Bump mongoose from 7.5.3 to 8.10.1

[dependabot]

Bumps mongoose from 7.5.3 to 8.10.1.

Release notes

Sourced from mongoose's releases.

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255
• perf(schema): clear childSchemas when overwriting existing path to avoid performance degradations #15256 #15253
• perf: some more micro optimizations for find() and findOne() #14906 #15250
• fix(model): avoid adding timeout on Model.init() buffering to avoid unintentional dangling open handles #15251 #15241
• fix: avoid connection buffering on init if autoCreate: false #15247 #15241
• fix: infer discriminator key if set in $set with overwriteDiscriminatorKey #15243 #15218
• types(middleware): make this in document middleware the hydrated doc type, not raw doc type #15246 #15242
• types(schema): support options parameter to Schema.prototype.discriminator() #15249 #15244
• types(schema): allow calling Schema.prototype.number() with no message arg #15237 #15236
• docs(typescript): recommend using HydratedSingleSubdocument over Types.Subdocument #15240 #15211

8.10.0 / 2025-02-05

• feat(schema+schematype): add toJSONSchema() method to convert schemas and schematypes to JSON schema #15184 #11162
• feat(connection): make connection helpers respect bufferTimeoutMS #15229 #15201
• feat(document): support schematype-level transform option #15163 #15084
• feat(model): add insertOne() function to insert a single doc #15162 #14843
• feat(connection): support Connection.prototype.aggregate() for db-level aggregations #15153
• feat(model): make syncIndexes() not call createIndex() on indexes that already exist #15175 #12250
• feat(model): useConnection(connection) function #14802
• fix(model): disallow updateMany(update) and fix TypeScript types re: updateMany() #15199 #15190
• fix(collection): avoid buffering if creating a collection during a connection interruption #15187 #14971
• fix(model): throw error if calling create() with multiple docs in a transaction unless ordered: true #15100
• fix(model): skip createCollection() in syncIndexes() if autoCreate: false #15155
• fix(model): make hydrate() handle hydrating deeply nested populated docs with hydratedPopulatedDocs #15130
• types(document): make sure toObject() and toJSON() apply versionKey __v #15097
• ci(NODE-6505): CI Setup for Encryption Support #15139 aditi-khare-mongoDB

8.9.7 / 2025-02-04

• fix: avoid applying defaults on map embedded paths #15217 #15196
• types: add missing $median operator to aggregation types #15233 #15209
• docs(document): clarify that toObject() returns a POJO that may contain non-POJO values #15232 #15208

8.9.6 / 2025-01-31

• fix(document): allow setting values to undefined with set(obj) syntax with strict: false #15207 #15192
• fix(schema): improve reason for UUID cast error, currently a TypeError #15215 #15202
• fix(aggregate): improve error when calling near() with invalid coordinates #15206 #15188

8.9.5 / 2025-01-13

• fix: disallow nested $where in populate match
• fix(schema): handle bitwise operators on Int32 #15176 #15170

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255
• perf(schema): clear childSchemas when overwriting existing path to avoid performance degradations #15256 #15253
• perf: some more micro optimizations for find() and findOne() #14906 #15250
• fix(model): avoid adding timeout on Model.init() buffering to avoid unintentional dangling open handles #15251 #15241
• fix: avoid connection buffering on init if autoCreate: false #15247 #15241
• fix: infer discriminator key if set in $set with overwriteDiscriminatorKey #15243 #15218
• types(middleware): make this in document middleware the hydrated doc type, not raw doc type #15246 #15242
• types(schema): support options parameter to Schema.prototype.discriminator() #15249 #15244
• types(schema): allow calling Schema.prototype.number() with no message arg #15237 #15236
• docs(typescript): recommend using HydratedSingleSubdocument over Types.Subdocument #15240 #15211

8.10.0 / 2025-02-05

• feat(schema+schematype): add toJSONSchema() method to convert schemas and schematypes to JSON schema #15184 #11162
• feat(connection): make connection helpers respect bufferTimeoutMS #15229 #15201
• feat(document): support schematype-level transform option #15163 #15084
• feat(model): add insertOne() function to insert a single doc #15162 #14843
• feat(connection): support Connection.prototype.aggregate() for db-level aggregations #15153
• feat(model): make syncIndexes() not call createIndex() on indexes that already exist #15175 #12250
• feat(model): useConnection(connection) function #14802
• fix(model): disallow updateMany(update) and fix TypeScript types re: updateMany() #15199 #15190
• fix(collection): avoid buffering if creating a collection during a connection interruption #15187 #14971
• fix(model): throw error if calling create() with multiple docs in a transaction unless ordered: true #15100
• fix(model): skip createCollection() in syncIndexes() if autoCreate: false #15155
• fix(model): make hydrate() handle hydrating deeply nested populated docs with hydratedPopulatedDocs #15130
• types(document): make sure toObject() and toJSON() apply versionKey __v #15097
• ci(NODE-6505): CI Setup for Encryption Support #15139 aditi-khare-mongoDB

8.9.7 / 2025-02-04

• fix: avoid applying defaults on map embedded paths #15217 #15196
• types: add missing $median operator to aggregation types #15233 #15209
• docs(document): clarify that toObject() returns a POJO that may contain non-POJO values #15232 #15208

8.9.6 / 2025-01-31

• fix(document): allow setting values to undefined with set(obj) syntax with strict: false #15207 #15192
• fix(schema): improve reason for UUID cast error, currently a TypeError #15215 #15202
• fix(aggregate): improve error when calling near() with invalid coordinates #15206 #15188

7.8.6 / 2025-01-20

• chore: remove coverage output from bundle

6.13.8 / 2025-01-20

• chore: remove coverage output from bundle

... (truncated)

Commits

• d64f481 chore: release 8.10.1
• 0a1cd39 Merge pull request #15257 from Automattic/vkarpov15/gh-15255
• d48bc5f Merge pull request #15256 from Automattic/vkarpov15/gh-15253
• 9bb9ce7 quick fix
• 29a02a4 perf(document): only call undoReset() 1x/document
• 14032ff perf(schema): clear childSchemas when overwriting existing path to avoid perf...
• f1c6ad2 Merge pull request #15251 from Automattic/vkarpov15/gh-15241-2
• 0a2da71 refactor: dedupe waitForConnectPromise logic
• b80a8d9 Merge pull request #15254 from Automattic/revert-15245-unrefConnectionTimeout
• 48412c6 Revert "fix(connection): unref the "_waitForConnect""
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@mongodb-js/saslprep	1.2.0	Unknown	Unknown
npm/@types/webidl-conversions	7.0.3	🟢 6.9	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/whatwg-url	11.0.5	🟢 6.9	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/bson	6.10.2	🟢 6.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 19/21 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/kareem	2.6.3	Unknown	Unknown
npm/mongodb	6.13.0	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/mongodb-connection-string-url	3.0.2	🟢 5.6	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Code-Review 🟢 6 Found 13/20 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
npm/mongoose	8.10.1	🟢 6.9	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits
npm/punycode	2.3.1	🟢 3.8	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/sift	17.1.3	⚠️ 2.7	Details Check Score Reason Code-Review ⚠️ 2 Found 4/16 approved changesets -- score normalized to 2 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow ⚠️ -1 no workflows found Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/tr46	5.0.0	🟢 4.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 1 Found 4/22 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/whatwg-url	14.1.1	🟢 4.9	Details Check Score Reason Code-Review ⚠️ 0 Found 2/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 9 8 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 9 1 existing vulnerabilities detected
npm/mongoose	^8.10.1	🟢 6.9	Details Check Score Reason Code-Review 🟢 7 Found 11/14 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• package-lock.json
• package.json

[dependabot]

Superseded by #399.