[Snyk] Upgrade mongoose from 8.1.2 to 8.17.0

[nejidevelops]

Snyk has created this PR to upgrade mongoose from 8.1.2 to 8.17.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 71 versions ahead of your current version.

• The recommended version was released 23 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8446504	649	No Known Exploit
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8623536	649	No Known Exploit

Release notes

Package name: mongoose

• 8.17.0 - 2025-07-30
  

  8.17.0 / 2025-07-30

  • feat: upgrade mongodb -> 6.18.0 #15552
  • feat(mongoose): export base Connection and Collection classes #15548
  • feat: make Schema.prototype.$conditionalHandlers public #15497
  • types: automatically infer discriminator type #15547 #15535
  • types: make versionKey: false disable __v from hydrated document #15524 #15511
  • types: indicate support for mongodb abort #15549 GalacticHypernova
  • types: add options property to schemas #15524
  • types(schematype): make defaultOptions static and add schemaOptions to DocumentArray #15529 #15524
• 8.16.5 - 2025-07-25
  

  8.16.5 / 2025-07-25

  • fix(map): avoid throwing required error if saving map of primitives with required: true #15542
  • types(model): export MongooseBulkWriteResult type #15546
  • types(connection): add base to connection type #15544
• 8.16.4 - 2025-07-16
  

  8.16.4 / 2025-07-16

  • fix(connection): avoid calling connection.close() internally with force: Object #15534 #15531
  • types(schema): handle required: string in schema definitions #15538 #15536
  • types(document): allow calling $isDefault() with no args #15528 #15522
  • types: infer Typescript string enums #15530 ruiaraujo
  • types: pass TModelType down to schema statics #15537
• 8.16.3 - 2025-07-10
  

  8.16.3 / 2025-07-10

  • fix(document): clean modified subpaths if unsetting map #15520 #15519
  • fix: make DocumentArray SchemaType pass all options to embedded SchemaType #15523
  • types: support readonly array in query.select #15527 omermizr
• 8.16.2 - 2025-07-07
  

  8.16.2 / 2025-07-07

  • fix(cursor): populate after hydrating in queryCursor so populated docs get parent() #15498 #15494
  • fix(schema): support toJSONSchema() on mixed types and improve error message about unsupported types #15492 #15489
  • types: add _id and __v to toObject/toJSON transform type #15501 #15479
  • types(schema): use user-provided THydratedDocumentType as context for virtual get() and set() #15517 #15516
  • types: improve typing for transform option to toJSON and toObject #15485
  • docs: link to custom setter docs from lowercase, etc. options and note that setters run on query filters #15493 #15491
  • docs(jest): add note about resetModules #15515
• 8.16.1 - 2025-06-26
  

  8.16.1 / 2025-06-26

  • fix(document): avoid setting _skipMarkModified when setting nested path with merge option #15484 #11913
  • fix(model): make sure post save error handler gets doc as param on VersionError #15483 #15480
  • fix: consistent $conditionalHandlers setup between schematypes #15490
  • docs(compatibility): note that mongodb 4.0 is not supported anymore since 8.16.0 #15487 hasezoey
  • docs: remove unnecessary --save flag from npm install instruction #15486 Thahirgeek
• 8.16.0 - 2025-06-16
  

  8.16.0 / 2025-06-16

  • feat(model): add Model.createSearchIndexes() #15470 #15465
  • feat: upgrade MongoDB driver -> 6.17.0 #15468 gmstavros
• 8.15.2 - 2025-06-12
  

  8.15.2 / 2025-06-12

  • fix(document+schema): improve handling for setting paths underneath maps, including maps of maps #15477 #15461
  • fix: report default paths in VersionError message because they can can cause VersionError #15464
  • fix(updateValidators): ensure update validators only call validators underneath single nested paths once #15446 #15436
  • fix: fix validation for deeply nested maps of subdocuments #15469 #15447 AbdelrahmanHafez
  • fix(DocumentArray): correctly set parent if instantiated with schema from another Mongoose instance #15471 #15466
  • types(model): use ProjectionType for Model.hydrate() #15447 #15443
• 8.15.1 - 2025-05-26
• 8.15.0 - 2025-05-16
• 8.14.3 - 2025-05-13
• 8.14.2 - 2025-05-08
• 8.14.1 - 2025-04-29
• 8.14.0 - 2025-04-25
• 8.13.3 - 2025-04-24
• 8.13.2 - 2025-04-03
• 8.13.1 - 2025-03-28
• 8.13.0 - 2025-03-24
• 8.12.2 - 2025-03-21
• 8.12.1 - 2025-03-04
• 8.12.0 - 2025-03-03
• 8.11.0 - 2025-02-26
• 8.10.2 - 2025-02-25
• 8.10.1 - 2025-02-14
• 8.10.0 - 2025-02-05
• 8.9.7 - 2025-02-04
• 8.9.6 - 2025-01-31
• 8.9.5 - 2025-01-13
• 8.9.4 - 2025-01-09
• 8.9.3 - 2024-12-30
• 8.9.2 - 2024-12-19
• 8.9.1 - 2024-12-16
• 8.9.0 - 2024-12-13
• 8.8.4 - 2024-12-05
• 8.8.3 - 2024-11-26
• 8.8.2 - 2024-11-18
• 8.8.1 - 2024-11-08
• 8.8.0 - 2024-10-31
• 8.7.3 - 2024-10-25
• 8.7.2 - 2024-10-17
• 8.7.1 - 2024-10-09
• 8.7.0 - 2024-09-27
• 8.6.4 - 2024-09-26
• 8.6.3 - 2024-09-17
• 8.6.2 - 2024-09-11
• 8.6.1 - 2024-09-03
• 8.6.0 - 2024-08-28
• 8.5.5 - 2024-08-28
• 8.5.4 - 2024-08-23
• 8.5.3 - 2024-08-13
• 8.5.2 - 2024-07-30
• 8.5.1 - 2024-07-12
• 8.5.0 - 2024-07-08
• 8.4.5 - 2024-07-05
• 8.4.4 - 2024-06-25
• 8.4.3 - 2024-06-17
• 8.4.2 - 2024-06-17
• 8.4.1 - 2024-05-31
• 8.4.0 - 2024-05-17
• 8.3.5 - 2024-05-15
• 8.3.4 - 2024-05-06
• 8.3.3 - 2024-04-29
• 8.3.2 - 2024-04-16
• 8.3.1 - 2024-04-08
• 8.3.0 - 2024-04-03
• 8.2.4 - 2024-03-28
• 8.2.3 - 2024-03-21
• 8.2.2 - 2024-03-15
• 8.2.1 - 2024-03-04
• 8.2.0 - 2024-02-22
• 8.1.3 - 2024-02-16
• 8.1.2 - 2024-02-11

from mongoose GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[gemini-code-assist]

Summary of Changes

Hello @nejidevelops, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, updates the mongoose dependency from version 8.1.2 to 8.17.0. The primary goal of this upgrade is to enhance the project's security posture by addressing two high-severity vulnerabilities and ensuring that the application benefits from the latest fixes and improvements in the mongoose ecosystem.

Highlights

• Mongoose Version Upgrade: The primary change involves upgrading the mongoose package from version 8.1.2 to 8.17.0.
• Security Vulnerability Fixes: This upgrade directly addresses two high-severity security vulnerabilities, SNYK-JS-MONGOOSE-8446504 and SNYK-JS-MONGOOSE-8623536, enhancing the project's security posture.
• Dependency Updates and Improvements: The update includes numerous fixes and features from 71 versions of mongoose, along with updates to underlying dependencies such as mongodb, bson, kareem, and sift.
• Node.js Version Compatibility: Some updated transitive dependencies, specifically tr46 and whatwg-url, now require Node.js version 18 or higher, which may necessitate a Node.js environment upgrade.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, upgrades mongoose from version 8.1.2 to 8.17.0. This is a significant update that spans 71 patch and minor versions, primarily aimed at resolving security vulnerabilities related to 'Improper Neutralization of Special Elements in Data Query Logic'. While this is a minor version upgrade for mongoose itself and shouldn't contain breaking API changes, it's important to note that some of its transitive dependencies have received major version bumps. My review has identified a critical issue regarding the Node.js version requirement. A transitive dependency now requires Node.js v18 or higher, which could break your application if you are running on an older version. Please see the specific comment for details. It is crucial to test the application thoroughly after merging these changes.

[gemini-code-assist]

This upgrade introduces transitive dependencies that now require Node.js v18 or higher.

Specifically, whatwg-url (a dependency of mongodb) and its own dependency tr46 have been upgraded to major versions that now require node >= 18. The previous versions supported older Node.js runtimes.

Your package.json does not specify a Node.js version in the engines field. This upgrade could break your application if your development or deployment environments use a Node.js version older than 18.

Recommendation:

1. Ensure your environments are running Node.js v18 or later.
2. Consider adding an engines field to your package.json to enforce the Node.js version and make this requirement explicit for all developers.