fix(deps): update dependency mongoose to v7.3.3 [security] #811

Merged
merged 1 commit into from
Aug 26, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jul 18, 2023

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| mongoose (source) | 7.1.0 -> 7.3.3 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.


Release Notes

Automattic/mongoose (mongoose)

v7.3.3

Compare Source

==================

  • fix: avoid prototype pollution on init
  • fix(document): clean up all array subdocument modified paths on save() #​13589 #​13582
  • types: avoid unnecessary MergeType<> if TOverrides not set, clean up statics and insertMany() type issues #​13577 #​13529

v7.3.2

Compare Source

==================

  • fix(model): avoid TypeError if insertMany() fails with error that does not have writeErrors property #​13579 #​13531
  • fix(query): convert findOneAndUpdate to findOneAndReplace when overwrite set for backwards compat with Mongoose 6 #​13572 #​13550
  • fix(query): throw readable error when executing a Query instance without an associated model #​13571 #​13570
  • types: support mongoose.Schema.ObjectId as alias for mongoose.Schema.Types.ObjectId #​13543 #​13534
  • docs(connections): clarify that socketTimeoutMS now defaults to 0 #​13576 #​13537
  • docs(migrating_to_7): add mapReduce() removal to migration guide #​13568 #​13548
  • docs(schemas): fix typo in schemas.md #​13540 Metehan-Altuntekin

v7.3.1

Compare Source

==================

  • fix(query): respect query-level strict option on findOneAndReplace() #​13516 #​13507
  • docs(connections): expand docs on serverSelectionTimeoutMS #​13533 #​12967
  • docs: add example of accessing save options in pre save #​13498
  • docs(connections+faq): add info on localhost vs 127.0.0.1
  • docs(SchemaType): validate members are validator & message (not msg) #​13521 lorand-horvath

v7.3.0

Compare Source

==================

  • feat: upgrade mongodb -> 5.6.0 #​13455 lorand-horvath
  • feat(aggregate): add Aggregate.prototype.finally() to be consistent with Promise API for TypeScript #​13509
  • feat(schema): support selecting subset of fields to apply optimistic concurrency to #​13506 #​10591
  • feat(model): add ordered option to Model.create() #​13472 #​4038
  • feat(schema): consistently add .get() function to all SchemaType classes
  • feat(populate): pass virtual to match function to allow merging match options #​13477 #​12443
  • types: allow overwriting Paths in select() to tell TypeScript which fields are projected #​13478 #​13224
  • types(schema): add validateModifiedOnly as schema option #​13503 #​10153
  • docs: add note about validateModifiedOnly as a schema option #​13503 #​10153
  • docs(migrating_to_7): update migrating_to_7.md to include Model.countDocuments #​13508 Climax777
  • docs(further_reading): remove style for "img" hasezoey

v7.2.4

Compare Source

==================

v7.2.3

Compare Source

==================

v7.2.2

Compare Source

==================

  • fix(schema): make bulkWrite updateOne() and updateMany() respect timestamps option when set by merging schemas #​13445
  • fix(schema): recursively copy schemas from different modules when calling new Schema() #​13441 #​13275
  • fix(update): allow setting paths with dots under non-strict paths #​13450 #​13434
  • types: improve function parameter types for ToObjectOptions transform option #​13446 #​13421
  • docs: add nextjs page with link to next starter app and couple FAQs #​13444 #​13430
  • docs(connections): add section on multi tenant #​13449 #​11187
  • docs(connection+model): expand docs on accessors for underlying collections #​13448 #​13334

v7.2.1

Compare Source

==================

  • fix(array): track correct changes when setting nested array of primitives #​13422 #​13372
  • fix(query): handle plus path in projection with findOneAndUpdate() #​13437 #​13413
  • fix(cursor): handle calling skipMiddlewareFunction() in pre('find') middleware with cursors #​13436 #​13411
  • fix(model): include inspect output in castBulkWrite() error #​13426
  • fix: avoid setting null property when updating using update pipeline with child timestamps but no top-level timestamps #​13427 #​13379
  • docs: remove callback based examples #​13433 #​13401
  • docs(connections): add details about keepAlive deprecation #​13431
  • docs: add list of supported patterns for error message templating #​13425 #​13311

v7.2.0

Compare Source

==================

  • feat: upgrade mongodb -> 5.5.0
  • feat(document): add flattenObjectIds option to toObject() and toJSON() #​13383 #​13341
  • feat(query): add translateAliases option to automatically call translate aliases on query fields #​13397 #​8678 #​7511
  • feat(schema): propagate toObject and toJSON options to implicitly created schemas #​13325
  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​13410 #​13256
  • feat(types+mongoose): export MongooseError #​13403 #​13387 ramos-ph

v7.1.2

Compare Source

==================

v7.1.1

Compare Source

==================


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 18, 2023
@github-actions github-actions bot added the ci-passed PRs that was passed in ci label Jul 18, 2023
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3e9434d to e874267 Compare August 26, 2023 16:29
@wibus-wee wibus-wee added this pull request to the merge queue Aug 26, 2023
Merged via the queue into main with commit 4b50c9a Aug 26, 2023
6 of 8 checks passed
@wibus-wee wibus-wee deleted the renovate/npm-mongoose-vulnerability branch August 26, 2023 16:30