New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency mongoose to v6.11.3 [security] #195

Open

renovate wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

renovate bot commented Mar 17, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	`6.3.8` -> `6.11.3`

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

Release Notes

Automattic/mongoose (mongoose)

`v6.11.3`

===================

fix: avoid prototype pollution on init
fix(schema): correctly handle uuids with populate() #13317 #13595

`v6.11.2`

===================

fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435

`v6.11.1`

===================

fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340
fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #13384 #13373
types(model): allow overwriting expected param type for bulkWrite() #13292 hasezoey

`v6.11.0`

===================

feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #13337 #13075
perf: speed up creating maps of subdocuments #13280 #13191 #13271
fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #13338
fix(document): merge Document $inc calls instead of overwriting #13322
fix(update): handle casting doubly nested arrays with $pullAll #13285
docs: backport documentation versioning changes to 6.x #13253 #13190 hasezoey

`v6.10.5`

===================

perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #12953
fix(model): execute valid write operations if calling bulkWrite() with ordered: false #13218 #13176
fix(array): pass-through all parameters #13202 #13201 hasezoey
fix: improve error message when sorting by empty string #13249 #10182
docs: add version support and check version docs #13251 #13193

`v6.10.4`

===================

fix(document): apply setters on resulting value when calling Document.prototype.$inc() #13178 #13158
fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #13163 #12791
docs(guide+schematypes): add UUID to schematypes guide #13184

`v6.10.3`

===================

fix(connection): add stub implementation of doClose to base connection class #13157
fix(types): add cursor.eachAsync index parameter #13162 #13153 hasezoey
docs: fix 6.x docs sidebar links #13147 #13144 hasezoey
docs(validation): clarify that validation runs as first pre(save) middleware #13062

`v6.10.2`

===================

fix(document): avoid setting array default if document array projected out by sibling projection #13135 #13043 #13003
fix(documentarray): set correct document array path if making map of document arrays #13133
fix: undo accidental change to engines in package.json #13124 lorand-horvath
docs: quick improvement to Model.init() docs #13054

`v6.10.1`

===================

fix: avoid removing empty query filters in $and and $or #13086 #12898
fix(schematype): fixed validation for required UUID field #13018 lpizzinidev
fix(types): add missing Paths generic param to Model.populate() #13070
docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #13083 lpizzinidev
docs: fix code in headers for migrating_to_5 #13077 hasezoey
docs: backport misc documentation changes into 6.x #13091 hasezoey

`v6.10.0`

===================

feat: upgrade to mongodb driver 4.14.0 #13036
feat: added Schema.prototype.omit() function #12939 #12931 lpizzinidev
feat(index): added createInitialConnection option to Mongoose constructor #13021 #12965 lpizzinidev

`v6.9.3`

==================

fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #13007 #12940 lpizzinidev
fix(discriminator): allows update doc with discriminatorKey #13056 #13055 abarriel
fix(query): avoid sending unnecessary empty projection to MongoDB server #13059 #13050
fix(model): avoid sending null session option with document operations #13053 #13052 lpizzinidev
fix(types): use MergeTypes for type overrides in HydratedDocument #13066 #13040
docs(middleware): list validate as a potential query middleware #13057 #12680
docs(getters-setters): explain that getters do not run by default on toJSON() #13058 #13049
docs: refactor docs generation scripts #13044 hasezoey

`v6.9.2`

==================

fix(model): fixed post('save') callback parameter #13030 #13026 lpizzinidev
fix(UUID): added null check to prevent error on binaryToString conversion #13034 #13032 #13029 lpizzinidev Freezystem
fix(query): revert breaking changes introduced by #12797 #12999 lpizzinidev
fix(document): make array $shift() use $pop instead of overwriting array #13004
docs: update & remove old links #13019 hasezoey
docs(middleware): describe how to access model from document middleware #13031 AxeOfMen
docs: update broken & outdated links #13001 hasezoey
chore: change deno tests to also use MMS #12918 hasezoey

`v6.9.1`

==================

fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #12994 lpizzinidev
fix(document): save newly set defaults underneath single nested subdocuments #13002 #12905
fix(update): handle custom discriminator model name when casting update #12947 wassil
fix(connection): handles unique autoincrement ID for connections #12990 lpizzinidev
fix(types): fix type of options of Model.aggregate #12933 ghost91-
fix(types): fix "near" aggregation operator input type #12954 Jokero
fix(types): add missing Top operator to AccumulatorOperator type declaration #12952 lpizzinidev
docs(transactions): added example for Connection.transaction() method #12943 #12934 lpizzinidev
docs(populate): fix out of date comment referencing onModel property #13000
docs(transactions): fix typo in transactions.md #12995 Parth86

