Skip to content

[Snyk] Upgrade mongoose from 5.13.14 to 9.0.0 #386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Gabo-Tech wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade mongoose from 5.13.14 to 9.0.0 #386

Gabo-Tech wants to merge 1 commit into from

Conversation

@Gabo-Tech
Copy link
Owner

@Gabo-Tech Gabo-Tech commented Dec 19, 2025

snyk-top-banner

Snyk has created this PR to upgrade mongoose from 5.13.14 to 9.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 284 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Prototype Pollution
SNYK-JS-MONGOOSE-2961688		 671 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MONGOOSE-5777721		 671 Proof of Concept
high severity Improper Neutralization of Special Elements in Data Query Logic
SNYK-JS-MONGOOSE-8446504		 671 Proof of Concept
high severity Improper Neutralization of Special Elements in Data Query Logic
SNYK-JS-MONGOOSE-8623536		 671 Proof of Concept
Release notes
Package name: mongoose
  • 9.0.0 - 2025-11-21

    9.0.0 / 2025-11-21

    • BREAKING CHANGE: drop support for callback-based pre middleware, e.g. next() in pre() hooks
    • BREAKING CHANGE: update to MongoDB Node driver v7
    • BREAKING CHANGE: make UUID schema type return bson UUIDs #15378
    • BREAKING CHANGE: make findOne(null), find(null), etc. throw an error instead of returning first doc #15019 #14948
    • BREAKING CHANGE: disallow update pipelines by default, require updatePipeline option #15586 #14424
    • BREAKING CHANGE: call virtual ref function with subdoc, not top-level doc #14652 #12440 #12363
    • BREAKING CHANGE(types): make create() and insertOne() params more strict, remove generics to prevent type inference #15587 #15355
    • BREAKING CHANGE(types): make FilterQuery properties no longer resolve to any in TypeScript #15422
    • BREAKING CHANGE(types): change this to HydratedDocument for default() and required(), HydratedDocument | Query for validate() #15020 #14696
    • BREAKING CHANGE(types): make id a virtual in TypeScript rather than a property on Document base class #15572 #13079
    • BREAKING CHANGE(types): consolidate RootQuerySelector, Condition, etc. types with MongoDB driver's #15593
    • BREAKING CHANGE: asyncify update validators, SchemaType.prototype.doValidate(), save hooks for improved stack traces #15312
    • BREAKING CHANGE: remove bson as direct dependency, use mongodb/lib/bson instead #15576 #15154
    • BREAKING CHANGE: remove _executionStack, make validate() async function and call Kareem hooks directly vs through wrappers #15298 #14906
    • BREAKING CHANGE: remove browser build, move to @ mongoosejs/browser instead #15385 #15296
    • BREAKING CHANGE: remove schematype caster and casterConstructor properties in favor of embeddedSchemaType and Constructor #15513 #15179
    • BREAKING CHANGE: adding missing pluralizations, fixing pluralization: virus -> viruses #14247 ItsBradyDavis
    • BREAKING CHANGE: remove connection noListener option #15641 #15640
    • feat(types): add Schema.create() for TypeScript type inference #15482 #14954
    • chore: remove examples directory #15597
  • 9.0.0-rc1 - 2025-11-19

    9.0.0-rc1 / 2025-11-19

    • fix(populate): correctly populate embedded discriminators on subdocuments #15774
  • 9.0.0-rc0 - 2025-11-19

    9.0.0-rc0 / 2025-11-19

    • BREAKING CHANGE: drop support for callback-based pre middleware, e.g. next() in pre() hooks
    • BREAKING CHANGE: update to MongoDB Node driver v7
    • BREAKING CHANGE: make UUID schema type return bson UUIDs #15378
    • BREAKING CHANGE: make findOne(null), find(null), etc. throw an error instead of returning first doc #15019 #14948
    • BREAKING CHANGE: disallow update pipelines by default, require updatePipeline option #15586 #14424
    • BREAKING CHANGE: call virtual ref function with subdoc, not top-level doc #14652 #12440 #12363
    • BREAKING CHANGE(types): make create() and insertOne() params more strict, remove generics to prevent type inference #15587 #15355
    • BREAKING CHANGE(types): make FilterQuery properties no longer resolve to any in TypeScript #15422
    • BREAKING CHANGE(types): change this to HydratedDocument for default() and required(), HydratedDocument | Query for validate() #15020 #14696
    • BREAKING CHANGE(types): make id a virtual in TypeScript rather than a property on Document base class #15572 #13079
    • BREAKING CHANGE(types): consolidate RootQuerySelector, Condition, etc. types with MongoDB driver's #15593
    • BREAKING CHANGE: asyncify update validators, SchemaType.prototype.doValidate(), save hooks for improved stack traces #15312
    • BREAKING CHANGE: remove bson as direct dependency, use mongodb/lib/bson instead #15576 #15154
    • BREAKING CHANGE: remove _executionStack, make validate() async function and call Kareem hooks directly vs through wrappers #15298 #14906
    • BREAKING CHANGE: remove browser build, move to @ mongoosejs/browser instead #15385 #15296
    • BREAKING CHANGE: remove schematype caster and casterConstructor properties in favor of embeddedSchemaType and Constructor #15513 #15179
    • BREAKING CHANGE: adding missing pluralizations, fixing pluralization: virus -> viruses #14247 ItsBradyDavis
    • BREAKING CHANGE: remove connection noListener option #15641 #15640
    • feat(types): add Schema.create() for TypeScript type inference #15482 #14954
    • chore: remove examples directory #15597
  • 8.20.4 - 2025-12-18

    8.20.4 / 2025-12-18

    • fix(model): ensure $isDeleted is set after calling doc.deleteOne() successfully #15898
    • fix(document): use bitwise OR to accumulate version mode flags #15893 #15888 AbdelrahmanHafez
  • 8.20.3 - 2025-12-15

    8.20.3 / 2025-12-15

    • perf: use Object.hasOwn instead of Object#hasOwnProperty #15875 AbdelrahmanHafez
    • fix: improve error when calling Document.prototype.init() with null/undefined #15812 Vegapunk-debug
    • types(schema): avoid treating paths with default: null as required #15889
    • types(schema): allow partial statics to schema.statics() #15780
  • 8.20.2 - 2025-12-05

    8.20.2 / 2025-12-05

    • fix(model): bump version if necessary after successful bulkSave() #15809 #15800
    • fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
    • types(schema): allow calling schema.static() with as TStatics #15794 #15780
  • 8.20.1 - 2025-11-20

    8.20.1 / 2025-11-20

    • types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
    • docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
    • docs: update version support documentation for Mongoose #15761 ManmathX
    • docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07
  • 8.20.0 - 2025-11-17
  • 8.19.4 - 2025-11-14
  • 8.19.3 - 2025-11-04
  • 8.19.2 - 2025-10-20
  • 8.19.1 - 2025-10-06
  • 8.19.0 - 2025-10-02
  • 8.18.3 - 2025-09-29
  • 8.18.2 - 2025-09-22
  • 8.18.1 - 2025-09-08
  • 8.18.0 - 2025-08-22
  • 8.17.2 - 2025-08-18
  • 8.17.1 - 2025-08-07
  • 8.17.0 - 2025-07-30
  • 8.16.5 - 2025-07-25
  • 8.16.4 - 2025-07-16
  • 8.16.3 - 2025-07-10
  • 8.16.2 - 2025-07-07
  • 8.16.1 - 2025-06-26
  • 8.16.0 - 2025-06-16
  • 8.15.2 - 2025-06-12
  • 8.15.1 - 2025-05-26
  • 8.15.0 - 2025-05-16
  • 8.14.3 - 2025-05-13
  • 8.14.2 - 2025-05-08
  • 8.14.1 - 2025-04-29
  • 8.14.0 - 2025-04-25
  • 8.13.3 - 2025-04-24
  • 8.13.2 - 2025-04-03
  • 8.13.1 - 2025-03-28
  • 8.13.0 - 2025-03-24
  • 8.12.2 - 2025-03-21
  • 8.12.1 - 2025-03-04
  • 8.12.0 - 2025-03-03
  • 8.11.0 - 2025-02-26
  • 8.10.2 - 2025-02-25
  • 8.10.1 - 2025-02-14
  • 8.10.0 - 2025-02-05
  • 8.9.7 - 2025-02-04
  • 8.9.6 - 2025-01-31
  • 8.9.5 - 2025-01-13
  • 8.9.4 - 2025-01-09
  • 8.9.3 - 2024-12-30
  • 8.9.2 - 2024-12-19
  • 8.9.1 - 2024-12-16
  • 8.9.0 - 2024-12-13
  • 8.8.4 - 2024-12-05
  • 8.8.3 - 2024-11-26
  • 8.8.2 - 2024-11-18
  • 8.8.1 - 2024-11-08
  • 8.8.0 - 2024-10-31
  • 8.7.3 - 2024-10-25
  • 8.7.2 - 2024-10-17
  • 8.7.1 - 2024-10-09
  • 8.7.0 - 2024-09-27
  • 8.6.4 - 2024-09-26
  • 8.6.3 - 2024-09-17
  • 8.6.2 - 2024-09-11
  • 8.6.1 - 2024-09-03
  • 8.6.0 - 2024-08-28
  • 8.5.5 - 2024-08-28
  • 8.5.4 - 2024-08-23
  • 8.5.3 - 2024-08-13
  • 8.5.2 - 2024-07-30
  • 8.5.1 - 2024-07-12
  • 8.5.0 - 2024-07-08
  • 8.4.5 - 2024-07-05
  • 8.4.4 - 2024-06-25
  • 8.4.3 - 2024-06-17
  • 8.4.2 - 2024-06-17
  • 8.4.1 - 2024-05-31
  • 8.4.0 - 2024-05-17
  • 8.3.5 - 2024-05-15
  • 8.3.4 - 2024-05-06
  • 8.3.3 - 2024-04-29
  • 8.3.2 - 2024-04-16
  • 8.3.1 - 2024-04-08
  • 8.3.0 - 2024-04-03
  • 8.2.4 - 2024-03-28
  • 8.2.3 - 2024-03-21
  • 8.2.2 - 2024-03-15
  • 8.2.1 - 2024-03-04
  • 8.2.0 - 2024-02-22
  • 8.1.3 - 2024-02-16
  • 8.1.2 - 2024-02-11
  • 8.1.1 - 2024-01-24
  • 8.1.0 - 2024-01-16
  • 8.0.4 - 2024-01-09
  • 8.0.3 - 2023-12-07
  • 8.0.2 - 2023-11-28
  • 8.0.1 - 2023-11-15
  • 8.0.0 - 2023-10-31
  • 8.0.0-rc0 - 2023-10-24
  • 7.8.8 - 2025-12-05

    7.8.8 / 2025-12-04

    • fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
    • fix(model): bump version if necessary after successful bulkSave() #15800
  • 7.8.7 - 2025-04-30
  • 7.8.6 - 2025-01-20
  • 7.8.5 - 2025-01-20
  • 7.8.4 - 2025-01-13
  • 7.8.3 - 2024-11-26
  • 7.8.2 - 2024-09-25
  • 7.8.1 - 2024-08-19
  • 7.8.0 - 2024-07-23
  • 7.7.0 - 2024-06-18
  • 7.6.13 - 2024-06-05
  • 7.6.12 - 2024-05-21
  • 7.6.11 - 2024-04-11
  • 7.6.10 - 2024-03-13
  • 7.6.9 - 2024-02-26
  • 7.6.8 - 2024-01-08
  • 7.6.7 - 2023-12-06
  • 7.6.6 - 2023-11-27
  • 7.6.5 - 2023-11-14
  • 7.6.4 - 2023-10-30
  • 7.6.3 - 2023-10-17
  • 7.6.2 - 2023-10-13
  • 7.6.1 - 2023-10-09
  • 7.6.0 - 2023-10-06
  • 7.5.4 - 2023-10-04
  • 7.5.3 - 2023-09-25
  • 7.5.2 - 2023-09-15
  • 7.5.1 - 2023-09-11
  • 7.5.0 - 2023-08-29
  • 7.4.5 - 2023-08-25
  • 7.4.4 - 2023-08-22
  • 7.4.3 - 2023-08-11
  • 7.4.2 - 2023-08-03
  • 7.4.1 - 2023-07-24
  • 7.4.0 - 2023-07-18
  • 7.3.4 - 2023-07-12
  • 7.3.3 - 2023-07-11
  • 7.3.2 - 2023-07-06
  • 7.3.1 - 2023-06-21
  • 7.3.0 - 2023-06-14
  • 7.2.4 - 2023-06-12
  • 7.2.3 - 2023-06-09
  • 7.2.2 - 2023-05-30
  • 7.2.1 - 2023-05-24
  • 7.2.0 - 2023-05-19
  • 7.1.2 - 2023-05-19
  • 7.1.1 - 2023-05-10
  • 7.1.0 - 2023-04-27
  • 7.0.5 - 2023-04-24
  • 7.0.4 - 2023-04-17
  • 7.0.3 - 2023-03-23
  • 7.0.2 - 2023-03-15
  • 7.0.1 - 2023-03-06
  • 7.0.0 - 2023-02-27
  • 7.0.0-rc0 - 2023-02-23
  • 6.13.8 - 2025-01-20
  • 6.13.7 - 2025-01-20
  • 6.13.6 - 2025-01-13
  • 6.13.5 - 2024-11-26
  • 6.13.4 - 2024-11-15
  • 6.13.3 - 2024-09-23
  • 6.13.2 - 2024-09-12
  • 6.13.1 - 2024-09-06
  • 6.13.0 - 2024-06-06
  • 6.12.9 - 2024-05-24
  • 6.12.8 - 2024-04-10
  • 6.12.7 - 2024-03-01
  • 6.12.6 - 2024-01-22
  • 6.12.5 - 2024-01-03
  • 6.12.4 - 2023-12-27
  • 6.12.3 - 2023-11-07
  • 6.12.2 - 2023-10-25
  • 6.12.1 - 2023-10-12
  • 6.12.0 - 2023-08-24
  • 6.11.6 - 2023-08-21
  • 6.11.5 - 2023-08-01
  • 6.11.4 - 2023-07-17
  • 6.11.3 - 2023-07-11
  • 6.11.2 - 2023-06-08
  • 6.11.1 - 2023-05-08
  • 6.11.0 - 2023-05-01
  • 6.10.5 - 2023-04-06
  • 6.10.4 - 2023-03-21
  • 6.10.3 - 2023-03-13
  • 6.10.2 - 2023-03-07
  • 6.10.1 - 2023-03-03
  • 6.10.0 - 2023-02-22
  • 6.9.3 - 2023-02-22
  • 6.9.2 - 2023-02-16
  • 6.9.1 - 2023-02-06
  • 6.9.0 - 2023-01-25
  • 6.8.4 - 2023-01-17
  • 6.8.3 - 2023-01-06
  • 6.8.2 - 2022-12-28
  • 6.8.1 - 2022-12-19
  • 6.8.0 - 2022-12-05
  • 6.7.5 - 2022-11-30
  • 6.7.4 - 2022-11-28
  • 6.7.3 - 2022-11-22
  • 6.7.2 - 2022-11-07
  • 6.7.1 - 2022-11-02
  • 6.7.0 - 2022-10-24
  • 6.6.7 - 2022-10-21
  • 6.6.6 - 2022-10-20
  • 6.6.5 - 2022-10-05
  • 6.6.4 - 2022-10-03
  • 6.6.3 - 2022-09-30
  • 6.6.2 - 2022-09-26
  • 6.6.1 - 2022-09-14
  • 6.6.0 - 2022-09-08
  • 6.5.5 - 2022-09-07
  • 6.5.4 - 2022-08-30
  • 6.5.3 - 2022-08-25
  • 6.5.2 - 2022-08-10
  • 6.5.1 - 2022-08-03
  • 6.5.0 - 2022-07-26
  • 6.4.7 - 2022-07-25
  • 6.4.6 - 2022-07-20
  • 6.4.5 - 2022-07-18
  • 6.4.4 - 2022-07-08
  • 6.4.3 - 2022-07-05
  • 6.4.2 - 2022-07-01
  • 6.4.1 - 2022-06-27
  • 6.4.0 - 2022-06-17
  • 6.3.9 - 2022-06-17
  • 6.3.8 - 2022-06-13
  • 6.3.7 - 2022-06-13
  • 6.3.6 - 2022-06-07
  • 6.3.5 - 2022-05-30
  • 6.3.4 - 2022-05-19
  • 6.3.3 - 2022-05-09
  • 6.3.2 - 2022-05-02
  • 6.3.1 - 2022-04-21
  • 6.3.0 - 2022-04-14
  • 6.2.11 - 2022-04-13
  • 6.2.10 - 2022-04-04
  • 6.2.9 - 2022-03-28
  • 6.2.8 - 2022-03-23
  • 6.2.7 - 2022-03-16
  • 6.2.6 - 2022-03-11
  • 6.2.5 - 2022-03-09
  • 6.2.4 - 2022-02-28
  • 6.2.3 - 2022-02-21
  • 6.2.2 - 2022-02-16
  • 6.2.1 - 2022-02-07
  • 6.2.0 - 2022-02-02
  • 6.1.10 - 2022-02-01
  • 6.1.9 - 2022-01-31
  • 6.1.8 - 2022-01-24
  • 6.1.7 - 2022-01-17
  • 6.1.6 - 2022-01-10
  • 6.1.5 - 2022-01-04
  • 6.1.4 - 2021-12-27
  • 6.1.3 - 2021-12-21
  • 6.1.2 - 2021-12-15
  • 6.1.1 - 2021-12-09
  • 6.1.0 - 2021-12-07
  • 6.0.15 - 2021-12-06
  • 6.0.14 - 2021-11-29
  • 6.0.13 - 2021-11-15
  • 6.0.12 - 2021-10-21
  • 6.0.11 - 2021-10-14
  • 6.0.10 - 2021-10-08
  • 6.0.9 - 2021-10-04
  • 6.0.8 - 2021-09-27
  • 6.0.7 - 2021-09-20
  • 6.0.6 - 2021-09-15
  • 6.0.5 - 2021-09-06
  • 6.0.4 - 2021-09-01
  • 6.0.3 - 2021-08-30
  • 6.0.2 - 2021-08-26
  • 6.0.1 - 2021-08-25
  • 6.0.0 - 2021-08-24
  • 6.0.0-rc2 - 2021-08-23
  • 6.0.0-rc1 - 2021-08-12
  • 6.0.0-rc0 - 2021-08-03
  • 5.13.23 - 2024-12-17
  • 5.13.22 - 2024-01-02
  • 5.13.21 - 2023-10-19
  • 5.13.20 - 2023-07-12
  • 5.13.19 - 2023-06-22
  • 5.13.18 - 2023-06-22
  • 5.13.17 - 2023-04-04
  • 5.13.16 - 2023-02-20
  • 5.13.15 - 2022-08-22
  • 5.13.14 - 2021-12-27
from mongoose GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
feat: upgrade mongoose from 5.13.14 to 9.0.0
699149b 
Snyk has created this PR to upgrade mongoose from 5.13.14 to 9.0.0.

See this package in npm:
mongoose

See this project in Snyk:
https://app.snyk.io/org/gabriel19971029/project/5f768f32-8289-42b4-9352-03cb8bdca27b?utm_source=github&utm_medium=referral&page=upgrade-pr
@Gabo-Tech
Copy link
Owner Author

Gabo-Tech commented Dec 19, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Gabo-Tech @snyk-bot