* Security upgrade @apollo/server from 5.0.0 to 5.4.0 ([#10035](https://github.com/parse-community/parse-server/issues/10035)) ([9f368ff](https://github.com/parse-community/parse-server/commit/9f368ff9ca322c61cdcfab735e5b5240d1c8f917))
+
+### Features
+
+* Add option `databaseOptions.clientMetadata` to send custom metadata to database server for logging and debugging ([#10017](https://github.com/parse-community/parse-server/issues/10017)) ([756c204](https://github.com/parse-community/parse-server/commit/756c204220a2c7be3770b7d4a49f11e8903323db))
+* Upgrade mongodb from 6.20.0 to 7.0.0 ([#10027](https://github.com/parse-community/parse-server/issues/10027)) ([14b3fce](https://github.com/parse-community/parse-server/commit/14b3fce203be0abaf29c27c123cba47f35d09c68))
+* Upgrade to parse 8.0.3 and @parse/push-adapter 8.2.0 ([#10021](https://github.com/parse-community/parse-server/issues/10021)) ([9833fdb](https://github.com/parse-community/parse-server/commit/9833fdb111c373dc75fc74ea5f9209408186a475))
+
 ## [9.1.1](https://github.com/parse-community/parse-server/compare/9.1.0...9.1.1) (2025-12-16)
 
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "9.2.0-alpha.4",
+  "version": "9.2.1-alpha.1",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {
@@ -10,7 +10,7 @@
   "files": [
     "bin/",
     "lib/",
-    "public_html/",
+    "public/",
     "views/",
     "LICENSE",
     "NOTICE",
@@ -20,7 +20,7 @@
   ],
   "license": "Apache-2.0",
   "dependencies": {
-    "@apollo/server": "5.0.0",
+    "@apollo/server": "5.4.0",
     "@as-integrations/express5": "1.1.2",
     "@graphql-tools/merge": "9.0.24",
     "@graphql-tools/schema": "10.0.23",
@@ -29,7 +29,7 @@
     "@parse/push-adapter": "8.2.0",
     "bcryptjs": "3.0.3",
     "commander": "14.0.2",
-    "cors": "2.8.5",
+    "cors": "2.8.6",
     "deepcopy": "2.1.0",
     "express": "5.2.1",
     "express-rate-limit": "7.5.1",
@@ -51,7 +51,7 @@
     "parse": "8.0.3",
     "path-to-regexp": "8.3.0",
     "pg-monitor": "3.0.0",
-    "pg-promise": "12.2.0",
+    "pg-promise": "12.6.0",
     "pluralize": "8.0.0",
     "punycode": "2.3.1",
     "rate-limit-redis": "4.2.0",
@@ -60,7 +60,7 @@
     "subscriptions-transport-ws": "0.11.0",
     "tv4": "1.3.0",
     "uuid": "11.1.0",
-    "winston": "3.17.0",
+    "winston": "3.19.0",
     "winston-daily-rotate-file": "5.0.0",
     "ws": "8.18.2"
   },
@@ -68,8 +68,8 @@
     "@actions/core": "1.11.1",
     "@apollo/client": "3.13.8",
     "@babel/cli": "7.27.0",
-    "@babel/core": "7.28.6",
-    "@babel/eslint-parser": "7.28.0",
+    "@babel/core": "7.29.0",
+    "@babel/eslint-parser": "7.28.6",
     "@babel/plugin-proposal-object-rest-spread": "7.20.7",
     "@babel/plugin-transform-flow-strip-types": "7.26.5",
     "@babel/preset-env": "7.27.2",
@@ -97,7 +97,7 @@
     "jsdoc": "4.0.4",
     "jsdoc-babel": "0.5.0",
     "lint-staged": "16.1.0",
-    "m": "1.9.1",
+    "m": "1.10.0",
     "madge": "8.0.0",
     "mock-files-adapter": "file:spec/dependencies/mock-files-adapter",
     "mock-mail-adapter": "file:spec/dependencies/mock-mail-adapter",

spec/PagesRouter.spec.js

@@ -1181,6 +1181,61 @@ describe('Pages Router', () => {
     });
   });
 
+  describe('async publicServerURL', () => {
+    it('resolves async publicServerURL for password reset page', async () => {
+      const emailAdapter = {
+        sendVerificationEmail: () => Promise.resolve(),
+        sendPasswordResetEmail: () => Promise.resolve(),
+        sendMail: () => {},
+      };
+      await reconfigureServer({
+        appId: 'test',
+        appName: 'exampleAppname',
+        verifyUserEmails: true,
+        emailAdapter,
+        publicServerURL: () => 'http://localhost:8378/1',
+        pages: { enableRouter: true },
+      });
+
+      const user = new Parse.User();
+      user.setUsername('asyncUrlUser');
+      user.setPassword('examplePassword');
+      user.set('email', 'async-url@example.com');
+      await user.signUp();
+      await Parse.User.requestPasswordReset('async-url@example.com');
+
+      const response = await request({
+        url: 'http://localhost:8378/1/apps/test/request_password_reset?token=invalidToken',
+        followRedirects: false,
+      }).catch(e => e);
+      expect(response.status).toBe(200);
+      expect(response.text).toContain('Invalid password reset link!');
+    });
+
+    it('resolves async publicServerURL for email verification page', async () => {
+      const emailAdapter = {
+        sendVerificationEmail: () => Promise.resolve(),
+        sendPasswordResetEmail: () => Promise.resolve(),
+        sendMail: () => {},
+      };
+      await reconfigureServer({
+        appId: 'test',
+        appName: 'exampleAppname',
+        verifyUserEmails: true,
+        emailAdapter,
+        publicServerURL: () => 'http://localhost:8378/1',
+        pages: { enableRouter: true },
+      });
+
+      const response = await request({
+        url: 'http://localhost:8378/1/apps/test/verify_email?token=invalidToken',
+        followRedirects: false,
+      }).catch(e => e);
+      expect(response.status).toBe(200);
+      expect(response.text).toContain('Invalid verification link!');
+    });
+  });
+
   describe('XSS Protection', () => {
     beforeEach(async () => {
       await reconfigureServer({

src/Routers/PagesRouter.js

@@ -624,12 +624,14 @@ export class PagesRouter extends PromiseRouter {
    * @param {Boolean} failGracefully Is true if failing to set the config should
    * not result in an invalid request response. Default is `false`.
    */
-  setConfig(req, failGracefully = false) {
+  async setConfig(req, failGracefully = false) {
     req.config = Config.get(req.params.appId || req.query.appId);
     if (!req.config && !failGracefully) {
       this.invalidRequest();
     }
-    return Promise.resolve();
+    if (req.config) {
+      await req.config.loadKeys();
+    }
   }
 
   mountPagesRoutes() {
@@ -637,7 +639,7 @@ export class PagesRouter extends PromiseRouter {
       'GET',
       `/${this.pagesEndpoint}/:appId/verify_email`,
       req => {
-        this.setConfig(req);
+        return this.setConfig(req);
       },
       req => {
         return this.verifyEmail(req);
@@ -648,7 +650,7 @@ export class PagesRouter extends PromiseRouter {
       'POST',
       `/${this.pagesEndpoint}/:appId/resend_verification_email`,
       req => {
-        this.setConfig(req);
+        return this.setConfig(req);
       },
       req => {
         return this.resendVerificationEmail(req);
@@ -659,7 +661,7 @@ export class PagesRouter extends PromiseRouter {
       'GET',
       `/${this.pagesEndpoint}/choose_password`,
       req => {
-        this.setConfig(req);
+        return this.setConfig(req);
       },
       req => {
         return this.passwordReset(req);
@@ -670,7 +672,7 @@ export class PagesRouter extends PromiseRouter {
       'POST',
       `/${this.pagesEndpoint}/:appId/request_password_reset`,
       req => {
-        this.setConfig(req);
+        return this.setConfig(req);
       },
       req => {
         return this.resetPassword(req);
@@ -681,7 +683,7 @@ export class PagesRouter extends PromiseRouter {
       'GET',
       `/${this.pagesEndpoint}/:appId/request_password_reset`,
       req => {
-        this.setConfig(req);
+        return this.setConfig(req);
       },
       req => {
         return this.requestResetPassword(req);
@@ -695,7 +697,7 @@ export class PagesRouter extends PromiseRouter {
         route.method,
         `/${this.pagesEndpoint}/:appId/${route.path}`,
         req => {
-          this.setConfig(req);
+          return this.setConfig(req);
         },
         async req => {
           const { file, query = {} } = (await route.handler(req)) || {};
@@ -718,7 +720,7 @@ export class PagesRouter extends PromiseRouter {
       'GET',
       `/${this.pagesEndpoint}/*resource`,
       req => {
-        this.setConfig(req, true);
+        return this.setConfig(req, true);
       },
       req => {
         return this.staticRoute(req);