Skip to content

build(deps): bump mongoose from 8.23.0 to 9.2.1#277

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/mongoose-9.2.1
Open

build(deps): bump mongoose from 8.23.0 to 9.2.1#277
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/mongoose-9.2.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 16, 2026
edited
Loading

Bumps mongoose from 8.23.0 to 9.2.1.

Release notes

Sourced from mongoose's releases.

9.2.1 / 2026-02-11

  • types(query): allow assigning QueryFilter<DocType> to QueryFilter<any> #16020
  • types: duplicate identifier 'UUIDToJSON' in mongoosejs 9.2.0 #16023
  • types: preserve subdocument toObject() field types when using virtuals + versionKey options #16021 #15965 AbdelrahmanHafez
  • docs(mongoose): add missing options to mongoose.set() docs #16019

9.2.0 / 2026-02-09

  • feat: add option to skip middleware #15883 #8768 AbdelrahmanHafez
  • feat(model): delay "Duplicate schema index" warning until createIndexes runs to include model name in the warning #15979
  • feat(model): add strict option to Model.hydrate(...) #15940 #15977
  • feat(document): add flattenUUIDs option to toObject() and toJSON() #15864 #15021 AbdelrahmanHafez
  • fix(schema): treat undefined as not provided for strict, strictQuery and id options #16004 AbdelrahmanHafez
  • types(inferrawdoctype): avoid adding _id to nested paths and handle _id: false in options + schema definition #15989
  • types: fix toObject() type inference with timestamps + virtuals #15975 AbdelrahmanHafez
  • types(models): remove dead MapReduce and GeoSearch types #15984
  • test(types): remove tsd in favor of tsc + test utilities #15951 #15696

9.1.6 / 2026-02-04

  • fix: handle other top-level query operators in sanitizeFilter
  • fix(types): fix toObject() type inference with timestamps + virtuals #15975 #15965 AbdelrahmanHafez
  • fix(populate): defer subpopulate until after match functions to avoid comparing populated subdocs #15981 mongodb-js/mongoose-autopopulate#112
  • fix(DocumentArray): correctly clone subdocument when updating document array #15978 #15973
  • fix(documentArray): fix change tracking for documentArrays in nested maps #15983 #15970 AbdelrahmanHafez
  • docs: clarify that you need to explicitly create timeseries collection before inserting document #15990 #15986

9.1.5 / 2026-01-20

9.1.4 / 2026-01-15

9.1.3 / 2026-01-09

  • fix(model): support timestamps option to insertMany() as both boolean and QueryTimestampsConfig #15941 #15938
  • fix(query): include preview of current and incoming update in error when merging normal update with pipeline #15939 #15928
  • types(model): apply basic type casting to paths underneath subdocuments #15948 #15947
  • types(utility): make WithLevel1NestedPaths correctly handle PopulatedDoc and other TypeScript unions with Document members #15942 #15923
  • docs(schema): expose "DocumentArrayElement" #15590 hasezoey

... (truncated)

Changelog

Sourced from mongoose's changelog.

9.2.1 / 2026-02-11

  • types(query): allow assigning QueryFilter to QueryFilter #16020
  • types: duplicate identifier 'UUIDToJSON' in mongoosejs 9.2.0 #16023
  • types: preserve subdocument toObject() field types when using virtuals + versionKey options #16021 #15965 AbdelrahmanHafez
  • docs(mongoose): add missing options to mongoose.set() docs #16019

9.2.0 / 2026-02-09

  • feat: add option to skip middleware #15883 #8768 AbdelrahmanHafez
  • feat(model): delay "Duplicate schema index" warning until createIndexes runs to include model name in the warning #15979
  • feat(model): add strict option to Model.hydrate(...) #15940 #15977
  • feat(document): add flattenUUIDs option to toObject() and toJSON() #15864 #15021 AbdelrahmanHafez
  • fix(schema): treat undefined as not provided for strict, strictQuery and id options #16004 AbdelrahmanHafez
  • types(inferrawdoctype): avoid adding _id to nested paths and handle _id: false in options + schema definition #15989
  • types: fix toObject() type inference with timestamps + virtuals #15975 AbdelrahmanHafez
  • types(models): remove dead MapReduce and GeoSearch types #15984
  • test(types): remove tsd in favor of tsc + test utilities #15951 #15696
Commits
  • 764bd82 chore: release 9.2.1
  • 2e5b780 Merge pull request #16021 from Automattic/fix/gh-15965-subdoc-toObject
  • 324ff4c Merge pull request #16020 from Automattic/vkarpov15/gh-16006
  • 684b31f test(types): check types using ts-expect-error directive instead of ExpectType
  • 06b4e93 Merge pull request #16019 from Automattic/vkarpov15/gh-16005
  • 55749fc fix(types): make subdocuments and array subdocuments have the same behavior f...
  • b81b3b6 types(query): allow assigning QueryFilter<DocType> to QueryFilter<any>
  • 8d05461 test(types): assert subdocuments in toObject() and toJSON get the correc...
  • 40ffefe docs(mongoose): add missing options to mongoose.set() docs
  • 904a2eb chore: release 9.2.0
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
build(deps): bump mongoose from 8.23.0 to 9.2.1
19e8b20 
Bumps [mongoose](https://github.com/Automattic/mongoose) from 8.23.0 to 9.2.1.
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@8.23.0...9.2.1)

---
updated-dependencies:
- dependency-name: mongoose
  dependency-version: 9.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 16, 2026
@dependabot dependabot bot mentioned this pull request Feb 16, 2026
Closed
@github-actions
Copy link

github-actions bot commented Feb 16, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/@types/whatwg-url 13.0.0 🟢 6.9
Details
CheckScoreReason
Code-Review🟢 8Found 25/30 approved changesets -- score normalized to 8
Maintained🟢 1030 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 9license file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Fuzzing⚠️ 0project is not fuzzed
npm/bson 7.2.0 🟢 5.6
Details
CheckScoreReason
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Vulnerabilities⚠️ 28 existing vulnerabilities detected
SAST🟢 9SAST tool detected but not run on all commits
npm/kareem 3.2.0 UnknownUnknown
npm/mongodb 7.0.0 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 9Found 23/24 approved changesets -- score normalized to 9
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy⚠️ 0security policy file not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities⚠️ 19 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
npm/mongodb-connection-string-url 7.0.1 🟢 5.4
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Vulnerabilities🟢 82 existing vulnerabilities detected
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
npm/mongoose 9.2.1 🟢 6.8
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 4Found 6/15 approved changesets -- score normalized to 4
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 9security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Vulnerabilities🟢 100 existing vulnerabilities detected
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST🟢 8SAST tool detected but not run on all commits
npm/mquery 6.0.0 UnknownUnknown

Scanned Files

  • package-lock.json

@netlify
Copy link

netlify bot commented Feb 16, 2026
edited
Loading

Deploy Preview for splendorous-snickerdoodle-0e3599 ready!

Name Link
🔨 Latest commit 19e8b20
🔍 Latest deploy log https://app.netlify.com/projects/splendorous-snickerdoodle-0e3599/deploys/6992ddfd3284220008f627e0
😎 Deploy Preview https://deploy-preview-277--splendorous-snickerdoodle-0e3599.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse		 1 paths audited
Performance: 87
Accessibility: 91
Best Practices: 92
SEO: 100
PWA: -
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants