fix(deps): update dependency mongoose to v6 [security] #654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

renovate wants to merge 1 commit into main from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Mar 30, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`5.13.22` -> `6.13.6`

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

`v6.13.6`

===================

fix: disallow nested $where in populate match CVE-2025-23061

`v6.13.5`

===================

fix: disallow using $where in match

`v6.13.4`

===================

fix: save execution stack in query as string #15043 #15039
docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos

`v6.13.3`

===================

docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

`v6.13.2`

===================

fix(document): make set() respect merge option on deeply nested objects #14870 #14878

`v6.13.1`

===================

fix: remove empty $and, $or, $not that were made empty by scrict mode #14749 #13086 0x0a0d

`v6.13.0`

===================

feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

`v6.12.9`

===================

fix(cast): cast $comment to string in query filters #14590 #14576
types(model): allow passing strict type checking override to create() #14571 #14548

`v6.12.8`

===================

fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

`v6.12.7`

===================

perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
perf(document+schema): small optimizations to make init() faster #14383 #14113
fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150

`v6.12.6`

===================

fix(collection): correctly handle buffer timeouts with find() #14277
fix(document): allow calling push() with different $position arguments #14254

`v6.12.5`

===================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(document): allow setting nested path to null #14226
fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213

`v6.12.4`

===================

fix: upgrade mongodb driver -> 4.17.2
fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
fix: account for null values when assigning isNew property #14172 #13883

`v6.12.3`

===================

fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022

`v6.12.2`

===================

fix: add fullPath to ValidatorProps #13995 Freezystem

`v6.12.1`

===================

fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13945 #13887 hasezoey
fix: Document.prototype.isModified support for a string of keys as first parameter #13940 #13674 k-chop

`v6.12.0`

===================

feat: use mongodb driver v4.17.1
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v6.11.6`

===================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13701 #13684 JavaScriptBach
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey

`v6.11.5`

===================

fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
fix: custom debug function not processing all args #13418

`v6.11.4`

===================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

`v6.11.3`

===================

fix: avoid prototype pollution on init
fix(schema): correctly handle uuids with populate() #13317 #13595

`v6.11.2`

===================

fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435

`v6.11.1`

===================

fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340
fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #13384 #13373
types(model): allow overwriting expected param type for bulkWrite() #13292 hasezoey

`v6.11.0`

===================

feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #13337 #13075
perf: speed up creating maps of subdocuments #13280 #13191 #13271
fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #13338
fix(document): merge Document $inc calls instead of overwriting #13322
fix(update): handle casting doubly nested arrays with $pullAll #13285
docs: backport documentation versioning changes to 6.x #13253 #13190 hasezoey

`v6.10.5`

===================

perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #12953
fix(model): execute valid write operations if calling bulkWrite() with ordered: false #13218 #13176
fix(array): pass-through all parameters #13202 #13201 hasezoey
fix: improve error message when sorting by empty string #13249 #10182
docs: add version support and check version docs #13251 #13193

`v6.10.4`

===================

fix(document): apply setters on resulting value when calling Document.prototype.$inc() #13178 #13158
fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #13163 #12791
docs(guide+schematypes): add UUID to schematypes guide #13184

`v6.10.3`

===================

fix(connection): add stub implementation of doClose to base connection class #13157
fix(types): add cursor.eachAsync index parameter #13162 #13153 hasezoey
docs: fix 6.x docs sidebar links #13147 #13144 hasezoey
docs(validation): clarify that validation runs as first pre(save) middleware #13062

`v6.10.2`

===================

fix(document): avoid setting array default if document array projected out by sibling projection #13135 #13043 #13003
fix(documentarray): set correct document array path if making map of document arrays #13133
fix: undo accidental change to engines in package.json #13124 lorand-horvath
docs: quick improvement to Model.init() docs #13054

`v6.10.1`

===================

fix: avoid removing empty query filters in $and and $or #13086 #12898
fix(schematype): fixed validation for required UUID field #13018 lpizzinidev
fix(types): add missing Paths generic param to Model.populate() #13070
docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #13083 lpizzinidev
docs: fix code in headers for migrating_to_5 #13077 hasezoey
docs: backport misc documentation changes into 6.x #13091 hasezoey

`v6.10.0`

===================

feat: upgrade to mongodb driver 4.14.0 #13036
feat: added Schema.prototype.omit() function #12939 #12931 lpizzinidev
feat(index): added createInitialConnection option to Mongoose constructor #13021 #12965 lpizzinidev

`v6.9.3`

==================

fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #13007 #12940 lpizzinidev
fix(discriminator): allows update doc with discriminatorKey #13056 #13055 abarriel
fix(query): avoid sending unnecessary empty projection to MongoDB server #13059 #13050
fix(model): avoid sending null session option with document operations #13053 #13052 lpizzinidev
fix(types): use MergeTypes for type overrides in HydratedDocument #13066 #13040
docs(middleware): list validate as a potential query middleware #13057 #12680
docs(getters-setters): explain that getters do not run by default on toJSON() #13058 #13049
docs: refactor docs generation scripts #13044 hasezoey

`v6.9.2`

==================

fix(model): fixed post('save') callback parameter #13030 #13026 lpizzinidev
fix(UUID): added null check to prevent error on binaryToString conversion #13034 #13032 #13029 lpizzinidev Freezystem
fix(query): revert breaking changes introduced by #12797 #12999 lpizzinidev
fix(document): make array $shift() use $pop instead of overwriting array #13004
docs: update & remove old links #13019 hasezoey
docs(middleware): describe how to access model from document middleware #13031 AxeOfMen
docs: update broken & outdated links #13001 hasezoey
chore: change deno tests to also use MMS #12918 hasezoey

`v6.9.1`

==================

fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #12994 lpizzinidev
fix(document): save newly set defaults underneath single nested subdocuments #13002 #12905
fix(update): handle custom discriminator model name when casting update #12947 wassil
fix(connection): handles unique autoincrement ID for connections #12990 lpizzinidev
fix(types): fix type of options of Model.aggregate #12933 ghost91-
fix(types): fix "near" aggregation operator input type #12954 Jokero
fix(types): add missing Top operator to AccumulatorOperator type declaration #12952 lpizzinidev
docs(transactions): added example for Connection.transaction() method #12943 #12934 lpizzinidev
docs(populate): fix out of date comment referencing onModel property #13000
docs(transactions): fix typo in transactions.md #12995 Parth86

`v6.9.0`

==================

feat(schema): add removeVirtual(path) function to schema #12920 IslandRhythms
fix(cast): remove empty $or conditions after strict applied #12898 0x0a0d
docs: fixed typo #12946 Gbengstar

`v6.8.4`

==================

fix(collection): handle creating model when connection disconnected with bufferCommands = false #12889
fix(populate): merge instead of overwrite when match is on _id #12891
fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #12820 sgpinkus
fix(types): correctly infer types on document arrays #12884 #12882 JavaScriptBach
fix(types): added omit for ArraySubdocument type in LeanType declaration #12903 piyushk96
fix(types): add returnDocument type safety #12906 AbdelrahmanHafez
docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #12912 #12806
docs(schematypes): removed dead link and fixed formatting #12897 #12885 lpizzinidev
docs: fix link to lean api #12910 manniL
docs: list all possible strings for schema.pre in one place #12868
docs: add list of known incompatible npm packages #12892 IslandRhythms

`v6.8.3`

==================

perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #12867 Uzlopak
fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #12866
fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #12836
fix(types): avoid inferring timestamps if methods, virtuals, or statics set #12871
fix(types): correctly infer string enums on const arrays #12870 JavaScriptBach
fix(types): allow virtuals to be invoked in the definition of other virtuals #12874 sffc
fix(types): add type def for Aggregate#model without arguments #12864 hasezoey
docs(discriminators): add section about changing discriminator key #12861
docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #12860 #12684

`v6.8.2`

==================

fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #12827 #12796
fix(model): respect discriminators with Model.validate() #12824 #12621
fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #12826 #12821
fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #12833 #12696
fix(types): add option "overwriteModels" as a schema option #12817 #12816 hasezoey
fix(types): add property "defaultOptions" #12818 hasezoey
docs: make search bar respect documentation version, so you can search 5.x docs #12548
docs(typescript): make note about recommending strict mode when using auto typed schemas #12825 #12420
docs: add section on sorting to query docs #12588 IslandRhythms
test(query.test): add write-concern option #12829 hasezoey

`v6.8.1`

==================

fix(query): avoid throwing circular dependency error if same object is used in multiple properties #12774 orgads
fix(map): return value from super.delete() #12777 danbrud
fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #12815 #12730
fix(update): handle embedded discriminators when casting array filters #12802 #12565
fix(populate): avoid calling transform if there's no populate results and using lean #12804 #12739
fix(model): prevent index creation on syncIndexes if not necessary #12785 #12250 lpizzinidev
fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #12778
fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #12784 JavaScriptBach
docs: replace many occurrences of "localhost" with "127.0.0.1" #12811 #12741 hasezoey SadiqOnGithub
docs(mongoose): Added missing options to set #12810 lpizzinidev
docs: add info on $locals parameters to getters/setters tutorial #12814 #12550 IslandRhythms
docs: make Document.prototype.$clone() public #12803
docs(query): updated explanation for slice #12776 #12474 lpizzinidev
docs(middleware): fix broken links #12787 lpizzinidev
docs(queries): fixed broken links #12790 lpizzinidev

`v6.8.0`

==================

feat: add alpha support for Deno #12397 #9056
feat: add deprecation warning for default strictQuery #12666
feat: upgrade to MongoDB driver 4.12.1
feat(schema): add doc as second params to validation message function #12564 #12651 IslandRhythms
feat(document): add $clone method #12549 #11849 lpizzinidev
feat(populate): allow overriding localField and foreignField for virtual populate #12657 #6963 IslandRhythms
feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #12723 #12583
feat(debug): allow setting debug on a per-connection basis #12704 #12700 lpizzinidev
feat: add rewind function to QueryCursor #12710 passabilities
feat(types): infer timestamps option from schema #12731 #12069
docs: change links to not link to api.html anymore #12644 hasezoey

`v6.7.5`

==================

fix(schema): copy indexes when calling add() with schema instance #12737 #12654
fix(query): handle deselecting _id when another field has schema-level select: false #12736 #12670
fix(types): support using UpdateQuery in bulkWrite() #12742 #12595
docs(middleware): added note about execution policy on subdocuments #12735 #12694 lpizzinidev
docs(validation): clarify context for update validators in validation docs #12738 #12655 IslandRhythms

`v6.7.4`

==================

fix: allow setting global strictQuery after Schema creation #12717 #12703 lpizzinidev
fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #12716
fix(types): infer virtuals in query results #12727 #12702 #12684
fix(types): correctly infer ReadonlyArray types in schema definitions #12720
fix(types): avoid typeof Query with generics for TypeScript 4.6 support #12712 #12688
chore: avoid bundling .tgz files when publishing #12725 hasezoey

`v6.7.3`

==================

fix(document): handle setting array to itself after saving and pushing a new value #12672 #12656
fix(types): update replaceWith pipeline stage #12715 coyotte508
fix(types): remove incorrect modelName type definition #12682 #12669 lpizzinidev
fix(schema): fix setupTimestamps for browser.umd #12683 raphael-papazikas
docs: correct justOne description #12686 #12599 tianguangcn
docs: make links more consistent #12690 #12645 hasezoey
docs(document): explain that $isNew is false in post('save') hooks #12685 #11990
docs: fixed line causing a "used before defined" linting error #12707 sgpinkus

`v6.7.2`

==================

fix(discriminator): skip copying base schema plugins if applyPlugins == false #12613 #12604 lpizzinidev
fix(types): add UUID to types #12650 #12593
fix(types): allow setting SchemaTypeOptions' index property to IndexOptions #12562
fix(types): set this to doc type in SchemaType.prototype.validate() #12663 #12590
fix(types): correct handling for model #12659 #12573
fix(types): pre hook with deleteOne should resolve this as Query #12642 #12622 lpizzinidev

`v6.7.1`

==================

fix(query): select Map field with select: false when explicitly requested #12616 #12603 lpizzinidev
fix: correctly find paths underneath single nested document with an array of mixed #12605 #12530
fix(populate): better support for populating maps of arrays of refs #12601 #12494
fix(types): add missing create constructor signature override type #12585 naorpeled
fix(types): make array paths optional in inferred type of array default returns undefined #12649 #12420
fix(types): improve ValidateOpts type #12606 Freezystem
docs: add Lodash guide highlighting issues with cloneDeep() #12609
docs: removed v5 link from v6 docs #12641 #12624 lpizzinidev
docs: removed outdated connection example #12618 lpizzinidev

`v6.7.0`

==================

feat: upgrade to mongodb driver 4.11.0 #12446
feat: add UUID Schema Type (BSON Buffer SubType 4) #12268 #3208 hasezoey
feat(aggregation): add $fill pipeline stage #12545 raphael-papazikas
feat(types+schema): allow defining schema paths using mongoose.Types.* to work around TS type inference issues #12352
feat(schema): add alias() method that makes it easier to define multiple aliases for a given path #12368
feat(model): add mergeHooks option to Model.discriminator() to avoid duplicate hooks #12542
feat(document): add $timestamps() method to set timestamps for save(), bulkSave(), and insertMany() #12540

`v6.6.7`

==================

fix: correct browser build and improve isAsyncFunction check for browser #12577 #12576 #12392
fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #12578 #12513

`v6.6.6`

==================

fix(update): handle runValidators when using $set on a doc array in discriminator schema #12571 #12518
fix(document): allow creating document with document array and top-level key named schema #12569 #12480
fix(cast): make schema-level strictQuery override schema-level strict for query filters #12570 #12508
fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #12568 #12478
fix: Throws error when updating a key name that match the discriminator key name on nested object #12534 #12517 lpizzinidev
fix(types): add limit to $filter expression [#12553](https://redirect.github.com/Automattic/mongoose/issues/

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the renovate label

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from fd7ddd8 to 9b4f095 Compare

May 3, 2025 06:09

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 9b4f095 to 0726545 Compare

July 5, 2025 05:33

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 1de656b to e3da930 Compare

July 19, 2025 10:51

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 0f93508 to 2b1bf29 Compare

August 13, 2025 11:47

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 2b1bf29 to 2e029d5 Compare

August 19, 2025 14:49

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 77f2d35 to 887abf8 Compare

September 6, 2025 05:00

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 887abf8 to d38cda4 Compare

September 25, 2025 15:36

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from a958b2e to 14151e2 Compare

October 22, 2025 01:12

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 14151e2 to 0cf2296 Compare

November 11, 2025 02:13

socket-security bot commented Nov 11, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mongoose@6.13.6

View full report

fix(deps): update dependency mongoose to v6 [security]

38fa40e

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0cf2296 to 38fa40e Compare

November 18, 2025 12:04

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment