New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency mongoose to v7.8.3 [security] #277

Open

renovate wants to merge 1 commit into main from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Jul 18, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	`7.0.3` -> `7.8.3`

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Release Notes

Automattic/mongoose (mongoose)

`v7.8.3`

`v7.8.2`

==================

fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893

`v7.8.1`

==================

fix(query): handle casting $switch in $expr #14761
docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #14811 #14810

`v7.8.0`

`v7.7.0`

`v7.6.13`

`v7.6.12`

===================

fix(array): avoid converting to $set when calling pull() on an element in the middle of the array #14531 #14502
fix: bump mongodb driver to 5.9.2 #14561 lorand-horvath
fix(update): cast array of strings underneath doc array with array filters #14605 #14595

`v7.6.11`

===================

fix(populate): avoid match function filtering out null values in populate result #14518
fix(schema): support setting discriminator options in Schema.prototype.discriminator() #14493 #14448
fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #14492 #14457

`v7.6.10`

===================

docs(model): add extra note about lean option for insertMany() skipping casting #14415
docs(mongoose): add options.overwriteModel details to mongoose.model() docs #14422

`v7.6.9`

==================

fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #14256 #14245
types(model): correct return type for findByIdAndDelete() #14233 #14190
docs(connections): add note about using asPromise() with createConnection() for error handling #14364 #14266
docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #14264 #14246

`v7.6.8`

==================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(discriminator): handle reusing schema with embedded discriminators defined using Schema.prototype.discriminator #14202 #14162
fix(ChangeStream): avoid suppressing errors in closed change stream #14206 #14177

`v7.6.7`

==================

fix: avoid minimizing single nested subdocs if they are required #14151 #14058
fix(populate): allow deselecting discriminator key when populating #14155 #3230
fix: allow adding discriminators using Schema.prototype.discriminator() to subdocuments after defining parent schema #14131 #14109
fix(schema): avoid creating unnecessary clone of schematype in nested array so nested document arrays use correct constructor #14128 #14101
fix(populate): call transform object with single id instead of array when populating a justOne path under an array #14135 #14073
types: add back mistakenly removed findByIdAndRemove() function signature #14136 #14132

`v7.6.6`

==================

perf: avoid double-running setter logic when calling push() #14120 #11380
fix(populate): set populated docs in correct order when populating virtual underneath doc array with justOne #14105 #14018
fix: bump mongodb driver -> 5.9.1 #14084 #13829 lorand-horvath
types: allow defining document array using [{ prop: String }] syntax #14095 #13424
types: correct types for when includeResultMetadata: true is set #14078 #13987 prathamVaidya
types(query): base filters and projections off of RawDocType instead of DocType so autocomplete doesn't show populate #14118 #14077
types: make property names show up in intellisense for UpdateQuery #14123 #14090
types(model): support calling Model.validate() with pathsToSkip option #14088 #14003
docs: remove "DEPRECATED" warning mistakenly added to read() tags param #13980

`v7.6.5`

==================

fix: handle update validators and single nested doc with numeric paths #14066 #13977
fix: handle recursive schema array in discriminator definition #14068 #14055
fix: diffIndexes treats namespace error as empty #14048 #14029
docs(migrating_to_7): add note about requiring new with ObjectId #14021 #14020

`v7.6.4`

`v7.6.3`

==================

fix(populate): handle multiple spaces when specifying paths to populate using space-delimited paths #13984 #13951
fix(update): avoid applying defaults on query filter when upserting with empty update #13983 #13962
fix(model): add versionKey to bulkWrite when inserting or upserting #13981 #13944
docs: fix typo in timestamps docs #13976 danielcoker

`v7.6.2`

==================

perf: avoid storing a separate entry in schema subpaths for every element in an array #13953 #13874
fix(document): avoid triggering setter when initializing Model.prototype.collection to allow defining collection as a schema path name #13968 #13956
fix(model): make bulkSave() save changes in discriminator paths if calling bulkSave() on base model #13959 #13907
fix(document): allow calling $model() with no args for TypeScript #13963 #13878
fix(schema): handle embedded discriminators defined using Schema.prototype.discriminator() #13958 #13898
types(model): make InsertManyResult consistent with return type of insertMany #13965 #13904
types(models): add cleaner type definitions for insertMany() with no generics to prevent errors when using insertMany() in generic classes #13964 #13957
types(schematypes): allow defining map path using type: 'Map' in addition to type: Map #13960 #13755

`v7.6.1`

==================

fix: bump bson to match mongodb@5.9.0 exactly #13947 hasezoey
fix: raw result deprecation message #13954 simllll
type: add types for includeResultMetadata #13955 simllll
perf(npmignore): ignore newer files #13946 hasezoey
perf: move mocha config from package.json to mocharc #13948 hasezoey

`v7.6.0`

==================

feat: upgrade mongodb node driver -> 5.9.0 #13927 #13926 sanguineti
fix: avoid CastError when passing different value of discriminator key in $or #13938 #13906

`v7.5.4`

==================

fix: avoid stripping out id property when _id is set #13933 #13892 #13867
fix(QueryCursor): avoid double-applying schema paths so you can include select: false fields with + projection using cursors #13932 #13773
fix(query): allow deselecting discriminator key using - syntax #13929 #13760
fix(query): handle $round in $expr as array #13928 #13881
fix(document): call pre('validate') hooks when modifying a path underneath triply nested subdoc #13912 #13876
fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13911 #13887
types: add insertMany array overload with options #13931 t1bb4r
docs(compatibility): add Mongoose 7 support to compatibility matrix #13875
docs: amend some awkward FAQ wording #13925 peteboere

`v7.5.3`

==================

fix(document): handle MongoDB Long when casting BigInts #13869 #13791
fix(model): make bulkSave() persist changes that happen in pre('save') middleware #13885 #13799
fix: handle casting $elemMatch underneath $not underneath another $elemMatch #13893 #13880
fix(model): make bulkWrite casting respect global setDefaultsOnInsert #13870 #13823
fix(document): handle default values for discriminator key with embedded discriminators #13891 #13835
fix: account for null values when assigning isNew property within document array #13883
types: avoid "interface can only extend object types with statically known members" error in TypeScript 4 #13871
docs(deprecations): fix typo in includeResultMetadata deprecation docs #13884 #13844
docs: fix pre element overflow in home page #13868 ghoshRitesh12

`v7.5.2`

==================

fix(schema): handle number discriminator keys when using Schema.prototype.discriminator() #13858 #13788
fix: ignore id property when calling set() with both id and _id specified to avoid id setter overwriting #13762
types: pass correct document type to required and default function #13851 #13797
docs(model): add examples of using diffIndexes() to syncIndexes()and diffIndexes() api docs #13850 #13771

`v7.5.1`

==================

fix: set default value for _update when no update object is provided and versionKey is set to false #13795 #13783 MohOraby
fix: avoid unexpected error when accessing null array element on discriminator array when populating #13716 ZSabakh
types(schematypes): use DocType for instance method this #13822 #13800 pshaddel
types: remove duplicated 'exists' method in Model interface in models.d.ts #13818 ohzeno
docs(model): replace outdated docs on deprecated findOneAndUpdate() overwrite option #13821 #13715
docs: add example of using virtuals.pathsToSkip option for toObject() and toJSON() #13798 RobertHunter-Pluto

`v7.5.0`

==================

feat: use mongodb driver v5.18.1
feat: allow top level dollar keys with findOneAndUpdate(), update() for MongoDB 5 #13786
fix(document): make array getters avoid unintentionally modifying array, defer getters until index access instead #13774
feat: deprecate overwrite option for findOneAndUpdate() #13578
feat: add pathsToSkip option for Model.validate #13663 #10353
feat: support alias when declaring index #13659 #13276
fix(query): remove unnecessary check for atomic operators in findOneAndReplace() #13678
types: add SearchMeta Interface for Atlas Search #13792 mreouven
types(schematypes): add missing BigInt SchemaType #13787

`v7.4.5`

==================

fix(debug): avoid putting virtuals and getters in debug output #13778
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v7.4.4`

==================

fix(connection): reset document state in between transaction retries #13726 #13698
fix(cursor): bubble up resumeTokenChanged event from change streams #13736 #13607
fix(query+populate): add refPath to projection by default, unless explicitly excluded #13758
fix(schema): support 'ascending', 'asc', 'descending', 'desc' for index direction #13761 #13725
fix(ChangeStream): add _bindEvents to addListener function for observable support #13759 yury-ivaniutsenka
types: infer return type when using get(), markModified(), etc. with known property name literal #13739 maybesmurf
types: add missing typings for option includeResultMetadata #13747 #13746 Idnan
types: export InferSchemaType #13737
docs(middleware): clarify that query middleware applies to document by default #13734 #13713
docs: add brief note on TypeScript generic usage for embedded discriminator path() calls #13728 #10435
docs: link v7 migration guide #13742 Cooldogyum
docs(migrating_to_6): add note about incompatible packages #13733

`v7.4.3`

==================

fix: avoid applying map property getters when saving #13704 #13657
fix(query): allow deselecting discriminator key #13722 #13679
types(models+query): return lean type when passing QueryOptions with lean: true to relevant model functions like find() and findOne() #13721 #13705
types(schema): correct return type for Schema.prototype.indexes() #13718 #13702
types: allow accessing options from pre middleware #13708 #13633
types: add UpdateQueryKnownOnly type for stricter UpdateQuery type checking #13699 #13630
types(schema): support required: { isRequired: true } syntax in schema definition #13680
docs(middleware): clarify that doc.deleteOne() doesn't run query middleware currently #13707 #13669

`v7.4.2`

==================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13684 #13664
fix: Document.prototype.isModified support for a string of keys as first parameter #13674 #13667 gastoncasini
fix: disable id virtual if alias:id set #13654 #13650
fix: support timestamps:false on bulkWrite with updateOne and updateMany #13649 #13611
docs(typescript): highlight auto type inference for methods and statics, add info on using methods with generics #13696 #12942
docs(middleware): fix old example using post('remove') #13683 #13518
docs(deprecations): quick fix for includeResultMetadata docs #13695

`v7.4.1`

==================

fix(document): correctly clean up nested subdocs modified state on save() #13644 #13609
fix(schema): avoid propagating toObject.transform and toJSON.transform option to implicitly created schemas #13634 #13599
fix: prevent schema options overwriting user defined writeConcern #13612 #13592
types: correctly handle pre('deleteOne', { document: true }) #13632
types(schema): handle type: Schema.Types.Map in TypeScript #13628
types: Add inline comment to to tell the default value of the runValidator flag in the queryOptions types #13636 omran95
docs: rework several code examples that still use callbacks #13635 #13616
docs: remove callbacks from validation description #13638 #13501

`v7.4.0`

==================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614
feat: upgrade to MongoDB Node.js driver 5.7.0 #13591
feat: support generating custom cast error message with a function #13608 #3162
feat(query): support MongoDB driver's includeResultMetadata option for findOneAndUpdate #13584 #13539
feat(connection): add Connection.prototype.removeDb() for removing a related connection #13580 #11821
feat(query): delay converting documents into POJOs until query execution, allow querying subdocuments with defaults disabled #13522
feat(model): add option "aggregateErrors" for create() #13544 hasezoey
feat(schema): add collectionOptions option to schemas #13513
fix: move all MongoDB-specific connection logic into driver layer, add createClient() method to handle creating MongoClient #13542
fix(document): allow setting keys with dots in mixed paths underneath nested paths #13536
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey
docs(guide): fix md lint #13593 hasezoey
docs: changed the code from 'await author.save()' to 'await story1.save()' #13596 SomSingh23

`v7.3.4`

7.3.4 / 2023-07-12

chore: release 7.4.4 to overwrite accidental publish of 5.13.20 to latest tag

`v7.3.3`

==================

fix: avoid prototype pollution on init
fix(document): clean up all array subdocument modified paths on save() #13589 #13582
types: avoid unnecessary MergeType<> if TOverrides not set, clean up statics and insertMany() type issues #13577 #13529

`v7.3.2`

==================

fix(model): avoid TypeError if insertMany() fails with error that does not have writeErrors property #13579 #13531
fix(query): convert findOneAndUpdate to findOneAndReplace when overwrite set for backwards compat with Mongoose 6 #13572 #13550
fix(query): throw readable error when executing a Query instance without an associated model #13571 #13570
types: support mongoose.Schema.ObjectId as alias for mongoose.Schema.Types.ObjectId #13543 #13534
docs(connections): clarify that socketTimeoutMS now defaults to 0 #13576 #13537
docs(migrating_to_7): add mapReduce() removal to migration guide #13568 #13548
docs(schemas): fix typo in schemas.md #13540 Metehan-Altuntekin

`v7.3.1`

==================

fix(query): respect query-level strict option on findOneAndReplace() #13516 #13507
docs(connections): expand docs on serverSelectionTimeoutMS #13533 #12967
docs: add example of accessing save options in pre save #13498
docs(connections+faq): add info on localhost vs 127.0.0.1
docs(SchemaType): validate members are validator & message (not msg) #13521 lorand-horvath

`v7.3.0`

==================

feat: upgrade mongodb -> 5.6.0 #13455 lorand-horvath
feat(aggregate): add Aggregate.prototype.finally() to be consistent with Promise API for TypeScript #13509
feat(schema): support selecting subset of fields to apply optimistic concurrency to #13506 #10591
feat(model): add ordered option to Model.create() #13472 #4038
feat(schema): consistently add .get() function to all SchemaType classes
feat(populate): pass virtual to match function to allow merging match options #13477 #12443
types: allow overwriting Paths in select() to tell TypeScript which fields are projected #13478 #13224
types(schema): add validateModifiedOnly as schema option #13503 #10153
docs: add note about validateModifiedOnly as a schema option #13503 #10153
docs(migrating_to_7): update migrating_to_7.md to include Model.countDocuments #13508 Climax777
docs(further_reading): remove style for "img" hasezoey

`v7.2.4`

==================

fix(query): handle non-string discriminator key values in query #13496 #13492

`v7.2.3`

==================

fix(model): ignore falsy last argument to create() for backwards compatibility #13493 #13491 #13487 MohOraby
types: remove generic param that's causing issues for typegoose #13494 #13482
types(aggregate): allow object syntax for $mergeObjects #13470 #13060
docs(connection): clarify how Connection.prototype.destroy() is different from close() #13475
docs(populate): fix accidental removal of text #13480
docs: add additional notes for Atlas X.509 authentication #13452 alexbevi
docs(populate): add a little more info on why we recommend using ObjectId for _id #13474 #13400

`v7.2.2`

==================

fix(schema): make bulkWrite updateOne() and updateMany() respect timestamps option when set by merging schemas #13445
fix(schema): recursively copy schemas from different modules when calling new Schema() #13441 #13275
fix(update): allow setting paths with dots under non-strict paths #13450 #13434
types: improve function parameter types for ToObjectOptions transform option #13446 #13421
docs: add nextjs page with link to next starter app and couple FAQs #13444 #13430
docs(connections): add section on multi tenant #13449 #11187
docs(connection+model): expand docs on accessors for underlying collections #13448 #13334

`v7.2.1`

==================

fix(array): track correct changes when setting nested array of primitives #13422 #13372
fix(query): handle plus path in projection with findOneAndUpdate() #13437 #13413
fix(cursor): handle calling skipMiddlewareFunction() in pre('find') middleware with cursors #13436 #13411
fix(model): include inspect output in castBulkWrite() error #13426
fix: avoid setting null property when updating using update pipeline with child timestamps but no top-level timestamps #13427 #13379
docs: remove callback based examples #13433 #13401
docs(connections): add details about keepAlive deprecation #13431
docs: add list of supported patterns for error message templating #13425 #13311

`v7.2.0`

==================

feat: upgrade mongodb -> 5.5.0
feat(document): add flattenObjectIds option to toObject() and toJSON() #13383 #13341
feat(query): add translateAliases option to automatically call translate aliases on query fields #13397 #8678 #7511
feat(schema): propagate toObject and toJSON options to implicitly created schemas #13325
feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #13410 #13256
feat(types+mongoose): export MongooseError #13403 #13387 ramos-ph

`v7.1.2`

==================

fix: set timestamps on single nested subdoc in insertMany() #13416 #13343
fix: mention model name in missing virtual option in getModelsMapForPopulate #13408 #13406 hasezoey
fix: custom debug function not processing all args #13418 #13364
docs: add virtuals schema options #13407 hasezoey
docs: clarify JSON.stringify() virtuals docs #13273 iatenine

`v7.1.1`

==================

fix(document): handle set() from top-level underneath a map of mixed #13386
fix: don't modify passed options object to createConnection() #13376
types: make lean() not clobber result type for updateOne(), etc. #13389 #13382
types: handle union types in FlattenMaps #13368 #13346 Jokero
types(document): correct return type for Model.prototype.deleteOne(): promise, not query #13367 #13223
types: update document.d.ts $set function params to match set #13304 jeffersonlipsky
docs: add excludeIndexes to the guide schema options list #13377 #13287
docs: fix broken "fork me" on home page #13336

`v7.1.0`

==================

feat: upgrade mongodb -> 5.3.0
feat(schema): add BigInt support, upgrade mongodb -> 5.3.0 #13318 #13081 #6936
feat: handle MongoDB's new UUID type, export mongoose.Types.UUID #13323 #13103
feat: implement createCollections() #13324
feat(query): add isPathSelectedInclusive function on query #13177
types: added overloads for Schema.pre/post with different values for SchemaPreOptions #12680 jpilgrim
types(query): make lean() flatten out inferred maps into Record<string, V> #13326 #13010
docs: update README deno url #13332
docs: update jsdoc to use full URLs instead of non-prefix absolute urls (also fix some urls) #13328 hasezoey
docs: reload api js files on change #13313 hasezoey
docs: update website sidebar to be better use-able #13321 hasezoey
docs: fix schematype @see links #13310 hasezoey
docs(subdocuments): remove callback usage, use deleteOne() rather than remove() re: #13284 #13316

`v7.0.5`

==================

fix(schema): correctly handle uuids with populate() #13317 #13267
fix(schema): add clusteredIndex to schema options #13286 jakesjews
fix(document): use collection.findOne() for saving

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5da4282 to 7ae90dd Compare

December 3, 2024 09:47

renovate bot changed the title ~~fix(deps): update dependency mongoose to v7.3.3 [security]~~ fix(deps): update dependency mongoose to v8 [security]


          fix(deps): update dependency mongoose to v7.8.3 [security]

1e32f68

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 7ae90dd to 1e32f68 Compare

December 4, 2024 19:21

renovate bot changed the title ~~fix(deps): update dependency mongoose to v8 [security]~~ fix(deps): update dependency mongoose to v7.8.3 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet