fix: update references to mongoose to v6 [security] - autoclosed#351

Closed

renovate[bot] wants to merge 1 commit intodevelopfrom

fix/deps/docs-npm-mongoose-vulnerability

Contributor

renovate bot commented Nov 12, 2025

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`5.13.20` -> `6.13.6`

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

`v6.13.6`

===================

fix: disallow nested $where in populate match CVE-2025-23061

`v6.13.5`

===================

fix: disallow using $where in match

`v6.13.4`

===================

fix: save execution stack in query as string #15043 #15039
docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos

`v6.13.3`

===================

docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

`v6.13.2`

===================

fix(document): make set() respect merge option on deeply nested objects #14870 #14878

`v6.13.1`

===================

fix: remove empty $and, $or, $not that were made empty by scrict mode #14749 #13086 0x0a0d

`v6.13.0`

===================

feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

`v6.12.9`

===================

fix(cast): cast $comment to string in query filters #14590 #14576
types(model): allow passing strict type checking override to create() #14571 #14548

`v6.12.8`

===================

fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

`v6.12.7`

===================

perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
perf(document+schema): small optimizations to make init() faster #14383 #14113
fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150

`v6.12.6`

===================

fix(collection): correctly handle buffer timeouts with find() #14277
fix(document): allow calling push() with different $position arguments #14254

`v6.12.5`

===================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(document): allow setting nested path to null #14226
fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213

`v6.12.4`

===================

fix: upgrade mongodb driver -> 4.17.2
fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
fix: account for null values when assigning isNew property #14172 #13883

`v6.12.3`

===================

fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022

`v6.12.2`

===================

fix: add fullPath to ValidatorProps #13995 Freezystem

`v6.12.1`

===================

fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13945 #13887 hasezoey
fix: Document.prototype.isModified support for a string of keys as first parameter #13940 #13674 k-chop

`v6.12.0`

===================

feat: use mongodb driver v4.17.1
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v6.11.6`

===================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13701 #13684 JavaScriptBach
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey

`v6.11.5`

===================

fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
fix: custom debug function not processing all args #13418

`v6.11.4`

===================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

`v6.11.3`

===================

fix: avoid prototype pollution on init
fix(schema): correctly handle uuids with populate() #13317 #13595

`v6.11.2`

===================

fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435

`v6.11.1`

===================

fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340
fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #13384 #13373
types(model): allow overwriting expected param type for bulkWrite() #13292 hasezoey

`v6.11.0`

===================

feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #13337 #13075
perf: speed up creating maps of subdocuments #13280 #13191 #13271
fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #13338
fix(document): merge Document $inc calls instead of overwriting #13322
fix(update): handle casting doubly nested arrays with $pullAll #13285
docs: backport documentation versioning changes to 6.x #13253 #13190 hasezoey

`v6.10.5`

===================

perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #12953
fix(model): execute valid write operations if calling bulkWrite() with ordered: false #13218 #13176
fix(array): pass-through all parameters #13202 #13201 hasezoey
fix: improve error message when sorting by empty string #13249 #10182
docs: add version support and check version docs #13251 #13193

`v6.10.4`

===================

fix(document): apply setters on resulting value when calling Document.prototype.$inc() #13178 #13158
fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #13163 #12791
docs(guide+schematypes): add UUID to schematypes guide #13184

`v6.10.3`

===================

fix(connection): add stub implementation of doClose to base connection class #13157
fix(types): add cursor.eachAsync index parameter #13162 #13153 hasezoey
docs: fix 6.x docs sidebar links #13147 #13144 hasezoey
docs(validation): clarify that validation runs as first pre(save) middleware #13062

`v6.10.2`

===================

fix(document): avoid setting array default if document array projected out by sibling projection #13135 #13043 #13003
fix(documentarray): set correct document array path if making map of document arrays #13133
fix: undo accidental change to engines in package.json #13124 lorand-horvath
docs: quick improvement to Model.init() docs #13054

`v6.10.1`

===================

fix: avoid removing empty query filters in $and and $or #13086 #12898
fix(schematype): fixed validation for required UUID field #13018 lpizzinidev
fix(types): add missing Paths generic param to Model.populate() #13070
docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #13083 lpizzinidev
docs: fix code in headers for migrating_to_5 #13077 hasezoey
docs: backport misc documentation changes into 6.x #13091 hasezoey

`v6.10.0`

===================

feat: upgrade to mongodb driver 4.14.0 #13036
feat: added Schema.prototype.omit() function #12939 #12931 lpizzinidev
feat(index): added createInitialConnection option to Mongoose constructor #13021 #12965 lpizzinidev

`v6.9.3`

==================

fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #13007 #12940 lpizzinidev
fix(discriminator): allows update doc with discriminatorKey #13056 #13055 abarriel
fix(query): avoid sending unnecessary empty projection to MongoDB server #13059 #13050
fix(model): avoid sending null session option with document operations #13053 #13052 lpizzinidev
fix(types): use MergeTypes for type overrides in HydratedDocument #13066 #13040
docs(middleware): list validate as a potential query middleware #13057 #12680
docs(getters-setters): explain that getters do not run by default on toJSON() #13058 #13049
docs: refactor docs generation scripts #13044 hasezoey

`v6.9.2`

==================

fix(model): fixed post('save') callback parameter #13030 #13026 lpizzinidev
fix(UUID): added null check to prevent error on binaryToString conversion #13034 #13032 #13029 lpizzinidev Freezystem
fix(query): revert breaking changes introduced by #12797 #12999 lpizzinidev
fix(document): make array $shift() use $pop instead of overwriting array #13004
docs: update & remove old links #13019 hasezoey
docs(middleware): describe how to access model from document middleware #13031 AxeOfMen
docs: update broken & outdated links #13001 hasezoey
chore: change deno tests to also use MMS #12918 hasezoey

`v6.9.1`

==================

fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #12994 lpizzinidev
fix(document): save newly set defaults underneath single nested subdocuments #13002 #12905
fix(update): handle custom discriminator model name when casting update #12947 wassil
fix(connection): handles unique autoincrement ID for connections #12990 lpizzinidev
fix(types): fix type of options of Model.aggregate #12933 ghost91-
fix(types): fix "near" aggregation operator input type #12954 Jokero
fix(types): add missing Top operator to AccumulatorOperator type declaration #12952 lpizzinidev
docs(transactions): added example for Connection.transaction() method #12943 #12934 lpizzinidev
docs(populate): fix out of date comment referencing onModel property #13000
docs(transactions): fix typo in transactions.md #12995 Parth86

`v6.9.0`

==================

feat(schema): add removeVirtual(path) function to schema #12920 IslandRhythms
fix(cast): remove empty $or conditions after strict applied #12898 0x0a0d
docs: fixed typo #12946 Gbengstar

`v6.8.4`

==================

fix(collection): handle creating model when connection disconnected with bufferCommands = false #12889
fix(populate): merge instead of overwrite when match is on _id #12891
fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #12820 sgpinkus
fix(types): correctly infer types on document arrays #12884 #12882 JavaScriptBach
fix(types): added omit for ArraySubdocument type in LeanType declaration #12903 piyushk96
fix(types): add returnDocument type safety #12906 AbdelrahmanHafez
docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #12912 #12806
docs(schematypes): removed dead link and fixed formatting #12897 #12885 lpizzinidev
docs: fix link to lean api #12910 manniL
docs: list all possible strings for schema.pre in one place #12868
docs: add list of known incompatible npm packages #12892 IslandRhythms

`v6.8.3`

==================

perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #12867 Uzlopak
fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #12866
fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #12836
fix(types): avoid inferring timestamps if methods, virtuals, or statics set #12871
fix(types): correctly infer string enums on const arrays #12870 JavaScriptBach
fix(types): allow virtuals to be invoked in the definition of other virtuals #12874 sffc
fix(types): add type def for Aggregate#model without arguments #12864 hasezoey
docs(discriminators): add section about changing discriminator key #12861
docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #12860 #12684

`v6.8.2`

==================

fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #12827 #12796
fix(model): respect discriminators with Model.validate() #12824 #12621
fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #12826 #12821
fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #12833 #12696
fix(types): add option "overwriteModels" as a schema option #12817 #12816 hasezoey
fix(types): add property "defaultOptions" #12818 hasezoey
docs: make search bar respect documentation version, so you can search 5.x docs #12548
docs(typescript): make note about recommending strict mode when using auto typed schemas #12825 #12420
docs: add section on sorting to query docs #12588 IslandRhythms
test(query.test): add write-concern option #12829 hasezoey

`v6.8.1`

==================

fix(query): avoid throwing circular dependency error if same object is used in multiple properties #12774 orgads
fix(map): return value from super.delete() #12777 danbrud
fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #12815 #12730
fix(update): handle embedded discriminators when casting array filters #12802 #12565
fix(populate): avoid calling transform if there's no populate results and using lean #12804 #12739
fix(model): prevent index creation on syncIndexes if not necessary #12785 #12250 lpizzinidev
fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #12778
fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #12784 JavaScriptBach
docs: replace many occurrences of "localhost" with "127.0.0.1" #12811 #12741 hasezoey SadiqOnGithub
docs(mongoose): Added missing options to set #12810 lpizzinidev
docs: add info on $locals parameters to getters/setters tutorial #12814 #12550 IslandRhythms
docs: make Document.prototype.$clone() public #12803
docs(query): updated explanation for slice #12776 #12474 lpizzinidev
docs(middleware): fix broken links #12787 lpizzinidev
docs(queries): fixed broken links #12790 lpizzinidev

`v6.8.0`

==================

feat: add alpha support for Deno #12397 #9056
feat: add deprecation warning for default strictQuery #12666
feat: upgrade to MongoDB driver 4.12.1
feat(schema): add doc as second params to validation message function #12564 #12651 IslandRhythms
feat(document): add $clone method #12549 #11849 lpizzinidev
feat(populate): allow overriding localField and foreignField for virtual populate #12657 #6963 IslandRhythms
feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #12723 #12583
feat(debug): allow setting debug on a per-connection basis #12704 #12700 lpizzinidev
feat: add rewind function to QueryCursor #12710 passabilities
feat(types): infer timestamps option from schema #12731 #12069
docs: change links to not link to api.html anymore #12644 hasezoey

`v6.7.5`

==================

fix(schema): copy indexes when calling add() with schema instance #12737 #12654
fix(query): handle deselecting _id when another field has schema-level select: false #12736 #12670
fix(types): support using UpdateQuery in bulkWrite() #12742 #12595
docs(middleware): added note about execution policy on subdocuments #12735 #12694 lpizzinidev
docs(validation): clarify context for update validators in validation docs #12738 #12655 IslandRhythms

`v6.7.4`

==================

fix: allow setting global strictQuery after Schema creation #12717 #12703 lpizzinidev
fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #12716
fix(types): infer virtuals in query results #12727 #12702 #12684
fix(types): correctly infer ReadonlyArray types in schema definitions #12720
fix(types): avoid typeof Query with generics for TypeScript 4.6 support #12712 #12688
chore: avoid bundling .tgz files when publishing #12725 hasezoey

`v6.7.3`

==================

fix(document): handle setting array to itself after saving and pushing a new value #12672 #12656
fix(types): update replaceWith pipeline stage #12715 coyotte508
fix(types): remove incorrect modelName type definition #12682 #12669 lpizzinidev
fix(schema): fix setupTimestamps for browser.umd #12683 raphael-papazikas
docs: correct justOne description #12686 #12599 tianguangcn
docs: make links more consistent #12690 #12645 hasezoey
docs(document): explain that $isNew is false in post('save') hooks #12685 #11990
docs: fixed line causing a "used before defined" linting error #12707 sgpinkus

`v6.7.2`

==================

fix(discriminator): skip copying base schema plugins if applyPlugins == false #12613 #12604 lpizzinidev
fix(types): add UUID to types #12650 #12593
fix(types): allow setting SchemaTypeOptions' index property to IndexOptions #12562
fix(types): set this to doc type in SchemaType.prototype.validate() #12663 #12590
fix(types): correct handling for model #12659 #12573
fix(types): pre hook with deleteOne should resolve this as Query #12642 #12622 lpizzinidev

`v6.7.1`

==================

fix(query): select Map field with select: false when explicitly requested #12616 #12603 lpizzinidev
fix: correctly find paths underneath single nested document with an array of mixed #12605 #12530
fix(populate): better support for populating maps of arrays of refs #12601 #12494
fix(types): add missing create constructor signature override type #12585 naorpeled
fix(types): make array paths optional in inferred type of array default returns undefined #12649 #12420
fix(types): improve ValidateOpts type #12606 Freezystem
docs: add Lodash guide highlighting issues with cloneDeep() #12609
docs: removed v5 link from v6 docs #12641 #12624 lpizzinidev
docs: removed outdated connection example #12618 lpizzinidev

`v6.7.0`

==================

feat: upgrade to mongodb driver 4.11.0 #12446
feat: add UUID Schema Type (BSON Buffer SubType 4) #12268 #3208 hasezoey
feat(aggregation): add $fill pipeline stage #12545 raphael-papazikas
feat(types+schema): allow defining schema paths using mongoose.Types.* to work around TS type inference issues #12352
feat(schema): add alias() method that makes it easier to define multiple aliases for a given path #12368
feat(model): add mergeHooks option to Model.discriminator() to avoid duplicate hooks #12542
feat(document): add $timestamps() method to set timestamps for save(), bulkSave(), and insertMany() #12540

`v6.6.7`

==================

fix: correct browser build and improve isAsyncFunction check for browser #12577 #12576 #12392
fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #12578 #12513

`v6.6.6`

==================

fix(update): handle runValidators when using $set on a doc array in discriminator schema #12571 #12518
fix(document): allow creating document with document array and top-level key named schema #12569 #12480
fix(cast): make schema-level strictQuery override schema-level strict for query filters #12570 #12508
fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #12568 #12478
fix: Throws error when updating a key name that match the discriminator key name on nested object #12534 #12517 lpizzinidev
fix(types): add limit to $filter expression #12553 [raphael-papazi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix: update references to mongoose to v6 [security]

ede4be8

| datasource | package  | from    | to     |
| ---------- | -------- | ------- | ------ |
| npm        | mongoose | 5.13.20 | 6.13.6 |

renovate bot added dependencies security labels

Contributor Author

renovate bot commented Nov 12, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

Branch has one or more failed status checks

renovate bot assigned timoa

renovate bot changed the title ~~fix: update references to mongoose to v6 [security]~~ fix: update references to mongoose to v6 [security] - autoclosed

renovate bot closed this

renovate bot deleted the fix/deps/docs-npm-mongoose-vulnerability branch

November 13, 2025 21:41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies security