New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency mongoose to v8 [SECURITY] #66

Open

renovate wants to merge 1 commit into main from renovate/npm-mongoose-vulnerability

Contributor

renovate bot commented Mar 17, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	`6.1.8` -> `8.8.3`

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

CVE-2024-53900

Mongoose before 8.8.3 can improperly use $where in match.

Release Notes

Automattic/mongoose (mongoose)

`v8.8.3`

==================

fix: disallow using $where in match
perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties #15055 #15029
fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update #15046 #15040

`v8.8.2`

==================

fix(model): handle array filters when casting bulkWrite #15036 #14978
fix(model): make diffIndexes() avoid trying to drop default timeseries collection index #15035 #14984
fix: save execution stack in query as string #15039 durran
types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' #15038
docs(migrating_to_8): add note about removing findByIdAndRemove #15024 dragontaek-lee

`v8.8.1`

==================

perf: make a few micro-optimizations to help speed up findOne() #15022 #14906
fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly #15001 #14961
fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode #15000 #8619

`v8.8.0`

==================

feat: upgrade mongodb -> ~6.10 #14991 #14877
feat(query): add schemaLevelProjections option to query to disable schema-level select: false #14986 #11474
feat: allow defining virtuals on arrays, not just array elements #14955 #2326
feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO #14943 #14698
feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() #14987 #14868
fix(query): make sanitizeFilter disable implicit $in #14985 #14657
fix(model): avoid unhandled error if createIndex() throws a sync error #14995
fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError #14993
types: added toJSON:flattenObjectIds effect #14989
types: add __v to lean() result type and ModifyResult #14990 #12959
types: use globalThis instead of global for NativeDate #14992 #14988
docs(change-streams): fix markdown syntax highlighting for script output example #14994

`v8.7.3`

==================

fix(cursor): close underlying query cursor when calling destroy() #14982 #14966
types: add JSONSerialized helper that can convert HydratedDocument to JSON output type #14981 #14451
types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override #14977
types(connection): add missing sanitizeFilter option #14975
types: improve goto definition for inferred schema definitions #14968 forivall
docs(migration-guide-v7): correct link to the section "Id Setter" #14973 rb-ntnx

`v8.7.2`

==================

fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null #14963 #14952
fix(populate): handle array of ids with parent refPath #14965
types: make Buffers into mongodb.Binary in lean result type to match runtime behavior #14967
types: correct schema type inference when using nested typeKey like type: { type: String } #14956 #14950
types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver #14947 #14946
docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment #14972
docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty #14957

`v8.7.1`

==================

fix: set flattenObjectIds to false when calling toObject() for internal purposes #14938
fix: add mongodb 8 to test matrix #14937
fix: handle buffers stored in MongoDB as EJSON representation with { $binary } #14932
docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support #14937

`v8.7.0`

==================

feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #14905 #14818
feat: upgrade mongodb -> 6.9.0 #14914
feat(query): cast $rename to string #14887 #3027
feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #14880 #8389
fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #14884 #14763
fix(connection): avoid returning readyState = connected if connection state is stale #14812 #14727
fix: depopulate if push() or addToSet() with an ObjectId on a populated array #14883 #1635
types: make __v a number, only set __v on top-level documents #14892

`v8.6.4`

==================

fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #14910 #14897
fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #14904 dragontaek-lee
fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #14908 dragontaek-lee

`v8.6.3`

==================

fix: make getters convert uuid to string when calling toObject() and toJSON() #14890 #14869
fix: fix missing Aggregate re-exports for ESM #14886 wongsean
types(document): add generic param to depopulate() to allow updating properties #14891 #14876

`v8.6.2`

==================

fix: make set merge deeply nested objects #14870 #14861 ianHeydoc
types: allow arbitrary keys in query filters again (revert #14764) #14874 #14863 #14862 #14842
types: make SchemaType static setters property accessible in TypeScript #14881 #14879
type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #14882 #14839

`v8.6.1`

==================

fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835
fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763
fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846
types(query): add $expr to RootQuerySelector #14845
docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

`v8.6.0`

==================

feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813
feat(model+query): support options parameter for distinct() #14772 #8006
feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745
types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig
types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883
types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734

