🚨 [security] Update mongoose 5.13.8 → 8.9.5 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ mongoose (5.13.8 → 8.9.5) · Repo · Changelog

Security Advisories 🚨

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose search injection vulnerability

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

🚨 Mongoose Vulnerable to Prototype Pollution in Schema Object

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();
malicious_payload = 'proto.toString'
schema.path(malicious_payload, [String])
x = {}

console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

🚨 Mongoose Vulnerable to Prototype Pollution in Schema Object

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();
malicious_payload = 'proto.toString'
schema.path(malicious_payload, [String])
x = {}

console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

🚨 automattic/mongoose vulnerable to Prototype pollution via Schema.path

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

🚨 automattic/mongoose vulnerable to Prototype pollution via Schema.path

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 10 commits:

• chore: release 8.9.5
• Merge branch '7.x'
• chore: release 7.8.4
• Merge branch '6.x' into 7.x
• chore: release 6.13.6
• fix: disallow nested $where in populate match
• Merge pull request #15176 from Automattic/vkarpov15/gh-15170
• test: make test cast non-boolean value
• fix(schema): handle bitwise operators on Int32
• docs: quick changelog formatting fix

↗️ bson (indirect, 1.1.6 → 6.10.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kareem (indirect, 2.3.2 → 2.6.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 73 commits:

• chore: release 2.6.3
• chore: update npmignore to exclude a couple of extraneous files
• chore: release 2.6.2
• fix: publish all files by default
• chore: release 2.6.1
• chore: release 2.6.0
• Merge pull request #35 from hasezoey/updateUrl
• Merge pull request #37 from mongoosejs/vkarpov15/typescript
• improve typings for options
• add declare and fix other issues with typescript types
• add typescript types
• create SECURITY.md
• chore: release 2.5.1
• Merge pull request #36 from mongoosejs/vkarpov15/mongoose-12836
• avoid passing final callback to pre hook, because calling the callback can mess up hook execution
• docs(README): remove coverage status, because it is currently not submitted
• docs(README): update build ci badge to github-ci
• chore(package.json): update repository url for moved package
• chore: release 2.5.0
• Merge pull request #34 from mongoosejs/vkarpov15/mongoose-12583
• feat: add errorHandler option to `post()`
• Merge pull request #33 from hasezoey/addJSDOC
• Update index.js
• Merge pull request #32 from hasezoey/modernize
• update license, fix #31
• style(index): consistenize some variable names
• style(index): add JSDOC
• chore(workflows/test.yml): change "run" to execute script, not alias
• deps(eslint): update version to "8.20.0"
• deps(acquit-ignore): update version to "0.2.x"
• style: apply new eslint config
• chore(.eslintrc): replace old config with mongoose's
• chore(package.json): add "engines" property
• chore(package.json): add "files" property
• chore(workflows/test.yml): change testing script to use coverage
• chore(.gitignore): add yarn.lock to ignore
• chore(package.json): rename script "test-travis" to "test-coverage"
• chore(package.json): add remaining missing scripts from MAKEFILE
• chore(.travis.yml): remove file
• chore: release 2.4.1
• style: fix lint
• fix: only pass promise resolved value to next middleware if instanceof `overwriteResult`
• add lint and lint workflow
• chore: release 2.4.0
• only run tests on ubuntu 20.04
• chore: add GitHub workflows CI
• Merge pull request #30 from vkarpov15/vkarpov15/mongoose-11426
• feat: add skipWrappedFunction() annd overwriteResult() to allow changing the wrapped function's result
• chore: release 2.3.5
• Merge pull request #22 from Uzlopak/perf-improve-wrap
• Merge pull request #19 from Uzlopak/browser-support
• Merge pull request #18 from Uzlopak/isPromiseLike
• address comments
• chore: release 2.3.4
• Update index.js
• Merge pull request #27 from Uzlopak/remove-some-codesmells
• Merge pull request #24 from Uzlopak/improve-handleWrapError
• Merge pull request #23 from Uzlopak/perf-remove-get
• Merge pull request #21 from Uzlopak/perf-use-array-from-instead-slice
• Merge pull request #20 from Uzlopak/remove-error-parm
• Merge pull request #17 from Uzlopak/update-mocha-nyc
• simplify
• remove some codesmells
• improve _handleWrapError
• perf: remove get in favor of directly getting the value
• perf: improve perf of wrap
• perf: use Array.from instead of slice
• remove passing error to next
• use setTimeout as fallback when we use a browser
• make isPromiseLike favor of Promise
• update mocha and nyc
• chore: release 2.3.3
• fix: handle sync errors in `wrap()`

↗️ mongodb (indirect, 3.6.11 → 6.12.0) · Repo · Changelog

Security Advisories 🚨

🚨 MongoDB Driver may publish events containing authentication-related data

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

🚨 MongoDB Driver may publish events containing authentication-related data

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mpath (indirect, 0.8.3 → 0.9.0) · Repo · Changelog

Security Advisories 🚨

🚨 Type confusion in mpath

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Release Notes

0.9.0 (from changelog)

• feat: export stringToParts()

0.8.4 (from changelog)

• fix: throw error if parts contains an element that isn't a string or number #13

Does any of this look wrong? Please let us know.

↗️ mquery (indirect, 3.2.5 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0 (from changelog)

• BREAKING CHANGE: drop callback support #137 hasezoey
• BREAKING CHANGE: remove custom promise library support #137 hasezoey
• BREAKING CHANGE: remove long deprecated update, remove functions #136 hasezoey
• BREAKING CHANGE: remove collection ducktyping: first param to mquery() is now always the query filter #138
• feat: support MongoDB Node driver 5 #137 hasezoey

4.0.3 (from changelog)

• fix: allow using comment with findOneAndUpdate(), count(), distinct() and hint with findOneAndUpdate() Automattic/mongoose#11793

4.0.2 (from changelog)

• perf: replace regexp-clone with native functionality #131 Uzlopak

4.0.1 (from changelog)

• perf: remove sliced, add various microoptimizations #130 Uzlopak
• refactor: convert NodeCollection to a class #128 jimmywarting

4.0.0 / 2021-08-24

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sift (indirect, 13.5.2 → 17.1.3) · Repo · Changelog

Release Notes

16.0.0 (from changelog)

• Fix #243
• Fix #242

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 72 commits:

• 17.1.3
• fix #269
• 17.1.2
• change to mjs
• prettier
• update deps
• 17.1.1
• fix tests
• Merge pull request #267 from weiliddat/patch-array-prop-access
• fix: use hasOwnProperty instead of `in`
• fix: property access in array-like
• 17.1.0
• update yarn lock
• Merge pull request #264 from weiliddat/patch-263
• Merge pull request #266 from weiliddat/patch-265
• fix: $in/nin with non-arrays as params
• fix: $exists comparing non-leaf values
• test: add nested key exist test
• remove extra -
• add to changelog
• Merge pull request #260 from kubo550/master
• fix typoes and code errors in documentation
• Merge pull request #259 from crcn/fix-255
• 17.0.1
• coerce undefined to null
• Merge pull request #256 from crcn/fix-255
• regenerate
• 17.0.0
• ensure that numerical operations with null work like MongoDB
• bump
• 16.0.1
• Merge pull request #251 from Helveg/export-query-types
• Exported other types as well
• Renamed `QueryKeys` to `QueryOperators` with generic T for `elemMatch`
• added `QueryKeys`
• export to top level
• Export ShapeQuery
• Merge pull request #244 from crcn/fix-bugs
• add to changelog
• 16.0.0
• revert
• fix #243
• add test case
• fix #242
• reveert
• 15.1.0
• fix #239
• fix readme
• include custom op tester
• 15.0.0
• throw error if empty
• Merge branch 'master' of github.com:crcn/sift.js
• 14.0.3
• use hasOwnProp
• fix #231
• Merge pull request #230 from crcn/custom-ops-no-$
• Merge pull request #229 from crcn/custom-ops-no-$
• 14.0.2
• test for error
• allow custom ops
• 14.0.1
• throw error if params is not an object
• 14.0.0
• fix
• fix #225
• 13.5.4
• Merge pull request #226 from Seldszar/patch/where
• fix(types): $where signature
• Merge pull request #224 from crcn/dependabot/npm_and_yarn/hosted-git-info-2.8.9
• Bump hosted-git-info from 2.8.8 to 2.8.9
• 13.5.3
• upgrade deps to prevent tsc issue

🆕 @​mongodb-js/saslprep (added, 1.1.9)

🆕 @​types/webidl-conversions (added, 7.0.3)

🆕 @​types/whatwg-url (added, 11.0.5)

🆕 mongodb-connection-string-url (added, 3.0.2)

🗑️ @​types/bson (removed)

🗑️ @​types/mongodb (removed)

🗑️ @​types/node (removed)

🗑️ bl (removed)

🗑️ bluebird (removed)

🗑️ core-util-is (removed)

🗑️ denque (removed)

🗑️ mongoose-legacy-pluralize (removed)

🗑️ optional-require (removed)

🗑️ process-nextick-args (removed)

🗑️ regexp-clone (removed)

🗑️ saslprep (removed)

🗑️ sliced (removed)

🗑️ util-deprecate (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)