fix(deps): update dependency mongoose to v6.11.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	6.4.6 -> 6.11.3

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

---

Release Notes

Automattic/mongoose (mongoose)

v6.11.3

Compare Source

===================

• fix: avoid prototype pollution on init
• fix(schema): correctly handle uuids with populate() #​13317 #​13595

v6.11.2

Compare Source

===================

• fix(cursor): allow find middleware to modify query cursor options #​13476 #​13453 #​13435

v6.11.1

Compare Source

===================

• fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #​13348 #​13340
• fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #​13384 #​13373
• types(model): allow overwriting expected param type for bulkWrite() #​13292 hasezoey

v6.11.0

Compare Source

===================

• feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #​13337 #​13075
• perf: speed up creating maps of subdocuments #​13280 #​13191 #​13271
• fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #​13338
• fix(document): merge Document $inc calls instead of overwriting #​13322
• fix(update): handle casting doubly nested arrays with $pullAll #​13285
• docs: backport documentation versioning changes to 6.x #​13253 #​13190 hasezoey

v6.10.5

Compare Source

===================

• perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #​12953
• fix(model): execute valid write operations if calling bulkWrite() with ordered: false #​13218 #​13176
• fix(array): pass-through all parameters #​13202 #​13201 hasezoey
• fix: improve error message when sorting by empty string #​13249 #​10182
• docs: add version support and check version docs #​13251 #​13193

v6.10.4

Compare Source

===================

• fix(document): apply setters on resulting value when calling Document.prototype.$inc() #​13178 #​13158
• fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #​13163 #​12791
• docs(guide+schematypes): add UUID to schematypes guide #​13184

v6.10.3

Compare Source

===================

• fix(connection): add stub implementation of doClose to base connection class #​13157
• fix(types): add cursor.eachAsync index parameter #​13162 #​13153 hasezoey
• docs: fix 6.x docs sidebar links #​13147 #​13144 hasezoey
• docs(validation): clarify that validation runs as first pre(save) middleware #​13062

v6.10.2

Compare Source

===================

• fix(document): avoid setting array default if document array projected out by sibling projection #​13135 #​13043 #​13003
• fix(documentarray): set correct document array path if making map of document arrays #​13133
• fix: undo accidental change to engines in package.json #​13124 lorand-horvath
• docs: quick improvement to Model.init() docs #​13054

v6.10.1

Compare Source

===================

• fix: avoid removing empty query filters in $and and $or #​13086 #​12898
• fix(schematype): fixed validation for required UUID field #​13018 lpizzinidev
• fix(types): add missing Paths generic param to Model.populate() #​13070
• docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #​13083 lpizzinidev
• docs: fix code in headers for migrating_to_5 #​13077 hasezoey
• docs: backport misc documentation changes into 6.x #​13091 hasezoey

v6.10.0

Compare Source

===================

• feat: upgrade to mongodb driver 4.14.0 #​13036
• feat: added Schema.prototype.omit() function #​12939 #​12931 lpizzinidev
• feat(index): added createInitialConnection option to Mongoose constructor #​13021 #​12965 lpizzinidev

v6.9.3

Compare Source

==================

• fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #​13007 #​12940 lpizzinidev
• fix(discriminator): allows update doc with discriminatorKey #​13056 #​13055 abarriel
• fix(query): avoid sending unnecessary empty projection to MongoDB server #​13059 #​13050
• fix(model): avoid sending null session option with document operations #​13053 #​13052 lpizzinidev
• fix(types): use MergeTypes for type overrides in HydratedDocument #​13066 #​13040
• docs(middleware): list validate as a potential query middleware #​13057 #​12680
• docs(getters-setters): explain that getters do not run by default on toJSON() #​13058 #​13049
• docs: refactor docs generation scripts #​13044 hasezoey

v6.9.2

Compare Source

==================

• fix(model): fixed post('save') callback parameter #​13030 #​13026 lpizzinidev
• fix(UUID): added null check to prevent error on binaryToString conversion #​13034 #​13032 #​13029 lpizzinidev Freezystem
• fix(query): revert breaking changes introduced by #​12797 #​12999 lpizzinidev
• fix(document): make array $shift() use $pop instead of overwriting array #​13004
• docs: update & remove old links #​13019 hasezoey
• docs(middleware): describe how to access model from document middleware #​13031 AxeOfMen
• docs: update broken & outdated links #​13001 hasezoey
• chore: change deno tests to also use MMS #​12918 hasezoey

v6.9.1

Compare Source

==================

• fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #​12994 lpizzinidev
• fix(document): save newly set defaults underneath single nested subdocuments #​13002 #​12905
• fix(update): handle custom discriminator model name when casting update #​12947 wassil
• fix(connection): handles unique autoincrement ID for connections #​12990 lpizzinidev
• fix(types): fix type of options of Model.aggregate #​12933 ghost91-
• fix(types): fix "near" aggregation operator input type #​12954 Jokero
• fix(types): add missing Top operator to AccumulatorOperator type declaration #​12952 lpizzinidev
• docs(transactions): added example for Connection.transaction() method #​12943 #​12934 lpizzinidev
• docs(populate): fix out of date comment referencing onModel property #​13000
• docs(transactions): fix typo in transactions.md #​12995 Parth86

v6.9.0

Compare Source

==================

• feat(schema): add removeVirtual(path) function to schema #​12920 IslandRhythms
• fix(cast): remove empty $or conditions after strict applied #​12898 0x0a0d
• docs: fixed typo #​12946 Gbengstar

v6.8.4

Compare Source

==================

• fix(collection): handle creating model when connection disconnected with bufferCommands = false #​12889
• fix(populate): merge instead of overwrite when match is on _id #​12891
• fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #​12820 sgpinkus
• fix(types): correctly infer types on document arrays #​12884 #​12882 JavaScriptBach
• fix(types): added omit for ArraySubdocument type in LeanType declaration #​12903 piyushk96
• fix(types): add returnDocument type safety #​12906 AbdelrahmanHafez
• docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #​12912 #​12806
• docs(schematypes): removed dead link and fixed formatting #​12897 #​12885 lpizzinidev
• docs: fix link to lean api #​12910 manniL
• docs: list all possible strings for schema.pre in one place #​12868
• docs: add list of known incompatible npm packages #​12892 IslandRhythms

v6.8.3

Compare Source

==================

• perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #​12867 Uzlopak
• fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #​12866
• fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #​12836
• fix(types): avoid inferring timestamps if methods, virtuals, or statics set #​12871
• fix(types): correctly infer string enums on const arrays #​12870 JavaScriptBach
• fix(types): allow virtuals to be invoked in the definition of other virtuals #​12874 sffc
• fix(types): add type def for Aggregate#model without arguments #​12864 hasezoey
• docs(discriminators): add section about changing discriminator key #​12861
• docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #​12860 #​12684

v6.8.2

Compare Source

==================

• fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #​12827 #​12796
• fix(model): respect discriminators with Model.validate() #​12824 #​12621
• fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #​12826 #​12821
• fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #​12833 #​12696
• fix(types): add option "overwriteModels" as a schema option #​12817 #​12816 hasezoey
• fix(types): add property "defaultOptions" #​12818 hasezoey
• docs: make search bar respect documentation version, so you can search 5.x docs #​12548
• docs(typescript): make note about recommending strict mode when using auto typed schemas #​12825 #​12420
• docs: add section on sorting to query docs #​12588 IslandRhythms
• test(query.test): add write-concern option #​12829 hasezoey

v6.8.1

Compare Source

==================

• fix(query): avoid throwing circular dependency error if same object is used in multiple properties #​12774 orgads
• fix(map): return value from super.delete() #​12777 danbrud
• fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #​12815 #​12730
• fix(update): handle embedded discriminators when casting array filters #​12802 #​12565
• fix(populate): avoid calling transform if there's no populate results and using lean #​12804 #​12739
• fix(model): prevent index creation on syncIndexes if not necessary #​12785 #​12250 lpizzinidev
• fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #​12778
• fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #​12784 JavaScriptBach
• docs: replace many occurrences of "localhost" with "127.0.0.1" #​12811 #​12741 hasezoey SadiqOnGithub
• docs(mongoose): Added missing options to set #​12810 lpizzinidev
• docs: add info on $locals parameters to getters/setters tutorial #​12814 #​12550 IslandRhythms
• docs: make Document.prototype.$clone() public #​12803
• docs(query): updated explanation for slice #​12776 #​12474 lpizzinidev
• docs(middleware): fix broken links #​12787 lpizzinidev
• docs(queries): fixed broken links #​12790 lpizzinidev

v6.8.0

Compare Source

==================

• feat: add alpha support for Deno #​12397 #​9056
• feat: add deprecation warning for default strictQuery #​12666
• feat: upgrade to MongoDB driver 4.12.1
• feat(schema): add doc as second params to validation message function #​12564 #​12651 IslandRhythms
• feat(document): add $clone method #​12549 #​11849 lpizzinidev
• feat(populate): allow overriding localField and foreignField for virtual populate #​12657 #​6963 IslandRhythms
• feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #​12723 #​12583
• feat(debug): allow setting debug on a per-connection basis #​12704 #​12700 lpizzinidev
• feat: add rewind function to QueryCursor #​12710 passabilities
• feat(types): infer timestamps option from schema #​12731 #​12069
• docs: change links to not link to api.html anymore #​12644 hasezoey

v6.7.5

Compare Source

==================

• fix(schema): copy indexes when calling add() with schema instance #​12737 #​12654
• fix(query): handle deselecting _id when another field has schema-level select: false #​12736 #​12670
• fix(types): support using UpdateQuery in bulkWrite() #​12742 #​12595
• docs(middleware): added note about execution policy on subdocuments #​12735 #​12694 lpizzinidev
• docs(validation): clarify context for update validators in validation docs #​12738 #​12655 IslandRhythms

v6.7.4

Compare Source

==================

• fix: allow setting global strictQuery after Schema creation #​12717 #​12703 lpizzinidev
• fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #​12716
• fix(types): infer virtuals in query results #​12727 #​12702 #​12684
• fix(types): correctly infer ReadonlyArray types in schema definitions #​12720
• fix(types): avoid typeof Query with generics for TypeScript 4.6 support #​12712 #​12688
• chore: avoid bundling .tgz files when publishing #​12725 hasezoey

v6.7.3

Compare Source

v6.7.2

Compare Source

v6.7.1

Compare Source

==================

• fix(query): select Map field with select: false when explicitly requested #​12616 #​12603 lpizzinidev
• fix: correctly find paths underneath single nested document with an array of mixed #​12605 #​12530
• fix(populate): better support for populating maps of arrays of refs #​12601 #​12494
• fix(types): add missing create constructor signature override type #​12585 naorpeled
• fix(types): make array paths optional in inferred type of array default returns undefined #​12649 #​12420
• fix(types): improve ValidateOpts type #​12606 Freezystem
• docs: add Lodash guide highlighting issues with cloneDeep() #​12609
• docs: removed v5 link from v6 docs #​12641 #​12624 lpizzinidev
• docs: removed outdated connection example #​12618 lpizzinidev

v6.7.0

Compare Source

v6.6.7

Compare Source

==================

• fix: correct browser build and improve isAsyncFunction check for browser #​12577 #​12576 #​12392
• fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #​12578 #​12513

v6.6.6

Compare Source

==================

• fix(update): handle runValidators when using $set on a doc array in discriminator schema #​12571 #​12518
• fix(document): allow creating document with document array and top-level key named schema #​12569 #​12480
• fix(cast): make schema-level strictQuery override schema-level strict for query filters #​12570 #​12508
• fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #​12568 #​12478
• fix: Throws error when updating a key name that match the discriminator key name on nested object #​12534 #​12517 lpizzinidev
• fix(types): add limit to $filter expression #​12553 raphael-papazikas
• fix(types): correct replaceWith type pipeline stage #​12535 FabioCingottini
• fix(types): add missing densify type pipeline type #​12533 FabioCingottini
• docs(populate): added transform option description #​12560 #​12551 lpizzinidev
• docs(connection): add sample to useDb() documentation #​12541 lpizzinidev
• docs(guide): update broken read-preference links #​12538 #​12525 hasezoey
• chore: add TypeScript version field to issue template #​12532 hasezoey

v6.6.5

Compare Source

v6.6.4

Compare Source

v6.6.3

Compare Source

==================

• fix(query): treat findOne(_id) as equivalent to findOne({ _id }) #​12485 #​12325
• fix(timestamps): findOneAndUpdate creates subdocs with timestamps in reverse order #​12484 #​12475 lpizzinidev
• fix(types): make schema.plugin() more flexible for schemas that don't define any generics #​12486 #​12454
• fix(types): add "array of array key-value pairs" as a argument option for "query.sort()" #​12483 #​12434 hasezoey
• fix(types): remove unused defaults in "PluginFunction" #​12459 hasezoey
• fix(types): update DiscriminatorSchema to have better names and combine statics #​12460 hasezoey

v6.6.2

Compare Source

v6.6.1

Compare Source

==================

• fix: correctly apply defaults after subdoc init #​12328
• fix(array): avoid using default _id when using pull() #​12294
• fix: allow null values inside $expr objects #​12429 MartinDrost
• fix(query): use correct Query constructor when cloning query #​12418
• docs(website): remove setting "latest38x" which is not used anywhere #​12396 hasezoey

v6.6.0

Compare Source

==================

• feat: upgrade mongodb driver -> 4.9.1 #​12370 AbdelrahmanHafez
• feat: re-export default Mongoose instance properties for ESM named imports support #​12256
• feat(model): add option to skip invalid fields with castObject() #​12156 IslandRhythms
• feat: use setPrototypeOf() instead of proto to allow running on Deno #​12315
• feat(QueryCursor): add support for AbortSignal on eachAsync() #​12323
• feat(types): add types for new $densify operator #​12118 IslandRhythms

v6.5.5

Compare Source

==================

• fix(setDefaultsOnInsert): avoid applying defaults on insert if nested property set #​12279
• fix(model): make applyHooks() and applyMethods() handle case where custom method is set to Mongoose implementation #​12254
• fix(types): add string "ascending" and "descending" index-directions #​10269
• docs: upgrade dox to 1.0.0 #​12403 hasezoey
• docs: update old mongodb nodejs driver documentation urls #​12387 hasezoey
• docs: update JSDOC ... (spread) definition #​12388 hasezoey
• refactor(model): allow optionally passing indexes to createIndexes and cleanIndexes #​12280 AbdelrahmanHafez

v6.5.4

Compare Source

==================

• fix(document): allow calling $assertPopulated() with values to better support manual population #​12233
• fix(connection+mongoose): better handling for calling model() with 1 argument #​12359
• fix(model): allow defining discriminator virtuals and methods using schema options #​12326
• fix(types): fix MongooseQueryMiddleware missing "findOneAndReplace" and "replaceOne" #​12330 #​12329 Jule- lpizzinidev
• fix(types): fix replaceOne return type #​12351 lpizzinidev
• fix(types): use this for return type from $assertPopulated() #​12234
• docs: highlight how to connect using auth in README #​12354 AntonyOnScript
• docs: improve jsdoc comments for private methods #​12337 hasezoey
• docs: fix minor typo in compatibility table header #​12355 skyme5

v6.5.3

Compare Source

==================

• fix(document): handle maps when applying defaults to nested paths #​12322
• fix(schema): make ArraySubdocuments apply _id defaults on init #​12264
• fix(populate): handle specifying recursive populate as a string with discriminators #​12266
• perf(types): remove extends Query in Schema.pre() and Schema.post(), loosen discriminator() generic #​10349
• perf(types): some more micro-optimizations re: #​10349, remove extra type checking on $ne, etc.
• fix(types): infer schema on connection.model() #​12298 #​12125 hasezoey
• fix(types): add missing findById() type definitions #​12309 lpizzinidev
• fix(types): allow $search in $lookup pipeline stages for MongoDB v6.x support #​12278 AbdelrahmanHafez
• fix(types): add parameter "options" to "Model.remove" #​12258 hasezoey
• fix(types): sync single-generic-no-constraint "model" between "index.d.ts" and "connection.d.ts" #​12299 hasezoey
• fix(types): update isDirectModified typing #​12290 gabrielDonnantuoni
• docs: update links on api docs #​12293 eatmoarrice
• docs: add note about language_override option #​12310 IslandRhythms
• docs(document): add "String[]" to Document.depopulate as jsdoc parameter type #​12300 hasezoey
• docs: update Node.js EventEmitter url #​12303 rainrisa

v6.5.2

Compare Source

==================

• fix(aggregate): avoid throwing error when disconnecting with change stream open #​12201 ramos-ph
• fix(query): overwrite top-level key if using Query.prototype.set() to set to undefined #​12155
• fix(query): shallow clone options before modifying #​12176
• fix(types): auto schema type inference on Connection.prototype.model() #​12240 hasezoey
• fix(types): better typescript support for schema plugins #​12139 emiljanitzek
• fix(types): make bulkWrite() type param optional #​12221 #​12212
• docs: misc cleanup #​12199 hasezoey
• docs: highlight current top-most visible header in navbar #​12222 hasezoey
• docs(populate): improve examples for Document.prototype.populate() #​12111
• docs(middleware): clarify document vs model in middleware docs #​12113

v6.5.1

Compare Source

==================

• fix(timestamps): set timestamps on child schema when child schema has timestamps: true but parent schema does not #​12119
• fix(schema+timestamps): handle insertMany() with timestamps and discriminators #​12150
• fix(model+query): handle populate with lean transform that deletes _id #​12143
• fix(types): allow $pull with _id #​12142
• fix(types): add schema plugin option inference #​12196 hasezoey
• fix(types): pass type to mongodb bulk write operation #​12167 emiljanitzek
• fix(types): map correct generics from model to schema #​12125 emiljanitzek
• fix(types): avoid baffling circular reference when using PopulatedDoc with a bidirectional reference #​12136
• fix(types): allow using path with $count #​12149
• docs(compatibility): change to use a table #​12200 hasezoey
• docs(api_split.pug): add "code" to sidebar entries #​12153 hasezoey
• docs: add "code" to Headers (and index list) #​12152 hasezoey

v6.5.0

Compare Source

==================

• perf(document): avoid creating unnecessary empty objects when creating a state machine #​11988
• feat: upgrade mongodb driver -> 4.8.1 #​12103 AbdelrahmanHafez
• feat(model): allow passing timestamps option to Model.bulkSave(...) #​12082 AbdelrahmanHafez
• feat(model): add castObject() function that casts a POJO to the model's schema #​11945
• feat(document): add $inc() helper that increments numeric paths #​12115
• feat(schema): add schema level lean option IslandRhythms
• feat(schema): add global id option to disable id on schemas #​12067 IslandRhythms
• fix(connection): re-run Model.init() if re-connecting after explicitly closing a connection #​12130
• feat(model): add applyDefaults() helper that allows applying defaults to document or POJO #​11945
• feat(model): allow calling hydrate() with { setters: true } #​11653
• feat(model): add hydrate option to Model.watch() to automatically hydrate fullDocument #​12121
• feat(types): add support for automatically typed virtuals in schemas #​11908 mohammad0-0ahmad

v6.4.7

Compare Source

==================

• fix(virtualtype): use $locals for default virtual getter/setter rather than top-level doc #​12124
• fix(document): call subdocument getters if child schema has getters: true #​12105
• fix(schematype): actually always return "this" where specified #​12141 hasezoey
• fix(types): correct return value for Model.exists() #​12094
• docs(guides): add link to advanced schemas doc #​12073
• docs: handle @​see in jsdoc #​12144 hasezoey
• docs: make use of the deprecated tag available in jsdoc for documentation #​12080 hasezoey
• docs(api_split): add basic DEPRECATED output #​12146 hasezoey
• docs: various jsdoc cleanup #​12140 hasezoey
• docs(api_split.pug): add "code" to parameter name #​12145 hasezoey

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.