Skip to content

fix(deps): update dependency mongoose to v6.13.6 [security]#35

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-mongoose-vulnerability
Open

fix(deps): update dependency mongoose to v6.13.6 [security]#35
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-mongoose-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 18, 2023

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
mongoose (source) 6.7.56.13.6 age confidence

Mongoose Prototype Pollution vulnerability

CVE-2023-3696 / GHSA-9m93-w8w6-76hh

More information

Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

Severity

  • CVSS Score: 10.0 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mongoose search injection vulnerability

CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw

More information

Details

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Severity

  • CVSS Score: 9.0 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mongoose search injection vulnerability

CVE-2024-53900 / GHSA-m7xq-9374-9rvx

More information

Details

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Automattic/mongoose (mongoose)

v6.13.6

Compare Source

===================

v6.13.5

Compare Source

===================

  • fix: disallow using $where in match

v6.13.4

Compare Source

===================

v6.13.3

Compare Source

===================

  • docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #​11152

v6.13.2

Compare Source

===================

  • fix(document): make set() respect merge option on deeply nested objects #​14870 #​14878

v6.13.1

Compare Source

===================

v6.13.0

Compare Source

===================

  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v6.12.9

Compare Source

===================

v6.12.8

Compare Source

===================

  • fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #​14468 #​14446
  • fix(schematype): consistently set wasPopulated to object with value property rather than boolean #​14418
  • docs(model): add extra note about lean option for insertMany() skipping casting #​14415 #​14376

v6.12.7

Compare Source

===================

v6.12.6

Compare Source

===================

  • fix(collection): correctly handle buffer timeouts with find() #​14277
  • fix(document): allow calling push() with different $position arguments #​14254

v6.12.5

Compare Source

===================

  • perf(schema): remove unnecessary lookahead in numeric subpath check
  • fix(document): allow setting nested path to null #​14226
  • fix(document): avoid flattening dotted paths in mixed path underneath nested path #​14198 #​14178
  • fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #​14213

v6.12.4

Compare Source

===================

  • fix: upgrade mongodb driver -> 4.17.2
  • fix(document): avoid treating nested projection as inclusive when applying defaults #​14173 #​14115
  • fix: account for null values when assigning isNew property #​14172 #​13883

v6.12.3

Compare Source

===================

  • fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #​14052
  • fix(schema): fix dangling reference to virtual in tree after removeVirtual() #​14019 #​13085
  • fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #​14053 #​14024
  • fix(document): consistently avoid marking subpaths of nested paths as modified #​14053 #​14022

v6.12.2

Compare Source

===================

v6.12.1

Compare Source

===================

v6.12.0

Compare Source

===================

  • feat: use mongodb driver v4.17.1
  • fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #​13664
  • fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #​13763 #​13720

v6.11.6

Compare Source

===================

v6.11.5

Compare Source

===================

  • fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #​13671 #​13626
  • fix: custom debug function not processing all args #​13418

v6.11.4

Compare Source

===================

  • perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #​13614

v6.11.3

Compare Source

===================

  • fix: avoid prototype pollution on init
  • fix(schema): correctly handle uuids with populate() #​13317 #​13595

v6.11.2

Compare Source

===================

v6.11.1

Compare Source

===================

  • fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #​13348 #​13340
  • fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #​13384 #​13373
  • types(model): allow overwriting expected param type for bulkWrite() #​13292 hasezoey

v6.11.0

Compare Source

===================

v6.10.5

Compare Source

===================

  • perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #​12953
  • fix(model): execute valid write operations if calling bulkWrite() with ordered: false #​13218 #​13176
  • fix(array): pass-through all parameters #​13202 #​13201 hasezoey
  • fix: improve error message when sorting by empty string #​13249 #​10182
  • docs: add version support and check version docs #​13251 #​13193

v6.10.4

Compare Source

===================

  • fix(document): apply setters on resulting value when calling Document.prototype.$inc() #​13178 #​13158
  • fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #​13163 #​12791
  • docs(guide+schematypes): add UUID to schematypes guide #​13184

v6.10.3

Compare Source

===================

v6.10.2

Compare Source

===================

  • fix(document): avoid setting array default if document array projected out by sibling projection #​13135 #​13043 #​13003
  • fix(documentarray): set correct document array path if making map of document arrays #​13133
  • fix: undo accidental change to engines in package.json #​13124 lorand-horvath
  • docs: quick improvement to Model.init() docs #​13054

