Bump mongoose from 7.5.3 to 8.10.2

[dependabot]

Bumps mongoose from 7.5.3 to 8.10.2.

Release notes

Sourced from mongoose's releases.

8.10.2 / 2025-02-25

• fix(model+connection): return MongoDB BulkWriteResult instance even if no valid ops #15266 #15265
• fix(debug): avoid printing trusted symbol in debug output #15267 #15263
• types: make type inference logic resilient to no Buffer type due to missing @​types/node #15261

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255
• perf(schema): clear childSchemas when overwriting existing path to avoid performance degradations #15256 #15253
• perf: some more micro optimizations for find() and findOne() #14906 #15250
• fix(model): avoid adding timeout on Model.init() buffering to avoid unintentional dangling open handles #15251 #15241
• fix: avoid connection buffering on init if autoCreate: false #15247 #15241
• fix: infer discriminator key if set in $set with overwriteDiscriminatorKey #15243 #15218
• types(middleware): make this in document middleware the hydrated doc type, not raw doc type #15246 #15242
• types(schema): support options parameter to Schema.prototype.discriminator() #15249 #15244
• types(schema): allow calling Schema.prototype.number() with no message arg #15237 #15236
• docs(typescript): recommend using HydratedSingleSubdocument over Types.Subdocument #15240 #15211

8.10.0 / 2025-02-05

• feat(schema+schematype): add toJSONSchema() method to convert schemas and schematypes to JSON schema #15184 #11162
• feat(connection): make connection helpers respect bufferTimeoutMS #15229 #15201
• feat(document): support schematype-level transform option #15163 #15084
• feat(model): add insertOne() function to insert a single doc #15162 #14843
• feat(connection): support Connection.prototype.aggregate() for db-level aggregations #15153
• feat(model): make syncIndexes() not call createIndex() on indexes that already exist #15175 #12250
• feat(model): useConnection(connection) function #14802
• fix(model): disallow updateMany(update) and fix TypeScript types re: updateMany() #15199 #15190
• fix(collection): avoid buffering if creating a collection during a connection interruption #15187 #14971
• fix(model): throw error if calling create() with multiple docs in a transaction unless ordered: true #15100
• fix(model): skip createCollection() in syncIndexes() if autoCreate: false #15155
• fix(model): make hydrate() handle hydrating deeply nested populated docs with hydratedPopulatedDocs #15130
• types(document): make sure toObject() and toJSON() apply versionKey __v #15097
• ci(NODE-6505): CI Setup for Encryption Support #15139 aditi-khare-mongoDB

8.9.7 / 2025-02-04

• fix: avoid applying defaults on map embedded paths #15217 #15196
• types: add missing $median operator to aggregation types #15233 #15209
• docs(document): clarify that toObject() returns a POJO that may contain non-POJO values #15232 #15208

8.9.6 / 2025-01-31

• fix(document): allow setting values to undefined with set(obj) syntax with strict: false #15207 #15192
• fix(schema): improve reason for UUID cast error, currently a TypeError #15215 #15202
• fix(aggregate): improve error when calling near() with invalid coordinates #15206 #15188

8.9.5 / 2025-01-13

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.10.2 / 2025-02-25

• fix(model+connection): return MongoDB BulkWriteResult instance even if no valid ops #15266 #15265
• fix(debug): avoid printing trusted symbol in debug output #15267 #15263
• types: make type inference logic resilient to no Buffer type due to missing @​types/node #15261

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255
• perf(schema): clear childSchemas when overwriting existing path to avoid performance degradations #15256 #15253
• perf: some more micro optimizations for find() and findOne() #14906 #15250
• fix(model): avoid adding timeout on Model.init() buffering to avoid unintentional dangling open handles #15251 #15241
• fix: avoid connection buffering on init if autoCreate: false #15247 #15241
• fix: infer discriminator key if set in $set with overwriteDiscriminatorKey #15243 #15218
• types(middleware): make this in document middleware the hydrated doc type, not raw doc type #15246 #15242
• types(schema): support options parameter to Schema.prototype.discriminator() #15249 #15244
• types(schema): allow calling Schema.prototype.number() with no message arg #15237 #15236
• docs(typescript): recommend using HydratedSingleSubdocument over Types.Subdocument #15240 #15211

8.10.0 / 2025-02-05

• feat(schema+schematype): add toJSONSchema() method to convert schemas and schematypes to JSON schema #15184 #11162
• feat(connection): make connection helpers respect bufferTimeoutMS #15229 #15201
• feat(document): support schematype-level transform option #15163 #15084
• feat(model): add insertOne() function to insert a single doc #15162 #14843
• feat(connection): support Connection.prototype.aggregate() for db-level aggregations #15153
• feat(model): make syncIndexes() not call createIndex() on indexes that already exist #15175 #12250
• feat(model): useConnection(connection) function #14802
• fix(model): disallow updateMany(update) and fix TypeScript types re: updateMany() #15199 #15190
• fix(collection): avoid buffering if creating a collection during a connection interruption #15187 #14971
• fix(model): throw error if calling create() with multiple docs in a transaction unless ordered: true #15100
• fix(model): skip createCollection() in syncIndexes() if autoCreate: false #15155
• fix(model): make hydrate() handle hydrating deeply nested populated docs with hydratedPopulatedDocs #15130
• types(document): make sure toObject() and toJSON() apply versionKey __v #15097
• ci(NODE-6505): CI Setup for Encryption Support #15139 aditi-khare-mongoDB

8.9.7 / 2025-02-04

• fix: avoid applying defaults on map embedded paths #15217 #15196
• types: add missing $median operator to aggregation types #15233 #15209
• docs(document): clarify that toObject() returns a POJO that may contain non-POJO values #15232 #15208

8.9.6 / 2025-01-31

• fix(document): allow setting values to undefined with set(obj) syntax with strict: false #15207 #15192
• fix(schema): improve reason for UUID cast error, currently a TypeError #15215 #15202
• fix(aggregate): improve error when calling near() with invalid coordinates #15206 #15188

7.8.6 / 2025-01-20

... (truncated)

Commits

• b22e9a8 chore: release 8.10.2
• 9dc416a Merge pull request #15266 from Automattic/vkarpov15/gh-15265
• 633ea9d refactor: consolidate .mongoose property creation into helper
• 09caa3c Merge branch 'master' into vkarpov15/gh-15265
• 384b8e8 Merge pull request #15267 from Automattic/vkarpov15/gh-15263
• 5209a3c fix(debug): avoid printing trusted symbol in debug output
• 0173dec fix(model+connection): return MongoDB BulkWriteResult instance even if no val...
• 987f1ad Merge pull request #15261 from Automattic/vkarpov15/gh-15121-3
• 864ac87 types: make type inference logic resilient to no Buffer type due to missing `...
• d64f481 chore: release 8.10.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@mongodb-js/saslprep	1.2.0	Unknown	Unknown
npm/@types/webidl-conversions	7.0.3	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/whatwg-url	11.0.5	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 License 🟢 9 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/bson	6.10.3	🟢 6.2	Details Check Score Reason Code-Review 🟢 8 Found 17/19 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 7 3 existing vulnerabilities detected
npm/kareem	2.6.3	Unknown	Unknown
npm/mongodb	6.13.1	🟢 6.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/mongodb-connection-string-url	3.0.2	🟢 5.5	Details Check Score Reason Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 6 Found 13/20 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
npm/mongoose	8.10.2	🟢 7	Details Check Score Reason Code-Review 🟢 8 Found 11/13 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits
npm/punycode	2.3.1	🟢 3.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/sift	17.1.3	⚠️ 2.7	Details Check Score Reason Code-Review ⚠️ 2 Found 4/16 approved changesets -- score normalized to 2 Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow ⚠️ -1 no workflows found Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/tr46	5.0.0	🟢 4.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Code-Review ⚠️ 1 Found 4/22 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/whatwg-url	14.1.1	🟢 4.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 9 8 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 9 Code-Review ⚠️ 0 Found 2/30 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 9 1 existing vulnerabilities detected
npm/mongoose	^8.10.2	🟢 7	Details Check Score Reason Code-Review 🟢 8 Found 11/13 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• package-lock.json
• package.json

[dependabot]

Superseded by #402.