Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency mongoose to v5.13.20 [security] #940

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

chore(deps): update dependency mongoose to v5.13.20 [security] #940

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 28, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mongoose (source) 5.12.13 -> 5.13.20 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

Release Notes

Automattic/mongoose (mongoose)

v5.13.20

Compare Source

v5.13.19

Compare Source

v5.13.18

Compare Source

v5.13.17

Compare Source

====================

v5.13.16

Compare Source

====================

v5.13.15

Compare Source

====================

v5.13.14

Compare Source

====================

  • fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt #​11024
  • docs(models): fix up nModified example for 5.x #​11055

v5.13.13

Compare Source

====================

v5.13.12

Compare Source

====================

  • fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' #​10897 iovanom
  • fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors #​10617

v5.13.11

Compare Source

====================

  • fix: upgrade mongodb -> 3.7.2 #​10871 winstonralph
  • fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with useDb() #​10732

v5.13.10

Compare Source

====================

  • fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions #​10674
  • fix(index.d.ts): allow AnyObject as param to findOneAndReplace() #​10714

v5.13.9

Compare Source

===================

  • fix(populate): avoid setting empty array on lean document when populate result is undefined #​10599
  • fix(document): make depopulate() handle populated paths underneath document arrays #​10592
  • fix: peg @​types/bson version to 1.x || 4.0.x to avoid stubbed 4.2.x release #​10678
  • fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with extends Document and any #​10647
  • fix(index.d.ts): allow specifying weights as an IndexOption #​10586
  • fix: upgrade to mpath v0.8.4 re: security issue #​10683

v5.13.8

Compare Source

===================

  • fix(populate): handle populating subdoc array virtual with sort #​10552
  • fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 #​10420
  • fix(index.d.ts): correct value of this for custom query helper methods #​10545
  • fix(index.d.ts): allow strings for ObjectIds in nested properties #​10573
  • fix(index.d.ts): add match to VirtualTypeOptions.options #​8749
  • fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions #​10587 osmanakol
  • docs(api): add Document#$where to API docs #​10583

v5.13.7

Compare Source

===================

  • perf(index.d.ts): loosen up restrictions on ModelType generic for Schema for a ~50% perf improvement when compiling TypeScript and using intellisense #​10536 #​10515 #​10349
  • fix(index.d.ts): fix broken Schema#index() types #​10562 JaredReisinger
  • fix(index.d.ts): allow using SchemaTypeOptions with array of raw document interfaces #​10537
  • fix(index.d.ts): define IndexOptions in terms of mongodb.IndexOptions #​10563 JaredReisinger
  • fix(index.d.ts): improve intellisense for DocumentArray push() #​10546
  • fix(index.d.ts): correct type for expires #​10529
  • fix(index.d.ts): add Query#model property to ts bindings #​10531
  • refactor(index.d.ts): make callbacks use the new Callback and CallbackWithoutResult types #​10550 thiagokisaki

v5.13.6

Compare Source

===================

  • fix: upgrade mongodb driver -> 3.6.11 #​10543 maon-fp
  • fix(schema): throw more helpful error when defining a document array using a schema from a different copy of the Mongoose module #​10453
  • fix: add explicit check on constructor property to avoid throwing an error when checking objects with null prototypes #​10512
  • fix(cursor): make sure to clear stack every 1000 docs when calling next() to avoid stack overflow with large batch size #​10449
  • fix(index.d.ts): allow calling new Model(...) with generic Model param #​10526
  • fix(index.d.ts): update type declarations of Schema.index method #​10538 #​10530 Raader
  • fix(index.d.ts): add useNewUrlParser and useUnifiedTopology to ConnectOptions #​10500
  • fix(index.d.ts): add missing type for diffIndexes #​10547 bvgusak
  • fix(index.d.ts): fixed incorrect type definition for Query's .map function #​10544 GCastilho
  • docs(schema): add more info and examples to Schema#indexes() docs #​10446
  • chore: add types property to package.json #​10557 thiagokisaki

v5.13.5

Compare Source

===================

v5.13.4

Compare Source

===================

  • fix: avoid pulling non-schema paths from documents into nested paths #​10449
  • fix(update): support overwriting nested map paths #​10485
  • fix(update): apply timestamps to subdocs that would be newly created by $setOnInsert #​10460
  • fix(map): correctly clone subdocs when calling toObject() on a map #​10486
  • fix(cursor): cap parallel batchSize for populate at 5000 #​10449
  • fix(index.d.ts): improve autocomplete for new Model() by making doc an object with correct keys #​10475
  • fix(index.d.ts): add MongooseOptions interface #​10471 thiagokisaki
  • fix(index.d.ts): make LeanDocument work with PopulatedDoc #​10494
  • docs(mongoose+connection): correct default value for bufferTimeoutMS #​10476
  • chore: remove unnecessary 'eslint-disable' comments #​10466 thiagokisaki

v5.13.3

Compare Source

===================

  • fix(model): avoid throwing error when bulkSave() called on a document with no changes #​10437
  • fix(timestamps): apply timestamps when creating new subdocs with $addToSet and with positional operator #​10447
  • fix(schema): allow calling Schema#loadClass() with class that has a static getter with no setter #​10436
  • fix(model): handle re-applying object defaults after explicitly unsetting #​10442 semirturgay
  • fix: bump mongodb driver -> 3.6.10 #​10440 AbdelrahmanHafez
  • fix(index.d.ts): consistently use NativeDate instead of Date for Date validators and timestamps functions #​10426
  • fix(index.d.ts): allow calling discriminator() with non-document #​10452 #​10421 DouglasGabr
  • fix(index.d.ts): allow passing ResultType generic to Schema#path() #​10435

v5.13.2

Compare Source

===================

v5.13.1

Compare Source

====================

v5.13.0

Compare Source

===================

  • feat(query): add sanitizeProjection option to opt in to automatically sanitizing untrusted query projections #​10243
  • feat(model): add bulkSave() function that saves multiple docs in 1 bulkWrite() #​9727 #​9673 AbdelrahmanHafez
  • feat(document): allow passing a list of virtuals or pathsToSkip to apply in toObject() and toJSON() #​10120
  • fix(model): make Model.validate use object under validation as context by default #​10360 AbdelrahmanHafez
  • feat(document): add support for pathsToSkip in validate and validateSync #​10375 AbdelrahmanHafez
  • feat(model): add diffIndexes() function that calculates what indexes syncIndexes() will create/drop without actually executing any changes #​10362 IslandRhythms
  • feat(document): avoid using sessions that have ended, so you can use documents that were loaded in the session after calling endSession() #​10306

v5.12.15

Compare Source

====================

v5.12.14

Compare Source

====================

  • fix(schema): check that schema type is an object when setting isUnderneathDocArray #​10361 vmo-khanus
  • fix(document): avoid infinite recursion when setting single nested subdoc to array #​10351
  • fix(populate): allow populating nested path in schema using Model.populate() #​10335
  • fix(drivers): emit operation-start/operation-end events to allow inspecting when operations start and end
  • fix(index.d.ts): improve typings for virtuals #​10350 thiagokisaki
  • fix(index.d.ts): correct constructor type for Document #​10328
  • fix(index.d.ts): add ValidationError as a possible type for ValidationError#errors #​10320 IslandRhythms
  • fix: remove unnecessary async devDependency that's causing npm audit warnings #​10281
  • docs(typescript): add schemas guide #​10308
  • docs(model): add options parameter description to Model.exists() #​10336 Aminoiz

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from abc43e6 to 1eb0fff Compare July 19, 2023 11:42
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 1eb0fff to 6ae38df Compare September 19, 2023 15:33
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 6ae38df to 80bc3f6 Compare September 26, 2023 15:58
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 80bc3f6 to abcefe1 Compare October 15, 2023 11:55
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from abcefe1 to 433d3c6 Compare October 23, 2023 12:48
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 433d3c6 to 0fc4766 Compare December 3, 2023 12:16
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0fc4766 to f1f83d9 Compare December 27, 2023 19:54
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from f1f83d9 to a2d1f7f Compare January 28, 2024 10:18
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from a2d1f7f to 8efeae4 Compare February 4, 2024 11:41
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 8efeae4 to d72ab0e Compare February 25, 2024 09:02
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from d72ab0e to a3954e4 Compare March 12, 2024 11:35
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 7289df3 to 14fcb75 Compare March 24, 2024 16:16
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 14fcb75 to ddb644e Compare June 4, 2024 12:24
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from ddb644e to 22e9813 Compare July 21, 2024 11:12
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 22e9813 to 0284d5e Compare August 6, 2024 07:05
@renovate renovate bot changed the title chore(deps): update dependency mongoose to v5.13.15 [security] chore(deps): update dependency mongoose to v5.13.20 [security] Aug 6, 2024
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0284d5e to e1700e2 Compare August 28, 2024 08:17
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from e1700e2 to 5bf7ba1 Compare September 9, 2024 13:23
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5bf7ba1 to cd7b7d4 Compare October 9, 2024 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants