[Snyk] Upgrade mongoose from 8.1.2 to 8.16.1

[nejidevelops]

Snyk has created this PR to upgrade mongoose from 8.1.2 to 8.16.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 66 versions ahead of your current version.

• The recommended version was released 22 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8446504	649	No Known Exploit
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8623536	649	No Known Exploit

Release notes

Package name: mongoose

• 8.16.1 - 2025-06-26
  

  8.16.1 / 2025-06-26

  • fix(document): avoid setting _skipMarkModified when setting nested path with merge option #15484 #11913
  • fix(model): make sure post save error handler gets doc as param on VersionError #15483 #15480
  • fix: consistent $conditionalHandlers setup between schematypes #15490
  • docs(compatibility): note that mongodb 4.0 is not supported anymore since 8.16.0 #15487 hasezoey
  • docs: remove unnecessary --save flag from npm install instruction #15486 Thahirgeek
• 8.16.0 - 2025-06-16
  

  8.16.0 / 2025-06-16

  • feat(model): add Model.createSearchIndexes() #15470 #15465
  • feat: upgrade MongoDB driver -> 6.17.0 #15468 gmstavros
• 8.15.2 - 2025-06-12
  

  8.15.2 / 2025-06-12

  • fix(document+schema): improve handling for setting paths underneath maps, including maps of maps #15477 #15461
  • fix: report default paths in VersionError message because they can can cause VersionError #15464
  • fix(updateValidators): ensure update validators only call validators underneath single nested paths once #15446 #15436
  • fix: fix validation for deeply nested maps of subdocuments #15469 #15447 AbdelrahmanHafez
  • fix(DocumentArray): correctly set parent if instantiated with schema from another Mongoose instance #15471 #15466
  • types(model): use ProjectionType for Model.hydrate() #15447 #15443
• 8.15.1 - 2025-05-26
  

  8.15.1 / 2025-05-26

  • types: correct handling of _id in ProjectionType #15432 #15418
  • types: fix definition of VectorSearch.$vectorSearch #15429 chriskrycho
  • docs: add Document#save to list of function with callbacks removed #15433 SethFalco
• 8.15.0 - 2025-05-16
  

  8.15.0 / 2025-05-16

  • feat: CSFLE support #15390 baileympearson
  • feat: add strictFilter option to findOneAndUpdate (#14913) #15402 #14913 muazahmed-dev
  • feat(error): set cause to MongoDB error reason on ServerSelection errors #15420 #15416
  • fix(model): make bulkSave() rely on document.validateSync() to validate docs and skip bulkWrite casting #15415 #15410
  • types: stricter projection typing with 1-level deep nesting #15418 #15327 #13840 pshaddel
  • docs: emphasize automatic type inference in TypeScript intro and statics/methods, remove duplicated statics.md #15421
• 8.14.3 - 2025-05-13
  

  8.14.3 / 2025-05-13

  • types(schema): allow post('init') #15413 #15412 #15333
  • types: fix signature of DocumentArray.id #15414 Sainan
  • docs: fix typo - change 'prodecure' to 'procedure' #15419 0xEbrahim
• 8.14.2 - 2025-05-08
  

  8.14.2 / 2025-05-08

  • fix(query): handle casting array filter paths underneath array filter paths with embedded discriminators #15388 #15386
  • docs(typescript): correct schema and model generic params in TS virtuals docs #15391
  • docs+types(schema): add alternative optimisticConcurrency syntaxes to docs + types #15405 #10591
  • chore: add Node 24 to CI matrix #15408 stscoundrel
• 8.14.1 - 2025-04-29
• 8.14.0 - 2025-04-25
• 8.13.3 - 2025-04-24
• 8.13.2 - 2025-04-03
• 8.13.1 - 2025-03-28
• 8.13.0 - 2025-03-24
• 8.12.2 - 2025-03-21
• 8.12.1 - 2025-03-04
• 8.12.0 - 2025-03-03
• 8.11.0 - 2025-02-26
• 8.10.2 - 2025-02-25
• 8.10.1 - 2025-02-14
• 8.10.0 - 2025-02-05
• 8.9.7 - 2025-02-04
• 8.9.6 - 2025-01-31
• 8.9.5 - 2025-01-13
• 8.9.4 - 2025-01-09
• 8.9.3 - 2024-12-30
• 8.9.2 - 2024-12-19
• 8.9.1 - 2024-12-16
• 8.9.0 - 2024-12-13
• 8.8.4 - 2024-12-05
• 8.8.3 - 2024-11-26
• 8.8.2 - 2024-11-18
• 8.8.1 - 2024-11-08
• 8.8.0 - 2024-10-31
• 8.7.3 - 2024-10-25
• 8.7.2 - 2024-10-17
• 8.7.1 - 2024-10-09
• 8.7.0 - 2024-09-27
• 8.6.4 - 2024-09-26
• 8.6.3 - 2024-09-17
• 8.6.2 - 2024-09-11
• 8.6.1 - 2024-09-03
• 8.6.0 - 2024-08-28
• 8.5.5 - 2024-08-28
• 8.5.4 - 2024-08-23
• 8.5.3 - 2024-08-13
• 8.5.2 - 2024-07-30
• 8.5.1 - 2024-07-12
• 8.5.0 - 2024-07-08
• 8.4.5 - 2024-07-05
• 8.4.4 - 2024-06-25
• 8.4.3 - 2024-06-17
• 8.4.2 - 2024-06-17
• 8.4.1 - 2024-05-31
• 8.4.0 - 2024-05-17
• 8.3.5 - 2024-05-15
• 8.3.4 - 2024-05-06
• 8.3.3 - 2024-04-29
• 8.3.2 - 2024-04-16
• 8.3.1 - 2024-04-08
• 8.3.0 - 2024-04-03
• 8.2.4 - 2024-03-28
• 8.2.3 - 2024-03-21
• 8.2.2 - 2024-03-15
• 8.2.1 - 2024-03-04
• 8.2.0 - 2024-02-22
• 8.1.3 - 2024-02-16
• 8.1.2 - 2024-02-11

from mongoose GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[gemini-code-assist]

Summary of Changes

Hello @nejidevelops, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated dependency upgrade initiated by Snyk. Its main purpose is to update the mongoose package to its latest stable version, thereby resolving critical security vulnerabilities and ensuring the project benefits from the latest features and bug fixes in the Mongoose ecosystem. This is a routine maintenance update to keep the project's dependencies current and secure.

Highlights

• Dependency Upgrade: The primary change is the upgrade of the mongoose package from version 8.1.2 to 8.16.1.
• Security Vulnerability Fixes: This upgrade addresses two high-severity security vulnerabilities (SNYK-JS-MONGOOSE-8446504 and SNYK-JS-MONGOOSE-8623536) related to 'Improper Neutralization of Special Elements in Data Query Logic'.
• Transitive Dependency Updates: Several underlying dependencies of mongoose have also been updated, including mongodb (from 6.3.0 to 6.17.0), bson (from 6.3.0 to 6.10.4), kareem (from 2.5.1 to 2.6.3), and sift (from 16.0.1 to 17.1.3). These updates also include additions of license information for various packages and bumps in required Node.js engine versions for tr46 and whatwg-url.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This Snyk pull request upgrades mongoose to fix two high-severity security vulnerabilities. This is a crucial update. However, my review highlights that this upgrade introduces a requirement for Node.js v18 or higher due to updated transitive dependencies. This could be a breaking change for your environment. I've added a comment with details and a recommendation to specify the Node.js version in your package.json.

[gemini-code-assist]

While upgrading mongoose is important for security, this version bump to 8.16.1 has a significant side-effect on your project's environment requirements.

This is because mongoose now depends on newer major versions of transitive dependencies like whatwg-url (v14.x) and tr46 (v5.x), which require Node.js v18 or higher to run. The previous dependency tree was compatible with older Node.js versions like v16.

If your deployment environment uses a Node.js version older than 18, this change will likely cause your application to fail during dependency installation or at runtime.

To avoid this, please ensure all your environments (development, testing, production) are updated to Node.js v18+. It's also a best practice to explicitly declare this requirement in your package.json by adding an engines field:

"engines": {
  "node": ">=18.0.0"
}