[Security] Bump mongoose from 4.13.21 to 5.11.1

[dependabot-preview]

Bumps mongoose from 4.13.21 to 5.11.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects mongoose Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Affected versions: < 5.7.5

Changelog

Sourced from mongoose's changelog.

5.11.1 / 2020-12-01

• fix(index.d.ts): add missing SchemaOptions #9606
• fix(index.d.ts): allow using $set in updates #9609
• fix(index.d.ts): add support for using return value of createConnection() as a connection as well as a promise #9612 #9610 alecgibson
• fix(index.d.ts): allow using Types.ObjectId() without new in TypeScript #9608

5.11.0 / 2020-11-30

• feat: add official TypeScript definitions index.d.ts file #8108
• feat(connection): add bufferTimeoutMS option that configures how long Mongoose will allow commands to buffer #9469
• feat(populate): support populate virtuals with localField and foreignField as arrays #6608
• feat(populate+virtual): feat: support getters on populate virtuals, including get option for Schema#virtual() #9343
• feat(populate+schema): add support for populate schematype option that sets default populate options #6029
• feat(QueryCursor): execute post find hooks for each doc in query cursor #9345
• feat(schema): support overwriting cast logic for individual schematype instances #8407
• feat(QueryCursor): make cursor populate() in batch when using batchSize #9366 biomorgoth
• chore: remove changelog from published bundle #9404
• feat(model+mongoose): add overwriteModels option to bypass OverwriteModelError globally #9406
• feat(model+query): allow defining middleware for all query methods or all document methods, but not other middleware types #9190
• feat(document+model): make change tracking skip saving if new value matches last saved value #9396
• perf(utils): major speedup for deepEqual() on documents and arrays #9396
• feat(schema): support passing a TypeScript enum to enum validator in schema #9547 #9546 AbdelrahmanHafez
• feat(debug): #8963 shell option for date format (ISODate) #9532 FlameFractal
• feat(document): support square bracket indexing for get(), set() #9375
• feat(document): support array and space-delimited syntax for Document#$isValid(), isDirectSelected(), isSelected(), $isDefault() #9474
• feat(string): make minLength and maxLength behave the same as minlength and maxlength #8777 m-weeks
• feat(document): add $parent() as an alias for parent() for documents and subdocuments to avoid path name conflicts #9455

5.10.19 / 2020-11-30

• fix(query): support passing an array to $type in query filters #9577
• perf(schema): avoid creating unnecessary objects when casting to array #9588
• docs: make example gender neutral #9601 rehatkathuria

5.10.18 / 2020-11-29

• fix(connection): connect and disconnect can be used destructured #9598 #9597 AbdelrahmanHafez

5.10.17 / 2020-11-27

• fix(document): allow setting fields after an undefined field #9587 AbdelrahmanHafez

5.10.16 / 2020-11-25

• fix(connection): copy config options from connection rather than base connection when calling useDb() #9569
• fix(schema): support of for array type definitions to be consistent with maps #9564
• docs(dates): fix broken example reference #9557 kertof
• docs(virtualtype): remove unintentional h2 tag re: tj/dox#60 #9568

Commits

• 1f36f61 chore: release 5.11.1
• e665a95 test: add test covering SchemaOptions
• 13140c0 fix(index.d.ts): add missing SchemaOptions
• b2be066 fix(index.d.ts): allow using $set in updates
• 43d6bfc fix(index.d.ts): allow using Types.ObjectId() without new in TypeScript
• 7bf56aa Merge pull request #9612 from alecgibson/ts-create-connection
• 0d9e3c6 TS: Return Connection from createConnection
• 07b1412 chore: update opencollective sponsors
• 9657faa chore: update opencollective sponsors
• 0941569 chore: release 5.11.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #207.