fix(deps): update dependency mongoose to v8.8.3 [security] #2859

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Dec 3, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`8.2.2` -> `8.8.3`

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

`v8.8.3`

==================

fix: disallow using $where in match
perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties #15055 #15029
fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update #15046 #15040

`v8.8.2`

==================

fix(model): handle array filters when casting bulkWrite #15036 #14978
fix(model): make diffIndexes() avoid trying to drop default timeseries collection index #15035 #14984
fix: save execution stack in query as string #15039 durran
types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' #15038
docs(migrating_to_8): add note about removing findByIdAndRemove #15024 dragontaek-lee

`v8.8.1`

==================

perf: make a few micro-optimizations to help speed up findOne() #15022 #14906
fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly #15001 #14961
fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode #15000 #8619

`v8.8.0`

==================

feat: upgrade mongodb -> ~6.10 #14991 #14877
feat(query): add schemaLevelProjections option to query to disable schema-level select: false #14986 #11474
feat: allow defining virtuals on arrays, not just array elements #14955 #2326
feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO #14943 #14698
feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() #14987 #14868
fix(query): make sanitizeFilter disable implicit $in #14985 #14657
fix(model): avoid unhandled error if createIndex() throws a sync error #14995
fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError #14993
types: added toJSON:flattenObjectIds effect #14989
types: add __v to lean() result type and ModifyResult #14990 #12959
types: use globalThis instead of global for NativeDate #14992 #14988
docs(change-streams): fix markdown syntax highlighting for script output example #14994

`v8.7.3`

==================

fix(cursor): close underlying query cursor when calling destroy() #14982 #14966
types: add JSONSerialized helper that can convert HydratedDocument to JSON output type #14981 #14451
types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override #14977
types(connection): add missing sanitizeFilter option #14975
types: improve goto definition for inferred schema definitions #14968 forivall
docs(migration-guide-v7): correct link to the section "Id Setter" #14973 rb-ntnx

`v8.7.2`

==================

fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null #14963 #14952
fix(populate): handle array of ids with parent refPath #14965
types: make Buffers into mongodb.Binary in lean result type to match runtime behavior #14967
types: correct schema type inference when using nested typeKey like type: { type: String } #14956 #14950
types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver #14947 #14946
docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment #14972
docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty #14957

`v8.7.1`

==================

fix: set flattenObjectIds to false when calling toObject() for internal purposes #14938
fix: add mongodb 8 to test matrix #14937
fix: handle buffers stored in MongoDB as EJSON representation with { $binary } #14932
docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support #14937

`v8.7.0`

==================

feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
feat: upgrade mongodb -> 6.9.0 #14914
feat(query): cast $rename to string #14887 #3027
feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
types: make __v a number, only set __v on top-level documents #14892

`v8.6.4`

==================

fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee

`v8.6.3`

==================

fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
fix: fix missing Aggregate re-exports for ESM #14886 wongsean
types(document): add generic param to depopulate() to allow updating properties #14891 #14876

`v8.6.2`

==================

fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
types: make SchemaType static setters property accessible in TypeScript #14881 #14879
type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839

`v8.6.1`

==================

fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
types(query): add $expr to RootQuerySelector #14845
docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

`v8.6.0`

==================

feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813
feat(model+query): support options parameter for distinct() #14772 #8006
feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745
types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig
types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883
types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734

`v8.5.5`

==================

fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759
fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #14821
types: fix schema type based on timestamps schema options value #14829 #14825 ark23CIS

`v8.5.4`

==================

fix: add empty string check for collection name passed #14806 Shubham2552
docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809

`v8.5.3`

==================

fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788
fix(populate): avoid throwing error when no result and lean() set #14799 #14794 #14759 MohOraby
fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394
types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793
types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS
types(cursor): indicate that cursor.next() can return null #14798 #14787
types: allow mongoose.connection.db to be undefined #14797 #14789
docs: add schema type widening advice #14790 JstnMcBrd

`v8.5.2`

==================

perf(clone): avoid further unnecessary checks if cloning a primitive value #14762 #14394
fix: allow setting document array default to null #14769 #14717 #6691
fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #14744 #14736
fix(model+document): avoid depopulating manually populated doc as getter value #14760 #14759
fix: correct shardkey access in buildBulkWriteOps #14753 #14752 adf0nt3s
fix(query): handle casting $switch in $expr #14755 #14751
types: allow calling SchemaType.cast() without parent and init parameters #14756 #14748 #9076
docs: fix a wrong example in v6 migration guide #14758 abdelrahman-elkady

`v8.5.1`

==================

perf(model): performance improvements for insertMany() #14724
fix(model): avoid leaving subdoc defaults on top-level doc when setting subdocument to same value #14728 #14722
fix(model): handle transactionAsyncLocalStorage option with insertMany() #14743
types: make _id required on Document type #14735 #14660
types: fix ChangeStream.close to return a Promise like the driver #14740 orgads

`v8.5.0`

==================

perf: memoize toJSON / toObject default options #14672
feat(document): add $createModifiedPathsSnapshot(), $restoreModifiedPathsSnapshot(), $clearModifiedPaths() #14699 #14268
feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema #14691
feat: allow setting array default value to null #14717 #6691
feat(mongoose): allow drivers to set global plugins #14682
feat(connection): bubble up monitorCommands events to Mongoose connection if monitorCommands option set #14681 #14611
fix(document): ensure post('deleteOne') hooks are called when calling save() after subdoc.deleteOne() #14732 #9885
fix(query): remove count() and findOneAndRemove() from query chaining #14692 #14689
fix: remove default connection if setting createInitialConnection to false after Mongoose instance created #14679 #8302
types(models+query): infer return type from schema for 1-level deep nested paths #14632
types(connection): make transaction() return type match the executor function #14661 #14656
docs: fix docs links in index.md mirasayon

`v8.4.5`

==================

types: correct this for validate.validator schematype option #14720 #14696
docs(model): note that insertMany() with lean skips applying defaults #14723 #14698

`v8.4.4`

==================

perf: avoid unnecesary get() call and use faster approach for converting to string #14673 #14394
fix(projection): handle projections on arrays in Model.hydrate() projection option #14686 #14680
fix(document): avoid passing validateModifiedOnly to subdocs so subdocs get fully validating if they're directly modified #14685 #14677
fix: handle casting primitive array with $elemMatch in bulkWrite() #14687 #14678
fix(query): cast $pull using embedded discriminator schema when discriminator key is set in filter #14676 #14675
types(connection): fix return type of withSession() #14690 tt-public
types: add $documents pipeline stage and fix $unionWith type #14666 nick-statsig
docs(findoneandupdate): improve example that shows findOneAndUpdate() returning doc before updates were applied #14671 #14670

`v8.4.3`

==================

fix: remove 0x flamegraph files from release

`v8.4.2`

==================

perf: more toObject() perf improvements #14623 #14606 #14394
fix(model): check the value of overwriteModels in options when calling discriminator() #14646 uditha-g
fix: avoid throwing TypeError when deleting an null entry on a populated Map #14654 futurliberta
fix(connection): fix up some inconsistencies in operation-end event and add to docs #14659 #14648
types: avoid inferring Boolean, Buffer, ObjectId as Date in schema definitions under certain circumstances #14667 #14630
docs: add note about parallelism in transations #14647 fiws

`v8.4.1`

==================

fix: pass options to clone instead of get in applyVirtuals #14606 #14543 andrews05
fix(document): fire pre validate hooks on 5 level deep single nested subdoc when modifying after save() #14604 #14591
fix: ensure buildBulkWriteOperations target shard if shardKey is set #14622 #14621 matlpriceshape
types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601

`v8.4.0`

==================

feat: upgrade mongodb -> 6.6.2 #14584
feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #14583 #13889
feat: handle initially null driver when instantiating Mongoose for Rollup support #14577 #12335
feat(mongoose): export omitUndefined() helper #14582 #14569
feat: add Model.listSearchIndexes() #14519 #14450
feat(connection): add listDatabases() function #14506 #9048
feat(schema): add schema-level readConcern option to apply default readConcern for all queries #14579 #14511
fix(error): remove model property from CastError to avoid printing all model properties to console #14568 #14529
fix(model): make bulkWrite() and insertMany() throw if throwOnValidationError set and all ops invalid #14587 #14572
fix(document): ensure transform function passed to toObject() options applies to subdocs #14600 #14589
types: add inferRawDocType helper #13900 #13772
types(document): make document _id type default to unknown instead of any #14541

`v8.3.5`

==================

fix(query): shallow clone $or, $and if merging onto empty query filter #14580 #14567
types(model+query): pass TInstanceMethods to QueryWithHelpers so populated docs have methods #14581 #14574
docs(typescript): clarify that setting THydratedDocumentType on schemas is necessary for correct method context #14575 #14573

`v8.3.4`

==================

perf(document): avoid cloning options using spread operator for perf reasons #14565 #14394
fix(query): apply translateAliases before casting to avoid strictMode error when using aliases #14562 #14521
fix(model): consistent top-level timestamps option for bulkWrite operations
#14546 #14536
docs(connections): improve description of connection creation patterns #14564 #14528

`v8.3.3`

==================

perf(document): add fast path for applying non-nested virtuals to JSON #14543
fix: make hydrate() recursively hydrate virtual populate docs if hydratedPopulatedDocs is set #14533 #14503
fix: improve timestamps option handling in bulkWrite #14546 #14536 sderrow
fix(model): make recompileSchema() overwrite existing document array discriminators #14527
types(schema): correctly infer Array<Schema.Types.*> #14534 #14367
types(query+populate): apply populate overrides to doc toObject() result #14525 #14441
types: add null to select override return type for findOne #14545 sderrow

`v8.3.2`

==================

fix(populate): avoid match function filtering out null values in populate result #14518 #14494
types(query): make FilterQuery props resolve to any for generics support #14510 #14473 #14459
types(DocumentArray): pass DocType generic to Document for correct toJSON() and toObject() return types #14526 #14469
types(models): fix incorrect bulk write options #14513 emiljanitzek
docs: add documentation for calling schema.post() with async function #14514 #14305

`v8.3.1`

==================

fix(document): make update minimization unset property rather than setting to null #14504 #14445
fix(model): make Model.recompileSchema() also re-apply discriminators #14500 #14444
fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #14492
fix: update kareem -> 2.6.3 for index.d.ts #14508 #14497
fix(mongoose): make setDriver() update mongoose.model() connections and collections #14505
types(validation): support function for validator message property, and add support for accessing validator reason #14499 #14496
docs: remove typo #14501 epmartini

`v8.3.0`

==================

feat: use mongodb@6.5.0
feat(document): add validateAllPaths option to validate() and validateSync() #14467 #14414
feat: pathsToSave option to save() function #14385 #9583
feat(query): add options parameter to Query.prototype.sort() #14375 #14365
feat: add function SchemaType.prototype.validateAll #14434 #6910
fix: handle array schema definitions with of keyword #14447 #14416
types: add overwriteMiddlewareResult and skipMiddlewareFunction to types #14328 #14829

`v8.2.4`

==================

types(query): bring "getFilter" and "getQuery" in-line with "find" and other types #14463 hasezoey
types(schema): re-export the defintion for SearchIndexDescription #14464 noseworthy
docs: removed unused hook from docs #14461 bernardarhia

`v8.2.3`

==================

fix(schema): avoid returning string 'nested' as schematype #14453 #14443 #14435
types(schema): add missing search index types #14449 noseworthy
types: improve the typing of FilterQuery type to prevent it from only getting typed to any #14436 #14398 #14397

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the renovate label

Contributor Author

renovate bot commented Dec 3, 2024

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

Branch has one or more failed status checks

renovate bot enabled auto-merge (squash)

December 3, 2024 18:21

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 17 times, most recently from 3718e41 to 90fba63 Compare

December 6, 2024 13:39

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 90fba63 to ef0d4e2 Compare

December 11, 2024 15:08

sonarqubecloud bot commented Dec 11, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from ef0d4e2 to 5987d04 Compare

August 10, 2025 12:50

sonarqubecloud bot commented Aug 10, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud


          fix(deps): update dependency mongoose to v8.8.3 [security]

d982c3d

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5987d04 to d982c3d Compare

October 21, 2025 10:33

sonarqubecloud bot commented Oct 21, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels