From 840dde2b17f13abc0d89ae78f0f6a3131fc54d26 Mon Sep 17 00:00:00 2001 From: Sasha <64744993+r1tsuu@users.noreply.github.com> Date: Thu, 5 Dec 2024 18:43:14 +0200 Subject: [PATCH] fix(db-mongodb): bump `mongoose` to `8.8.3` (#9747) Fixes https://github.com/payloadcms/payload/issues/9729. The current version has vulnerability https://avd.aquasec.com/nvd/2024/cve-2024-53900/. Technically, Payload doesn't use described in the report [`$where`](https://www.mongodb.com/docs/manual/reference/operator/query/where/#op._S_where) property in its queries at all, but it may affect those who access mongoose via `payload.db.collections` directly --- packages/db-mongodb/package.json | 2 +- pnpm-lock.yaml | 16 ++++++++-------- test/package.json | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/db-mongodb/package.json b/packages/db-mongodb/package.json index 8d1c46cc001..f4291ad868f 100644 --- a/packages/db-mongodb/package.json +++ b/packages/db-mongodb/package.json @@ -47,7 +47,7 @@ }, "dependencies": { "http-status": "1.6.2", - "mongoose": "8.8.1", + "mongoose": "8.8.3", "mongoose-aggregate-paginate-v2": "1.1.2", "mongoose-paginate-v2": "1.8.5", "prompts": "2.4.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e2d521f0682..67769e2eb77 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -269,8 +269,8 @@ importers: specifier: 1.6.2 version: 1.6.2 mongoose: - specifier: 8.8.1 - version: 8.8.1(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) + specifier: 8.8.3 + version: 8.8.3(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) mongoose-aggregate-paginate-v2: specifier: 1.1.2 version: 1.1.2 @@ -1745,8 +1745,8 @@ importers: specifier: 4.0.0 version: 4.0.0 mongoose: - specifier: 8.8.1 - version: 8.8.1(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) + specifier: 8.8.3 + version: 8.8.3(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) next: specifier: 15.0.2 version: 15.0.2(@opentelemetry/api@1.9.0)(@playwright/test@1.48.1)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@19.0.0-beta-df7b47d-20241124)(react-dom@19.0.0-rc-66855b96-20241106(react@19.0.0-rc-66855b96-20241106))(react@19.0.0-rc-66855b96-20241106)(sass@1.77.4) @@ -8272,8 +8272,8 @@ packages: resolution: {integrity: sha512-kFxhot+yw9KmpAGSSrF/o+f00aC2uawgNUbhyaM0USS9L7dln1NA77/pLg4lgOaRgXMtfgCENamjqZwIM1Zrig==} engines: {node: '>=4.0.0'} - mongoose@8.8.1: - resolution: {integrity: sha512-l7DgeY1szT98+EKU8GYnga5WnyatAu+kOQ2VlVX1Mxif6A0Umt0YkSiksCiyGxzx8SPhGe9a53ND1GD4yVDrPA==} + mongoose@8.8.3: + resolution: {integrity: sha512-/I4n/DcXqXyIiLRfAmUIiTjj3vXfeISke8dt4U4Y8Wfm074Wa6sXnQrXN49NFOFf2mM1kUdOXryoBvkuCnr+Qw==} engines: {node: '>=16.20.1'} mpath@0.9.0: @@ -14568,7 +14568,7 @@ snapshots: '@types/mongoose-aggregate-paginate-v2@1.0.12(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3)': dependencies: '@types/node': 22.5.4 - mongoose: 8.8.1(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) + mongoose: 8.8.3(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3) transitivePeerDependencies: - '@aws-sdk/credential-providers' - '@mongodb-js/zstd' @@ -18416,7 +18416,7 @@ snapshots: mongoose-paginate-v2@1.8.5: {} - mongoose@8.8.1(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3): + mongoose@8.8.3(@aws-sdk/credential-providers@3.687.0(@aws-sdk/client-sso-oidc@3.687.0(@aws-sdk/client-sts@3.687.0)))(socks@2.8.3): dependencies: bson: 6.9.0 kareem: 2.6.3 diff --git a/test/package.json b/test/package.json index 1ea2985b16f..0d946b5a2af 100644 --- a/test/package.json +++ b/test/package.json @@ -68,7 +68,7 @@ "file-type": "19.3.0", "http-status": "1.6.2", "jwt-decode": "4.0.0", - "mongoose": "8.8.1", + "mongoose": "8.8.3", "next": "15.0.2", "payload": "workspace:*", "qs-esm": "7.0.2",