fix(deps): update dependency mongoose to v8.8.3 [security] #368

renovate · 2024-12-03T08:30:31Z

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
mongoose (source)	dependencies	minor	`8.4.1` -> `8.8.3`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Mongoose search injection vulnerability

CVE-2024-53900 / GHSA-m7xq-9374-9rvx

More information

Details

Mongoose before 8.8.3 can improperly use $where in match.

Severity

CVSS Score: Unknown
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

Automattic/mongoose (mongoose)

`v8.8.3`

Compare Source

==================

fix: disallow using $where in match
perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties #15055 #15029
fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update #15046 #15040

`v8.8.2`

Compare Source

==================

fix(model): handle array filters when casting bulkWrite #15036 #14978
fix(model): make diffIndexes() avoid trying to drop default timeseries collection index #15035 #14984
fix: save execution stack in query as string #15039 durran
types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' #15038
docs(migrating_to_8): add note about removing findByIdAndRemove #15024 dragontaek-lee

`v8.8.1`

Compare Source

==================

perf: make a few micro-optimizations to help speed up findOne() #15022 #14906
fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly #15001 #14961
fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode #15000 #8619

`v8.8.0`

Compare Source

==================

feat: upgrade mongodb -> ~6.10 #14991 #14877
feat(query): add schemaLevelProjections option to query to disable schema-level select: false #14986 #11474
feat: allow defining virtuals on arrays, not just array elements #14955 #2326
feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO #14943 #14698
feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() #14987 #14868
fix(query): make sanitizeFilter disable implicit $in #14985 #14657
fix(model): avoid unhandled error if createIndex() throws a sync error #14995
fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError #14993
types: added toJSON:flattenObjectIds effect #14989
types: add __v to lean() result type and ModifyResult #14990 #12959
types: use globalThis instead of global for NativeDate #14992 #14988
docs(change-streams): fix markdown syntax highlighting for script output example #14994

`v8.7.3`

Compare Source

==================

fix(cursor): close underlying query cursor when calling destroy() #14982 #14966
types: add JSONSerialized helper that can convert HydratedDocument to JSON output type #14981 #14451
types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override #14977
types(connection): add missing sanitizeFilter option #14975
types: improve goto definition for inferred schema definitions #14968 forivall
docs(migration-guide-v7): correct link to the section "Id Setter" #14973 rb-ntnx

`v8.7.2`

Compare Source

==================

fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null #14963 #14952
fix(populate): handle array of ids with parent refPath #14965
types: make Buffers into mongodb.Binary in lean result type to match runtime behavior #14967
types: correct schema type inference when using nested typeKey like type: { type: String } #14956 #14950
types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver #14947 #14946
docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment #14972
docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty #14957

`v8.7.1`

Compare Source

==================

fix: set flattenObjectIds to false when calling toObject() for internal purposes #14938
fix: add mongodb 8 to test matrix #14937
fix: handle buffers stored in MongoDB as EJSON representation with { $binary } #14932
docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support #14937

`v8.7.0`

Compare Source

==================

feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
feat: upgrade mongodb -> 6.9.0 #14914
feat(query): cast $rename to string #14887 #3027
feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
types: make __v a number, only set __v on top-level documents #14892

`v8.6.4`

Compare Source

==================

fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee

`v8.6.3`

Compare Source

==================

fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
fix: fix missing Aggregate re-exports for ESM #14886 wongsean
types(document): add generic param to depopulate() to allow updating properties #14891 #14876

`v8.6.2`

Compare Source

==================

fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
types: make SchemaType static setters property accessible in TypeScript #14881 #14879
type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839

`v8.6.1`

Compare Source

==================

fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
types(query): add $expr to RootQuerySelector #14845
docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

`v8.6.0`

Compare Source

==================

feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813
feat(model+query): support options parameter for distinct() #14772 #8006
feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745
types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig
types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883
types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734

`v8.5.5`

Compare Source

==================

fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759
fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #14821
types: fix schema type based on timestamps schema options value #14829 #14825 ark23CIS

`v8.5.4`

Compare Source

==================

fix: add empty string check for collection name passed #14806 Shubham2552
docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809

`v8.5.3`

Compare Source

==================

fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788
fix(populate): avoid throwing error when no result and lean() set #14799 #14794 #14759 MohOraby
fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394
types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793
types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS
types(cursor): indicate that cursor.next() can return null #14798 #14787
types: allow mongoose.connection.db to be undefined #14797 #14789
docs: add schema type widening advice #14790 JstnMcBrd

`v8.5.2`

Compare Source

==================

perf(clone): avoid further unnecessary checks if cloning a primitive value #14762 #14394
fix: allow setting document array default to null #14769 #14717 #6691
fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #14744 #14736
fix(model+document): avoid depopulating manually populated doc as getter value #14760 #14759
fix: correct shardkey access in buildBulkWriteOps #14753 #14752 adf0nt3s
fix(query): handle casting $switch in $expr #14755 #14751
types: allow calling SchemaType.cast() without parent and init parameters #14756 #14748 #9076
docs: fix a wrong example in v6 migration guide #14758 abdelrahman-elkady

`v8.5.1`

Compare Source

==================

perf(model): performance improvements for insertMany() #14724
fix(model): avoid leaving subdoc defaults on top-level doc when setting subdocument to same value #14728 #14722
fix(model): handle transactionAsyncLocalStorage option with insertMany() #14743
types: make _id required on Document type #14735 #14660
types: fix ChangeStream.close to return a Promise like the driver #14740 orgads

`v8.5.0`

Compare Source

==================

perf: memoize toJSON / toObject default options #14672
feat(document): add $createModifiedPathsSnapshot(), $restoreModifiedPathsSnapshot(), $clearModifiedPaths() #14699 #14268
feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema #14691
feat: allow setting array default value to null #14717 #6691
feat(mongoose): allow drivers to set global plugins #14682
feat(connection): bubble up monitorCommands events to Mongoose connection if monitorCommands option set #14681 #14611
fix(document): ensure post('deleteOne') hooks are called when calling save() after subdoc.deleteOne() #14732 #9885
fix(query): remove count() and findOneAndRemove() from query chaining #14692 #14689
fix: remove default connection if setting createInitialConnection to false after Mongoose instance created #14679 #8302
types(models+query): infer return type from schema for 1-level deep nested paths #14632
types(connection): make transaction() return type match the executor function #14661 #14656
docs: fix docs links in index.md mirasayon

`v8.4.5`

Compare Source

==================

types: correct this for validate.validator schematype option #14720 #14696
docs(model): note that insertMany() with lean skips applying defaults #14723 #14698

`v8.4.4`

Compare Source

==================

perf: avoid unnecesary get() call and use faster approach for converting to string #14673 #14394
fix(projection): handle projections on arrays in Model.hydrate() projection option #14686 #14680
fix(document): avoid passing validateModifiedOnly to subdocs so subdocs get fully validating if they're directly modified #14685 #14677
fix: handle casting primitive array with $elemMatch in bulkWrite() #14687 #14678
fix(query): cast $pull using embedded discriminator schema when discriminator key is set in filter #14676 #14675
types(connection): fix return type of withSession() #14690 tt-public
types: add $documents pipeline stage and fix $unionWith type #14666 nick-statsig
docs(findoneandupdate): improve example that shows findOneAndUpdate() returning doc before updates were applied #14671 #14670

`v8.4.3`

Compare Source

==================

fix: remove 0x flamegraph files from release

`v8.4.2`

Compare Source

==================

perf: more toObject() perf improvements #14623 #14606 #14394
fix(model): check the value of overwriteModels in options when calling discriminator() #14646 uditha-g
fix: avoid throwing TypeError when deleting an null entry on a populated Map #14654 futurliberta
fix(connection): fix up some inconsistencies in operation-end event and add to docs #14659 #14648
types: avoid inferring Boolean, Buffer, ObjectId as Date in schema definitions under certain circumstances #14667 #14630
docs: add note about parallelism in transations #14647 fiws

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changeset-bot · 2024-12-03T08:30:35Z

⚠️ No Changeset found

Latest commit: 8ea5077

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR