Commit
chore(deps): update dependency mongoose to v8.8.3 [security] (#89)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [mongoose](https://mongoosejs.com) ([source](https://redirect.github.com/Automattic/mongoose)) | [`8.6.3` -> `8.8.3`](https://renovatebot.com/diffs/npm/mongoose/8.6.3/8.8.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/mongoose/8.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/mongoose/8.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/mongoose/8.6.3/8.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/mongoose/8.6.3/8.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-53900](https://nvd.nist.gov/vuln/detail/CVE-2024-53900)

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
---

### Release Notes

<details>
<summary>Automattic/mongoose (mongoose)</summary>

### [`v8.8.3`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#883--2024-11-26)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.8.2...8.8.3)

- fix: disallow using $where in match
- perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties [#15055](https://redirect.github.com/Automattic/mongoose/issues/15055) [#15029](https://redirect.github.com/Automattic/mongoose/issues/15029)
- fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update [#15046](https://redirect.github.com/Automattic/mongoose/issues/15046) [#15040](https://redirect.github.com/Automattic/mongoose/issues/15040)

### [`v8.8.2`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#882--2024-11-18)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.8.1...8.8.2)

- fix(model): handle array filters when casting bulkWrite [#15036](https://redirect.github.com/Automattic/mongoose/issues/15036) [#14978](https://redirect.github.com/Automattic/mongoose/issues/14978)
- fix(model): make diffIndexes() avoid trying to drop default timeseries collection index [#15035](https://redirect.github.com/Automattic/mongoose/issues/15035) [#14984](https://redirect.github.com/Automattic/mongoose/issues/14984)
- fix: save execution stack in query as string [#15039](https://redirect.github.com/Automattic/mongoose/issues/15039) [durran](https://redirect.github.com/durran)
- types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' [#15038](https://redirect.github.com/Automattic/mongoose/issues/15038)
- docs(migrating_to\_8): add note about removing findByIdAndRemove [#15024](https://redirect.github.com/Automattic/mongoose/issues/15024) [dragontaek-lee](https://redirect.github.com/dragontaek-lee)

### [`v8.8.1`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#881--2024-11-08)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.8.0...8.8.1)

- perf: make a few micro-optimizations to help speed up findOne() [#15022](https://redirect.github.com/Automattic/mongoose/issues/15022) [#14906](https://redirect.github.com/Automattic/mongoose/issues/14906)
- fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly [#15001](https://redirect.github.com/Automattic/mongoose/issues/15001) [#14961](https://redirect.github.com/Automattic/mongoose/issues/14961)
- fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode [#15000](https://redirect.github.com/Automattic/mongoose/issues/15000) [#8619](https://redirect.github.com/Automattic/mongoose/issues/8619)

### [`v8.8.0`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#880--2024-10-31)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.7.3...8.8.0)

- feat: upgrade mongodb -> ~6.10 [#14991](https://redirect.github.com/Automattic/mongoose/issues/14991) [#14877](https://redirect.github.com/Automattic/mongoose/issues/14877)
- feat(query): add schemaLevelProjections option to query to disable schema-level select: false [#14986](https://redirect.github.com/Automattic/mongoose/issues/14986) [#11474](https://redirect.github.com/Automattic/mongoose/issues/11474)
- feat: allow defining virtuals on arrays, not just array elements [#14955](https://redirect.github.com/Automattic/mongoose/issues/14955) [#2326](https://redirect.github.com/Automattic/mongoose/issues/2326)
- feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO [#14943](https://redirect.github.com/Automattic/mongoose/issues/14943) [#14698](https://redirect.github.com/Automattic/mongoose/issues/14698)
- feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() [#14987](https://redirect.github.com/Automattic/mongoose/issues/14987) [#14868](https://redirect.github.com/Automattic/mongoose/issues/14868)
- fix(query): make sanitizeFilter disable implicit $in [#14985](https://redirect.github.com/Automattic/mongoose/issues/14985) [#14657](https://redirect.github.com/Automattic/mongoose/issues/14657)
- fix(model): avoid unhandled error if createIndex() throws a sync error [#14995](https://redirect.github.com/Automattic/mongoose/issues/14995)
- fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError [#14993](https://redirect.github.com/Automattic/mongoose/issues/14993)
- types: added toJSON:flattenObjectIds effect [#14989](https://redirect.github.com/Automattic/mongoose/issues/14989)
- types: add `__v` to lean() result type and ModifyResult [#14990](https://redirect.github.com/Automattic/mongoose/issues/14990) [#12959](https://redirect.github.com/Automattic/mongoose/issues/12959)
- types: use globalThis instead of global for NativeDate [#14992](https://redirect.github.com/Automattic/mongoose/issues/14992) [#14988](https://redirect.github.com/Automattic/mongoose/issues/14988)
- docs(change-streams): fix markdown syntax highlighting for script output example [#14994](https://redirect.github.com/Automattic/mongoose/issues/14994)

### [`v8.7.3`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#873--2024-10-25)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.7.2...8.7.3)

- fix(cursor): close underlying query cursor when calling destroy() [#14982](https://redirect.github.com/Automattic/mongoose/issues/14982) [#14966](https://redirect.github.com/Automattic/mongoose/issues/14966)
- types: add JSONSerialized helper that can convert HydratedDocument to JSON output type [#14981](https://redirect.github.com/Automattic/mongoose/issues/14981) [#14451](https://redirect.github.com/Automattic/mongoose/issues/14451)
- types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override [#14977](https://redirect.github.com/Automattic/mongoose/issues/14977)
- types(connection): add missing sanitizeFilter option [#14975](https://redirect.github.com/Automattic/mongoose/issues/14975)
- types: improve goto definition for inferred schema definitions [#14968](https://redirect.github.com/Automattic/mongoose/issues/14968) [forivall](https://redirect.github.com/forivall)
- docs(migration-guide-v7): correct link to the section "Id Setter" [#14973](https://redirect.github.com/Automattic/mongoose/issues/14973) [rb-ntnx](https://redirect.github.com/rb-ntnx)

### [`v8.7.2`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#872--2024-10-17)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.7.1...8.7.2)

- fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null [#14963](https://redirect.github.com/Automattic/mongoose/issues/14963) [#14952](https://redirect.github.com/Automattic/mongoose/issues/14952)
- fix(populate): handle array of ids with parent refPath [#14965](https://redirect.github.com/Automattic/mongoose/issues/14965)
- types: make Buffers into mongodb.Binary in lean result type to match runtime behavior [#14967](https://redirect.github.com/Automattic/mongoose/issues/14967)
- types: correct schema type inference when using nested typeKey like type: { type: String } [#14956](https://redirect.github.com/Automattic/mongoose/issues/14956) [#14950](https://redirect.github.com/Automattic/mongoose/issues/14950)
- types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver [#14947](https://redirect.github.com/Automattic/mongoose/issues/14947) [#14946](https://redirect.github.com/Automattic/mongoose/issues/14946)
- docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment [#14972](https://redirect.github.com/Automattic/mongoose/issues/14972)
- docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty [#14957](https://redirect.github.com/Automattic/mongoose/issues/14957)

### [`v8.7.1`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#871--2024-10-09)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.7.0...8.7.1)

- fix: set flattenObjectIds to false when calling toObject() for internal purposes [#14938](https://redirect.github.com/Automattic/mongoose/issues/14938)
- fix: add mongodb 8 to test matrix [#14937](https://redirect.github.com/Automattic/mongoose/issues/14937)
- fix: handle buffers stored in MongoDB as EJSON representation with { $binary } [#14932](https://redirect.github.com/Automattic/mongoose/issues/14932)
- docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support [#14937](https://redirect.github.com/Automattic/mongoose/issues/14937)

### [`v8.7.0`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#870--2024-09-27)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.6.4...8.7.0)

- feat(model): add Model.applyVirtuals() to apply virtuals to a POJO [#14905](https://redirect.github.com/Automattic/mongoose/issues/14905) [#14818](https://redirect.github.com/Automattic/mongoose/issues/14818)
- feat: upgrade mongodb -> 6.9.0 [#14914](https://redirect.github.com/Automattic/mongoose/issues/14914)
- feat(query): cast $rename to string [#14887](https://redirect.github.com/Automattic/mongoose/issues/14887) [#3027](https://redirect.github.com/Automattic/mongoose/issues/3027)
- feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes [#14880](https://redirect.github.com/Automattic/mongoose/issues/14880) [#8389](https://redirect.github.com/Automattic/mongoose/issues/8389)
- fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed [#14884](https://redirect.github.com/Automattic/mongoose/issues/14884) [#14763](https://redirect.github.com/Automattic/mongoose/issues/14763)
- fix(connection): avoid returning readyState = connected if connection state is stale [#14812](https://redirect.github.com/Automattic/mongoose/issues/14812) [#14727](https://redirect.github.com/Automattic/mongoose/issues/14727)
- fix: depopulate if push() or addToSet() with an ObjectId on a populated array [#14883](https://redirect.github.com/Automattic/mongoose/issues/14883) [#1635](https://redirect.github.com/Automattic/mongoose/issues/1635)
- types: make \__v a number, only set \__v on top-level documents [#14892](https://redirect.github.com/Automattic/mongoose/issues/14892)

### [`v8.6.4`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#864--2024-09-26)

[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/8.6.3...8.6.4)

- fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs [#14910](https://redirect.github.com/Automattic/mongoose/issues/14910) [#14897](https://redirect.github.com/Automattic/mongoose/issues/14897)
- fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware [#14904](https://redirect.github.com/Automattic/mongoose/issues/14904) [dragontaek-lee](https://redirect.github.com/dragontaek-lee)
- fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware [#14908](https://redirect.github.com/Automattic/mongoose/issues/14908) [dragontaek-lee](https://redirect.github.com/dragontaek-lee)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "after 9am and before 5pm Monday" (UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cerbos/query-plan-adapters).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS40Mi40IiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
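Added example, not part of the commit message and not Mongoose or Renovate code: a check that flags Mongoose versions inside the ranges the advisory text above gives for CVE-2024-53900, together with a guard that rejects `$where` anywhere in a match object assembled from request data. The function names, the sample inputs, and the reading of "prior to 6.13.5" as covering every older major line are assumptions.

```javascript
// First fixed release per major line, taken from the advisory text on this page.
const FIXED = { 8: [8, 8, 3], 7: [7, 8, 3], 6: [6, 13, 5] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when the installed version predates the fix for its major line.
function isAffectedMongoose(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major < 6) return true; // assumption: no fixed release is listed for older majors
  const fixed = FIXED[major];
  if (!fixed) return false; // majors newer than 8 are outside the advisory ranges
  if (minor !== fixed[1]) return minor < fixed[1];
  return patch < fixed[2];
}

// Walk a filter/match object and return the path of every $where key,
// including ones nested under $or/$and arrays or sub-objects.
function findWhereOperators(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findWhereOperators(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key === '$where') hits.push(here);
      hits.push(...findWhereOperators(child, here));
    }
  }
  return hits;
}

// Call before passing request-derived data as a match or filter.
function assertNoWhere(match) {
  const hits = findWhereOperators(match);
  if (hits.length) throw new Error(`$where not allowed in match: ${hits.join(', ')}`);
  return match;
}

// Constructed sample: the version this PR upgrades from, and a nested filter.
const sampleMatch = { $or: [{ name: 'a' }, { $where: 'constructed-placeholder' }] };
console.log(isAffectedMongoose('8.6.3'), findWhereOperators(sampleMatch));
```

The guard is defence in depth for code that cannot upgrade immediately; it does not replace moving to a fixed release.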