
fix(deps): update dependency mongoose to v7.8.4 [security]#878

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-mongoose-vulnerability

Conversation

@renovate renovate Bot commented Dec 3, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| mongoose (source) | 7.6.5 → 7.8.4 | age | adoption | passing | confidence |

Mongoose search injection vulnerability

CVE-2024-53900 / GHSA-m7xq-9374-9rvx


Details

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mongoose search injection vulnerability

CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw


Details

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Severity

  • CVSS Score: 9.0 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

Automattic/mongoose (mongoose)

v7.8.4

Compare Source

===================

v7.8.3

Compare Source

==================

  • fix: disallow using $where in match
  • fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #​14894 #​14893
  • docs(migrating_to_7): add note about keepAlive to Mongoose 7 migration guide #​15032 #​13431

v7.8.2

Compare Source

==================

  • fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #​14894 #​14893

v7.8.1

Compare Source

==================

  • fix(query): handle casting $switch in $expr #​14761
  • docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #​14811 #​14810

v7.8.0

Compare Source

==================

v7.7.0

Compare Source

==================

  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v7.6.13

Compare Source

===================

  • fix(query): shallow clone $or and $and array elements to avoid mutating query filter arguments #​14614 #​14610
  • types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #​14612 #​14601
  • docs(migrating_to_7): add id setter to Mongoose 7 migration guide #​14645 #​13672

v7.6.12

Compare Source

===================

v7.6.11

Compare Source

===================

  • fix(populate): avoid match function filtering out null values in populate result #​14518
  • fix(schema): support setting discriminator options in Schema.prototype.discriminator() #​14493 #​14448
  • fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #​14492 #​14457

v7.6.10

Compare Source

===================

  • docs(model): add extra note about lean option for insertMany() skipping casting #​14415
  • docs(mongoose): add options.overwriteModel details to mongoose.model() docs #​14422

v7.6.9

Compare Source

==================

  • fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #​14256 #​14245
  • types(model): correct return type for findByIdAndDelete() #​14233 #​14190
  • docs(connections): add note about using asPromise() with createConnection() for error handling #​14364 #​14266
  • docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #​14264 #​14246

v7.6.8

Compare Source

==================

  • perf(schema): remove unnecessary lookahead in numeric subpath check
  • fix(discriminator): handle reusing schema with embedded discriminators defined using Schema.prototype.discriminator #​14202 #​14162
  • fix(ChangeStream): avoid suppressing errors in closed change stream #​14206 #​14177

v7.6.7

Compare Source

==================

  • fix: avoid minimizing single nested subdocs if they are required #​14151 #​14058
  • fix(populate): allow deselecting discriminator key when populating #​14155 #​3230
  • fix: allow adding discriminators using Schema.prototype.discriminator() to subdocuments after defining parent schema #​14131 #​14109
  • fix(schema): avoid creating unnecessary clone of schematype in nested array so nested document arrays use correct constructor #​14128 #​14101
  • fix(populate): call transform object with single id instead of array when populating a justOne path under an array #​14135 #​14073
  • types: add back mistakenly removed findByIdAndRemove() function signature #​14136 #​14132

v7.6.6

Compare Source

==================


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
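The two advisories above describe the same root cause: a caller-controlled `match` filter reaching MongoDB with a `$where` clause, which evaluates JavaScript server-side, and the 7.8.3 release note records the fix as "disallow using $where in match". The following is an added example, not Mongoose's own code, of an application-side guard that rejects `$where` at any nesting depth (inside `$or`/`$and` arrays, `$elemMatch`, or sub-documents) before a filter is handed to the ODM; the function names (`findBlockedOperator`, `assertSafeMatch`, `isSafeMatch`) and the sample filters are constructed for this illustration.

```javascript
// Added example (not Mongoose's own code): reject MongoDB filters that carry
// the $where operator anywhere in their structure, so a caller-supplied
// populate() "match" can never smuggle server-side JavaScript into a query.
const BLOCKED_OPERATORS = new Set(['$where']);

class UnsafeFilterError extends Error {}

// Walk a filter recursively. Returns the dotted path of the first blocked
// operator found (e.g. "$or[1].$where"), or null when the filter is clean.
// Arrays are descended into so operators hidden under $or / $and are caught.
function findBlockedOperator(filter, path = '') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findBlockedOperator(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_OPERATORS.has(key)) return here;
    const hit = findBlockedOperator(value, here);
    if (hit) return hit;
  }
  return null;
}

// Throws before the filter can reach the database driver.
function assertSafeMatch(filter) {
  const hit = findBlockedOperator(filter);
  if (hit) throw new UnsafeFilterError(`blocked operator at ${hit}`);
  return filter;
}

// Boolean form for callers that prefer to reject the request themselves.
function isSafeMatch(filter) {
  return findBlockedOperator(filter) === null;
}

// Constructed sample "match" filters, as an application might receive them.
const SAMPLE_MATCHES = {
  plain: { status: 'active', age: { $gte: 18 } },
  topLevel: { $where: 'this.status === "active"' },
  nestedInOr: { $or: [{ status: 'x' }, { $where: 'this.age > 1' }] },
  nestedInElemMatch: { tags: { $elemMatch: { $where: 'this.n === 1' } } },
};

for (const [name, filter] of Object.entries(SAMPLE_MATCHES)) {
  console.log(name, isSafeMatch(filter) ? 'accepted' : `rejected (${findBlockedOperator(filter)})`);
}
```

The check runs over whatever object shape the application passes as `match`; a top-level-only check would miss the nested cases, which is the kind of gap the second advisory's "incomplete fix" note warns about.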

@renovate renovate Bot added the renovate label Dec 3, 2024
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v8 [security] - autoclosed Dec 4, 2024
@renovate renovate Bot closed this Dec 4, 2024
@renovate renovate Bot deleted the renovate/npm-mongoose-vulnerability branch December 4, 2024 17:41
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] - autoclosed fix(deps): update dependency mongoose to v8 [security] Dec 4, 2024
@renovate renovate Bot reopened this Dec 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 25d05b0 to 075ced8 Compare December 4, 2024 20:03
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v7.8.3 [security] Dec 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 075ced8 to 6a3976e Compare December 4, 2024 23:14
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 6a3976e to 4fe2b2f Compare January 17, 2025 04:11
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v7.8.3 [security] fix(deps): update dependency mongoose to v8 [security] Jan 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 4fe2b2f to 3040b1b Compare January 19, 2025 08:21
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v8 [security] fix(deps): update dependency mongoose to v7.8.4 [security] Jan 19, 2025
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3040b1b to b6301af Compare August 10, 2025 13:58
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from b6301af to c214024 Compare December 31, 2025 15:17
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from 1b66a14 to babc661 Compare January 23, 2026 19:42
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from babc661 to 79b52b3 Compare February 2, 2026 16:32
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 79b52b3 to d66701f Compare February 12, 2026 12:08
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v7.8.4 [security] fix(deps): update dependency mongoose to v7.8.4 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v7.8.4 [security] - autoclosed fix(deps): update dependency mongoose to v7.8.4 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 3 times, most recently from a53f1f1 to 28518ad Compare April 1, 2026 20:34
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 28518ad to b1799f0 Compare April 8, 2026 18:34
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v7.8.4 [security] fix(deps): update dependency mongoose to v7.8.4 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency mongoose to v7.8.4 [security] - autoclosed fix(deps): update dependency mongoose to v7.8.4 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch 3 times, most recently from 742a81e to 0a9bb71 Compare April 29, 2026 20:12
@renovate renovate Bot force-pushed the renovate/npm-mongoose-vulnerability branch from 0a9bb71 to 6411604 Compare May 12, 2026 10:34
renovate Bot commented May 12, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Progress: resolved 1, reused 0, downloaded 0, added 0
[WARN] deprecated eslint@8.54.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
[WARN] deprecated uuid@10.0.0: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
Progress: resolved 120, reused 0, downloaded 0, added 0
Progress: resolved 139, reused 0, downloaded 0, added 0
Progress: resolved 357, reused 0, downloaded 0, added 0
[ERR_PNPM_NO_MATCHING_VERSION] No matching version found for has@1.0.29 while fetching it from https://registry.npmjs.org/

This error happened while installing the dependencies of @innei/eslint-config-ts@0.11.1
 at eslint-plugin-import@2.28.1

The latest release of has is "1.0.4".

If you need the full list of all 6 published versions run "pnpm view has versions".
