fix(deps): update dependency mongoose to v5.13.20 [security] #751
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.10.7
->5.13.20
GitHub Vulnerability Alerts
CVE-2022-2564
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()
function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.CVE-2023-3696
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
CVE-2022-24304
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()
function is vulnerable to prototype pollution when setting theschema
object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Proof of Concept
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
Release Notes
Automattic/mongoose (mongoose)
v5.13.20
Compare Source
v5.13.19
Compare Source
v5.13.18
Compare Source
v5.13.17
Compare Source
====================
v5.13.16
Compare Source
====================
bulkSave()
#12019v5.13.15
Compare Source
====================
v5.13.14
Compare Source
====================
v5.13.13
Compare Source
====================
v5.13.12
Compare Source
====================
v5.13.11
Compare Source
====================
useDb()
#10732v5.13.10
Compare Source
====================
v5.13.9
Compare Source
===================
extends Document
andany
#10647v5.13.8
Compare Source
===================
v5.13.7
Compare Source
===================
Schema#index()
types #10562 JaredReisingerpush()
#10546v5.13.6
Compare Source
===================
next()
to avoid stack overflow with large batch size #10449v5.13.5
Compare Source
===================
depopulate()
with no args depopulates all #10501 gfranczv5.13.4
Compare Source
===================
$setOnInsert
#10460doc
an object with correct keys #10475v5.13.3
Compare Source
===================
$addToSet
and with positional operator #10447discriminator()
with non-document #10452 #10421 DouglasGabrv5.13.2
Compare Source
===================
v5.13.1
Compare Source
====================
v5.13.0
Compare Source
===================
bulkSave()
function that saves multiple docs in 1bulkWrite()
#9727 #9673 AbdelrahmanHafezpathsToSkip
to apply intoObject()
andtoJSON()
#10120diffIndexes()
function that calculates what indexessyncIndexes()
will create/drop without actually executing any changes #10362 IslandRhythmsendSession()
#10306v5.12.15
Compare Source
====================
Schema
for cases when we can't infer from Model #10358Query#cast()
#10388 lkhodiscriminatorKey
schema option #10386 #10376 IslandRhythmsv5.12.14
Compare Source
====================
Model.populate()
#10335ValidationError
as a possible type forValidationError#errors
#10320 IslandRhythmsModel.exists()
#10336 Aminoizv5.12.13
Compare Source
====================
$getAllSubdocs()
#10275findOneAndUpdate()
#10232 #10231 cnwangjiev5.12.12
Compare Source
====================
returnOriginal
withfindOneAndUpdate()
#10298 #10297 #10292 #10285 IslandRhythmsmap()
result an array if used over an array #10288 quantumsheepv5.12.11
Compare Source
====================
v5.12.10
Compare Source
====================
defaults
option on result documents from query options #7287 IslandRhythmspathsToValidate
tovalidate()
andvalidateSync()
#10258loadClass()
on classes that havecollection
as a static property #10257 #10254 IslandRhythmsvirtualsOnly
parameter toloadClass()
function signature IslandRhythmsv5.12.9
Compare Source
===================
options
as first parameter #10216v5.12.8
Compare Source
===================
toJSON()
function to ensurename
property always ends up inJSON.stringify()
output #10166 IslandRhythmsallowDiskUse
option #10177insertMany()
#10144extends Document
#10144UpdateWithAggregationPipeline
for cases whenUpdateQuery
is used as a function param #10186useFindAndModify
anduseCreateIndex
deprecation warnings #10155v5.12.7
Compare Source
===================
process.nextTick()
to avoid clean stack traces causing memory leak when using synchronous recursion likeasync.whilst()
#9864v5.12.6
Compare Source
===================
writeConcern
schema option to work around MongoDB driver'swriteConcern
deprecation warning #10083 #10009 IslandRhythmslocalField
filter to$elemMatch
on virtual populate when custommatch
has a$elemMatch
andforeignField
is an array #10117save()
when usingoptimisticConcurrency
if no changes in document #10128 IslandRhythmsobj
ascontext
inModel.validate()
ifobj
is a document #10132useDb()
withuseUnifiedTopology
#8267create()
andinsertMany()
#10144eachAsync()
callback receives a single doc rather than array of docs unlessbatchSize
is set #10135validateSync()
is a ValidationError #10147 michaln-qv5.12.5
Compare Source
===================
autoCreate
value from Mongoose global when creating new model before callingconnect()
#10091type: Boolean
in Schema definitions #10085updateOne()
andupdateMany()
#10095deleteOne()
,deleteMany()
#10122useCreateIndex
alwaysfalse
in docs #10033v5.12.4
Compare Source
===================
_id
property #10069.$*
#10123transform()
function for single conventional populate #10064T
to useT & Document
internally #10046$pull
with$
paths #10075Date
type for$currentDate
#10058$unset
properties to be any value #10066index
property to a string #10077v5.12.3
Compare Source
===================
writeConcern()
method to avoid writeConcern deprecation warning #10009createCollection()
and other helpers to avoid event emitter warning #9778Connection#id
to Mongoose instance so id always lines up withmongoose.connections
index #10025 IslandRhythmspromiseOrCallback()
if 3rd param isn't an EventEmitter #10055 emrebassModel.discriminator()
#10054 coro101next()
callback forpre('insertMany')
hooks #10078 #10072 pezzutransform
to PopulateOptions interface #10061v5.12.2
Compare Source
===================
post('find')
hooks with an array of docs #10015 #9982 IslandRhythmsref
as an option on an array SchemaType #10029select
option from array schematypes #10029Schema()
constructor #10035 zpbrentQueryWithHelpers
so query helpers pass through chaining #10040upserted
array toupdateOne()
,updateMany()
,update()
result #10042Aggregate#project()
types that were mistakenly removed in 5.12.0 #10043type
in Schema to a SchemaType class or a Schema instance #10030session.withTransaction()
beforesession.startTransaction()
becausewithTransaction()
is the recommended approach #10008mongoose.Types
#10016v5.12.1
Compare Source
====================
Schema
for cases when we can't infer from Model #10358Query#cast()
#10388 lkhodiscriminatorKey
schema option #10386 #10376 IslandRhythmsv5.12.0
Compare Source
===================
transform
option that Mongoose will call on every populated doc #3775Query#pre()
andQuery#post()
public #9784Document#getPopulatedDocs()
to return an array of all populated documents in a document #9702 IslandRhythmsDocument#getAllSubdocs()
to return an array of all single nested and array subdocuments #9764 IslandRhythmsschema
as a schema path name #8798 IslandRhythmsnoListener
option to help with use cases where you're usinguseDb()
on every request #9961mongoose.createConnection()
#9985explain
option toModel.exists()
#8098 IslandRhythmsv5.11.20
Compare Source
====================
db
events deprecation warning with 'close' events #10004 #9930$pull
more permissive to allow dotted paths #9993v5.11.19
Compare Source
====================
validateModifiedOnly
is set #9963findOneAndReplace()
#9951loadClass()
#9975Schema
constructor #9969type
to an array of schemas when using SchemaDefinitionType #9962v5.11.18
Compare Source
====================
disconnected
if connecting string failed to parse #9921db
events deprecation warning ifuseUnifiedTopology = true
#9930PopulatedDoc
type to make it easier to define populated docs in interfaces [Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.