fix(deps): update dependency mongoose to v8.8.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	8.3.4 -> 8.8.3

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

---

Release Notes

Automattic/mongoose (mongoose)

v8.8.3

Compare Source

==================

• fix: disallow using $where in match
• perf: cache results from getAllSubdocs() on saveOptions, only loop through known subdoc properties #​15055 #​15029
• fix(model+query): support overwriteDiscriminatorKey for bulkWrite updateOne and updateMany, allow inferring discriminator key from update #​15046 #​15040

v8.8.2

Compare Source

==================

• fix(model): handle array filters when casting bulkWrite #​15036 #​14978
• fix(model): make diffIndexes() avoid trying to drop default timeseries collection index #​15035 #​14984
• fix: save execution stack in query as string #​15039 durran
• types(cursor): correct asyncIterator and asyncDispose for TypeScript with lib: 'esnext' #​15038
• docs(migrating_to_8): add note about removing findByIdAndRemove #​15024 dragontaek-lee

v8.8.1

Compare Source

==================

• perf: make a few micro-optimizations to help speed up findOne() #​15022 #​14906
• fix: apply embedded discriminators to subdoc schemas before compiling top level model so middleware applies correctly #​15001 #​14961
• fix(query): add overwriteImmutable option to allow updating immutable properties without disabling strict mode #​15000 #​8619

v8.8.0

Compare Source

==================

• feat: upgrade mongodb -> ~6.10 #​14991 #​14877
• feat(query): add schemaLevelProjections option to query to disable schema-level select: false #​14986 #​11474
• feat: allow defining virtuals on arrays, not just array elements #​14955 #​2326
• feat(model): add applyTimestamps() function to apply all schema timestamps, including subdocuments, to a given POJO #​14943 #​14698
• feat(model): add hideIndexes option to syncIndexes() and cleanIndexes() #​14987 #​14868
• fix(query): make sanitizeFilter disable implicit $in #​14985 #​14657
• fix(model): avoid unhandled error if createIndex() throws a sync error #​14995
• fix(model): avoid throwing TypeError if bulkSave()'s bulkWrite() fails with a non-BulkWriteError #​14993
• types: added toJSON:flattenObjectIds effect #​14989
• types: add __v to lean() result type and ModifyResult #​14990 #​12959
• types: use globalThis instead of global for NativeDate #​14992 #​14988
• docs(change-streams): fix markdown syntax highlighting for script output example #​14994

v8.7.3

Compare Source

==================

• fix(cursor): close underlying query cursor when calling destroy() #​14982 #​14966
• types: add JSONSerialized helper that can convert HydratedDocument to JSON output type #​14981 #​14451
• types(model): convert InsertManyResult to interface and remove unnecessary insertedIds override #​14977
• types(connection): add missing sanitizeFilter option #​14975
• types: improve goto definition for inferred schema definitions #​14968 forivall
• docs(migration-guide-v7): correct link to the section "Id Setter" #​14973 rb-ntnx

v8.7.2

Compare Source

==================

• fix(document): recursively clear modified subpaths when setting deeply nested subdoc to null #​14963 #​14952
• fix(populate): handle array of ids with parent refPath #​14965
• types: make Buffers into mongodb.Binary in lean result type to match runtime behavior #​14967
• types: correct schema type inference when using nested typeKey like type: { type: String } #​14956 #​14950
• types: re-export DeleteResult and UpdateResult from MongoDB Node.js driver #​14947 #​14946
• docs(documents): add section on setting deeply nested properties, including warning about nullish coalescing assignment #​14972
• docs(model): add more info on acknowledged: false, specifically that Mongoose may return that if the update was empty #​14957

v8.7.1

Compare Source

==================

• fix: set flattenObjectIds to false when calling toObject() for internal purposes #​14938
• fix: add mongodb 8 to test matrix #​14937
• fix: handle buffers stored in MongoDB as EJSON representation with { $binary } #​14932
• docs: indicate that Mongoose 8.7 is required for full MongoDB 8 support #​14937

v8.7.0

Compare Source

==================

• feat(model): add Model.applyVirtuals() to apply virtuals to a POJO #​14905 #​14818
• feat: upgrade mongodb -> 6.9.0 #​14914
• feat(query): cast $rename to string #​14887 #​3027
• feat(SchemaType): add getEmbeddedSchemaType() method to SchemaTypes #​14880 #​8389
• fix(model): throw MongooseBulkSaveIncompleteError if bulkSave() didn't completely succeed #​14884 #​14763
• fix(connection): avoid returning readyState = connected if connection state is stale #​14812 #​14727
• fix: depopulate if push() or addToSet() with an ObjectId on a populated array #​14883 #​1635
• types: make __v a number, only set __v on top-level documents #​14892

v8.6.4

Compare Source

==================

• fix(document): avoid massive perf degradation when saving new doc with 10 level deep subdocs #​14910 #​14897
• fix(model): skip applying static hooks by default if static name conflicts with aggregate middleware #​14904 dragontaek-lee
• fix(model): filter applying static hooks by default if static name conflicts with mongoose middleware #​14908 dragontaek-lee

v8.6.3

Compare Source

==================

• fix: make getters convert uuid to string when calling toObject() and toJSON() #​14890 #​14869
• fix: fix missing Aggregate re-exports for ESM #​14886 wongsean
• types(document): add generic param to depopulate() to allow updating properties #​14891 #​14876

v8.6.2

Compare Source

==================

• fix: make set merge deeply nested objects #​14870 #​14861 ianHeydoc
• types: allow arbitrary keys in query filters again (revert #​14764) #​14874 #​14863 #​14862 #​14842
• types: make SchemaType static setters property accessible in TypeScript #​14881 #​14879
• type(inferrawdoctype): infer Date types as JS dates rather than Mongoose SchemaType Date #​14882 #​14839

v8.6.1

Compare Source

==================

• fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #​14844 #​14840 #​14835
• fix(model): throw error if bulkSave() did not insert or update any documents #​14837 #​14763
• fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #​14846
• types(query): add $expr to RootQuerySelector #​14845
• docs: update populate.md to fix missing match: { } #​14847 makhoulshbeeb

v8.6.0

Compare Source

==================

• feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #​14813
• feat(model+query): support options parameter for distinct() #​14772 #​8006
• feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #​14745
• types: change query selector to disallow unknown top-level keys by default #​14764 alex-statsig
• types: make toObject() and toJSON() not generic by default to avoid type widening #​14819 #​12883
• types: avoid automatically inferring lean result type when assigning to explicitly typed variable #​14734

v8.5.5

Compare Source

==================

• fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #​14833 #​14827 #​14759
• fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #​14821
• types: fix schema type based on timestamps schema options value #​14829 #​14825 ark23CIS

v8.5.4

Compare Source

==================

• fix: add empty string check for collection name passed #​14806 Shubham2552
• docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #​14809

v8.5.3

Compare Source

==================

• fix(document): call required functions on subdocuments underneath nested paths with correct context #​14801 #​14788
• fix(populate): avoid throwing error when no result and lean() set #​14799 #​14794 #​14759 MohOraby
• fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #​14774 #​14771 #​14623 #​14394
• types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #​14800 #​14793
• types: support schema type inference based on schema options timestamps as well #​14773 #​13215 ark23CIS
• types(cursor): indicate that cursor.next() can return null #​14798 #​14787
• types: allow mongoose.connection.db to be undefined #​14797 #​14789
• docs: add schema type widening advice #​14790 JstnMcBrd

v8.5.2

Compare Source

==================

• perf(clone): avoid further unnecessary checks if cloning a primitive value #​14762 #​14394
• fix: allow setting document array default to null #​14769 #​14717 #​6691
• fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #​14744 #​14736
• fix(model+document): avoid depopulating manually populated doc as getter value #​14760 #​14759
• fix: correct shardkey access in buildBulkWriteOps #​14753 #​14752 adf0nt3s
• fix(query): handle casting $switch in $expr #​14755 #​14751
• types: allow calling SchemaType.cast() without parent and init parameters #​14756 #​14748 #​9076
• docs: fix a wrong example in v6 migration guide #​14758 abdelrahman-elkady

v8.5.1

Compare Source

==================

• perf(model): performance improvements for insertMany() #​14724
• fix(model): avoid leaving subdoc defaults on top-level doc when setting subdocument to same value #​14728 #​14722
• fix(model): handle transactionAsyncLocalStorage option with insertMany() #​14743
• types: make _id required on Document type #​14735 #​14660
• types: fix ChangeStream.close to return a Promise like the driver #​14740 orgads

v8.5.0

Compare Source

==================

• perf: memoize toJSON / toObject default options #​14672
• feat(document): add $createModifiedPathsSnapshot(), $restoreModifiedPathsSnapshot(), $clearModifiedPaths() #​14699 #​14268
• feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema #​14691
• feat: allow setting array default value to null #​14717 #​6691
• feat(mongoose): allow drivers to set global plugins #​14682
• feat(connection): bubble up monitorCommands events to Mongoose connection if monitorCommands option set #​14681 #​14611
• fix(document): ensure post('deleteOne') hooks are called when calling save() after subdoc.deleteOne() #​14732 #​9885
• fix(query): remove count() and findOneAndRemove() from query chaining #​14692 #​14689
• fix: remove default connection if setting createInitialConnection to false after Mongoose instance created #​14679 #​8302
• types(models+query): infer return type from schema for 1-level deep nested paths #​14632
• types(connection): make transaction() return type match the executor function #​14661 #​14656
• docs: fix docs links in index.md mirasayon

v8.4.5

Compare Source

==================

• types: correct this for validate.validator schematype option #​14720 #​14696
• docs(model): note that insertMany() with lean skips applying defaults #​14723 #​14698

v8.4.4

Compare Source

==================

• perf: avoid unnecesary get() call and use faster approach for converting to string #​14673 #​14394
• fix(projection): handle projections on arrays in Model.hydrate() projection option #​14686 #​14680
• fix(document): avoid passing validateModifiedOnly to subdocs so subdocs get fully validating if they're directly modified #​14685 #​14677
• fix: handle casting primitive array with $elemMatch in bulkWrite() #​14687 #​14678
• fix(query): cast $pull using embedded discriminator schema when discriminator key is set in filter #​14676 #​14675
• types(connection): fix return type of withSession() #​14690 tt-public
• types: add $documents pipeline stage and fix $unionWith type #​14666 nick-statsig
• docs(findoneandupdate): improve example that shows findOneAndUpdate() returning doc before updates were applied #​14671 #​14670

v8.4.3

Compare Source

==================

• fix: remove 0x flamegraph files from release

v8.4.2

Compare Source

==================

• perf: more toObject() perf improvements #​14623 #​14606 #​14394
• fix(model): check the value of overwriteModels in options when calling discriminator() #​14646 uditha-g
• fix: avoid throwing TypeError when deleting an null entry on a populated Map #​14654 futurliberta
• fix(connection): fix up some inconsistencies in operation-end event and add to docs #​14659 #​14648
• types: avoid inferring Boolean, Buffer, ObjectId as Date in schema definitions under certain circumstances #​14667 #​14630
• docs: add note about parallelism in transations #​14647 fiws

v8.4.1

Compare Source

==================

• fix: pass options to clone instead of get in applyVirtuals #​14606 #​14543 andrews05
• fix(document): fire pre validate hooks on 5 level deep single nested subdoc when modifying after save() #​14604 #​14591
• fix: ensure buildBulkWriteOperations target shard if shardKey is set #​14622 #​14621 matlpriceshape
• types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #​14612 #​14601

v8.4.0

Compare Source

==================

• feat: upgrade mongodb -> 6.6.2 #​14584
• feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #​14583 #​13889
• feat: handle initially null driver when instantiating Mongoose for Rollup support #​14577 #​12335
• feat(mongoose): export omitUndefined() helper #​14582 #​14569
• feat: add Model.listSearchIndexes() #​14519 #​14450
• feat(connection): add listDatabases() function #​14506 #​9048
• feat(schema): add schema-level readConcern option to apply default readConcern for all queries #​14579 #​14511
• fix(error): remove model property from CastError to avoid printing all model properties to console #​14568 #​14529
• fix(model): make bulkWrite() and insertMany() throw if throwOnValidationError set and all ops invalid #​14587 #​14572
• fix(document): ensure transform function passed to toObject() options applies to subdocs #​14600 #​14589
• types: add inferRawDocType helper #​13900 #​13772
• types(document): make document _id type default to unknown instead of any #​14541

v8.3.5

Compare Source

==================

• fix(query): shallow clone $or, $and if merging onto empty query filter #​14580 #​14567
• types(model+query): pass TInstanceMethods to QueryWithHelpers so populated docs have methods #​14581 #​14574
• docs(typescript): clarify that setting THydratedDocumentType on schemas is necessary for correct method context #​14575 #​14573

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the mongoose dependency from version 8.3.4 to 8.8.3 to address a security vulnerability (CVE-2024-53900) related to improper use of the $where operator. The update also includes various bug fixes, performance improvements, and new features.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Security fix for CVE-2024-53900 vulnerability	Disallow using $where operator in match to prevent code injection attacks Prevent unauthorized access and manipulation of database data through $where clause	package.json
Performance improvements	Cache results from getAllSubdocs() on saveOptions Optimize loop through known subdoc properties Improve performance of findOne() with micro-optimizations Memoize toJSON/toObject default options	package.json
MongoDB driver compatibility updates	Upgrade mongodb driver to ~6.10 Add support for MongoDB 8 Handle buffers stored in MongoDB as EJSON representation	package.json

Possibly linked issues

• fix(deps): update dependency mongoose to v8.8.3 [security] #10: The PR updates mongoose to v8.8.3, addressing a security issue listed in the dashboard.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.