`v8.5.5`

==================

fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759
fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #14821
types: fix schema type based on timestamps schema options value #14829 #14825 ark23CIS

`v8.5.4`

==================

fix: add empty string check for collection name passed #14806 Shubham2552
docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809

`v8.5.3`

==================

fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788
fix(populate): avoid throwing error when no result and lean() set #14799 #14794 #14759 MohOraby
fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394
types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793
types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS
types(cursor): indicate that cursor.next() can return null #14798 #14787
types: allow mongoose.connection.db to be undefined #14797 #14789
docs: add schema type widening advice #14790 JstnMcBrd

`v8.5.2`

==================

perf(clone): avoid further unnecessary checks if cloning a primitive value #14762 #14394
fix: allow setting document array default to null #14769 #14717 #6691
fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #14744 #14736
fix(model+document): avoid depopulating manually populated doc as getter value #14760 #14759
fix: correct shardkey access in buildBulkWriteOps #14753 #14752 adf0nt3s
fix(query): handle casting $switch in $expr #14755 #14751
types: allow calling SchemaType.cast() without parent and init parameters #14756 #14748 #9076
docs: fix a wrong example in v6 migration guide #14758 abdelrahman-elkady

`v8.5.1`

==================

perf(model): performance improvements for insertMany() #14724
fix(model): avoid leaving subdoc defaults on top-level doc when setting subdocument to same value #14728 #14722
fix(model): handle transactionAsyncLocalStorage option with insertMany() #14743
types: make _id required on Document type #14735 #14660
types: fix ChangeStream.close to return a Promise like the driver #14740 orgads

`v8.5.0`

==================

perf: memoize toJSON / toObject default options #14672
feat(document): add $createModifiedPathsSnapshot(), $restoreModifiedPathsSnapshot(), $clearModifiedPaths() #14699 #14268
feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema #14691
feat: allow setting array default value to null #14717 #6691
feat(mongoose): allow drivers to set global plugins #14682
feat(connection): bubble up monitorCommands events to Mongoose connection if monitorCommands option set #14681 #14611
fix(document): ensure post('deleteOne') hooks are called when calling save() after subdoc.deleteOne() #14732 #9885
fix(query): remove count() and findOneAndRemove() from query chaining #14692 #14689
fix: remove default connection if setting createInitialConnection to false after Mongoose instance created #14679 #8302
types(models+query): infer return type from schema for 1-level deep nested paths #14632
types(connection): make transaction() return type match the executor function #14661 #14656
docs: fix docs links in index.md mirasayon

`v8.4.5`

==================

types: correct this for validate.validator schematype option #14720 #14696
docs(model): note that insertMany() with lean skips applying defaults #14723 #14698

`v8.4.4`

==================

perf: avoid unnecesary get() call and use faster approach for converting to string #14673 #14394
fix(projection): handle projections on arrays in Model.hydrate() projection option #14686 #14680
fix(document): avoid passing validateModifiedOnly to subdocs so subdocs get fully validating if they're directly modified #14685 #14677
fix: handle casting primitive array with $elemMatch in bulkWrite() #14687 #14678
fix(query): cast $pull using embedded discriminator schema when discriminator key is set in filter #14676 #14675
types(connection): fix return type of withSession() #14690 tt-public
types: add $documents pipeline stage and fix $unionWith type #14666 nick-statsig
docs(findoneandupdate): improve example that shows findOneAndUpdate() returning doc before updates were applied #14671 #14670

`v8.4.3`

==================

fix: remove 0x flamegraph files from release

`v8.4.2`

==================

perf: more toObject() perf improvements #14623 #14606 #14394
fix(model): check the value of overwriteModels in options when calling discriminator() #14646 uditha-g
fix: avoid throwing TypeError when deleting an null entry on a populated Map #14654 futurliberta
fix(connection): fix up some inconsistencies in operation-end event and add to docs #14659 #14648
types: avoid inferring Boolean, Buffer, ObjectId as Date in schema definitions under certain circumstances #14667 #14630
docs: add note about parallelism in transations #14647 fiws

`v8.4.1`

==================

fix: pass options to clone instead of get in applyVirtuals #14606 #14543 andrews05
fix(document): fire pre validate hooks on 5 level deep single nested subdoc when modifying after save() #14604 #14591
fix: ensure buildBulkWriteOperations target shard if shardKey is set #14622 #14621 matlpriceshape
types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601

`v8.4.0`

==================

feat: upgrade mongodb -> 6.6.2 #14584
feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #14583 #13889
feat: handle initially null driver when instantiating Mongoose for Rollup support #14577 #12335
feat(mongoose): export omitUndefined() helper #14582 #14569
feat: add Model.listSearchIndexes() #14519 #14450
feat(connection): add listDatabases() function #14506 #9048
feat(schema): add schema-level readConcern option to apply default readConcern for all queries #14579 #14511
fix(error): remove model property from CastError to avoid printing all model properties to console #14568 #14529
fix(model): make bulkWrite() and insertMany() throw if throwOnValidationError set and all ops invalid #14587 #14572
fix(document): ensure transform function passed to toObject() options applies to subdocs #14600 #14589
types: add inferRawDocType helper #13900 #13772
types(document): make document _id type default to unknown instead of any #14541

`v8.3.5`

==================

fix(query): shallow clone $or, $and if merging onto empty query filter #14580 #14567
types(model+query): pass TInstanceMethods to QueryWithHelpers so populated docs have methods #14581 #14574
docs(typescript): clarify that setting THydratedDocumentType on schemas is necessary for correct method context #14575 #14573

`v8.3.4`

==================

perf(document): avoid cloning options using spread operator for perf reasons #14565 #14394
fix(query): apply translateAliases before casting to avoid strictMode error when using aliases #14562 #14521
fix(model): consistent top-level timestamps option for bulkWrite operations
#14546 #14536
docs(connections): improve description of connection creation patterns #14564 #14528

`v8.3.3`

==================

perf(document): add fast path for applying non-nested virtuals to JSON #14543
fix: make hydrate() recursively hydrate virtual populate docs if hydratedPopulatedDocs is set #14533 #14503
fix: improve timestamps option handling in bulkWrite #14546 #14536 sderrow
fix(model): make recompileSchema() overwrite existing document array discriminators #14527
types(schema): correctly infer Array<Schema.Types.*> #14534 #14367
types(query+populate): apply populate overrides to doc toObject() result #14525 #14441
types: add null to select override return type for findOne #14545 sderrow

`v8.3.2`

==================

fix(populate): avoid match function filtering out null values in populate result #14518 #14494
types(query): make FilterQuery props resolve to any for generics support #14510 #14473 #14459
types(DocumentArray): pass DocType generic to Document for correct toJSON() and toObject() return types #14526 #14469
types(models): fix incorrect bulk write options #14513 emiljanitzek
docs: add documentation for calling schema.post() with async function #14514 #14305

`v8.3.1`

==================

fix(document): make update minimization unset property rather than setting to null #14504 #14445
fix(model): make Model.recompileSchema() also re-apply discriminators #14500 #14444
fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #14492
fix: update kareem -> 2.6.3 for index.d.ts #14508 #14497
fix(mongoose): make setDriver() update mongoose.model() connections and collections #14505
types(validation): support function for validator message property, and add support for accessing validator reason #14499 #14496
docs: remove typo #14501 epmartini

`v8.3.0`

==================

feat(document): add validateAllPaths option to validate() and validateSync() #14467 #14414
feat: pathsToSave option to save() function #14385 #9583
feat(query): add options parameter to Query.prototype.sort() #14375 #14365
feat: add function SchemaType.prototype.validateAll #14434 #6910
fix: handle array schema definitions with of keyword #14447 #14416
types: add overwriteMiddlewareResult and skipMiddlewareFunction to types #14328 #14829

`v8.2.4`

==================

types(query): bring "getFilter" and "getQuery" in-line with "find" and other types #14463 noseworthy
types(schema): re-export the defintion for SearchIndexDescription #14464
docs: removed unused hook from docs #14461 bernardarhia

`v8.2.3`

==================

fix(schema): avoid returning string 'nested' as schematype #14453 #14443 #14435
types(schema): add missing search index types #14449 noseworthy
types: improve the typing of FilterQuery type to prevent it from only getting typed to any #14436 #14398 #14397

`v8.2.2`

==================

fix(model): improve update minimizing to only minimize top-level properties in the update #14437 #14420 #13782
fix: add Null check in case schema.options['type'][0] is undefined #14431 Atharv-Bobde
types: consistently infer array of objects in schema as a DocumentArray #14430 #14367
types: add TypeScript interface for the new PipelineStage - Vector Search - solving issue #14428 #14429 jkorach
types: add pre and post function types on Query class #14433 #14432 IICarst
types(model): make bulkWrite() types more flexible to account for casting #14423
docs: update version support documentation for mongoose 5 & 6 #14427 hasezoey

`v8.2.1`

==================

fix(document): make $clone avoid converting subdocs into POJOs #14395 #14353
fix(connection): avoid unhandled error on createConnection() if on('error') handler registered #14390 #14377
fix(schema): avoid applying default write concern to operations that are in a transaction #14391 #11382
types(querycursor): correct cursor async iterator type with populate() support #14384 #14374
types: missing typescript details on options params of updateMany, updateOne, etc. #14382 #14379 #14378 FaizBShah sderrow
types: allow Record<string, string> as valid query select argument #14371 sderrow

`v8.2.0`

==================

feat(model): add recompileSchema() function to models to allow applying schema changes after compiling #14306 #14296
feat: add middleware for bulkWrite() and createCollection() #14358 #14263 #7893
feat(model): add hydratedPopulatedDocs option to make hydrate recursively hydrate populated docs #14352 #4727
feat(connection): add withSession helper #14339 #14330

`v8.1.3`

==================

fix: avoid corrupting $set-ed arrays when transaction error occurs #14346 #14340
fix(populate): handle ref() functions that return a model instance #14343 #14249
fix: insert version key when using insertMany even if toObject.versionKey set to false #14344
fix(cursor): make aggregation cursor support transform option to match query cursor #14348 #14331
docs(document): clarify that transform function option applies to subdocs #13757

`v8.1.2`

==================

fix: include virtuals in document array toString() output if toObject.virtuals set #14335 #14315
fix(document): handle setting nested path to spread doc with extra properties #14287 #14269
fix(populate): call setter on virtual populated path with populated doc instead of undefined #14314
fix(QueryCursor): remove callback parameter of AggregationCursor and QueryCursor #14299 DevooKim
types: add typescript support for arbitrary fields for the options parameter of Model functions which are of type MongooseQueryOptions #14342 #14341 FaizBShah
types(model): correct return type for findOneAndUpdate with includeResultMetadata and lean set #14336 #14303
types(connection): add type definition for createCollections() #14295 #14279
docs(timestamps): clarify that replaceOne() and findOneAndReplace() overwrite timestamps #14337 #14309

`v8.1.1`

==================

fix(model): throw readable error when calling Model() with a string instead of model() #14288 #14281
fix(document): handle setting nested path to spread doc with extra properties #14287 #14269
types(query): add back context and setDefaultsOnInsert as Mongoose-specific query options #14284 #14282
types(query): add missing runValidators back to MongooseQueryOptions #14278 #14275

`v8.1.0`

==================

feat: upgrade MongoDB driver -> 6.3.0 #14241 #14189 [#14108](https://redirect.github.com/Automattic/mongoo

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the security label

renovate bot changed the title ~~Update dependency mongoose to 6.4.6 [SECURITY]~~ Update dependency mongoose to v6.4.6 [SECURITY]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from fe4b853 to 8a069c4 Compare

July 18, 2023 18:27

renovate bot changed the title ~~Update dependency mongoose to v6.4.6 [SECURITY]~~ Update dependency mongoose to v6.11.3 [SECURITY]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 8a069c4 to f9db526 Compare

November 30, 2023 12:02


          Update dependency mongoose to v8 [SECURITY]

63fc73a

Dependency update (patch) :)

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from f9db526 to 63fc73a Compare

December 3, 2024 08:00

renovate bot changed the title ~~Update dependency mongoose to v6.11.3 [SECURITY]~~ Update dependency mongoose to v8 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels