studio
studio copied to clipboard
Published
20 hours ago •
mathigon
mathigon
Update dependency mongoose to v8.9.5
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| mongoose (source) | dependencies | minor | 8.5.2 -> 8.9.5 |
By merging this PR, the issue #402 will be automatically resolved and closed:
| Severity |  CVSS Score |
CVE | Reachability |
|---|---|---|---|
 Critical |
9.1 | CVE-2024-53900 | |
| Critical |
9.0 | CVE-2025-23061 |
Release Notes
Automattic/mongoose (mongoose)
v8.9.5
==================
- fix: disallow nested $where in populate match CVE-2025-23061
- fix(schema): handle bitwise operators on Int32 #15176 #15170
v8.9.4
==================
- fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
- fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
- fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
- fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
- types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
- docs: fix
<code>in header ids #15159 - docs: fix header in field-level-encryption.md #15137 damieng
v8.9.3
==================
- fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
- fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
- fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
- fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
- perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
- types: make BufferToBinary avoid Document instances #15123 #15122
- types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
- types(schema): add missing removeIndex #15134
- types: add cleanIndexes() to IndexManager interface #15127
- docs: move search endpoint to netlify #15119
v8.9.2
==================
- fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
- fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
- fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
- types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
- types: add UUID to RefType #15115 #15101
- docs: remove link to Mongoose 5.x docs from dropdown #15116
- docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107
v8.9.1
==================
- fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
- fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092
- fix(model): handle discriminators in castObject() #15096 #15075
- fix(schema): throw error if duplicate index definition using unique in schema path and subsequent .index() call #15093 #15056
- fix: mark documents that are populated using hydratedPopulatedDocs option as populated in top-level doc #15080 #15048
- fix(document+schema): improve error message for get() on invalid path #15098 #15071
- docs: remove more callback doc references & some small other changes #15095
v8.9.0
==================
- feat: upgrade mongodb -> 6.12
- feat: add int32 schematype #15054 aditi-khare-mongoDB
- feat: add double schematype #15061 aditi-khare-mongoDB
- feat: allow specifying error message override for duplicate key errors unique: true #15059 #12844
- feat(connection): add support for Connection.prototype.bulkWrite() with MongoDB server 8.0 #15058 #15028
- feat: add forceRepopulate option for populate() to allow avoiding repopulating already populated docs #15044 #14979
- fix(connection): remove heartbeat check in load balanced mode #15089 #15042
- fix(query): clone PopulateOptions when setting _localModel to avoid state leaking between subpopulate instances #15082 #15026
- types: add splice() to DocumentArray to allow adding partial objects with splice() #15085 #15041
- types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #15087 mlomnicki
- docs: Remove merge conflict markers #15090 sponrad
v8.8.4
==================
- fix: cast using overwritten embedded discriminator key when set #15076 #15051
- fix: avoid throwing error if saveOptions undefined when invalidating subdoc cache #15062
v8.8.3
==================
- fix: disallow using $where in match
- perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties #15055 #15029
- fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update #15046 #15040
v8.8.2
==================
- fix(model): handle array filters when casting bulkWrite #15036 #14978
- fix(model): make diffIndexes() avoid trying to drop default timeseries collection index #15035 #14984
- fix: save execution stack in query as string #15039 durran
- types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' #15038
- docs(migrating_to_8): add note about removing findByIdAndRemove #15024 dragontaek-lee
v8.8.1
==================
- perf: make a few micro-optimizations to help speed up findOne() #15022 #14906
- fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly #15001 #14961
- fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode #15000 #8619
v8.8.0
==================
- feat: upgrade mongodb -> ~6.10 #14991 #14877
- feat(query): add schemaLevelProjections option to query to disable schema-level select: false #14986 #11474
- feat: allow defining virtuals on arrays, not just array elements #14955 #2326
- feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO #14943 #14698
- feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() #14987 #14868
- fix(query): make sanitizeFilter disable implicit $in #14985 #14657
- fix(model): avoid unhandled error if createIndex() throws a sync error #14995
- fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError #14993
- types: added toJSON:flattenObjectIds effect #14989
- types: add
__vto lean() result type and ModifyResult #14990 #12959 - types: use globalThis instead of global for NativeDate #14992 #14988
- docs(change-streams): fix markdown syntax highlighting for script output example #14994
v8.7.3
==================
- fix(cursor): close underlying query cursor when calling destroy() #14982 #14966
- types: add JSONSerialized helper that can convert HydratedDocument to JSON output type #14981 #14451
- types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override #14977
- types(connection): add missing sanitizeFilter option #14975
- types: improve goto definition for inferred schema definitions #14968 forivall
- docs(migration-guide-v7): correct link to the section "Id Setter" #14973 rb-ntnx
v8.7.2
==================
- fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null #14963 #14952
- fix(populate): handle array of ids with parent refPath #14965
- types: make Buffers into mongodb.Binary in lean result type to match runtime behavior #14967
- types: correct schema type inference when using nested typeKey like type: { type: String } #14956 #14950
- types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver #14947 #14946
- docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment #14972
- docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty #14957
v8.7.1
==================
- fix: set flattenObjectIds to false when calling toObject() for internal purposes #14938
- fix: add mongodb 8 to test matrix #14937
- fix: handle buffers stored in MongoDB as EJSON representation with { $binary } #14932
- docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support #14937
v8.7.0
==================
- feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
- feat: upgrade mongodb -> 6.9.0 #14914
- feat(query): cast $rename to string #14887 #3027
- feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
- fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
- fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
- fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
- types: make __v a number, only set __v on top-level documents #14892
v8.6.4
==================
- fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
- fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
- fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee
v8.6.3
==================
- fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
- fix: fix missing Aggregate re-exports for ESM #14886 wongsean
- types(document): add generic param to depopulate() to allow updating properties #14891 #14876
v8.6.2
==================
- fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
- types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
- types: make SchemaType static setters property accessible in TypeScript #14881 #14879
- type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839
v8.6.1
==================
- fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
- fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
- fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
- types(query): add $expr to RootQuerySelector #14845
- docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb
v8.6.0
==================
- feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with
MongooseErrorinstead ofMongoCursorExhaustedError#14813 - feat(model+query): support options parameter for distinct() #14772 #8006
- feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745
- types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig
- types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883
- types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734
v8.5.5
==================
- fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759
- fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #14821
- types: fix schema type based on timestamps schema options value #14829 #14825 ark23CIS
v8.5.4
==================
- fix: add empty string check for collection name passed #14806 Shubham2552
- docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809
v8.5.3
==================
- fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788
- fix(populate): avoid throwing error when no result and
lean()set #14799 #14794 #14759 MohOraby - fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394
- types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793
- types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS
- types(cursor): indicate that cursor.next() can return null #14798 #14787
- types: allow mongoose.connection.db to be undefined #14797 #14789
- docs: add schema type widening advice #14790 JstnMcBrd
- [ ] If you want to rebase/retry this PR, check this box
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "Published by a pub.dev verified publisher"){kind=small}