New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency mongoose to v5.7.5 [SECURITY] #33

Open

renovate wants to merge 1 commit into master from renovate/npm-mongoose-vulnerability

renovate bot commented Nov 12, 2019 •

edited

This PR contains the following updates:

Package	Type	Update	Change
mongoose (source)	dependencies	minor	`5.2.18` -> `5.7.5`

GitHub Vulnerability Alerts

CVE-2019-17426

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Release Notes

Automattic/mongoose

`v5.7.5`

==================

fix(query): delete top-level _bsontype property in queries to prevent silent empty queries #8222
fix(update): handle subdocument pre('validate') errors in update validation #7187
fix(subdocument): make subdocument#isModified use parent document's isModified #8223
docs(index): add favicon to home page #8226
docs: add schema options to API docs #8012
docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate') #8218
refactor: remove redundant code in ValidationError #8244 AbdelrahmanHafez

`v5.7.4`

==================

fix(schema): handle required: null and required: undefined as required: false #8219
fix(update): support updating array embedded discriminator props if discriminator key in $elemMatch #8063
fix(populate): allow accessing populate virtual prop underneath array when virtual defined on top level #8198
fix(model): support passing options to Model.remove() #8211
fix(document): handle Document#set() merge option when setting underneath single nested schema #8201
fix: use options constructor class for all schematypes #8012

`v5.7.3`

==================

fix: make CoreMongooseArray#includes() handle fromIndex parameter #8203
fix(update): cast right hand side of $pull as a query instead of an update for document arrays #8166
fix(populate): handle virtual populate of an embedded discriminator nested path #8173
docs(validation): remove deprecated isAsync from validation docs in favor of emphasizing promises #8184
docs(documents): add overwriting section #8178
docs(promises): add note about queries being thenable #8110
perf: avoid update validators going into Mixed types #8192 birdofpreyru
refactor: remove async as a prod dependency #8073

`v5.7.1`

===================

fix(cursor): wait until all eachAsync() functions finish before resolving the promise #8352
fix(update): handle embedded discriminator paths when discriminator key is defined in the update #8378
fix(schematype): handle passing message function to SchemaType#validate() as positional arg #8360
fix(map): handle cloning a schema that has a map of subdocuments #8357
docs(schema): clarify that uppercase, lowercase, and trim options for SchemaString don't affect RegExp queries #8333

`v5.7.0`

==================

feat(document+query): support conditionally immutable schema paths #8001
perf(documentarray): refactor to use ES6 classes instead of mixins, ~30% speedup #7895
feat: use MongoDB driver 3.3.x for MongoDB 4.2 support #8083 #8078
feat(schema+query): add pre('validate') and post('validate') hooks for update validation #7984
fix(timestamps): ensure updatedAt gets incremented consistently using update with and without $set #4768
feat(query): add Query#get() to make writing custom setters that handle both queries and documents easier #7312
feat(document): run setters on defaults #8012
feat(document): add aliases: false option to Document#toObject() #7548
feat(timestamps): support skipping updatedAt and createdAt for individual save() and update() #3934
docs: fix index creation link in guide #8138 joebowbeer

`v5.6.13`

===================

fix(parallel): fix parallelLimit when fns is empty #8130 #8128 sibelius
fix(document): ensure nested mixed validator gets called exactly once #8117
fix(populate): handle justOne = undefined #8125 taxilian

`v5.6.12`

===================

fix(schema): handle required validator correctly with clone() #8111
fix(schema): copy schematype getters and setters when cloning #8124 StphnDamon
fix(discriminator): avoid unnecessarily cloning schema to avoid leaking memory on repeated discriminator() calls #2874
docs(schematypes): clarify when Mongoose uses toString() to convert an object to a string #8112 TheTrueRandom
docs(plugins): fix out of date link to npm docs #8100
docs(deprecations): fix typo #8109 jgcmarins
refactor(model): remove dependency on async.parallelLimit() for insertMany() #8073

`v5.6.11`

===================

fix(model): allow passing options to exists() #8075
fix(document): make validateUpdatedOnly option handle pre-existing errors #8091
fix: throw readable error if middleware callback isnt a function #8087
fix: don't throw error if calling find() on a nested array #8089
docs(middleware): clarify that you must add middleware before compiling your model #5087
docs(query): add missing options to setOptions() #8099

`v5.6.10`

===================

fix(schema): fix require() path to work around yet another bug in Jest #8053
fix(document): skip casting when initing a populated path #8062
fix(document): prevent double-calling validators on mixed objects with nested properties #8067
fix(query): handle schematype with null options when checking immutability #8070 rich-earth
fix(schema): support Schema#path() to get schema path underneath doc array #8057
docs(faq): add disable color instruction #8066

`v5.6.9`

==================

fix(model): delete versionError after saving to prevent memory leak #8048
fix(cursor): correctly handle batchSize option with query cursor #8039
fix(populate): handle virtual populate with count = 0 if virtual embedded in doc array #7573
fix(schema): allow declaring ObjectId array with { type: 'ObjectID' }, last 'D' case insensitive #8034

`v5.6.8`

==================

fix(aggregate): allow modifying pipeline in pre('aggregate') hooks #8017
fix(query): make findOneAndReplace() work with orFail() #8030
fix(document): allow saving an unchanged document if required populated path is null #8018
fix(debug): support disabling colors in debug mode #8033 Mangosteen-Yang
docs: add async-await guide #8028 Rossh87
docs(plugins): rewrite plugins docs to be more modern and not use strange = exports syntax #8026
docs(transactions): clarify relationship between session in docs and MongoDB driver ClientSession class, link to driver docs #8009

`v5.6.7`

==================

fix(document): support validators on nested arrays #7926
fix(timestamps): handle timestamps: false in child schema #8007
fix(query): consistently support new option to findOneAndX() as an alternative to returnOriginal #7846
fix(document): make inspect() never return null, because a document or nested path is never == null #7942
docs(query+lean): add links to mongoose-lean-virtuals, mongoose-lean-getters, mongoose-lean-defaults #5606
docs: add example for Schema#pre(Array) #8022 Mangosteen-Yang
docs(schematype): updated comment from Schema.path to proper s.path #8013 chrisweilacker
chore: upgrade nyc #8015 kolya182

`v5.6.6`

==================

fix(populate): handle refPath returning a virtual with Query#populate() #7341
fix(populate): handle refPath in discriminator when populating top-level model #5109
fix(mongoose): ensure destucturing and named imports work for Mongoose singleton methods like set(), etc. #6039
fix(query): add missing options for deleteOne and deleteMany in Query #8004 Fonger
fix(schema): make embedded discriminators instanceof their parent types #5005
fix(array): make validators a private property that doesn't show up in for/in #6572
docs(api): fix array API docs that vanished because of #7798 #7979
docs(discriminators+api): add single nested discriminator to discriminator docs and API docs #7983
docs(connection+mongoose): make option lists consistent between mongoose.connect(), mongoose.createConnection(), and conn.openUri() #7976
docs(validation): clarify resolve(false) vs reject() for promise-based async custom validators #7761
docs(guide): use correct mongoose.set() instead of mongoose.use() #7998
docs: add redis cache example #7997 usama-asfar

`v5.6.5`

==================

fix(document): handle setting non-schema path to ObjectId or Decimal128 if strict: false #7973
fix(connection): remove backwards-breaking multiple mongoose.connect() call for now #7977
fix(schema): print invalid value in error message when a schema path is set to undefined or null #7956
fix(model): throw readable error if calling new Model.discriminator() #7957
fix(mongoose): export cast() function #7975 perfectstorm88
docs(model): fix link to Model.inspect() and add example #7990
docs: fix broken anchor links on validation tutorial #7966
docs(api): fix broken links to split API pages #7978
chore: create LICENSE.md #7989 Fonger

`v5.6.4`

==================

fix(schema): support pre(Array, Function) and post(Array, Function) #7803
fix(document): load docs with a once property successfully #7958
fix(queryhelpers): ensure parent select overwrites child path select if parent is nested #7945
fix(schema): make clone() correctly copy array embedded discriminators #7954
fix(update): fix error when update property gets casted to null #7949
fix(connection): bubble up attemptReconnect event for now #7872
docs(tutorials): add virtuals tutorial #7965
docs(connection): add section on connection handling #6997

`v5.6.3`

==================

fix(document): respect projection when running getters #7940
fix(model): call createCollection() in syncIndexes() to ensure the collection exists #7931
fix(document): consistently use post-order traversal for gathering subdocs for hooks #7929
fix(schema): ensure Schema#pathType() returns correct path type given non-existent positional path #7935
fix(ChangeStream): set closed if emitting close event #7930
fix(connection): bubble up 'attemptReconnect' event from MongoDB connection #7872
docs: fix broken .jade links on search page #7932
docs: correct link to Query#select() #7953 rayhatfield
docs(README): add list of related projects #7773

`v5.6.2`

==================

fix(update): allow using update() with immutable createdAt #7917
fix(model): pass doc parameter to save() error handling middleware #7832
fix(mongoose): add applyPluginsToChildSchemas option to allow opting out of global plugins for child schemas #7916
docs(connection): document useCache option for useDb() #7923
docs: fix broken link in FAQ #7925 christophergeiger3

`v5.6.1`

===================

fix(parallel): fix parallelLimit when fns is empty #8130 #8128 sibelius
fix(document): ensure nested mixed validator gets called exactly once #8117
fix(populate): handle justOne = undefined #8125 taxilian

`v5.6.0`

==================

feat(schematype): add immutable option to disallow changing a given field #7671
docs: split API docs into separate pages to make API documentation more Google-able #7812
perf(array): remove all mixins in favor of ES6 classes, ~20% faster in basic benchmarks #7798
feat(document): use promise rejection error message when async custom validator throws an error #4913
feat(virtual): pass document as 3rd parameter to virtual getters and setters to enable using arrow functions #4143
feat(model): add Model.exists() function to quickly check whether a document matching filter exists #6872
feat(index+connection): support setting global and connection-level maxTimeMS
feat(populate): support setting ref to a function for conventional populate #7669
feat(document): add overwrite() function that overwrites all values in a document #7830
feat(populate): support PopulateOptions#connection option to allow cross-db populate with refPath #6520
feat(populate): add skipInvalidIds option to silently skip population if id is invalid, instead of throwing #7706
feat(array): skip empty array default if there's a 2dsphere index on a geojson path #3233
feat(query): add getFilter() as an alias of getQuery() to be more in line with API docs #7839
feat(model): add Model.inspect() to make models not clutter util.inspect() #7836
perf(discriminator): skip calling createIndex() on indexes that are defined in the base schema #7379
docs: upgrade from Jade to latest Pug #7812
docs(README): update reference to example schema.js #7899 sharils
docs(README): improve variable name #7900 sharils
chore: replace charAt(0) with startsWith #7897 Fonger
chore: replace indexOf with includes, startsWith and endsWith for String #7897 Fonger

`v5.5.15`

===================

fix(connection): reject initial connect promise even if there is an on('error') listener #7850
fix(map): make of automatically convert POJOs to schemas unless typeKey is set #7859
fix(update): use discriminator schema to cast update if discriminator key specified in filter #7843
fix(array): copy atomics from source array #7891 #7889 jyrkive
fix(schema): return this when Schema.prototype.add is called with Schema #7887 Mickael-van-der-Beek
fix(document): add numAffected and result to DocumentNotFoundError for better debugging #7892 #7844

`v5.5.14`

===================

fix(query): correct this scope of setters in update query #7876 Fonger
fix(model): reset modifiedPaths after successful insertMany #7852 #7873 Fonger
fix(populate): allow using refPath with virtual populate #7848
fix(document): prepend private methods getValue and setValue with $ #7870 Fonger
fix: update mongodb driver -> 3.2.7 #7871 Fonger
docs(tutorials): add tutorial about custom casting functions #7045
docs(connection): fix outdated events document #7874 Fonger
docs: fix typo in lean docs #7875 tannakartikey
docs: move off of KeenIO for tracking and use self-hosted analytics instead

`v5.5.13`

===================

fix(model): support passing deleteOne options #7860 #7857 Fonger
fix(update): run setters on array elements when doing $addToSet, $push, etc #4185
fix(model): support getting discriminator by value when creating a new model #7851
docs(transactions): add section about the withTransaction() helper #7598
docs(schema): clarify relationship between Schema#static() and Schema#statics #7827
docs(model): fix typo projetion to projection #7868 dfdeagle47
docs(schema): correct schema options lists #7828

`v5.5.12`

===================

fix(document): fix unexpected error when loading a document with a nested property named schema #7831
fix(model): skip applying static hooks by default if static name conflicts with query middleware (re: mongoose-delete plugin) #7790
fix(query): apply schema-level projections to the result of findOneAndReplace() #7654
fix: upgrade mongodb driver -> 3.2.6
docs(tutorials): add findOneAndUpdate() tutorial #7847
docs(validation): add updateOne() and updateMany() to list of update validator operations #7845
docs(model): make sure options lists in update() API line up #7842

`v5.5.11`

===================

fix(discriminator): allow numeric discriminator keys for embedded discriminators #7808
chore: add Node.js 12 to travis build matrix #7784

`v5.5.10`

===================

fix(discriminator): allow user-defined discriminator path in schema #7807
fix(query): ensure findOneAndReplace() sends replacement to server #7654
fix(cast): allow [] as a value when casting $nin #7806
docs(model): clarify that setters do run on update() by default #7801
docs: fix typo in FAQ #7821 jaona

`v5.5.9`

==================

fix(query): skip schema setters when casting $regexp $options #7802 Fonger
fix(populate): don't skip populating doc array properties whose name conflicts with an array method #7782
fix(populate): make populated virtual return undefined if not populated #7795
fix(schema): handle custom setters in arrays of document arrays #7804 Fonger
docs(tutorials): add query casting tutorial #7789

`v5.5.8`

==================

fix(document): run pre save hooks on nested child schemas #7792
fix(model): set $session() before validation middleware for bulkWrite/insertMany #7785 #7769 Fonger
fix(query): make getPopulatedPaths() return deeply populated paths #7757
fix(query): suppress findAndModify deprecation warning when using Model.findOneAndUpdate() #7794
fix: upgrade mongodb -> 3.2.4 #7794
fix(document): handle a couple edge cases with atomics that happen when schema defines an array property named 'undefined' #7756
docs(discriminator): correct function parameters #7786 gfpacheco

`v5.5.7`

==================

fix(model): set $session() before pre save middleware runs when calling save() with options #7742
fix(model): set $session before pre remove hooks run when calling remove() with options #7742
fix(schema): support remove() on nested path #2398
fix(map): handle setting populated map element to doc #7745
fix(query): return rawResult when inserting with options {new:false,upsert:true,rawResult:true} #7774 #7770 LiaanM
fix(schematype): remove internal validators option because it conflicts with Backbone #7720

`v5.5.6`

==================

fix(document): stop converting arrays to objects when setting non-schema path to array with strict: false #7733
fix(array): make two Mongoose arrays assert.deepEqual() each other if they have the same values #7700
fix(populate): support populating a path in a document array embedded in an array #7647
fix(populate): set populate virtual count to 0 if local field is empty #7731
fix(update): avoid throwing cast error if casting array filter that isn't in schema with strictQuery = false #7728
docs: fix typo in distinct() description #7767 phil-r

`v5.5.5`

==================

fix(document): ensure nested properties within single nested subdocs get set correctly when overwriting single nested subdoc #7748
fix(document): skip non-object validators in schema types #7720
fix: bump mongodb driver -> 3.2.3 #7752
fix(map): disallow setting map key with special properties #7750 Fonger

`v5.5.4`

==================

fix(document): avoid calling custom getters when saving #7719
fix(timestamps): handle child schema timestamps correctly when reusing child schemas #7712
fix(query): pass correct callback for _legacyFindAndModify #7736 Fonger
fix(model+query): allow setting replacement parameter for findOneAndReplace() #7654
fix(map): make delete() unset the key in the database #7746 Fonger
fix(array): use symbol for _schema property to avoid confusing deep equality checks #7700
fix(document): prevent depopulate() from removing fields with empty array #7741 #7740 Fonger
fix: make MongooseArray#includes support ObjectIds #7732 #6354 hansemannn
fix(document): report correct validation error index when pushing onto doc array #7744 Fonger

`v5.5.3`

==================

fix: add findAndModify deprecation warning that references the useFindAndModify option #7644
fix(document): handle pushing a doc onto a discriminator that contains a doc array #7704
fix(update): run setters on array elements when doing $set #7679
fix: correct usage of arguments while buffering commands #7718 rzymek
fix(document): avoid error clearing modified subpaths if doc not defined #7715 bitflower
refactor(array): move _parent property behind a symbol #7726 #7700
docs(model): list out all operations and options for bulkWrite() #7055
docs(aggregate): use eachAsync() instead of nonexistent each() #7699
docs(validation): add CastError validation example #7514
docs(query+model): list out all options and callback details for Model.updateX() and Query#updateX() #7646

`v5.5.2`

==================

fix(document): support setting nested path to non-POJO object #7639
perf(connection): remove leaked event handler in Model.init() so deleteModel() frees all memory #7682
fix(timestamps): handle custom statics that conflict with built-in functions (like mongoose-delete plugin) #7698
fix(populate): make Document#populated() work for populated subdocs #7685
fix(document): support .set() on document array underneath embedded discriminator path #7656

`v5.5.1`

===================

fix(connection): reject initial connect promise even if there is an on('error') listener #7850
fix(map): make of automatically convert POJOs to schemas unless typeKey is set #7859
fix(update): use discriminator schema to cast update if discriminator key specified in filter #7843
fix(array): copy atomics from source array #7891 #7889 jyrkive
fix(schema): return this when Schema.prototype.add is called with Schema #7887 Mickael-van-der-Beek
fix(document): add numAffected and result to DocumentNotFoundError for better debugging #7892 #7844

`v5.5.0`

==================

feat(model): support applying hooks to custom static functions #5982
feat(populate): support specifying a function as match #7397
perf(buffer): avoid calling defineProperties() in Buffer constructor #7331
feat(connection): add plugin() for connection-scoped plugins #7378
feat(model): add Model#deleteOne() and corresponding hooks #7538
feat(query): support hooks for Query#distinct() #5938
feat(model): print warning when calling create() incorrectly with a session #7535
feat(document): add Document#isEmpty() and corresponding helpers for nested paths #5369
feat(document): add getters option to Document#get() #7233
feat(query): add Query#projection() to get or overwrite the current projection #7384
fix(document): set full validator path on validatorProperties if propsParameter set on validator #7447
feat(document): add Document#directModifiedPaths() #7373
feat(document): add $locals property #7691
feat(document): add validateUpdatedOnly option that only validates modified paths in save() #7492 captaincaius
chore: upgrade MongoDB driver to v3.2.0 #7641
fix(schematype): deprecate isAsync option for custom validators #6700
chore(mongoose): deprecate global.MONGOOSE_DRIVER_PATH so we can be webpack-warning-free in 6.0 #7501

`v5.4.23`

===================

fix(document): report cast error when string path in schema is an array in MongoDB #7619
fix(query): set deletedCount on result of remove() #7629
docs(subdocs): add note about parent() and ownerDocument() to subdocument docs #7576

`v5.4.22`

===================

fix(aggregate): allow modifying options in pre('aggregate') hook #7606
fix(map): correctly init maps of maps when loading from MongoDB #7630
docs(model+query): add omitUndefined option to docs for updateX() and findOneAndX() #3486
docs: removed duplicate Query.prototype.merge() reference from doc #7684 shihabmridha
docs(schema): fix shardKey type to object instead of bool #7668 kyletsang
docs(api): fix Model.prototypedelete link #7665 pixcai

`v5.4.21`

===================

fix(updateValidators): run update validators correctly on Decimal128 paths #7561
fix(update): cast array filters in nested doc arrays correctly #7603
fix(document): allow .get() + .set() with aliased paths #7592
fix(document): ensure custom getters on single nested subdocs don't get persisted if toObject.getters = true #7601
fix(document): support setting subdoc path to subdoc copied using object rest {...doc} #7645
docs(schema): correct out-of-date list of reserved words #7593
docs(model+query): add link to update results docs and examples of using results of updateOne(), etc. #7582
docs: use atomic as opposed to $atomic consistently #7649 720degreeLotus

`v5.4.20`

===================

docs(tutorials): add tutorial about lean() #7640
fix(discriminator): fix wrong modelName being used as value to partialFilterExpression index #7635 #7634 egorovli
fix(document): allow setters to modify this when overwriting single nested subdoc #7585
fix(populate): handle count option correctly with multiple docs #7573
fix(date): support declaring min/max validators as functions #7600 ChienDevIT
fix(discriminator): avoid projecting in embedded discriminator if only auto-selected path is discriminator key #7574
fix(discriminator): use discriminator model when using new BaseModel() with discriminator key #7586
fix(timestamps): avoid throwing if doc array has timestamps and array is undefined #7625 serg33v
docs(document): explain DocumentNotFoundError in save() docs #7580
docs(query): fix .all() param type and add example #7612 720degreeLotus
docs: add useNewUrlParser to mongoose.connect for some pages #7615 YC

`v5.4.19`

===================

fix(mongoose): ensure virtuals set on subdocs in global plugins get applied #7572
docs(tutorials): add "Working With Dates" tutorial #7597
docs(guide): clarify that versioning only affects array fields #7555
docs(model): list out all bulkWrite() options #7550

`v5.4.18`

===================

fix(document): handle nested virtuals in populated docs when parent path is projected out #7491
fix(model): make subclassed models handle discriminators correctly #7547
fix(model): remove $versionError from save options for better debug output #7570

`v5.4.17`

===================

fix(update): handle all positional operator when casting array filters #7540
fix(populate): handle populating nested path where top-level path is a primitive in the db #7545
fix(update): run update validators on array filters #7536
fix(document): clean modified subpaths when sorting an array #7556
fix(model): cast $setOnInsert correctly with nested docs #7534
docs: remove extra curly brace from example #7569 kolya182

`v5.4.16`

===================

fix(schema): handle nested objects with _id: false #7524
fix(schema): don't throw error if declaring a virtual that starts with a map path name #7464
fix(browser): add stubbed model() function so code that uses model doesn't throw #7541 caub
fix(schema): merge virtuals correctly #7563 yoursdearboy
docs(connections): add reconnectFailed to connection docs #7477
docs(index): fix typo #7553 DenrizSusam
refactor(schema): iterate over paths instead of depending on childSchemas #7554

`v5.4.15`

===================

fix(update): don't call schematype validators on array if using $pull with runValidators #6971
fix(schema): clone all schema types when cloning an array #7537
docs(connections): improve connectTimeoutMS docs and socketTimeoutMS docs to link to Node.js net.setTimeout() #5169
docs: fix setters example in migration guide #7546 freewil

`v5.4.14`

===================

fix(populate): make getters option handle nested paths #7521
fix(documentarray): report validation errors that occur in an array subdoc created using create() and then set() #7504
docs(schema): add examples for schema functions that didn't have any #7525
docs: add MongooseError to API docs and add list of error names
docs(CONTRIBUTING): fix link #7530 sarpik

`v5.4.13`

===================

fix(query): throw handy error when using updateOne() with overwrite: true and no dollar keys #7475
fix(sc

Renovate configuration

📅 Schedule: "" in timezone Asia/Tokyo.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

Newsflash: Renovate has joined WhiteSource, and is now free for all use. Learn more or view updated terms and privacy policies.


          Update dependency mongoose to v5.7.5 [SECURITY]

12b53a6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment