Update dependency mongoose to ~7.8.0 [SECURITY] #111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Jul 18, 2023 •

edited

Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`~7.2.0` -> `~7.8.0`

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

`v7.8.4`

===================

fix: disallow nested $where in populate match CVE-2025-23061

`v7.8.3`

==================

fix: disallow using $where in match
fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893
docs(migrating_to_7): add note about keepAlive to Mongoose 7 migration guide #15032 #13431

`v7.8.2`

==================

fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893

`v7.8.1`

==================

fix(query): handle casting $switch in $expr #14761
docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #14811 #14810

`v7.8.0`

==================

feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #14744 #14742 #14583 #13889
types(query): fix usage of "RawDocType" where "DocType" should be passed #14737 hasezoey

`v7.7.0`

==================

feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

`v7.6.13`

===================

fix(query): shallow clone $or and $and array elements to avoid mutating query filter arguments #14614 #14610
types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601
docs(migrating_to_7): add id setter to Mongoose 7 migration guide #14645 #13672

`v7.6.12`

===================

fix(array): avoid converting to $set when calling pull() on an element in the middle of the array #14531 #14502
fix: bump mongodb driver to 5.9.2 #14561 lorand-horvath
fix(update): cast array of strings underneath doc array with array filters #14605 #14595

`v7.6.11`

===================

fix(populate): avoid match function filtering out null values in populate result #14518
fix(schema): support setting discriminator options in Schema.prototype.discriminator() #14493 #14448
fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #14492 #14457

`v7.6.10`

===================

docs(model): add extra note about lean option for insertMany() skipping casting #14415
docs(mongoose): add options.overwriteModel details to mongoose.model() docs #14422

`v7.6.9`

==================

fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #14256 #14245
types(model): correct return type for findByIdAndDelete() #14233 #14190
docs(connections): add note about using asPromise() with createConnection() for error handling #14364 #14266
docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #14264 #14246

`v7.6.8`

==================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(discriminator): handle reusing schema with embedded discriminators defined using Schema.prototype.discriminator #14202 #14162
fix(ChangeStream): avoid suppressing errors in closed change stream #14206 #14177

`v7.6.7`

==================

fix: avoid minimizing single nested subdocs if they are required #14151 #14058
fix(populate): allow deselecting discriminator key when populating #14155 #3230
fix: allow adding discriminators using Schema.prototype.discriminator() to subdocuments after defining parent schema #14131 #14109
fix(schema): avoid creating unnecessary clone of schematype in nested array so nested document arrays use correct constructor #14128 #14101
fix(populate): call transform object with single id instead of array when populating a justOne path under an array #14135 #14073
types: add back mistakenly removed findByIdAndRemove() function signature #14136 #14132

`v7.6.6`

==================

perf: avoid double-running setter logic when calling push() #14120 #11380
fix(populate): set populated docs in correct order when populating virtual underneath doc array with justOne #14105 #14018
fix: bump mongodb driver -> 5.9.1 #14084 #13829 lorand-horvath
types: allow defining document array using [{ prop: String }] syntax #14095 #13424
types: correct types for when includeResultMetadata: true is set #14078 #13987 prathamVaidya
types(query): base filters and projections off of RawDocType instead of DocType so autocomplete doesn't show populate #14118 #14077
types: make property names show up in intellisense for UpdateQuery #14123 #14090
types(model): support calling Model.validate() with pathsToSkip option #14088 #14003
docs: remove "DEPRECATED" warning mistakenly added to read() tags param #13980

`v7.6.5`

==================

fix: handle update validators and single nested doc with numeric paths #14066 #13977
fix: handle recursive schema array in discriminator definition #14068 #14055
fix: diffIndexes treats namespace error as empty #14048 #14029
docs(migrating_to_7): add note about requiring new with ObjectId #14021 #14020

`v7.6.4`

==================

fix(connection): retain modified status for documents created outside a transaction during transaction retries #14017 #13973
fix(schema): handle recursive schemas in discriminator definitions #14011 #13978
fix: handle casting $or underneath $elemMatch #14007 #13974
fix(populate): allow using options: { strictPopulate: false } to disable strict populate #13863
docs: fix differences between sample codes and documentation #13998 suzuki
docs: fix missing import and change wrong variable name #13992 suzuki

`v7.6.3`

==================

fix(populate): handle multiple spaces when specifying paths to populate using space-delimited paths #13984 #13951
fix(update): avoid applying defaults on query filter when upserting with empty update #13983 #13962
fix(model): add versionKey to bulkWrite when inserting or upserting #13981 #13944
docs: fix typo in timestamps docs #13976 danielcoker

`v7.6.2`

==================

perf: avoid storing a separate entry in schema subpaths for every element in an array #13953 #13874
fix(document): avoid triggering setter when initializing Model.prototype.collection to allow defining collection as a schema path name #13968 #13956
fix(model): make bulkSave() save changes in discriminator paths if calling bulkSave() on base model #13959 #13907
fix(document): allow calling $model() with no args for TypeScript #13963 #13878
fix(schema): handle embedded discriminators defined using Schema.prototype.discriminator() #13958 #13898
types(model): make InsertManyResult consistent with return type of insertMany #13965 #13904
types(models): add cleaner type definitions for insertMany() with no generics to prevent errors when using insertMany() in generic classes #13964 #13957
types(schematypes): allow defining map path using type: 'Map' in addition to type: Map #13960 #13755

`v7.6.1`

===================

fix(query): shallow clone $or and $and array elements to avoid mutating query filter arguments #14614 #14610
types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601
docs(migrating_to_7): add id setter to Mongoose 7 migration guide #14645 #13672

`v7.6.0`

==================

feat: upgrade mongodb node driver -> 5.9.0 #13927 #13926 sanguineti
fix: avoid CastError when passing different value of discriminator key in $or #13938 #13906

`v7.5.4`

==================

fix: avoid stripping out id property when _id is set #13933 #13892 #13867
fix(QueryCursor): avoid double-applying schema paths so you can include select: false fields with + projection using cursors #13932 #13773
fix(query): allow deselecting discriminator key using - syntax #13929 #13760
fix(query): handle $round in $expr as array #13928 #13881
fix(document): call pre('validate') hooks when modifying a path underneath triply nested subdoc #13912 #13876
fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13911 #13887
types: add insertMany array overload with options #13931 t1bb4r
docs(compatibility): add Mongoose 7 support to compatibility matrix #13875
docs: amend some awkward FAQ wording #13925 peteboere

`v7.5.3`

==================

fix(document): handle MongoDB Long when casting BigInts #13869 #13791
fix(model): make bulkSave() persist changes that happen in pre('save') middleware #13885 #13799
fix: handle casting $elemMatch underneath $not underneath another $elemMatch #13893 #13880
fix(model): make bulkWrite casting respect global setDefaultsOnInsert #13870 #13823
fix(document): handle default values for discriminator key with embedded discriminators #13891 #13835
fix: account for null values when assigning isNew property within document array #13883
types: avoid "interface can only extend object types with statically known members" error in TypeScript 4 #13871
docs(deprecations): fix typo in includeResultMetadata deprecation docs #13884 #13844
docs: fix pre element overflow in home page #13868 ghoshRitesh12

`v7.5.2`

==================

fix(schema): handle number discriminator keys when using Schema.prototype.discriminator() #13858 #13788
fix: ignore id property when calling set() with both id and _id specified to avoid id setter overwriting #13762
types: pass correct document type to required and default function #13851 #13797
docs(model): add examples of using diffIndexes() to syncIndexes()and diffIndexes() api docs #13850 #13771

`v7.5.1`

==================

fix: set default value for _update when no update object is provided and versionKey is set to false #13795 #13783 MohOraby
fix: avoid unexpected error when accessing null array element on discriminator array when populating #13716 ZSabakh
types(schematypes): use DocType for instance method this #13822 #13800 pshaddel
types: remove duplicated 'exists' method in Model interface in models.d.ts #13818 ohzeno
docs(model): replace outdated docs on deprecated findOneAndUpdate() overwrite option #13821 #13715
docs: add example of using virtuals.pathsToSkip option for toObject() and toJSON() #13798 RobertHunter-Pluto

`v7.5.0`

==================

feat: use mongodb driver v5.18.1
feat: allow top level dollar keys with findOneAndUpdate(), update() for MongoDB 5 #13786
fix(document): make array getters avoid unintentionally modifying array, defer getters until index access instead #13774
feat: deprecate overwrite option for findOneAndUpdate() #13578
feat: add pathsToSkip option for Model.validate #13663 #10353
feat: support alias when declaring index #13659 #13276
fix(query): remove unnecessary check for atomic operators in findOneAndReplace() #13678
types: add SearchMeta Interface for Atlas Search #13792 mreouven
types(schematypes): add missing BigInt SchemaType #13787

`v7.4.5`

==================

fix(debug): avoid putting virtuals and getters in debug output #13778
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v7.4.4`

==================

fix(connection): reset document state in between transaction retries #13726 #13698
fix(cursor): bubble up resumeTokenChanged event from change streams #13736 #13607
fix(query+populate): add refPath to projection by default, unless explicitly excluded #13758
fix(schema): support 'ascending', 'asc', 'descending', 'desc' for index direction #13761 #13725
fix(ChangeStream): add _bindEvents to addListener function for observable support #13759 yury-ivaniutsenka
types: infer return type when using get(), markModified(), etc. with known property name literal #13739 maybesmurf
types: add missing typings for option includeResultMetadata #13747 #13746 Idnan
types: export InferSchemaType #13737
docs(middleware): clarify that query middleware applies to document by default #13734 #13713
docs: add brief note on TypeScript generic usage for embedded discriminator path() calls #13728 #10435
docs: link v7 migration guide #13742 Cooldogyum
docs(migrating_to_6): add note about incompatible packages #13733

`v7.4.3`

==================

fix: avoid applying map property getters when saving #13704 #13657
fix(query): allow deselecting discriminator key #13722 #13679
types(models+query): return lean type when passing QueryOptions with lean: true to relevant model functions like find() and findOne() #13721 #13705
types(schema): correct return type for Schema.prototype.indexes() #13718 #13702
types: allow accessing options from pre middleware #13708 #13633
types: add UpdateQueryKnownOnly type for stricter UpdateQuery type checking #13699 #13630
types(schema): support required: { isRequired: true } syntax in schema definition #13680
docs(middleware): clarify that doc.deleteOne() doesn't run query middleware currently #13707 #13669

`v7.4.2`

==================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13684 #13664
fix: Document.prototype.isModified support for a string of keys as first parameter #13674 #13667 gastoncasini
fix: disable id virtual if alias:id set #13654 #13650
fix: support timestamps:false on bulkWrite with updateOne and updateMany #13649 #13611
docs(typescript): highlight auto type inference for methods and statics, add info on using methods with generics #13696 #12942
docs(middleware): fix old example using post('remove') #13683 #13518
docs(deprecations): quick fix for includeResultMetadata docs #13695

`v7.4.1`

==================

fix(document): correctly clean up nested subdocs modified state on save() #13644 #13609
fix(schema): avoid propagating toObject.transform and toJSON.transform option to implicitly created schemas #13634 #13599
fix: prevent schema options overwriting user defined writeConcern #13612 #13592
types: correctly handle pre('deleteOne', { document: true }) #13632
types(schema): handle type: Schema.Types.Map in TypeScript #13628
types: Add inline comment to to tell the default value of the runValidator flag in the queryOptions types #13636 omran95
docs: rework several code examples that still use callbacks #13635 #13616
docs: remove callbacks from validation description #13638 #13501

`v7.4.0`

==================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614
feat: upgrade to MongoDB Node.js driver 5.7.0 #13591
BREAKING CHANGE: add id setter which allows modifying _id by setting id (Note this change was originally shipped as a feat, but later reverted in Mongoose 8 due to compatibility issues) #13517
feat: support generating custom cast error message with a function #13608 #3162
feat(query): support MongoDB driver's includeResultMetadata option for findOneAndUpdate #13584 #13539
feat(connection): add Connection.prototype.removeDb() for removing a related connection #13580 #11821
feat(query): delay converting documents into POJOs until query execution, allow querying subdocuments with defaults disabled #13522
feat(model): add option "aggregateErrors" for create() #13544 hasezoey
feat(schema): add collectionOptions option to schemas #13513
fix: move all MongoDB-specific connection logic into driver layer, add createClient() method to handle creating MongoClient #13542
fix(document): allow setting keys with dots in mixed paths underneath nested paths #13536
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey
docs(guide): fix md lint #13593 hasezoey
docs: changed the code from 'await author.save()' to 'await story1.save()' #13596 SomSingh23

`v7.3.4`

==================

chore: release 7.4.4 to overwrite accidental publish of 5.13.20 to latest tag

`v7.3.3`

==================

fix: avoid prototype pollution on init
fix(document): clean up all array subdocument modified paths on save() #13589 #13582
types: avoid unnecessary MergeType<> if TOverrides not set, clean up statics and insertMany() type issues #13577 #13529

`v7.3.2`

==================

fix(model): avoid TypeError if insertMany() fails with error that does not have writeErrors property #13579 #13531
fix(query): convert findOneAndUpdate to findOneAndReplace when overwrite set for backwards compat with Mongoose 6 #13572 #13550
fix(query): throw readable error when executing a Query instance without an associated model #13571 #13570
types: support mongoose.Schema.ObjectId as alias for mongoose.Schema.Types.ObjectId #13543 #13534
docs(connections): clarify that socketTimeoutMS now defaults to 0 #13576 #13537
docs(migrating_to_7): add mapReduce() removal to migration guide #13568 #13548
docs(schemas): fix typo in schemas.md #13540 Metehan-Altuntekin

`v7.3.1`

==================

fix(query): respect query-level strict option on findOneAndReplace() #13516 #13507
docs(connections): expand docs on serverSelectionTimeoutMS #13533 #12967
docs: add example of accessing save options in pre save #13498
docs(connections+faq): add info on localhost vs 127.0.0.1
docs(SchemaType): validate members are validator & message (not msg) #13521 lorand-horvath

`v7.3.0`

==================

feat: upgrade mongodb -> 5.6.0 #13455 lorand-horvath
feat(aggregate): add Aggregate.prototype.finally() to be consistent with Promise API for TypeScript #13509
feat(schema): support selecting subset of fields to apply optimistic concurrency to #13506 #10591
feat(model): add ordered option to Model.create() #13472 #4038
feat(schema): consistently add .get() function to all SchemaType classes
feat(populate): pass virtual to match function to allow merging match options #13477 #12443
types: allow overwriting Paths in select() to tell TypeScript which fields are projected #13478 #13224
types(schema): add validateModifiedOnly as schema option #13503 #10153
docs: add note about validateModifiedOnly as a schema option #13503 #10153
docs(migrating_to_7): update migrating_to_7.md to include Model.countDocuments #13508 Climax777
docs(further_reading): remove style for "img" hasezoey

`v7.2.4`

==================

fix(query): handle non-string discriminator key values in query #13496 #13492

`v7.2.3`

==================

fix(model): ignore falsy last argument to create() for backwards compatibility #13493 #13491 #13487 MohOraby
types: remove generic param that's causing issues for typegoose #13494 #13482
types(aggregate): allow object syntax for $mergeObjects #13470 #13060
docs(connection): clarify how Connection.prototype.destroy() is different from close() #13475
docs(populate): fix accidental removal of text #13480
docs: add additional notes for Atlas X.509 authentication #13452 alexbevi
docs(populate): add a little more info on why we recommend using ObjectId for _id #13474 #13400

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot enabled auto-merge (squash)

July 18, 2023 20:15

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from fb0dcd1 to 9a9add8 Compare

July 25, 2023 12:36

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 9a9add8 to 5249f68 Compare

September 3, 2023 15:42

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 3 times, most recently from 6eeeece to 446a45b Compare

October 4, 2023 23:11

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 446a45b to 191e20f Compare

December 3, 2024 11:56

renovate bot changed the title ~~Update dependency mongoose to ~7.3.0 [SECURITY]~~ Update dependency mongoose to v8 [SECURITY]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 191e20f to 1a13b82 Compare

December 4, 2024 20:49

renovate bot changed the title ~~Update dependency mongoose to v8 [SECURITY]~~ Update dependency mongoose to ~7.8.0 [SECURITY]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 1a13b82 to d9cf96a Compare

January 17, 2025 05:05

renovate bot changed the title ~~Update dependency mongoose to ~7.8.0 [SECURITY]~~ Update dependency mongoose to v8 [SECURITY]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from d9cf96a to 0e7ea7f Compare

January 19, 2025 08:58

renovate bot changed the title ~~Update dependency mongoose to v8 [SECURITY]~~ Update dependency mongoose to ~7.8.0 [SECURITY]


          Update dependency mongoose to ~7.8.0 [SECURITY]

f40647b

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0e7ea7f to f40647b Compare

August 10, 2025 12:32

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet