Update dependency mongoose to v5.7.5 [SECURITY] #33
This PR contains the following updates:
mongoose: 5.2.18 -> 5.7.5
GitHub Vulnerability Alerts
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
Release Notes
Automattic/mongoose
v5.7.5
Compare Source
==================
_bsontype property in queries to prevent silent empty queries #8222
v5.7.4
Compare Source
==================
required: null and required: undefined as required: false #8219
options to Model.remove() #8211
Document#set() merge option when setting underneath single nested schema #8201
v5.7.3
Compare Source
==================
fromIndex parameter #8203
$pull as a query instead of an update for document arrays #8166
isAsync from validation docs in favor of emphasizing promises #8184
v5.7.1
Compare Source
===================
eachAsync() functions finish before resolving the promise #8352
message function to SchemaType#validate() as positional arg #8360
uppercase, lowercase, and trim options for SchemaString don't affect RegExp queries #8333
v5.7.0
Compare Source
==================
Query#get() to make writing custom setters that handle both queries and documents easier #7312
aliases: false option to Document#toObject() #7548
v5.6.13
Compare Source
===================
justOne = undefined #8125 taxilian
v5.6.12
Compare Source
===================
clone() #8111
discriminator() calls #2874
toString() to convert an object to a string #8112 TheTrueRandom
async.parallelLimit() for insertMany() #8073
v5.6.11
Compare Source
===================
exists() #8075
validateUpdatedOnly option handle pre-existing errors #8091
find() on a nested array #8089
setOptions() #8099
v5.6.10
Compare Source
===================
null options when checking immutability #8070 rich-earth
Schema#path() to get schema path underneath doc array #8057
v5.6.9
Compare Source
==================
{ type: 'ObjectID' }, last 'D' case insensitive #8034
v5.6.8
Compare Source
==================
findOneAndReplace() work with orFail() #8030
= exports syntax #8026
session in docs and MongoDB driver ClientSession class, link to driver docs #8009
v5.6.7
Compare Source
==================
timestamps: false in child schema #8007
new option to findOneAndX() as an alternative to returnOriginal #7846
inspect() never return null, because a document or nested path is never == null #7942
Schema#pre(Array) #8022 Mangosteen-Yang
v5.6.6
Compare Source
==================
Query#populate() #7341
refPath in discriminator when populating top-level model #5109
set(), etc. #6039
instanceof their parent types #5005
validators a private property that doesn't show up in for/in #6572
mongoose.connect(), mongoose.createConnection(), and conn.openUri() #7976
mongoose.set() instead of mongoose.use() #7998
v5.6.5
Compare Source
==================
new Model.discriminator() #7957
cast() function #7975 perfectstorm88
v5.6.4
Compare Source
==================
once property successfully #7958
select overwrites child path select if parent is nested #7945
clone() correctly copy array embedded discriminators #7954
v5.6.3
Compare Source
==================
Schema#pathType() returns correct path type given non-existent positional path #7935
closed if emitting close event #7930
Query#select() #7953 rayhatfield
v5.6.2
Compare Source
==================
update() with immutable createdAt #7917
doc parameter to save() error handling middleware #7832
useCache option for useDb() #7923
v5.6.1
Compare Source
===================
justOne = undefined #8125 taxilian
v5.6.0
Compare Source
==================
immutable option to disallow changing a given field #7671
Model.exists() function to quickly check whether a document matching filter exists #6872
maxTimeMS
ref to a function for conventional populate #7669
PopulateOptions#connection option to allow cross-db populate with refPath #6520
getFilter() as an alias of getQuery() to be more in line with API docs #7839
util.inspect() #7836
createIndex() on indexes that are defined in the base schema #7379
v5.5.15
Compare Source
===================
of automatically convert POJOs to schemas unless typeKey is set #7859
numAffected and result to DocumentNotFoundError for better debugging #7892 #7844
v5.5.14
Compare Source
===================
refPath with virtual populate #7848
v5.5.13
Compare Source
===================
withTransaction() helper #7598
projetion to projection #7868 dfdeagle47
v5.5.12
Compare Source
===================
schema #7831
findOneAndReplace() #7654
updateOne() and updateMany() to list of update validator operations #7845
update() API line up #7842
v5.5.11
Compare Source
===================
v5.5.10
Compare Source
===================
findOneAndReplace() sends replacement to server #7654
[] as a value when casting $nin #7806
update() by default #7801
v5.5.9
Compare Source
==================
v5.5.8
Compare Source
==================
getPopulatedPaths() return deeply populated paths #7757
Model.findOneAndUpdate() #7794
v5.5.7
Compare Source
==================
remove() on nested path #2398
{new:false,upsert:true,rawResult:true} #7774 #7770 LiaanM
validators option because it conflicts with Backbone #7720
v5.5.6
Compare Source
==================
assert.deepEqual() each other if they have the same values #7700
distinct() description #7767 phil-r
v5.5.5
Compare Source
==================
validators in schema types #7720
v5.5.4
Compare Source
==================
replacement parameter for findOneAndReplace() #7654
delete() unset the key in the database #7746 Fonger
_schema property to avoid confusing deep equality checks #7700
depopulate() from removing fields with empty array #7741 #7740 Fonger
MongooseArray#includes support ObjectIds #7732 #6354 hansemannn
v5.5.3
Compare Source
==================
_parent property behind a symbol #7726 #7700
bulkWrite() #7055
eachAsync() instead of nonexistent each() #7699
v5.5.2
Compare Source
==================
Model.init() so deleteModel() frees all memory #7682
Document#populated() work for populated subdocs #7685
.set() on document array underneath embedded discriminator path #7656
v5.5.1
Compare Source
===================
of automatically convert POJOs to schemas unless typeKey is set #7859
numAffected and result to DocumentNotFoundError for better debugging #7892 #7844
v5.5.0
Compare Source
==================
match #7397
defineProperties() in Buffer constructor #7331
plugin() for connection-scoped plugins #7378
Query#distinct() #5938
getters option to Document#get() #7233
propsParameter set on validator #7447
save() #7492 captaincaius
isAsync option for custom validators #6700
v5.4.23
Compare Source
===================
v5.4.22
Compare Source
===================
omitUndefined option to docs for updateX() and findOneAndX() #3486
Model.prototypedelete link #7665 pixcai
v5.4.21
Compare Source
===================
{...doc} #7645
v5.4.20
Compare Source
===================
lean() #7640
this when overwriting single nested subdoc #7585
new BaseModel() with discriminator key #7586
v5.4.19
Compare Source
===================
v5.4.18
Compare Source
===================
v5.4.17
Compare Source
===================
v5.4.16
Compare Source
===================
_id: false #7524
model() function so code that uses model doesn't throw #7541 caub
v5.4.15
Compare Source
===================
v5.4.14
Compare Source
===================
getters option handle nested paths #7521
create() and then set() #7504
v5.4.13
Compare Source
===================
Renovate configuration
📅 Schedule: "" in timezone Asia/Tokyo.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".
🔕 Ignore: Close this PR and you won't be reminded about this update again.
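The advisory quoted in this PR concerns query objects that carry a _bsontype attribute. As an added example (not part of this PR, Renovate, or Mongoose's own code), the JavaScript below sketches a defence-in-depth check for applications that build query filters from request bodies: it refuses untrusted input containing _bsontype at any depth, and reports whether an installed Mongoose version falls in the range the advisory names (through 5.7.4). The function names, the allow-list approach and the sample body are assumptions made for illustration.

```javascript
'use strict';
// Added example: names and sample input are illustrative, not Mongoose code.

// Dotted paths of every own `_bsontype` key found anywhere in `value`.
function findBsontypeKeys(value, path = '', seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return [];
  seen.add(value); // guard against cyclic input
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '_bsontype') hits.push(here);
    hits.push(...findBsontypeKeys(value[key], here, seen));
  }
  return hits;
}

// Copy only allow-listed fields into a filter; refuse input carrying `_bsontype`.
function buildFilter(untrusted, allowedFields) {
  const hits = findBsontypeKeys(untrusted);
  if (hits.length > 0) {
    throw new TypeError(`_bsontype not allowed in filter input: ${hits.join(', ')}`);
  }
  const filter = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(untrusted, field)) {
      filter[field] = untrusted[field];
    }
  }
  return filter;
}

// The advisory on this page covers Mongoose through 5.7.4.
const LAST_AFFECTED = [5, 7, 4];
function isAffectedMongoose(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== LAST_AFFECTED[i]) return parts[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 5.7.4
}

// Constructed request body in the shape the advisory describes.
const sampleBody = JSON.parse('{"owner":{"_bsontype":"a"},"status":"open"}');
console.log(findBsontypeKeys(sampleBody));
console.log(isAffectedMongoose('5.2.18'), isAffectedMongoose('5.7.5'));
```

The input check complements the upgrade in this PR rather than replacing it; the version helper compares only the numeric major.minor.patch prefix.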