v6.10.1

Compare Source

===================

v6.10.0

Compare Source

===================

v6.9.3

Compare Source

==================

v6.9.2

Compare Source

==================

v6.9.1

Compare Source

==================

  • fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #​12994 lpizzinidev
  • fix(document): save newly set defaults underneath single nested subdocuments #​13002 #​12905
  • fix(update): handle custom discriminator model name when casting update #​12947 wassil
  • fix(connection): handles unique autoincrement ID for connections #​12990 lpizzinidev
  • fix(types): fix type of options of Model.aggregate #​12933 ghost91-
  • fix(types): fix "near" aggregation operator input type #​12954 Jokero
  • fix(types): add missing Top operator to AccumulatorOperator type declaration #​12952 lpizzinidev
  • docs(transactions): added example for Connection.transaction() method #​12943 #​12934 lpizzinidev
  • docs(populate): fix out of date comment referencing onModel property #​13000
  • docs(transactions): fix typo in transactions.md #​12995 Parth86

v6.9.0

Compare Source

==================

v6.8.4

Compare Source

==================

v6.8.3

Compare Source

==================

  • perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #​12867 Uzlopak
  • fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #​12866
  • fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #​12836
  • fix(types): avoid inferring timestamps if methods, virtuals, or statics set #​12871
  • fix(types): correctly infer string enums on const arrays #​12870 JavaScriptBach
  • fix(types): allow virtuals to be invoked in the definition of other virtuals #​12874 sffc
  • fix(types): add type def for Aggregate#model without arguments #​12864 hasezoey
  • docs(discriminators): add section about changing discriminator key #​12861
  • docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #​12860 #​12684

v6.8.2

Compare Source

==================

  • fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #​12827 #​12796
  • fix(model): respect discriminators with Model.validate() #​12824 #​12621
  • fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #​12826 #​12821
  • fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #​12833 #​12696
  • fix(types): add option "overwriteModels" as a schema option #​12817 #​12816 hasezoey
  • fix(types): add property "defaultOptions" #​12818 hasezoey
  • docs: make search bar respect documentation version, so you can search 5.x docs #​12548
  • docs(typescript): make note about recommending strict mode when using auto typed schemas #​12825 #​12420
  • docs: add section on sorting to query docs #​12588 IslandRhythms
  • test(query.test): add write-concern option #​12829 hasezoey

v6.8.1

Compare Source

==================

v6.8.0

Compare Source

==================


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.11.3 [security] fix(deps): update dependency mongoose to v6.11.3 [security] - autoclosed Nov 2, 2023
@renovate renovate Bot closed this Nov 2, 2023
@renovate renovate Bot deleted the renovate/npm-mongoose-vulnerability branch November 2, 2023 03:02
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.11.3 [security] - autoclosed fix(deps): update dependency mongoose to v6.11.3 [security] Nov 2, 2023
@renovate renovate Bot reopened this Nov 2, 2023
@renovate renovate Bot restored the renovate/npm-mongoose-vulnerability branch November 2, 2023 06:54
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from fe42310 to bb959a8 Compare November 2, 2023 06:54
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from bb959a8 to caae303 Compare December 3, 2024 09:37
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.11.3 [security] fix(deps): update dependency mongoose to v8 [security] Dec 3, 2024
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v6.11.3 [security] Dec 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 0d7e4ea to 4e83596 Compare December 5, 2024 03:52
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.11.3 [security] fix(deps): update dependency mongoose to v6.13.5 [security] Dec 5, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 4e83596 to d8cdfdc Compare January 17, 2025 00:47
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v8 [security] Jan 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from d8cdfdc to ce48827 Compare January 17, 2025 20:55
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v6.13.5 [security] Jan 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from ce48827 to de002e1 Compare January 18, 2025 05:06
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v6.13.6 [security] Jan 18, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from de002e1 to 518dfaa Compare August 10, 2025 12:59
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 518dfaa to 9c3dc6e Compare October 21, 2025 14:48
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 9c3dc6e to 0e3bc2c Compare December 31, 2025 17:38
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0e3bc2c to eb9a3d0 Compare January 19, 2026 14:48
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from eb9a3d0 to 248bce6 Compare February 4, 2026 20:34
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] fix(deps): update dependency mongoose to v6.13.5 [security] Feb 4, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 248bce6 to 3867b0b Compare February 12, 2026 10:53
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v6.13.5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-mongoose-vulnerability branch March 27, 2026 01:07
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] - autoclosed fix(deps): update dependency mongoose to v6.13.5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3867b0b to ed05711 Compare March 30, 2026 18:08
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from ed05711 to 17837e6 Compare April 15, 2026 09:12
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.5 [security] fix(deps): update dependency mongoose to v6.13.6 [security] Apr 15, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v6.13.6 [security] - autoclosed fix(deps): update dependency mongoose to v6.13.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 17837e6 to e9e64ac Compare April 27, 2026 20:57
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from e9e64ac to 94b7ed4 Compare May 12, 2026 09:56
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 94b7ed4 to 27d156f Compare July 12, 2026 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants