[Snyk] Upgrade mongoose from 8.4.0 to 8.19.2

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade mongoose from 8.4.0 to 8.19.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 67 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Insecure Randomness SNYK-JS-UNDICI-8641354	101	Proof of Concept
	Incorrect Authorization SNYK-JS-VITE-9512410	101	Mature
	Incorrect Authorization SNYK-JS-VITE-9653016	101	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	101	Proof of Concept
	Command Injection SNYK-JS-GLOB-14040952	101	Proof of Concept
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8446504	101	Proof of Concept
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8623536	101	Proof of Concept
	Remote Code Execution (RCE) SNYK-JS-NUXT-7640974	101	No Known Exploit
	Acceptance of Extraneous Untrusted Data With Trusted Data SNYK-JS-NUXT-9486043	101	No Known Exploit
	Directory Traversal SNYK-JS-NUXTDEVTOOLS-7640977	101	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	101	Proof of Concept
	Directory Traversal SNYK-JS-SUPABASEAUTHJS-10255365	101	No Known Exploit
	Improper Validation of Specified Type of Input SNYK-JS-VALIDATOR-13395830	101	Proof of Concept
	Directory Traversal SNYK-JS-VITE-13644406	101	Proof of Concept
	Information Exposure SNYK-JS-VITE-8023174	101	Proof of Concept
	Origin Validation Error SNYK-JS-VITE-8648411	101	Proof of Concept
	Access Control Bypass SNYK-JS-VITE-9576207	101	Proof of Concept
	Information Exposure SNYK-JS-VITE-9685035	101	Proof of Concept
	Directory Traversal SNYK-JS-VITE-9919777	101	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-VUETEMPLATECOMPILER-7554675	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	101	Proof of Concept
	Prototype Pollution SNYK-JS-JSYAML-13961110	101	No Known Exploit
	Open Redirect SNYK-JS-KOA-10944994	101	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	101	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	101	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	101	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-NUXT-7640972	101	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-NUXTDEVTOOLS-13849298	101	No Known Exploit
	Origin Validation Error SNYK-JS-NUXTVITEBUILDER-8663232	101	Proof of Concept
	Prototype Pollution SNYK-JS-PARSEGITCONFIG-9403763	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	101	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	101	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	101	No Known Exploit
	Directory Traversal SNYK-JS-SIRV-12558119	101	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	101	Proof of Concept
	Relative Path Traversal SNYK-JS-VITE-12558116	101	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-VITE-8022916	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-VUETEMPLATECOMPILER-8219888	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	101	Proof of Concept
	Prototype Pollution SNYK-JS-DEVALUE-12205530	101	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-KOA-8720152	101	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-KOA-9679272	101	Proof of Concept
	Directory Traversal SNYK-JS-NUXT-12878602	101	Proof of Concept

Release notes

Package name: mongoose

• 8.19.2 - 2025-10-20
  

  8.19.2 / 2025-10-20

  • perf(setDefaultsOnInsert): avoid computing all modified paths when running setDefaultsOnInsert and update validators, only calculate if there are defaults to set #15691 #15672
  • fix: correct handling of relative vs absolute paths with maps and subdocuments #15682 #15678 #15350
  • ci: add publish script with provenance #15684 #15680
• 8.19.1 - 2025-10-06
  

  8.19.1 / 2025-10-06

  • perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
  • perf: Avoid needless path translation #15679 orgads
  • fix(query): throw error if using update operator with modifier and no path #15670 #15642
  • types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
  • docs: update installation instructions #15675 aalok-y
• 8.19.0 - 2025-10-02
  

  8.19.0 / 2025-10-02

  • feat: upgrade mongodb driver to 6.20.0 #15651 #15656
  • feat(model): add virtuals option to Model.hydrate() to set virtuals #15638 #15627
  • fix(schema): handle casting array filters underneath maps of Mixed #15655 #15653
  • types: optimize InferRawDocType #15588 ssalbdivad
  • types(schema): add lean schema option to TypeScript types #15646 #15583 #10090
• 8.18.3 - 2025-09-29
• 8.18.2 - 2025-09-22
• 8.18.1 - 2025-09-08
• 8.18.0 - 2025-08-22
• 8.17.2 - 2025-08-18
• 8.17.1 - 2025-08-07
• 8.17.0 - 2025-07-30
• 8.16.5 - 2025-07-25
• 8.16.4 - 2025-07-16
• 8.16.3 - 2025-07-10
• 8.16.2 - 2025-07-07
• 8.16.1 - 2025-06-26
• 8.16.0 - 2025-06-16
• 8.15.2 - 2025-06-12
• 8.15.1 - 2025-05-26
• 8.15.0 - 2025-05-16
• 8.14.3 - 2025-05-13
• 8.14.2 - 2025-05-08
• 8.14.1 - 2025-04-29
• 8.14.0 - 2025-04-25
• 8.13.3 - 2025-04-24
• 8.13.2 - 2025-04-03
• 8.13.1 - 2025-03-28
• 8.13.0 - 2025-03-24
• 8.12.2 - 2025-03-21
• 8.12.1 - 2025-03-04
• 8.12.0 - 2025-03-03
• 8.11.0 - 2025-02-26
• 8.10.2 - 2025-02-25
• 8.10.1 - 2025-02-14
• 8.10.0 - 2025-02-05
• 8.9.7 - 2025-02-04
• 8.9.6 - 2025-01-31
• 8.9.5 - 2025-01-13
• 8.9.4 - 2025-01-09
• 8.9.3 - 2024-12-30
• 8.9.2 - 2024-12-19
• 8.9.1 - 2024-12-16
• 8.9.0 - 2024-12-13
• 8.8.4 - 2024-12-05
• 8.8.3 - 2024-11-26
• 8.8.2 - 2024-11-18
• 8.8.1 - 2024-11-08
• 8.8.0 - 2024-10-31
• 8.7.3 - 2024-10-25
• 8.7.2 - 2024-10-17
• 8.7.1 - 2024-10-09
• 8.7.0 - 2024-09-27
• 8.6.4 - 2024-09-26
• 8.6.3 - 2024-09-17
• 8.6.2 - 2024-09-11
• 8.6.1 - 2024-09-03
• 8.6.0 - 2024-08-28
• 8.5.5 - 2024-08-28
• 8.5.4 - 2024-08-23
• 8.5.3 - 2024-08-13
• 8.5.2 - 2024-07-30
• 8.5.1 - 2024-07-12
• 8.5.0 - 2024-07-08
• 8.4.5 - 2024-07-05
• 8.4.4 - 2024-06-25
• 8.4.3 - 2024-06-17
• 8.4.2 - 2024-06-17
• 8.4.1 - 2024-05-31
• 8.4.0 - 2024-05-17

from mongoose GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs