fix(deps): update dependency mongoose to v6.13.6 [security]
This PR contains the following updates:
| Package | Change |
|---|---|
| mongoose (source) | 6.11.3 -> 6.13.6 |
GitHub Vulnerability Alerts
CVE-2024-53900
Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
CVE-2025-23061
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
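The two advisories above describe a filter-level problem: a `$where` clause carries JavaScript that the server evaluates, and the first fix only rejected `$where` at the top of a populate `match` object, which is why the nested case needed CVE-2025-23061. The following is an added illustration, not mongoose's own code, of an application-side guard that walks a filter (or populate options) and rejects `$where` at any depth; the filter shapes are constructed samples.

```javascript
// Added example (not from mongoose): reject MongoDB filters that contain the
// $where operator at any depth, including inside a populate() match object.
// Mongoose 6.13.5 rejected a top-level $where in match; 6.13.6 extended the
// check to nested $where (CVE-2025-23061). This guard does the deep walk.

// Walk a filter value and return the dotted path of the first $where key
// found, or null when the filter is clean. Arrays ($and, $or, ...) are
// descended into with their index as a path segment.
function findWhere(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findWhere(value[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '$where') return path.concat(key).join('.');
      const hit = findWhere(value[key], path.concat(key));
      if (hit) return hit;
    }
  }
  return null;
}

// A top-level-only check, shown for contrast: it misses $where nested under
// $and/$or, which is the gap the incomplete fix left open.
function hasTopLevelWhere(filter) {
  return filter !== null && typeof filter === 'object' &&
    Object.prototype.hasOwnProperty.call(filter, '$where');
}

// Throw before the filter reaches the driver if $where appears anywhere.
function assertNoWhere(filter) {
  const hit = findWhere(filter);
  if (hit) throw new Error(`$where is not allowed in query filters (found at ${hit})`);
  return filter;
}

// Constructed sample filters, as an application might build them from request input.
const plainFilter = { name: 'alice', age: { $gte: 18 } };
const topLevelWhere = { $where: 'this.balance > 0' };
const nestedWhere = { $and: [{ name: 'alice' }, { $where: 'this.balance > 0' }] };
const populateOptions = { path: 'author', match: { $or: [{ $where: '1 === 1' }] } };
```

Run `assertNoWhere()` on every filter and on `populateOptions.match` before handing them to a query; it is cheap and independent of the mongoose version in use.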
Release Notes
Automattic/mongoose (mongoose)
v6.13.6
===================
- fix: disallow nested $where in populate match CVE-2025-23061
v6.13.5
===================
- fix: disallow using $where in match
v6.13.4
===================
- fix: save execution stack in query as string #15043 #15039
- docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos
v6.13.3
===================
- docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152
v6.13.2
===================
v6.13.1
===================
v6.13.0
===================
- feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410
v6.12.9
===================
- fix(cast): cast $comment to string in query filters #14590 #14576
- types(model): allow passing strict type checking override to create() #14571 #14548
v6.12.8
===================
- fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
- fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
- docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376
v6.12.7
===================
- perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
- perf(document+schema): small optimizations to make init() faster #14383 #14113
- fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
- fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150
v6.12.6
===================
- fix(collection): correctly handle buffer timeouts with find() #14277
- fix(document): allow calling push() with different $position arguments #14254
v6.12.5
===================
- perf(schema): remove unnecessary lookahead in numeric subpath check
- fix(document): allow setting nested path to null #14226
- fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
- fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213
v6.12.4
===================
- fix: upgrade mongodb driver -> 4.17.2
- fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
- fix: account for null values when assigning isNew property #14172 #13883
v6.12.3
===================
- fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
- fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
- fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
- fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022
v6.12.2
===================
- fix: add fullPath to ValidatorProps #13995 Freezystem
v6.12.1
===================
- fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13945 #13887 hasezoey
- fix: Document.prototype.isModified support for a string of keys as first parameter #13940 #13674 k-chop
v6.12.0
===================
- feat: use mongodb driver v4.17.1
- fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
- fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720
v6.11.6
===================
- fix(model): avoid hanging on empty bulkWrite() with ordered: false #13701 #13684 JavaScriptBach
- types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey
v6.11.5
===================
- fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
- fix: custom debug function not processing all args #13418
v6.11.4
===================
- perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614
This PR was generated by Mend Renovate. View the repository job log.
/gcbrun
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot.