
Update dependency mongoose to ~7.8.0 [SECURITY] #111

Open. Wants to merge 1 commit into base: master.

Conversation

renovate[bot] (Contributor) commented Jul 18, 2023

This PR contains the following updates:

Package: mongoose (source)
Change: ~7.2.0 -> ~7.8.0

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.


Release Notes

Automattic/mongoose (mongoose)

v7.8.3

v7.8.2

  • fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893

v7.8.1

  • fix(query): handle casting $switch in $expr #14761
  • docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #14811 #14810

v7.8.0

v7.7.0

v7.6.13

v7.6.12

v7.6.11

  • fix(populate): avoid match function filtering out null values in populate result #14518
  • fix(schema): support setting discriminator options in Schema.prototype.discriminator() #14493 #14448
  • fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #14492 #14457

v7.6.10

  • docs(model): add extra note about lean option for insertMany() skipping casting #14415
  • docs(mongoose): add options.overwriteModel details to mongoose.model() docs #14422

v7.6.9

  • fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #14256 #14245
  • types(model): correct return type for findByIdAndDelete() #14233 #14190
  • docs(connections): add note about using asPromise() with createConnection() for error handling #14364 #14266
  • docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #14264 #14246

v7.6.8

  • perf(schema): remove unnecessary lookahead in numeric subpath check
  • fix(discriminator): handle reusing schema with embedded discriminators defined using Schema.prototype.discriminator #14202 #14162
  • fix(ChangeStream): avoid suppressing errors in closed change stream #14206 #14177

v7.6.7

  • fix: avoid minimizing single nested subdocs if they are required #14151 #14058
  • fix(populate): allow deselecting discriminator key when populating #14155 #3230
  • fix: allow adding discriminators using Schema.prototype.discriminator() to subdocuments after defining parent schema #14131 #14109
  • fix(schema): avoid creating unnecessary clone of schematype in nested array so nested document arrays use correct constructor #14128 #14101
  • fix(populate): call transform object with single id instead of array when populating a justOne path under an array #14135 #14073
  • types: add back mistakenly removed findByIdAndRemove() function signature #14136 #14132

v7.6.6

v7.6.5

v7.6.4

v7.6.3

  • fix(populate): handle multiple spaces when specifying paths to populate using space-delimited paths #13984 #13951
  • fix(update): avoid applying defaults on query filter when upserting with empty update #13983 #13962
  • fix(model): add versionKey to bulkWrite when inserting or upserting #13981 #13944
  • docs: fix typo in timestamps docs #13976 danielcoker

v7.6.2

  • perf: avoid storing a separate entry in schema subpaths for every element in an array #13953 #13874
  • fix(document): avoid triggering setter when initializing Model.prototype.collection to allow defining collection as a schema path name #13968 #13956
  • fix(model): make bulkSave() save changes in discriminator paths if calling bulkSave() on base model #13959 #13907
  • fix(document): allow calling $model() with no args for TypeScript #13963 #13878
  • fix(schema): handle embedded discriminators defined using Schema.prototype.discriminator() #13958 #13898
  • types(model): make InsertManyResult consistent with return type of insertMany #13965 #13904
  • types(models): add cleaner type definitions for insertMany() with no generics to prevent errors when using insertMany() in generic classes #13964 #13957
  • types(schematypes): allow defining map path using type: 'Map' in addition to type: Map #13960 #13755

v7.6.1

v7.6.0

v7.5.4

v7.5.3

  • fix(document): handle MongoDB Long when casting BigInts #13869 #13791
  • fix(model): make bulkSave() persist changes that happen in pre('save') middleware #13885 #13799
  • fix: handle casting $elemMatch underneath $not underneath another $elemMatch #13893 #13880
  • fix(model): make bulkWrite casting respect global setDefaultsOnInsert #13870 #13823
  • fix(document): handle default values for discriminator key with embedded discriminators #13891 #13835
  • fix: account for null values when assigning isNew property within document array #13883
  • types: avoid "interface can only extend object types with statically known members" error in TypeScript 4 #13871
  • docs(deprecations): fix typo in includeResultMetadata deprecation docs #13884 #13844
  • docs: fix pre element overflow in home page #13868 ghoshRitesh12

v7.5.2

  • fix(schema): handle number discriminator keys when using Schema.prototype.discriminator() #13858 #13788
  • fix: ignore id property when calling set() with both id and _id specified to avoid id setter overwriting #13762
  • types: pass correct document type to required and default function #13851 #13797
  • docs(model): add examples of using diffIndexes() to syncIndexes() and diffIndexes() api docs #13850 #13771

v7.5.1

  • fix: set default value for _update when no update object is provided and versionKey is set to false #13795 #13783 MohOraby
  • fix: avoid unexpected error when accessing null array element on discriminator array when populating #13716 ZSabakh
  • types(schematypes): use DocType for instance method this #13822 #13800 pshaddel
  • types: remove duplicated 'exists' method in Model interface in models.d.ts #13818 ohzeno
  • docs(model): replace outdated docs on deprecated findOneAndUpdate() overwrite option #13821 #13715
  • docs: add example of using virtuals.pathsToSkip option for toObject() and toJSON() #13798 RobertHunter-Pluto

v7.5.0

  • feat: use mongodb driver v5.18.1
  • feat: allow top level dollar keys with findOneAndUpdate(), update() for MongoDB 5 #13786
  • fix(document): make array getters avoid unintentionally modifying array, defer getters until index access instead #13774
  • feat: deprecate overwrite option for findOneAndUpdate() #13578
  • feat: add pathsToSkip option for Model.validate #13663 #10353
  • feat: support alias when declaring index #13659 #13276
  • fix(query): remove unnecessary check for atomic operators in findOneAndReplace() #13678
  • types: add SearchMeta Interface for Atlas Search #13792 mreouven
  • types(schematypes): add missing BigInt SchemaType #13787

v7.4.5

  • fix(debug): avoid putting virtuals and getters in debug output #13778
  • fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
  • fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

v7.4.4

  • fix(connection): reset document state in between transaction retries #13726 #13698
  • fix(cursor): bubble up resumeTokenChanged event from change streams #13736 #13607
  • fix(query+populate): add refPath to projection by default, unless explicitly excluded #13758
  • fix(schema): support 'ascending', 'asc', 'descending', 'desc' for index direction #13761 #13725
  • fix(ChangeStream): add _bindEvents to addListener function for observable support #13759 yury-ivaniutsenka
  • types: infer return type when using get(), markModified(), etc. with known property name literal #13739 maybesmurf
  • types: add missing typings for option includeResultMetadata #13747 #13746 Idnan
  • types: export InferSchemaType #13737
  • docs(middleware): clarify that query middleware applies to document by default #13734 #13713
  • docs: add brief note on TypeScript generic usage for embedded discriminator path() calls #13728 #10435
  • docs: link v7 migration guide #13742 Cooldogyum
  • docs(migrating_to_6): add note about incompatible packages #13733

v7.4.3

  • fix: avoid applying map property getters when saving #13704 #13657
  • fix(query): allow deselecting discriminator key #13722 #13679
  • types(models+query): return lean type when passing QueryOptions with lean: true to relevant model functions like find() and findOne() #13721 #13705
  • types(schema): correct return type for Schema.prototype.indexes() #13718 #13702
  • types: allow accessing options from pre middleware #13708 #13633
  • types: add UpdateQueryKnownOnly type for stricter UpdateQuery type checking #13699 #13630
  • types(schema): support required: { isRequired: true } syntax in schema definition #13680
  • docs(middleware): clarify that doc.deleteOne() doesn't run query middleware currently #13707 #13669

v7.4.2

v7.4.1

  • fix(document): correctly clean up nested subdocs modified state on save() #13644 #13609
  • fix(schema): avoid propagating toObject.transform and toJSON.transform option to implicitly created schemas #13634 #13599
  • fix: prevent schema options overwriting user defined writeConcern #13612 #13592
  • types: correctly handle pre('deleteOne', { document: true }) #13632
  • types(schema): handle type: Schema.Types.Map in TypeScript #13628
  • types: Add inline comment to to tell the default value of the runValidator flag in the queryOptions types #13636 omran95
  • docs: rework several code examples that still use callbacks #13635 #13616
  • docs: remove callbacks from validation description #13638 #13501

