fix(deps): update dependency mongoose to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	5.13.15 -> 6.11.3

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

---

Release Notes

Automattic/mongoose (mongoose)

v6.11.3

Compare Source

===================

• fix: avoid prototype pollution on init
• fix(schema): correctly handle uuids with populate() #​13317 #​13595

v6.11.2

Compare Source

===================

• fix(cursor): allow find middleware to modify query cursor options #​13476 #​13453 #​13435

v6.11.1

Compare Source

===================

• fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #​13348 #​13340
• fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #​13384 #​13373
• types(model): allow overwriting expected param type for bulkWrite() #​13292 hasezoey

v6.11.0

Compare Source

===================

• feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #​13337 #​13075
• perf: speed up creating maps of subdocuments #​13280 #​13191 #​13271
• fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #​13338
• fix(document): merge Document $inc calls instead of overwriting #​13322
• fix(update): handle casting doubly nested arrays with $pullAll #​13285
• docs: backport documentation versioning changes to 6.x #​13253 #​13190 hasezoey

v6.10.5

Compare Source

===================

• perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #​12953
• fix(model): execute valid write operations if calling bulkWrite() with ordered: false #​13218 #​13176
• fix(array): pass-through all parameters #​13202 #​13201 hasezoey
• fix: improve error message when sorting by empty string #​13249 #​10182
• docs: add version support and check version docs #​13251 #​13193

v6.10.4

Compare Source

===================

• fix(document): apply setters on resulting value when calling Document.prototype.$inc() #​13178 #​13158
• fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #​13163 #​12791
• docs(guide+schematypes): add UUID to schematypes guide #​13184

v6.10.3

Compare Source

===================

• fix(connection): add stub implementation of doClose to base connection class #​13157
• fix(types): add cursor.eachAsync index parameter #​13162 #​13153 hasezoey
• docs: fix 6.x docs sidebar links #​13147 #​13144 hasezoey
• docs(validation): clarify that validation runs as first pre(save) middleware #​13062

v6.10.2

Compare Source

===================

• fix(document): avoid setting array default if document array projected out by sibling projection #​13135 #​13043 #​13003
• fix(documentarray): set correct document array path if making map of document arrays #​13133
• fix: undo accidental change to engines in package.json #​13124 lorand-horvath
• docs: quick improvement to Model.init() docs #​13054

v6.10.1

Compare Source

===================

• fix: avoid removing empty query filters in $and and $or #​13086 #​12898
• fix(schematype): fixed validation for required UUID field #​13018 lpizzinidev
• fix(types): add missing Paths generic param to Model.populate() #​13070
• docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #​13083 lpizzinidev
• docs: fix code in headers for migrating_to_5 #​13077 hasezoey
• docs: backport misc documentation changes into 6.x #​13091 hasezoey

v6.10.0

Compare Source

===================

• feat: upgrade to mongodb driver 4.14.0 #​13036
• feat: added Schema.prototype.omit() function #​12939 #​12931 lpizzinidev
• feat(index): added createInitialConnection option to Mongoose constructor #​13021 #​12965 lpizzinidev

v6.9.3

Compare Source

==================

• fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #​13007 #​12940 lpizzinidev
• fix(discriminator): allows update doc with discriminatorKey #​13056 #​13055 abarriel
• fix(query): avoid sending unnecessary empty projection to MongoDB server #​13059 #​13050
• fix(model): avoid sending null session option with document operations #​13053 #​13052 lpizzinidev
• fix(types): use MergeTypes for type overrides in HydratedDocument #​13066 #​13040
• docs(middleware): list validate as a potential query middleware #​13057 #​12680
• docs(getters-setters): explain that getters do not run by default on toJSON() #​13058 #​13049
• docs: refactor docs generation scripts #​13044 hasezoey

v6.9.2

Compare Source

==================

• fix(model): fixed post('save') callback parameter #​13030 #​13026 lpizzinidev
• fix(UUID): added null check to prevent error on binaryToString conversion #​13034 #​13032 #​13029 lpizzinidev Freezystem
• fix(query): revert breaking changes introduced by #​12797 #​12999 lpizzinidev
• fix(document): make array $shift() use $pop instead of overwriting array #​13004
• docs: update & remove old links #​13019 hasezoey
• docs(middleware): describe how to access model from document middleware #​13031 AxeOfMen
• docs: update broken & outdated links #​13001 hasezoey
• chore: change deno tests to also use MMS #​12918 hasezoey

v6.9.1

Compare Source

==================

• fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #​12994 lpizzinidev
• fix(document): save newly set defaults underneath single nested subdocuments #​13002 #​12905
• fix(update): handle custom discriminator model name when casting update #​12947 wassil
• fix(connection): handles unique autoincrement ID for connections #​12990 lpizzinidev
• fix(types): fix type of options of Model.aggregate #​12933 ghost91-
• fix(types): fix "near" aggregation operator input type #​12954 Jokero
• fix(types): add missing Top operator to AccumulatorOperator type declaration #​12952 lpizzinidev
• docs(transactions): added example for Connection.transaction() method #​12943 #​12934 lpizzinidev
• docs(populate): fix out of date comment referencing onModel property #​13000
• docs(transactions): fix typo in transactions.md #​12995 Parth86

v6.9.0

Compare Source

==================

• feat(schema): add removeVirtual(path) function to schema #​12920 IslandRhythms
• fix(cast): remove empty $or conditions after strict applied #​12898 0x0a0d
• docs: fixed typo #​12946 Gbengstar

v6.8.4

Compare Source

==================

• fix(collection): handle creating model when connection disconnected with bufferCommands = false #​12889
• fix(populate): merge instead of overwrite when match is on _id #​12891
• fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #​12820 sgpinkus
• fix(types): correctly infer types on document arrays #​12884 #​12882 JavaScriptBach
• fix(types): added omit for ArraySubdocument type in LeanType declaration #​12903 piyushk96
• fix(types): add returnDocument type safety #​12906 AbdelrahmanHafez
• docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #​12912 #​12806
• docs(schematypes): removed dead link and fixed formatting #​12897 #​12885 lpizzinidev
• docs: fix link to lean api #​12910 manniL
• docs: list all possible strings for schema.pre in one place #​12868
• docs: add list of known incompatible npm packages #​12892 IslandRhythms

v6.8.3

Compare Source

==================

• perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #​12867 Uzlopak
• fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #​12866
• fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #​12836
• fix(types): avoid inferring timestamps if methods, virtuals, or statics set #​12871
• fix(types): correctly infer string enums on const arrays #​12870 JavaScriptBach
• fix(types): allow virtuals to be invoked in the definition of other virtuals #​12874 sffc
• fix(types): add type def for Aggregate#model without arguments #​12864 hasezoey
• docs(discriminators): add section about changing discriminator key #​12861
• docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #​12860 #​12684

v6.8.2

Compare Source

==================

• fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #​12827 #​12796
• fix(model): respect discriminators with Model.validate() #​12824 #​12621
• fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #​12826 #​12821
• fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #​12833 #​12696
• fix(types): add option "overwriteModels" as a schema option #​12817 #​12816 hasezoey
• fix(types): add property "defaultOptions" #​12818 hasezoey
• docs: make search bar respect documentation version, so you can search 5.x docs #​12548
• docs(typescript): make note about recommending strict mode when using auto typed schemas #​12825 #​12420
• docs: add section on sorting to query docs #​12588 IslandRhythms
• test(query.test): add write-concern option #​12829 hasezoey

v6.8.1

Compare Source

==================

• fix(query): avoid throwing circular dependency error if same object is used in multiple properties #​12774 orgads
• fix(map): return value from super.delete() #​12777 danbrud
• fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #​12815 #​12730
• fix(update): handle embedded discriminators when casting array filters #​12802 #​12565
• fix(populate): avoid calling transform if there's no populate results and using lean #​12804 #​12739
• fix(model): prevent index creation on syncIndexes if not necessary #​12785 #​12250 lpizzinidev
• fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #​12778
• fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #​12784 JavaScriptBach
• docs: replace many occurrences of "localhost" with "127.0.0.1" #​12811 #​12741 hasezoey SadiqOnGithub
• docs(mongoose): Added missing options to set #​12810 lpizzinidev
• docs: add info on $locals parameters to getters/setters tutorial #​12814 #​12550 IslandRhythms
• docs: make Document.prototype.$clone() public #​12803
• docs(query): updated explanation for slice #​12776 #​12474 lpizzinidev
• docs(middleware): fix broken links #​12787 lpizzinidev
• docs(queries): fixed broken links #​12790 lpizzinidev

v6.8.0

Compare Source

==================

• feat: add alpha support for Deno #​12397 #​9056
• feat: add deprecation warning for default strictQuery #​12666
• feat: upgrade to MongoDB driver 4.12.1
• feat(schema): add doc as second params to validation message function #​12564 #​12651 IslandRhythms
• feat(document): add $clone method #​12549 #​11849 lpizzinidev
• feat(populate): allow overriding localField and foreignField for virtual populate #​12657 #​6963 IslandRhythms
• feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #​12723 #​12583
• feat(debug): allow setting debug on a per-connection basis #​12704 #​12700 lpizzinidev
• feat: add rewind function to QueryCursor #​12710 passabilities
• feat(types): infer timestamps option from schema #​12731 #​12069
• docs: change links to not link to api.html anymore #​12644 hasezoey

v6.7.5

Compare Source

==================

• fix(schema): copy indexes when calling add() with schema instance #​12737 #​12654
• fix(query): handle deselecting _id when another field has schema-level select: false #​12736 #​12670
• fix(types): support using UpdateQuery in bulkWrite() #​12742 #​12595
• docs(middleware): added note about execution policy on subdocuments #​12735 #​12694 lpizzinidev
• docs(validation): clarify context for update validators in validation docs #​12738 #​12655 IslandRhythms

v6.7.4

Compare Source

==================

• fix: allow setting global strictQuery after Schema creation #​12717 #​12703 lpizzinidev
• fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #​12716
• fix(types): infer virtuals in query results #​12727 #​12702 #​12684
• fix(types): correctly infer ReadonlyArray types in schema definitions #​12720
• fix(types): avoid typeof Query with generics for TypeScript 4.6 support #​12712 #​12688
• chore: avoid bundling .tgz files when publishing #​12725 hasezoey

v6.7.3

Compare Source

==================

• fix(document): handle setting array to itself after saving and pushing a new value #​12672 #​12656
• fix(types): update replaceWith pipeline stage #​12715 coyotte508
• fix(types): remove incorrect modelName type definition #​12682 #​12669 lpizzinidev
• fix(schema): fix setupTimestamps for browser.umd #​12683 raphael-papazikas
• docs: correct justOne description #​12686 #​12599 tianguangcn
• docs: make links more consistent #​12690 #​12645 hasezoey
• docs(document): explain that $isNew is false in post('save') hooks #​12685 #​11990
• docs: fixed line causing a "used before defined" linting error #​12707 sgpinkus

v6.7.2

Compare Source

==================

• fix(discriminator): skip copying base schema plugins if applyPlugins == false #​12613 #​12604 lpizzinidev
• fix(types): add UUID to types #​12650 #​12593
• fix(types): allow setting SchemaTypeOptions' index property to IndexOptions #​12562
• fix(types): set this to doc type in SchemaType.prototype.validate() #​12663 #​12590
• fix(types): correct handling for model #​12659 #​12573
• fix(types): pre hook with deleteOne should resolve this as Query #​12642 #​12622 lpizzinidev

v6.7.1

Compare Source

==================

• fix(query): select Map field with select: false when explicitly requested #​12616 #​12603 lpizzinidev
• fix: correctly find paths underneath single nested document with an array of mixed #​12605 #​12530
• fix(populate): better support for populating maps of arrays of refs #​12601 #​12494
• fix(types): add missing create constructor signature override type #​12585 naorpeled
• fix(types): make array paths optional in inferred type of array default returns undefined #​12649 #​12420
• fix(types): improve ValidateOpts type #​12606 Freezystem
• docs: add Lodash guide highlighting issues with cloneDeep() #​12609
• docs: removed v5 link from v6 docs #​12641 #​12624 lpizzinidev
• docs: removed outdated connection example #​12618 lpizzinidev

v6.7.0

Compare Source

==================

• feat: upgrade to mongodb driver 4.11.0 #​12446
• feat: add UUID Schema Type (BSON Buffer SubType 4) #​12268 #​3208 hasezoey
• feat(aggregation): add $fill pipeline stage #​12545 raphael-papazikas
• feat(types+schema): allow defining schema paths using mongoose.Types.* to work around TS type inference issues #​12352
• feat(schema): add alias() method that makes it easier to define multiple aliases for a given path #​12368
• feat(model): add mergeHooks option to Model.discriminator() to avoid duplicate hooks #​12542
• feat(document): add $timestamps() method to set timestamps for save(), bulkSave(), and insertMany() #​12540

v6.6.7

Compare Source

==================

• fix: correct browser build and improve isAsyncFunction check for browser #​12577 #​12576 #​12392
• fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #​12578 #​12513

v6.6.6

Compare Source

==================

• fix(update): handle runValidators when using $set on a doc array in discriminator schema #​12571 #​12518
• fix(document): allow creating document with document array and top-level key named schema #​12569 #​12480
• fix(cast): make schema-level strictQuery override schema-level strict for query filters #​12570 #​12508
• fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #​12568 #​12478
• fix: Throws error when updating a key name that match the discriminator key name on nested object #​12534 #​12517 lpizzinidev
• fix(types): add limit to $filter expression #​12553 raphael-papazikas
• fix(types): correct replaceWith type pipeline stage #​12535 FabioCingottini
• fix(types): add missing densify type pipeline type #​12533 FabioCingottini
• docs(populate): added transform option description #​12560 #​12551 lpizzinidev
• docs(connection): add sample to useDb() documentation #​12541 lpizzinidev
• docs(guide): update broken read-preference links #​12538 #​12525 hasezoey
• chore: add TypeScript version field to issue template #​12532 hasezoey

v6.6.5

Compare Source

==================

• fix(document): set defaults on subdocuments underneath init-ed single nested subdocument #​12523 #​12515
• fix: make Jest fake timers check more robust to other libs that overwrite time functions #​12527 #​12514
• fix(types): indicate that Schema.prototype.discriminator() returns this #​12522 #​12457
• fix(types): add "estimatedDocumentCount" and "countDocuments" as possible hooks #​12519 #​12516
• docs(models): add section on MongoDB Views #​12526 #​5694
• docs(subdocs): clarify that populated docs are not subdocs #​12521 #​12398
• docs(change-streams): remove unnecessary obsolete comment about needing to use mongodb driver change streams #​12444

v6.6.4

Compare Source

==================

• fix(model): avoid saving applied defaults if path is deselected #​12506 #​12414
• fix(types): correct DocType for auto typed query helpers #​12342
• fix(types): avoid "excessively deep" type instantiation error when using bulkWrite() with type that extends from document #​12277
• fix(types): avoid relying on typeof this, which isn't supported in TypeScript < 4.4 #​12375
• docs(schema): correct example for Schema.prototype.discriminator() #​12493
• docs(typescript): clean up query helpers examples #​12342
• chore: use mongodb-memory-server for testing #​12262 hasezoey

v6.6.3

Compare Source

==================

• fix(query): treat findOne(_id) as equivalent to findOne({ _id }) #​12485 #​12325
• fix(timestamps): findOneAndUpdate creates subdocs with timestamps in reverse order #​12484 #​12475 lpizzinidev
• fix(types): make schema.plugin() more flexible for schemas that don't define any generics #​12486 #​12454
• fix(types): add "array of array key-value pairs" as a argument option for "query.sort()" #​12483 #​12434 hasezoey
• fix(types): remove unused defaults in "PluginFunction" #​12459 hasezoey
• fix(types): update DiscriminatorSchema to have better names and combine statics #​12460 hasezoey

v6.6.2

Compare Source

==================

• fix(model): avoid deleting shared schema methods in fix for #​12254 #​12423
• fix(document): set $inc default value in case field has not been specified on the document #​12435 lpizzinidev
• fix(query): handle select: false on map paths in query results #​12467 lpizzinidev
• fix(types): add HydratedDocumentFromSchema to make it easier to pull inferred hydrated doc type #​12464 #​12319
• fix(types): add sanitizeFilter to types #​12465 zrosenbauer
• fix(types): infer number enum types from schema if using enum: [0, 1] as const #​12463 #​12242
• docs(validation): add section on global schematype validation, clean up other issues #​12430
• docs: add clarification about overwrite flag in model.js #​12447 Tzvika-m
• docs: change to consistent "Example:" for jsdoc comments #​12432 hasezoey

v6.6.1

Compare Source

==================

• fix: correctly apply defaults after subdoc init #​12328
• fix(array): avoid using default _id when using pull() #​12294
• fix: allow null values inside $expr objects #​12429 MartinDrost
• fix(query): use correct Query constructor when cloning query #​12418
• docs(website): remove setting "latest38x" which is not used anywhere #​12396 hasezoey

v6.6.0

Compare Source

==================

• feat: upgrade mongodb driver -> 4.9.1 #​12370 AbdelrahmanHafez
• feat: re-export default Mongoose instance properties for ESM named imports support #​12256
• feat(model): add option to skip invalid fields with castObject() #​12156 IslandRhythms
• feat: use setPrototypeOf() instead of proto to allow running on Deno #​12315
• feat(QueryCursor): add support for AbortSignal on eachAsync() #​12323
• feat(types): add types for new $densify operator #​12118 IslandRhythms

v6.5.5

Compare Source

==================

• fix(setDefaultsOnInsert): avoid applying defaults on insert if nested property set #​12279
• fix(model): make applyHooks() and applyMethods() handle case where custom method is set to Mongoose implementation #​12254
• fix(types): add string "ascending" and "descending" index-directions #​10269
• docs: upgrade dox to 1.0.0 #​12403 hasezoey
• docs: update old mongodb nodejs driver documentation urls #​12387 hasezoey
• docs: update JSDOC ... (spread) definition #​12388 hasezoey
• refactor(model): allow optionally passing indexes to createIndexes and cleanIndexes #​12280 AbdelrahmanHafez

v6.5.4

Compare Source

==================

• fix(document): allow calling $assertPopulated() with values to better support manual population #​12233
• fix(connection+mongoose): better handling for calling model() with 1 argument #​12359
• fix(model): allow defining discriminator virtuals and methods using schema options #​12326
• fix(types): fix MongooseQueryMiddleware missing "findOneAndReplace" and "replaceOne" #​12330 #​12329 Jule- lpizzinidev
• fix(types): fix replaceOne return type #​12351 lpizzinidev
• fix(types): use this for return type fro

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f1f295f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR