
fix(deps): update dependency mongoose to v5.13.20 [security] #751

Open

wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

Conversation

renovate[bot]

@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

Package: mongoose (source)
Change: 5.10.7 -> 5.13.20

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

// A dotted path whose first segment resolves to Object.prototype
const malicious_payload = '__proto__.toString';

// On affected versions, path() walks the dotted path and replaces
// Object.prototype.toString, so every plain object's toString() breaks
schema.path(malicious_payload, [String]);

const x = {};
console.log(x.toString()); // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.


Release Notes

Automattic/mongoose (mongoose)

v5.13.20

v5.13.19

v5.13.18

v5.13.17

v5.13.16

v5.13.15

v5.13.14

  • fix(timestamps): avoid setting createdAt on documents that already exist but don't have createdAt #​11024
  • docs(models): fix up nModified example for 5.x #​11055

v5.13.13

v5.13.12

  • fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' #​10897 iovanom
  • fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors #​10617

v5.13.11

  • fix: upgrade mongodb -> 3.7.2 #​10871 winstonralph
  • fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with useDb() #​10732

v5.13.10

  • fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions #​10674
  • fix(index.d.ts): allow AnyObject as param to findOneAndReplace() #​10714

v5.13.9

  • fix(populate): avoid setting empty array on lean document when populate result is undefined #​10599
  • fix(document): make depopulate() handle populated paths underneath document arrays #​10592
  • fix: peg @​types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release #​10678
  • fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with extends Document and any #​10647
  • fix(index.d.ts): allow specifying weights as an IndexOption #​10586
  • fix: upgrade to mpath v0.8.4 re: security issue #​10683

v5.13.8

  • fix(populate): handle populating subdoc array virtual with sort #​10552
  • fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 #​10420
  • fix(index.d.ts): correct value of this for custom query helper methods #​10545
  • fix(index.d.ts): allow strings for ObjectIds in nested properties #​10573
  • fix(index.d.ts): add match to VirtualTypeOptions.options #​8749
  • fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions #​10587 osmanakol
  • docs(api): add Document#$where to API docs #​10583

v5.13.7

  • perf(index.d.ts): loosen up restrictions on ModelType generic for Schema for a ~50% perf improvement when compiling TypeScript and using intellisense #​10536 #​10515 #​10349
  • fix(index.d.ts): fix broken Schema#index() types #​10562 JaredReisinger
  • fix(index.d.ts): allow using SchemaTypeOptions with array of raw document interfaces #​10537
  • fix(index.d.ts): define IndexOptions in terms of mongodb.IndexOptions #​10563 JaredReisinger
  • fix(index.d.ts): improve intellisense for DocumentArray push() #​10546
  • fix(index.d.ts): correct type for expires #​10529
  • fix(index.d.ts): add Query#model property to ts bindings #​10531
  • refactor(index.d.ts): make callbacks use the new Callback and CallbackWithoutResult types #​10550 thiagokisaki

v5.13.6

  • fix: upgrade mongodb driver -> 3.6.11 #​10543 maon-fp
  • fix(schema): throw more helpful error when defining a document array using a schema from a different copy of the Mongoose module #​10453
  • fix: add explicit check on constructor property to avoid throwing an error when checking objects with null prototypes #​10512
  • fix(cursor): make sure to clear stack every 1000 docs when calling next() to avoid stack overflow with large batch size #​10449
  • fix(index.d.ts): allow calling new Model(...) with generic Model param #​10526
  • fix(index.d.ts): update type declarations of Schema.index method #​10538 #​10530 Raader
  • fix(index.d.ts): add useNewUrlParser and useUnifiedTopology to ConnectOptions #​10500
  • fix(index.d.ts): add missing type for diffIndexes #​10547 bvgusak
  • fix(index.d.ts): fixed incorrect type definition for Query's .map function #​10544 GCastilho
  • docs(schema): add more info and examples to Schema#indexes() docs #​10446
  • chore: add types property to package.json #​10557 thiagokisaki

v5.13.5

v5.13.4

  • fix: avoid pulling non-schema paths from documents into nested paths #​10449
  • fix(update): support overwriting nested map paths #​10485
  • fix(update): apply timestamps to subdocs that would be newly created by $setOnInsert #​10460
  • fix(map): correctly clone subdocs when calling toObject() on a map #​10486
  • fix(cursor): cap parallel batchSize for populate at 5000 #​10449
  • fix(index.d.ts): improve autocomplete for new Model() by making doc an object with correct keys #​10475
  • fix(index.d.ts): add MongooseOptions interface #​10471 thiagokisaki
  • fix(index.d.ts): make LeanDocument work with PopulatedDoc #​10494
  • docs(mongoose+connection): correct default value for bufferTimeoutMS #​10476
  • chore: remove unnecessary 'eslint-disable' comments #​10466 thiagokisaki

v5.13.3

  • fix(model): avoid throwing error when bulkSave() called on a document with no changes #​10437
  • fix(timestamps): apply timestamps when creating new subdocs with $addToSet and with positional operator #​10447
  • fix(schema): allow calling Schema#loadClass() with class that has a static getter with no setter #​10436
  • fix(model): handle re-applying object defaults after explicitly unsetting #​10442 semirturgay
  • fix: bump mongodb driver -> 3.6.10 #​10440 AbdelrahmanHafez
  • fix(index.d.ts): consistently use NativeDate instead of Date for Date validators and timestamps functions #​10426
  • fix(index.d.ts): allow calling discriminator() with non-document #​10452 #​10421 DouglasGabr
  • fix(index.d.ts): allow passing ResultType generic to Schema#path() #​10435

v5.13.2

v5.13.1

v5.13.0

  • feat(query): add sanitizeProjection option to opt in to automatically sanitizing untrusted query projections #​10243
  • feat(model): add bulkSave() function that saves multiple docs in 1 bulkWrite() #​9727 #​9673 AbdelrahmanHafez
  • feat(document): allow passing a list of virtuals or pathsToSkip to apply in toObject() and toJSON() #​10120
  • fix(model): make Model.validate use object under validation as context by default #​10360 AbdelrahmanHafez
  • feat(document): add support for pathsToSkip in validate and validateSync #​10375 AbdelrahmanHafez
  • feat(model): add diffIndexes() function that calculates what indexes syncIndexes() will create/drop without actually executing any changes #​10362 IslandRhythms
  • feat(document): avoid using sessions that have ended, so you can use documents that were loaded in the session after calling endSession() #​10306

v5.12.15

v5.12.14

  • fix(schema): check that schema type is an object when setting isUnderneathDocArray #​10361 vmo-khanus
  • fix(document): avoid infinite recursion when setting single nested subdoc to array #​10351
  • fix(populate): allow populating nested path in schema using Model.populate() #​10335
  • fix(drivers): emit operation-start/operation-end events to allow inspecting when operations start and end
  • fix(index.d.ts): improve typings for virtuals #​10350 thiagokisaki
  • fix(index.d.ts): correct constructor type for Document #​10328
  • fix(index.d.ts): add ValidationError as a possible type for ValidationError#errors #​10320 IslandRhythms
  • fix: remove unnecessary async devDependency that's causing npm audit warnings #​10281
  • docs(typescript): add schemas guide #​10308
  • docs(model): add options parameter description to Model.exists() #​10336 Aminoiz

v5.12.13

  • perf(document): avoid creating nested paths when running $getAllSubdocs() #​10275
  • fix: make returnDocument option work with findOneAndUpdate() #​10232 #​10231 cnwangjie
  • fix(document): correctly reset subdocument when resetting a map subdocument underneath a single nested subdoc after save #​10295
  • perf(query): avoid setting non-null sessions to avoid overhead from $getAllSubdocs() #​10275
  • perf(document): pre split schematype paths when compiling schema to avoid extra overhead of splitting when hydrating documents #​10275
  • perf(schema): pre-calculate mapPaths to avoid looping over every path for each path when initing doc #​10275
  • fix(index.d.ts): drill down into nested arrays when creating LeanDocument type #​10293

v5.12.12

v5.12.11

  • fix(populate): skip applying setters when casting arrays for populate() to avoid issues with arrays of immutable elements #​10264
  • perf(schematype): avoid cloning setters every time we run setters #​9588
  • perf(get): add benchmarks and extra cases to speed up get() #​9588
  • perf(array): improve array constructor performance on small arrays to improve nested array perf #​9588
  • fix(index.d.ts): allow using type: [String] with string[] when using SchemaDefinition with generic #​10261
  • fix(index.d.ts): support ReadonlyArray as well as regular array where possible in schema definitions #​10260
  • docs(connection): document noListener option to useDb #​10278 stuartpb
  • docs: migrate raw tutorial content from pug / JS to markdown #​10271
  • docs: fix typo #​10269 sanjib

v5.12.10

  • fix(query): allow setting defaults option on result documents from query options #​7287 IslandRhythms
  • fix(populate): handle populating embedded discriminator with custom tiedValue #​10231
  • fix(document): allow passing space-delimited string of pathsToValidate to validate() and validateSync() #​10258
  • fix(model+schema): support loadClass() on classes that have collection as a static property #​10257 #​10254 IslandRhythms
  • fix(SchemaArrayOptions): correct property name #​10236
  • fix(index.d.ts): add any to all query operators to minimize likelihood of "type instantiation is excessively deep" when querying docs with 4-level deep subdocs #​10189
  • fix(index.d.ts): add $parent() in addition to parent() in TS definitions
  • fix(index.d.ts): correct async iterator return type for QueryCursor #​10253 #​10252 #​10251 borfig
  • fix(index.d.ts): add virtualsOnly parameter to loadClass() function signature IslandRhythms
  • docs(typescript): add typescript populate docs #​10212
  • docs: switch from AWS to Azure Functions for search #​10244

v5.12.9

  • fix(schema): ensure add() overwrites existing schema paths by default #​10208 #​10203
  • fix(schema): support creating nested paths underneath document arrays #​10193
  • fix(update): convert nested dotted paths in update to nested paths to avoid ending up with dotted properties in update #​10200
  • fix(document): allow calling validate() and validateSync() with options as first parameter #​10216
  • fix(schema): apply static properties to model when using loadClass() #​10206
  • fix(index.d.ts): allow returning Promise from middleware functions #​10229
  • fix(index.d.ts): add pre('distinct') hooks to TypeScript #​10192

v5.12.8

  • fix(populate): handle populating immutable array paths #​10159
  • fix(CastError): add toJSON() function to ensure name property always ends up in JSON.stringify() output #​10166 IslandRhythms
  • fix(query): add allowDiskUse() method to improve setting MongoDB 4.4's new allowDiskUse option #​10177
  • fix(populate): allow populating paths under mixed schematypes where some documents have non-object properties #​10191
  • chore: remove unnecessary driver dynamic imports so Mongoose can work with Parcel #​9603
  • fix(index.d.ts): allow any object as parameter to create() and insertMany() #​10144
  • fix(index.d.ts): allow creating Model class with raw interface, no extends Document #​10144
  • fix(index.d.ts): separate UpdateQuery from UpdateWithAggregationPipeline for cases when UpdateQuery is used as a function param #​10186
  • fix(index.d.ts): don't require error value in pre/post hooks #​10213 michaln-q
  • docs(typescript): add a typescript intro tutorial and statics tutorial #​10021
  • docs(typescript): add query helpers tutorial #​10021
  • docs(deprecations): add note that you can safely ignore useFindAndModify and useCreateIndex deprecation warnings #​10155
  • chore(workflows): add node 16 to github actions #​10201 AbdelrahmanHafez

v5.12.7

  • fix(document): make $getPopulatedDocs() return populated virtuals #​10148
  • fix(discriminator): take discriminator schema's single nested paths over base schema's #​10157
  • fix(discriminator): allow numbers and ObjectIds as tied values for discriminators #​10130
  • fix(document): avoid double validating paths underneath mixed objects in save() #​10141
  • fix(schema): allow path() to return single nested paths within document arrays #​10164
  • fix(model+query): consistently wrap query callbacks in process.nextTick() to avoid clean stack traces causing memory leak when using synchronous recursion like async.whilst() #​9864
  • fix(cursor): correctly report CastError when using noCursorTimeout flag #​10150
  • fix(index.d.ts): add CastError constructor #​10176
  • fix(index.d.ts): allow setting mongoose.pluralize(null) in TypeScript #​10185
  • docs: add link to transactions guide from nav bar #​10143
  • docs(validation): add section about custom error messages #​10140
  • docs: make headers linkable via clicking #​10156
  • docs: broken link in document.js #​10190 joostdecock
  • docs: make navbar responsive on legacy 2.x docs #​10171 ad99526

v5.12.6

  • fix(query): allow setting writeConcern schema option to work around MongoDB driver's writeConcern deprecation warning #​10083 #​10009 IslandRhythms
  • fix(populate): dedupe when virtual populate foreignField is an array to avoid duplicate docs in result #​10117
  • fix(populate): add localField filter to $elemMatch on virtual populate when custom match has a $elemMatch and foreignField is an array #​10117
  • fix(query): convert projection string values to numbers as a workaround for #​10142
  • fix(document): set version key filter on save() when using optimisticConcurrency if no changes in document #​10128 IslandRhythms
  • fix(model): use obj as context in Model.validate() if obj is a document #​10132
  • fix(connection): avoid db events deprecation warning when using useDb() with useUnifiedTopology #​8267
  • fix: upgrade to sift@13.5.2 to work around transitive dev dependency security warning #​10121
  • fix(index.d.ts): allow any object as parameter to create() and insertMany() #​10144
  • fix(index.d.ts): clarify that eachAsync() callback receives a single doc rather than array of docs unless batchSize is set #​10135
  • fix(index.d.ts): clarify that return value from validateSync() is a ValidationError #​10147 michaln-q
  • fix(index.d.ts): add generic type for Model constructor #​10074 Duchynko
  • fix(index.d.ts): add parameter type in merge #​10168 yoonhoGo

v5.12.5

  • fix(populate): handle populating underneath document array when document array property doesn't exist in db #​10003
  • fix(populate): clear out dangling pointers to populated docs so query cursor with populate() can garbage collect populated subdocs #​9864
  • fix(connection): pull correct autoCreate value from Mongoose global when creating new model before calling connect() #​10091
  • fix(populate): handle populating paths on documents with discriminator keys that point to non-existent discriminators #​10082
  • fix(index.d.ts): allow numbers as discriminator names #​10115
  • fix(index.d.ts): allow type: Boolean in Schema definitions #​10085
  • fix(index.d.ts): allow passing array of aggregation pipeline stages to updateOne() and updateMany() #​10095
  • fix(index.d.ts): support legacy 2nd param callback syntax for deleteOne(), deleteMany() #​10122
  • docs(mongoose): make useCreateIndex always false in docs #​10033
  • docs(schema): fix incorrect links from schema API docs #​10111

v5.12.4

  • fix: upgrade mongodb driver -> 3.6.6 #​10079
  • fix: store fields set with select:false at schema-level when saving a new document #​10101 ptantiku
  • fix(populate): avoid turning already populated field to null when populating an existing lean document #​10068 IslandRhythms
  • fix(populate): correctly populate lean subdocs with _id property #​10069
  • fix(model): insertedDocs may contain docs that weren't inserted #​10098 olnazx
  • fix(schemaType): make type Mixed cast error objects to pojos #​10131 AbdelrahmanHafez
  • fix(populate): support populating embedded discriminators in nested arrays #​9984
  • fix(populate): handle populating map paths using trailing .$* #​10123
  • fix(populate): allow returning primitive from transform() function for single conventional populate #​10064
  • fix(index.d.ts): allow generic classes of T to use T & Document internally #​10046
  • fix(index.d.ts): allow $pull with $ paths #​10075
  • fix(index.d.ts): use correct Date type for $currentDate #​10058
  • fix(index.d.ts): add missing asyncInterator to Query type def #​10094 borfig
  • fix(index.d.ts): allow RHS of $unset properties to be any value #​10066
  • fix(index.d.ts): allow setting SchemaType index property to a string #​10077
  • refactor(index.d.ts): move discriminator() to common interface #​10109 LoneRifle

v5.12.3

  • fix: avoid setting schema-level collation on text indexes #​10044 IslandRhythms
  • fix(query): add writeConcern() method to avoid writeConcern deprecation warning #​10009
  • fix(connection): use queueing instead of event emitter for createCollection() and other helpers to avoid event emitter warning #​9778
  • fix(connection): scope Connection#id to Mongoose instance so id always lines up with mongoose.connections index #​10025 IslandRhythms
  • fix: avoid throwing in promiseOrCallback() if 3rd param isn't an EventEmitter #​10055 emrebass
  • fix(index.d.ts): add Model as 2nd generic param to Model.discriminator() #​10054 coro101
  • fix(index.d.ts): add docs to next() callback for pre('insertMany') hooks #​10078 #​10072 pezzu
  • fix(index.d.ts): add transform to PopulateOptions interface #​10061
  • fix(index.d.ts): add DocumentQuery type for backwards compatibility #​10036

v5.12.2

  • fix(QueryCursor): consistently execute post('find') hooks with an array of docs #​10015 #​9982 IslandRhythms
  • fix(schema): support setting ref as an option on an array SchemaType #​10029
  • fix(query): apply schema-level select option from array schematypes #​10029
  • fix(schema): avoid possible prototype pollution with Schema() constructor #​10035 zpbrent
  • fix(model): make bulkWrite skip timestamps with timestamps: false #​10050 SoftwareSing
  • fix(index.d.ts): make query methods return QueryWithHelpers so query helpers pass through chaining #​10040
  • fix(index.d.ts): add upserted array to updateOne(), updateMany(), update() result #​10042
  • fix(index.d.ts): add back Aggregate#project() types that were mistakenly removed in 5.12.0 #​10043
  • fix(index.d.ts): always allow setting type in Schema to a SchemaType class or a Schema instance #​10030
  • docs(transactions): introduce session.withTransaction() before session.startTransaction() because withTransaction() is the recommended approach #​10008
  • docs(mongoose+browser): fix broken links to info about mongoose.Types #​10016

v5.12.1

v5.12.0

  • feat(populate): add transform option that Mongoose will call on every populated doc #​3775
  • feat(query): make Query#pre() and Query#post() public #​9784
  • feat(document): add Document#getPopulatedDocs() to return an array of all populated documents in a document #​9702 IslandRhythms
  • feat(document): add Document#getAllSubdocs() to return an array of all single nested and array subdocuments #​9764 IslandRhythms
  • feat(schema): allow schema as a schema path name #​8798 IslandRhythms
  • feat(QueryCursor): Add batch processing for eachAsync #​9902 khaledosama999
  • feat(connection): add noListener option to help with use cases where you're using useDb() on every request #​9961
  • feat(index): emit 'createConnection' event when user calls mongoose.createConnection() #​9985
  • feat(connection+index): emit 'model' and 'deleteModel' events on connections when creating and deleting models #​9983
  • feat(query): allow passing explain option to Model.exists() #​8098 IslandRhythms

v5.11.20

  • fix(query+populate): avoid unnecessarily projecting in subpath when populating a path that uses an elemMatch projection #​9973
  • fix(connection): avoid db events deprecation warning with 'close' events #​10004 #​9930
  • fix(index.d.ts): make $pull more permissive to allow dotted paths #​9993

v5.11.19

  • fix(document): skip validating array elements that aren't modified when validateModifiedOnly is set #​9963
  • fix(timestamps): apply timestamps on findOneAndReplace() #​9951
  • fix(schema): correctly handle trailing array filters when looking up schema paths #​9977
  • fix(schema): load child class getter for virtuals instead of base class when using loadClass() #​9975
  • fix(index.d.ts): allow creating statics without passing generics to Schema constructor #​9969
  • fix(index.d.ts): add QueryHelpers generic to schema and model, make all query methods instead return QueryWithHelpers #​9850
  • fix(index.d.ts): support setting type to an array of schemas when using SchemaDefinitionType #​9962
  • fix(index.d.ts): add generic to plugin schema definition #​9968 emiljanitzek
  • docs: small typo fix #​9964 KrishnaMoorthy12

v5.11.18

  • fix(connection): set connection state to disconnected if connecting string failed to parse #​9921
  • fix(connection): remove db events deprecation warning if useUnifiedTopology = true #​9930
  • fix(connection): fix promise chaining for openUri #​9960 lantw44
  • fix(index.d.ts): add PopulatedDoc type to make it easier to define populated docs in interfaces [

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
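As an added, stand-alone example (not mongoose's code and not part of this PR): a constructed simplification of the dotted-path setter pattern the advisory above describes, a hardened variant that rejects prototype-reaching segments and only descends into own properties, a runtime check for a tampered Object.prototype, and a version gate built from the fixed versions CVE-2023-3696 lists. The naive setter models the bug class rather than mongoose's actual Schema.path() implementation, and the version gate assumes majors above 7 are fixed and majors below 5 are not covered.

```javascript
// Segments that let a dotted path climb out of the target object into
// Object.prototype (the advisory's payload begins with "__proto__").
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed model of the vulnerable pattern (not mongoose's code): walks "a.b.c"
// creating intermediates with no check on segment names; "__proto__" lands on Object.prototype.
function naiveSetPath(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === null || typeof cur[parts[i]] !== 'object') {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened form, step 1: reject prototype-reaching or empty segments up front.
function isSafeSchemaPath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((s) => s.length > 0 && !FORBIDDEN_SEGMENTS.has(s));
}

// Step 2: only descend into own properties, via null-prototype containers.
function safeSetPath(target, path, value) {
  if (!isSafeSchemaPath(path)) {
    throw new TypeError(`refusing unsafe schema path: ${JSON.stringify(path)}`);
  }
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || cur[parts[i]] === null || typeof cur[parts[i]] !== 'object') {
      cur[parts[i]] = Object.create(null);
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runtime detection: snapshot Object.prototype's own keys and native toString at load.
const NATIVE_TO_STRING = Object.prototype.toString;
const BUILTIN_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function prototypeIsClean() {
  const extra = Object.getOwnPropertyNames(Object.prototype).filter((k) => !BUILTIN_KEYS.has(k));
  return Object.prototype.toString === NATIVE_TO_STRING && extra.length === 0;
}

// Version gate from the fixed versions CVE-2023-3696 names; assumption: majors above 7 are fixed, below 5 are not.
const FIXED_VERSIONS = { 5: [5, 13, 20], 6: [6, 11, 3], 7: [7, 3, 3] };

function isFixedMongoose(version) {
  const v = version.split('.').map(Number);
  if (v.length !== 3 || v.some(Number.isNaN)) return false;
  const floor = FIXED_VERSIONS[v[0]];
  if (!floor) return v[0] > 7; // later majors postdate the fix; 4.x and below not covered
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i];
  }
  return true;
}

// Reproduce the advisory's pollution with the naive setter, undo it, and check the hardened setter refuses it.
function demonstrate() {
  const before = prototypeIsClean();
  naiveSetPath({}, '__proto__.polluted', 'yes');
  const leaked = ({}).polluted;
  const during = prototypeIsClean();
  delete Object.prototype.polluted;
  let rejected = false;
  try { safeSetPath({}, '__proto__.polluted', 'yes'); } catch (e) { rejected = e instanceof TypeError; }
  return { before, leaked, during, after: prototypeIsClean(), rejected };
}
```

demonstrate() returns { before: true, leaked: 'yes', during: false, after: true, rejected: true }, which is the sequence the advisory's PoC relies on, observed and then cleaned up.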

@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 9711272 to cc07d1b Compare July 18, 2023 19:13
@renovate renovate bot changed the title fix(deps): update dependency mongoose to v5.13.15 [security] fix(deps): update dependency mongoose to v5.13.20 [security] Jul 18, 2023