
Remove simple-mailgun-adapter dependency #7320


Closed
3 tasks done
mtrezza opened this issue Apr 5, 2021 · 10 comments · Fixed by #7321
Labels
state:released Released as stable version state:released-beta Released as beta version type:meta Non-code issue

Comments

@mtrezza
Member

mtrezza commented Apr 5, 2021

New Feature / Enhancement Checklist

Current Limitation

Parse Server has a dependency on parse-server-simple-mailgun-adapter, which is an old adapter that does not support custom emailVerification or passwordReset emails, so it seems more like a proof-of-concept.

Parse Server today has multiple mail adapters that provide much more functionality. Keeping that adapter as a dependency just for adapter loading tests is unnecessary. The adapter also needs to be maintained and currently has a high security vulnerability; the package is lacking tests and other basics like lint. In short, we wouldn't want to keep a poorly maintained adapter that is presumably not much in use as part of Parse Server.

Feature / Enhancement Description

The suggestion is to:

  • replace the adapter with sub-package inside the Parse Server package (for adapter module loading tests)
  • deprecate the parse-server-simple-mailgun-adapter

Alternatives / Workarounds

Fix the security vulnerability in the mailgun adapter. I already did that via parse-community/parse-server-simple-mailgun-adapter#37, but the new adapter needs to be tested.

3rd Party References

n/a

@mtrezza mtrezza changed the title Remove simple-mailgun-adapter (and deprecate it) Remove simple-mailgun-adapter dependency Apr 5, 2021
@mtrezza
Member Author

mtrezza commented Apr 7, 2021

@davimacedo Can you please archive @parse/simple-mailgun-adapter on npm? I don't have the access rights there. Or you can invite me there and I'll do it. I already archived it on GitHub.

@davimacedo
Member

I believe there isn't such an option at npm.

@mtrezza
Member Author

mtrezza commented Apr 7, 2021

@davimacedo
Member

It looks like it is a command and not an option in the dashboard: https://docs.npmjs.com/deprecating-and-undeprecating-packages-or-package-versions

I will try that.

@davimacedo
Member

It looks like that worked.

@mtrezza
Member Author

mtrezza commented Apr 8, 2021

Great! I see it now too.

@stage88
Contributor

stage88 commented Oct 2, 2021

@mtrezza I know you guys have removed this dependency, however for some reason parse-server still requires it. It is listed as a dependency of parse-server in package-lock.json.

From package lock:

"parse-server": {
  "version": "4.10.4",
  "resolved": "https://registry.npmjs.org/parse-server/-/parse-server-4.10.4.tgz",
  "integrity": "sha512-43WseBkTqs+UsZfX83msJkFloX94POeGonbfpemuUJJD/ujJeHSxQbu/6c1uqzKxaYB2bd+apoKDi98ODtg9TQ==",
  "requires": {
    "@apollographql/graphql-playground-html": "1.6.26",
    "@graphql-tools/links": "6.2.5",
    "@graphql-tools/stitch": "6.2.4",
    "@graphql-tools/utils": "6.2.4",
    "@node-rs/bcrypt": "0.4.1",
    "@parse/fs-files-adapter": "1.2.0",
    "@parse/push-adapter": "3.4.1",
    "@parse/s3-files-adapter": "1.6.2",
    "@parse/simple-mailgun-adapter": "1.1.0",
    "apollo-server-express": "2.19.0",
    "bcryptjs": "2.4.3",
    "body-parser": "1.19.0",
    "commander": "5.1.0",
    "cors": "2.8.5",
    "deepcopy": "2.1.0",
    "express": "4.17.1",
    "follow-redirects": "1.13.0",
    "graphql": "15.4.0",
    "graphql-list-fields": "2.0.2",
    "graphql-relay": "0.6.0",
    "graphql-tag": "2.12.5",
    "graphql-upload": "11.0.0",
    "intersect": "1.0.1",
    "jsonwebtoken": "8.5.1",
    "jwks-rsa": "1.12.3",
    "ldapjs": "2.2.2",
    "lodash": "4.17.21",
    "lru-cache": "5.1.1",
    "mime": "2.4.6",
    "mongodb": "3.6.11",
    "parse": "3.3.0",
    "pg-promise": "10.8.1",
    "pluralize": "8.0.0",
    "redis": "3.1.2",
    "semver": "7.3.2",
    "subscriptions-transport-ws": "0.10.0",
    "tv4": "1.3.0",
    "uuid": "8.3.1",
    "winston": "3.3.3",
    "winston-daily-rotate-file": "4.5.0",
    "ws": "7.5.3"
  }
},

I only care because I get audit reports with criticals as a result of using this lib.

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ netmask npm package vulnerable to octal input data           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ netmask                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-server                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-server > @parse/simple-mailgun-adapter > mailgun-js >  │
│               │ proxy-agent > pac-proxy-agent > pac-resolver > netmask       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1658                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pac-resolver                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-server                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-server > @parse/simple-mailgun-adapter > mailgun-js >  │
│               │ proxy-agent > pac-proxy-agent > pac-resolver                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1784                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 884 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

@mtrezza
Member Author

mtrezza commented Oct 2, 2021

@stage88 That is correct, it should also be in package.json. We didn't remove it for the 4.x versions because that would be a breaking change and require a major version upgrade. Since this is only a dependency, you can just not use the adapter and there shouldn't be a vulnerability for Parse Server. If you want to get rid of the warning, you can fork and remove the dependency manually.

Note that 4.x is currently being maintained as a long-term support trial, until we release Parse Server 5.0.
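The audit output above shows the chain npm derived from package-lock.json. The following added example (not code from the Parse Server project) walks the `requires` edges of a lockfileVersion 1 lockfile and prints every chain from `parse-server` to a package of interest, which is the quickest way to confirm after a fork-and-remove whether a transitive package is still pulled in. `SAMPLE_LOCK` is a constructed fragment modelled on the excerpt in the thread; only the two versions quoted there are real, and nested `dependencies` blocks for deduplicated versions are ignored.

```javascript
// Added example: list dependency chains from a root package to a target
// package by walking "requires" edges of a lockfileVersion 1 package-lock.
// SAMPLE_LOCK is a constructed fragment, not a real lockfile; the hop names
// mirror the "Path" row of the audit report in the thread.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'parse-server': {
      version: '4.10.4',
      requires: { '@parse/simple-mailgun-adapter': '1.1.0', express: '4.17.1' },
    },
    '@parse/simple-mailgun-adapter': { version: '1.1.0', requires: { 'mailgun-js': '*' } },
    'mailgun-js': { requires: { 'proxy-agent': '*' } },
    'proxy-agent': { requires: { 'pac-proxy-agent': '*' } },
    'pac-proxy-agent': { requires: { 'pac-resolver': '*' } },
    'pac-resolver': { requires: { netmask: '*' } },
    netmask: {},
    express: { version: '4.17.1' },
  },
};

// Depth-first walk over the hoisted top-level "dependencies" map.
// Assumption: nested "dependencies" blocks (deduplicated versions) are not
// descended into; that is enough for the flat chain shown in the audit.
function findPaths(lock, root, target) {
  const deps = (lock && lock.dependencies) || {};
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return; // cycle guard
    const here = [...trail, name];
    if (name === target) { paths.push(here); return; }
    const entry = deps[name] || {};
    for (const child of Object.keys(entry.requires || {})) walk(child, here);
  };
  walk(root, []);
  return paths;
}

// Render each chain the way npm audit's "Path" row does: "a > b > c".
function report(target, lock = SAMPLE_LOCK, root = 'parse-server') {
  return findPaths(lock, root, target).map(p => p.join(' > '));
}

// True while at least one chain from root to target still exists.
function stillPulledIn(target, lock = SAMPLE_LOCK, root = 'parse-server') {
  return findPaths(lock, root, target).length > 0;
}

console.log(report('netmask').join('\n'));
```

Point `report` at a parsed real lockfile (JSON.parse of the file contents) instead of `SAMPLE_LOCK` to check an actual project.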

@parseplatformorg
Contributor

🎉 This change has been released in version 5.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Nov 1, 2021
@parseplatformorg
Contributor

🎉 This change has been released in version 5.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Mar 14, 2022