v7.4.0

  • perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614
  • feat: upgrade to MongoDB Node.js driver 5.7.0 #13591
  • feat: support generating custom cast error message with a function #13608 #3162
  • feat(query): support MongoDB driver's includeResultMetadata option for findOneAndUpdate #13584 #13539
  • feat(connection): add Connection.prototype.removeDb() for removing a related connection #13580 #11821
  • feat(query): delay converting documents into POJOs until query execution, allow querying subdocuments with defaults disabled #13522
  • feat(model): add option "aggregateErrors" for create() #13544 hasezoey
  • feat(schema): add collectionOptions option to schemas #13513
  • fix: move all MongoDB-specific connection logic into driver layer, add createClient() method to handle creating MongoClient #13542
  • fix(document): allow setting keys with dots in mixed paths underneath nested paths #13536
  • types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey
  • docs(guide): fix md lint #13593 hasezoey
  • docs: changed the code from 'await author.save()' to 'await story1.save()' #13596 SomSingh23

v7.3.4

7.3.4 / 2023-07-12

  • chore: release 7.4.4 to overwrite accidental publish of 5.13.20 to latest tag

v7.3.3

  • fix: avoid prototype pollution on init
  • fix(document): clean up all array subdocument modified paths on save() #13589 #13582
  • types: avoid unnecessary MergeType<> if TOverrides not set, clean up statics and insertMany() type issues #13577 #13529

v7.3.2

  • fix(model): avoid TypeError if insertMany() fails with error that does not have writeErrors property #13579 #13531
  • fix(query): convert findOneAndUpdate to findOneAndReplace when overwrite set for backwards compat with Mongoose 6 #13572 #13550
  • fix(query): throw readable error when executing a Query instance without an associated model #13571 #13570
  • types: support mongoose.Schema.ObjectId as alias for mongoose.Schema.Types.ObjectId #13543 #13534
  • docs(connections): clarify that socketTimeoutMS now defaults to 0 #13576 #13537
  • docs(migrating_to_7): add mapReduce() removal to migration guide #13568 #13548
  • docs(schemas): fix typo in schemas.md #13540 Metehan-Altuntekin

v7.3.1

  • fix(query): respect query-level strict option on findOneAndReplace() #13516 #13507
  • docs(connections): expand docs on serverSelectionTimeoutMS #13533 #12967
  • docs: add example of accessing save options in pre save #13498
  • docs(connections+faq): add info on localhost vs 127.0.0.1
  • docs(SchemaType): validate members are validator & message (not msg) #13521 lorand-horvath

v7.3.0

  • feat: upgrade mongodb -> 5.6.0 #13455 lorand-horvath
  • feat(aggregate): add Aggregate.prototype.finally() to be consistent with Promise API for TypeScript #13509
  • feat(schema): support selecting subset of fields to apply optimistic concurrency to #13506 #10591
  • feat(model): add ordered option to Model.create() #13472 #4038
  • feat(schema): consistently add .get() function to all SchemaType classes
  • feat(populate): pass virtual to match function to allow merging match options #13477 #12443
  • types: allow overwriting Paths in select() to tell TypeScript which fields are projected #13478 #13224
  • types(schema): add validateModifiedOnly as schema option #13503 #10153
  • docs: add note about validateModifiedOnly as a schema option #13503 #10153
  • docs(migrating_to_7): update migrating_to_7.md to include Model.countDocuments #13508 Climax777
  • docs(further_reading): remove style for "img" hasezoey

v7.2.4

v7.2.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

github-actions bot enabled auto-merge (squash), July 18, 2023 20:15
renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from fb0dcd1 to 9a9add8, July 25, 2023 12:36
renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 9a9add8 to 5249f68, September 3, 2023 15:42
renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 3 times, most recently from 6eeeece to 446a45b, October 4, 2023 23:11
renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 446a45b to 191e20f, December 3, 2024 11:56
renovate bot changed the title from "Update dependency mongoose to ~7.3.0 [SECURITY]" to "Update dependency mongoose to v8 [SECURITY]", Dec 3, 2024
renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 191e20f to 1a13b82, December 4, 2024 20:49
renovate bot changed the title from "Update dependency mongoose to v8 [SECURITY]" to "Update dependency mongoose to ~7.8.0 [SECURITY]", Dec 4, 2024