fix(deps): update dependency mongoose to v6.13.6 [security] by renovate-bot · Pull Request #1382 · GoogleCloudPlatform/cloud-code-samples

renovate-bot · 2024-12-05T01:01:20Z

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`6.11.3` → `6.13.6`

GitHub Vulnerability Alerts

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

`v6.13.6`

Compare Source

===================

fix: disallow nested $where in populate match CVE-2025-23061

`v6.13.5`

Compare Source

===================

fix: disallow using $where in match

`v6.13.4`

Compare Source

===================

fix: save execution stack in query as string #15043 #15039
docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos

`v6.13.3`

Compare Source

===================

docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

`v6.13.2`

Compare Source

===================

fix(document): make set() respect merge option on deeply nested objects #14870 #14878

`v6.13.1`

Compare Source

===================

fix: remove empty $and, $or, $not that were made empty by scrict mode #14749 #13086 0x0a0d

`v6.13.0`

Compare Source

===================

feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

`v6.12.9`

Compare Source

===================

fix(cast): cast $comment to string in query filters #14590 #14576
types(model): allow passing strict type checking override to create() #14571 #14548

`v6.12.8`

Compare Source

===================

fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

`v6.12.7`

Compare Source

===================

perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
perf(document+schema): small optimizations to make init() faster #14383 #14113
fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150

`v6.12.6`

Compare Source

===================

fix(collection): correctly handle buffer timeouts with find() #14277
fix(document): allow calling push() with different $position arguments #14254

`v6.12.5`

Compare Source

===================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(document): allow setting nested path to null #14226
fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213

`v6.12.4`

Compare Source

===================

fix: upgrade mongodb driver -> 4.17.2
fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
fix: account for null values when assigning isNew property #14172 #13883

`v6.12.3`

Compare Source

===================

fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022

`v6.12.2`

Compare Source

===================

fix: add fullPath to ValidatorProps #13995 Freezystem

`v6.12.1`

Compare Source

===================

fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13945 #13887 hasezoey
fix: Document.prototype.isModified support for a string of keys as first parameter #13940 #13674 k-chop

`v6.12.0`

Compare Source

===================

feat: use mongodb driver v4.17.1
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v6.11.6`

Compare Source

===================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13701 #13684 JavaScriptBach
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey

`v6.11.5`

Compare Source

===================

fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
fix: custom debug function not processing all args #13418

`v6.11.4`

Compare Source

===================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

dpebot · 2024-12-05T01:01:27Z

/gcbrun

gcf-merge-on-green · 2024-12-06T01:02:20Z

Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot.

dpebot · 2025-01-16T21:25:20Z

/gcbrun

dpebot · 2025-01-17T18:10:22Z

/gcbrun

dpebot · 2025-01-18T02:22:56Z

/gcbrun

dpebot · 2025-04-17T00:35:30Z

/gcbrun

dpebot · 2025-05-28T23:04:58Z

/gcbrun

dpebot · 2025-10-08T23:55:46Z

/gcbrun

renovate-bot requested a review from a team as a code owner December 5, 2024 01:01

forking-renovate bot added the automerge Merge the pull request once unit tests and other checks pass. label Dec 5, 2024

gcf-merge-on-green bot removed the automerge Merge the pull request once unit tests and other checks pass. label Dec 6, 2024

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 7381ef6 to a543775 Compare January 16, 2025 21:25

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.5 [security]~~ fix(deps): update dependency mongoose to v8 [security] Jan 16, 2025

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v8 [security]~~ fix(deps): update dependency mongoose to v6.13.5 [security] Jan 17, 2025

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from a543775 to 1d51988 Compare January 17, 2025 18:10

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.5 [security]~~ fix(deps): update dependency mongoose to v6.13.6 [security] Jan 18, 2025

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 1d51988 to 3c35b87 Compare January 18, 2025 02:22

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3c35b87 to 430d5f7 Compare April 17, 2025 00:35

renovate-bot requested a review from a team as a code owner April 17, 2025 00:35

glasnt removed the request for review from a team April 17, 2025 02:17

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 430d5f7 to 0540588 Compare May 28, 2025 23:04

fix(deps): update dependency mongoose to v6.13.6 [security]

8fcef00

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0540588 to 8fcef00 Compare October 8, 2025 23:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency mongoose to v6.13.6 [security]#1382

fix(deps): update dependency mongoose to v6.13.6 [security]#1382
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:v1from
renovate-bot:renovate/npm-mongoose-vulnerability

renovate-bot commented Dec 5, 2024 •

edited

Loading

Uh oh!

dpebot commented Dec 5, 2024

Uh oh!

gcf-merge-on-green bot commented Dec 6, 2024

Uh oh!

dpebot commented Jan 16, 2025

Uh oh!

dpebot commented Jan 17, 2025

Uh oh!

dpebot commented Jan 18, 2025

Uh oh!

dpebot commented Apr 17, 2025

Uh oh!

dpebot commented May 28, 2025

Uh oh!

dpebot commented Oct 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

renovate-bot commented Dec 5, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Release Notes

Configuration

Uh oh!

dpebot commented Dec 5, 2024

Uh oh!

gcf-merge-on-green bot commented Dec 6, 2024

Uh oh!

dpebot commented Jan 16, 2025

Uh oh!

dpebot commented Jan 17, 2025

Uh oh!

dpebot commented Jan 18, 2025

Uh oh!

dpebot commented Apr 17, 2025

Uh oh!

dpebot commented May 28, 2025

Uh oh!

dpebot commented Oct 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

renovate-bot commented Dec 5, 2024 •

edited

Loading