Bump mongoose from 7.5.3 to 7.8.4

[dependabot]

Bumps mongoose from 7.5.3 to 7.8.4.

Release notes

Sourced from mongoose's releases.

7.8.4 / 2025-01-13

• fix: disallow nested $where in populate match

7.8.3 / 2024-11-26

• fix: disallow using $where in match
• fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #14894 #14893
• docs(migrating_to_7): add note about keepAlive to Mongoose 7 migration guide #15032 #13431

7.6.3 / 2023-10-17

• fix(populate): handle multiple spaces when specifying paths to populate using space-delimited paths #13984 #13951
• fix(update): avoid applying defaults on query filter when upserting with empty update #13983 #13962
• fix(model): add versionKey to bulkWrite when inserting or upserting #13981 #13944
• docs: fix typo in timestamps docs #13976 danielcoker

7.6.2 / 2023-10-13

• perf: avoid storing a separate entry in schema subpaths for every element in an array #13953 #13874
• fix(document): avoid triggering setter when initializing Model.prototype.collection to allow defining collection as a schema path name #13968 #13956
• fix(model): make bulkSave() save changes in discriminator paths if calling bulkSave() on base model #13959 #13907
• fix(document): allow calling $model() with no args for TypeScript #13963 #13878
• fix(schema): handle embedded discriminators defined using Schema.prototype.discriminator() #13958 #13898
• types(model): make InsertManyResult consistent with return type of insertMany #13965 #13904
• types(models): add cleaner type definitions for insertMany() with no generics to prevent errors when using insertMany() in generic classes #13964 #13957
• types(schematypes): allow defining map path using type: 'Map' in addition to type: Map #13960 #13755

7.6.1 / 2023-10-09

• fix: bump bson to match [email protected] exactly #13947 hasezoey
• fix: raw result deprecation message #13954 simllll
• type: add types for includeResultMetadata #13955 simllll
• perf(npmignore): ignore newer files #13946 hasezoey
• perf: move mocha config from package.json to mocharc #13948 hasezoey

7.6.0 / 2023-10-06

• feat: upgrade mongodb node driver -> 5.9.0 #13927 #13926 sanguineti
• fix: avoid CastError when passing different value of discriminator key in $or #13938 #13906

7.5.4 / 2023-10-04

• fix: avoid stripping out id property when _id is set #13933 #13892 #13867
• fix(QueryCursor): avoid double-applying schema paths so you can include select: false fields with + projection using cursors #13932 #13773
• fix(query): allow deselecting discriminator key using - syntax #13929 #13760
• fix(query): handle $round in $expr as array #13928 #13881
• fix(document): call pre('validate') hooks when modifying a path underneath triply nested subdoc #13912 #13876
• fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13911 #13887
• types: add insertMany array overload with options #13931 t1bb4r

... (truncated)

Changelog

Sourced from mongoose's changelog.

7.8.4 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

6.13.6 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
• docs: fix <code> in header ids #15159
• docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
• types: make BufferToBinary avoid Document instances #15123 #15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
• types(schema): add missing removeIndex #15134
• types: add cleanIndexes() to IndexManager interface #15127
• docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
• types: add UUID to RefType #15115 #15101
• docs: remove link to Mongoose 5.x docs from dropdown #15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107

8.9.1 / 2024-12-16

• fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092
• fix(model): handle discriminators in castObject() #15096 #15075
• fix(schema): throw error if duplicate index definition using unique in schema path and subsequent .index() call #15093 #15056
• fix: mark documents that are populated using hydratedPopulatedDocs option as populated in top-level doc #15080 #15048
• fix(document+schema): improve error message for get() on invalid path #15098 #15071
• docs: remove more callback doc references & some small other changes #15095

... (truncated)

Commits

• 73e81ab chore: release 7.8.4
• 4fe9a90 Merge branch '6.x' into 7.x
• e59e342 chore: release 6.13.6
• 64a9f97 fix: disallow nested $where in populate match
• ad7b0e0 chore: bump version 7.8.3
• c79a922 chore: release 7.8.3
• 04f4a77 Merge branch '6.x' into 7.x
• 15bdccf chore: release 6.13.5
• 33679bc fix: disallow using $where in match
• bc2809d Merge branch '6.x' into 7.x
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 2 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@mongodb-js/saslprep	1.2.0	Unknown	Unknown
npm/@types/webidl-conversions	7.0.3	🟢 6.9	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/bson	5.5.1	🟢 6.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 19/21 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/ip-address	9.0.5	⚠️ 2.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/28 approved changesets -- score normalized to 1 Token-Permissions ⚠️ -1 No tokens found Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/jsbn	1.1.0	🟢 3.1	Details Check Score Reason Code-Review 🟢 4 Found 10/24 approved changesets -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies ⚠️ -1 no dependencies found Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/mongodb	5.9.2	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/mongoose	7.8.4	🟢 6.9	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits
npm/socks	2.8.4	🟢 3.7	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 3 Found 9/30 approved changesets -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 6 4 existing vulnerabilities detected
npm/sprintf-js	1.1.3	⚠️ 2.1	Details Check Score Reason Code-Review 🟢 3 Found 5/14 approved changesets -- score normalized to 3 Dangerous-Workflow ⚠️ -1 no workflows found Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 30 existing vulnerabilities detected
npm/mongoose	^7.8.4	🟢 6.9	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• package-lock.json
• package.json