`v6.9.0`

==================

feat(schema): add removeVirtual(path) function to schema #12920 IslandRhythms
fix(cast): remove empty $or conditions after strict applied #12898 0x0a0d
docs: fixed typo #12946 Gbengstar

`v6.8.4`

==================

fix(collection): handle creating model when connection disconnected with bufferCommands = false #12889
fix(populate): merge instead of overwrite when match is on _id #12891
fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #12820 sgpinkus
fix(types): correctly infer types on document arrays #12884 #12882 JavaScriptBach
fix(types): added omit for ArraySubdocument type in LeanType declaration #12903 piyushk96
fix(types): add returnDocument type safety #12906 AbdelrahmanHafez
docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #12912 #12806
docs(schematypes): removed dead link and fixed formatting #12897 #12885 lpizzinidev
docs: fix link to lean api #12910 manniL
docs: list all possible strings for schema.pre in one place #12868
docs: add list of known incompatible npm packages #12892 IslandRhythms

`v6.8.3`

==================

perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #12867 Uzlopak
fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #12866
fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #12836
fix(types): avoid inferring timestamps if methods, virtuals, or statics set #12871
fix(types): correctly infer string enums on const arrays #12870 JavaScriptBach
fix(types): allow virtuals to be invoked in the definition of other virtuals #12874 sffc
fix(types): add type def for Aggregate#model without arguments #12864 hasezoey
docs(discriminators): add section about changing discriminator key #12861
docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #12860 #12684

`v6.8.2`

==================

fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #12827 #12796
fix(model): respect discriminators with Model.validate() #12824 #12621
fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #12826 #12821
fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #12833 #12696
fix(types): add option "overwriteModels" as a schema option #12817 #12816 hasezoey
fix(types): add property "defaultOptions" #12818 hasezoey
docs: make search bar respect documentation version, so you can search 5.x docs #12548
docs(typescript): make note about recommending strict mode when using auto typed schemas #12825 #12420
docs: add section on sorting to query docs #12588 IslandRhythms
test(query.test): add write-concern option #12829 hasezoey

`v6.8.1`

==================

fix(query): avoid throwing circular dependency error if same object is used in multiple properties #12774 orgads
fix(map): return value from super.delete() #12777 danbrud
fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #12815 #12730
fix(update): handle embedded discriminators when casting array filters #12802 #12565
fix(populate): avoid calling transform if there's no populate results and using lean #12804 #12739
fix(model): prevent index creation on syncIndexes if not necessary #12785 #12250 lpizzinidev
fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #12778
fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #12784 JavaScriptBach
docs: replace many occurrences of "localhost" with "127.0.0.1" #12811 #12741 hasezoey SadiqOnGithub
docs(mongoose): Added missing options to set #12810 lpizzinidev
docs: add info on $locals parameters to getters/setters tutorial #12814 #12550 IslandRhythms
docs: make Document.prototype.$clone() public #12803
docs(query): updated explanation for slice #12776 #12474 lpizzinidev
docs(middleware): fix broken links #12787 lpizzinidev
docs(queries): fixed broken links #12790 lpizzinidev

`v6.8.0`

==================

feat: add alpha support for Deno #12397 #9056
feat: add deprecation warning for default strictQuery #12666
feat: upgrade to MongoDB driver 4.12.1
feat(schema): add doc as second params to validation message function #12564 #12651 IslandRhythms
feat(document): add $clone method #12549 #11849 lpizzinidev
feat(populate): allow overriding localField and foreignField for virtual populate #12657 #6963 IslandRhythms
feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #12723 #12583
feat(debug): allow setting debug on a per-connection basis #12704 #12700 lpizzinidev
feat: add rewind function to QueryCursor #12710 passabilities
feat(types): infer timestamps option from schema #12731 #12069
docs: change links to not link to api.html anymore #12644 hasezoey

`v6.7.5`

==================

fix(schema): copy indexes when calling add() with schema instance #12737 #12654
fix(query): handle deselecting _id when another field has schema-level select: false #12736 #12670
fix(types): support using UpdateQuery in bulkWrite() #12742 #12595
docs(middleware): added note about execution policy on subdocuments #12735 #12694 lpizzinidev
docs(validation): clarify context for update validators in validation docs #12738 #12655 IslandRhythms

`v6.7.4`

==================

fix: allow setting global strictQuery after Schema creation #12717 #12703 lpizzinidev
fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #12716
fix(types): infer virtuals in query results #12727 #12702 #12684
fix(types): correctly infer ReadonlyArray types in schema definitions #12720
fix(types): avoid typeof Query with generics for TypeScript 4.6 support #12712 #12688
chore: avoid bundling .tgz files when publishing #12725 hasezoey

`v6.7.3`

`v6.7.2`

`v6.7.1`

==================

fix(query): select Map field with select: false when explicitly requested #12616 #12603 lpizzinidev
fix: correctly find paths underneath single nested document with an array of mixed #12605 #12530
fix(populate): better support for populating maps of arrays of refs #12601 #12494
fix(types): add missing create constructor signature override type #12585 naorpeled
fix(types): make array paths optional in inferred type of array default returns undefined #12649 #12420
fix(types): improve ValidateOpts type #12606 Freezystem
docs: add Lodash guide highlighting issues with cloneDeep() #12609
docs: removed v5 link from v6 docs #12641 #12624 lpizzinidev
docs: removed outdated connection example #12618 lpizzinidev

`v6.7.0`

`v6.6.7`

==================

fix: correct browser build and improve isAsyncFunction check for browser #12577 #12576 #12392
fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #12578 #12513

`v6.6.6`

==================

fix(update): handle runValidators when using $set on a doc array in discriminator schema #12571 #12518
fix(document): allow creating document with document array and top-level key named schema #12569 #12480
fix(cast): make schema-level strictQuery override schema-level strict for query filters #12570 #12508
fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #12568 #12478
fix: Throws error when updating a key name that match the discriminator key name on nested object #12534 #12517 lpizzinidev
fix(types): add limit to $filter expression #12553 raphael-papazikas
fix(types): correct replaceWith type pipeline stage #12535 FabioCingottini
fix(types): add missing densify type pipeline type #12533 FabioCingottini
docs(populate): added transform option description #12560 #12551 lpizzinidev
docs(connection): add sample to useDb() documentation #12541 lpizzinidev
docs(guide): update broken read-preference links #12538 #12525 hasezoey
chore: add TypeScript version field to issue template #12532 hasezoey

`v6.6.5`

`v6.6.4`

`v6.6.3`

==================

fix(query): treat findOne(_id) as equivalent to findOne({ _id }) #12485 #12325
fix(timestamps): findOneAndUpdate creates subdocs with timestamps in reverse order #12484 #12475 lpizzinidev
fix(types): make schema.plugin() more flexible for schemas that don't define any generics #12486 #12454
fix(types): add "array of array key-value pairs" as a argument option for "query.sort()" #12483 #12434 hasezoey
fix(types): remove unused defaults in "PluginFunction" #12459 hasezoey
fix(types): update DiscriminatorSchema to have better names and combine statics #12460 hasezoey

`v6.6.2`

`v6.6.1`

==================

fix: correctly apply defaults after subdoc init #12328
fix(array): avoid using default _id when using pull() #12294
fix: allow null values inside $expr objects #12429 MartinDrost
fix(query): use correct Query constructor when cloning query #12418
docs(website): remove setting "latest38x" which is not used anywhere #12396 hasezoey

`v6.6.0`

==================

feat: upgrade mongodb driver -> 4.9.1 #12370 AbdelrahmanHafez
feat: re-export default Mongoose instance properties for ESM named imports support #12256
feat(model): add option to skip invalid fields with castObject() #12156 IslandRhythms
feat: use setPrototypeOf() instead of proto to allow running on Deno #12315
feat(QueryCursor): add support for AbortSignal on eachAsync() #12323
feat(types): add types for new $densify operator #12118 IslandRhythms

`v6.5.5`

==================

fix(setDefaultsOnInsert): avoid applying defaults on insert if nested property set #12279
fix(model): make applyHooks() and applyMethods() handle case where custom method is set to Mongoose implementation #12254
fix(types): add string "ascending" and "descending" index-directions #10269
docs: upgrade dox to 1.0.0 #12403 hasezoey
docs: update old mongodb nodejs driver documentation urls #12387 hasezoey
docs: update JSDOC ... (spread) definition #12388 hasezoey
refactor(model): allow optionally passing indexes to createIndexes and cleanIndexes #12280 AbdelrahmanHafez

`v6.5.4`

==================

fix(document): allow calling $assertPopulated() with values to better support manual population #12233
fix(connection+mongoose): better handling for calling model() with 1 argument #12359
fix(model): allow defining discriminator virtuals and methods using schema options #12326
fix(types): fix MongooseQueryMiddleware missing "findOneAndReplace" and "replaceOne" #12330 #12329 Jule- lpizzinidev
fix(types): fix replaceOne return type #12351 lpizzinidev
fix(types): use this for return type from $assertPopulated() #12234
docs: highlight how to connect using auth in README #12354 AntonyOnScript
docs: improve jsdoc comments for private methods #12337 hasezoey
docs: fix minor typo in compatibility table header #12355 skyme5

`v6.5.3`

==================

fix(document): handle maps when applying defaults to nested paths #12322
fix(schema): make ArraySubdocuments apply _id defaults on init #12264
fix(populate): handle specifying recursive populate as a string with discriminators #12266
perf(types): remove extends Query in Schema.pre() and Schema.post(), loosen discriminator() generic #10349
perf(types): some more micro-optimizations re: #10349, remove extra type checking on $ne, etc.
fix(types): infer schema on connection.model() #12298 #12125 hasezoey
fix(types): add missing findById() type definitions #12309 lpizzinidev
fix(types): allow $search in $lookup pipeline stages for MongoDB v6.x support #12278 AbdelrahmanHafez
fix(types): add parameter "options" to "Model.remove" #12258 hasezoey
fix(types): sync single-generic-no-constraint "model" between "index.d.ts" and "connection.d.ts" #12299 hasezoey
fix(types): update isDirectModified typing #12290 gabrielDonnantuoni
docs: update links on api docs #12293 eatmoarrice
docs: add note about language_override option #12310 IslandRhythms
docs(document): add "String[]" to Document.depopulate as jsdoc parameter type #12300 hasezoey
docs: update Node.js EventEmitter url #12303 rainrisa

`v6.5.2`

==================

fix(aggregate): avoid throwing error when disconnecting with change stream open #12201 ramos-ph
fix(query): overwrite top-level key if using Query.prototype.set() to set to undefined #12155
fix(query): shallow clone options before modifying #12176
fix(types): auto schema type inference on Connection.prototype.model() #12240 hasezoey
fix(types): better typescript support for schema plugins #12139 emiljanitzek
fix(types): make bulkWrite() type param optional #12221 #12212
docs: misc cleanup #12199 hasezoey
docs: highlight current top-most visible header in navbar #12222 hasezoey
docs(populate): improve examples for Document.prototype.populate() #12111
docs(middleware): clarify document vs model in middleware docs #12113

`v6.5.1`

==================

fix(timestamps): set timestamps on child schema when child schema has timestamps: true but parent schema does not #12119
fix(schema+timestamps): handle insertMany() with timestamps and discriminators #12150
fix(model+query): handle populate with lean transform that deletes _id #12143
fix(types): allow $pull with _id #12142
fix(types): add schema plugin option inference #12196 hasezoey
fix(types): pass type to mongodb bulk write operation #12167 emiljanitzek
fix(types): map correct generics from model to schema #12125 emiljanitzek
fix(types): avoid baffling circular reference when using PopulatedDoc with a bidirectional reference #12136
fix(types): allow using path with $count #12149
docs(compatibility): change to use a table #12200 hasezoey
docs(api_split.pug): add "code" to sidebar entries #12153 hasezoey
docs: add "code" to Headers (and index list) #12152 hasezoey

`v6.5.0`

==================

perf(document): avoid creating unnecessary empty objects when creating a state machine #11988
feat: upgrade mongodb driver -> 4.8.1 #12103 AbdelrahmanHafez
feat(model): allow passing timestamps option to Model.bulkSave(...) #12082 AbdelrahmanHafez
feat(model): add castObject() function that casts a POJO to the model's schema #11945
feat(document): add $inc() helper that increments numeric paths #12115
feat(schema): add schema level lean option IslandRhythms
feat(schema): add global id option to disable id on schemas #12067 IslandRhythms
fix(connection): re-run Model.init() if re-co

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency mongoose to v6.11.3 [security]

9180f28

renovate bot changed the title ~~fix(deps): update dependency mongoose to v6.4.6 [security]~~ fix(deps): update dependency mongoose to v6.11.3 [security]

renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from 6ea83c9 to 9180f28 Compare

July 18, 2023 22:36

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet