Update dependency mongoose to v6.13.6 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	6.6.5 -> 6.13.6

GitHub Vulnerability Alerts

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

---

Release Notes

Automattic/mongoose (mongoose)

v6.13.6

Compare Source

===================

• fix: disallow nested $where in populate match CVE-2025-23061

v6.13.5

Compare Source

===================

• fix: disallow using $where in match

v6.13.4

Compare Source

===================

• fix: save execution stack in query as string #​15043 #​15039
• docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #​14998 markstos

v6.13.3

Compare Source

===================

• docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #​11152

v6.13.2

Compare Source

===================

• fix(document): make set() respect merge option on deeply nested objects #​14870 #​14878

v6.13.1

Compare Source

===================

• fix: remove empty $and, $or, $not that were made empty by scrict mode #​14749 #​13086 0x0a0d

v6.13.0

Compare Source

===================

• feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v6.12.9

Compare Source

===================

• fix(cast): cast $comment to string in query filters #​14590 #​14576
• types(model): allow passing strict type checking override to create() #​14571 #​14548

v6.12.8

Compare Source

===================

• fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #​14468 #​14446
• fix(schematype): consistently set wasPopulated to object with value property rather than boolean #​14418
• docs(model): add extra note about lean option for insertMany() skipping casting #​14415 #​14376

v6.12.7

Compare Source

===================

• perf(model): make insertMany() lean option skip hydrating Mongoose docs #​14376 #​14372
• perf(document+schema): small optimizations to make init() faster #​14383 #​14113
• fix(connection): don't modify passed options object to openUri() #​14370 #​13376 #​13335
• fix(ChangeStream): bubble up resumeTokenChanged changeStream event #​14355 #​14349 3150

v6.12.6

Compare Source

===================

• fix(collection): correctly handle buffer timeouts with find() #​14277
• fix(document): allow calling push() with different $position arguments #​14254

v6.12.5

Compare Source

===================

• perf(schema): remove unnecessary lookahead in numeric subpath check
• fix(document): allow setting nested path to null #​14226
• fix(document): avoid flattening dotted paths in mixed path underneath nested path #​14198 #​14178
• fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #​14213

v6.12.4

Compare Source

===================

• fix: upgrade mongodb driver -> 4.17.2
• fix(document): avoid treating nested projection as inclusive when applying defaults #​14173 #​14115
• fix: account for null values when assigning isNew property #​14172 #​13883

v6.12.3

Compare Source

===================

• fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #​14052
• fix(schema): fix dangling reference to virtual in tree after removeVirtual() #​14019 #​13085
• fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #​14053 #​14024
• fix(document): consistently avoid marking subpaths of nested paths as modified #​14053 #​14022

v6.12.2

Compare Source

===================

• fix: add fullPath to ValidatorProps #​13995 Freezystem

v6.12.1

Compare Source

===================

• fix(mongoose): correctly handle global applyPluginsToChildSchemas option #​13945 #​13887 hasezoey
• fix: Document.prototype.isModified support for a string of keys as first parameter #​13940 #​13674 k-chop

v6.12.0

Compare Source

===================

• feat: use mongodb driver v4.17.1
• fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #​13664
• fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #​13763 #​13720

v6.11.6

Compare Source

===================

• fix(model): avoid hanging on empty bulkWrite() with ordered: false #​13701 #​13684 JavaScriptBach
• types: augment bson.ObjectId instead of adding on own type #​13515 #​12537 hasezoey

v6.11.5

Compare Source

===================

• fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #​13671 #​13626
• fix: custom debug function not processing all args #​13418

v6.11.4

Compare Source

===================

• perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #​13614

v6.11.3

Compare Source

===================

• fix: avoid prototype pollution on init
• fix(schema): correctly handle uuids with populate() #​13317 #​13595

v6.11.2

Compare Source

===================

• fix(cursor): allow find middleware to modify query cursor options #​13476 #​13453 #​13435

v6.11.1

Compare Source

===================

• fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #​13348 #​13340
• fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #​13384 #​13373
• types(model): allow overwriting expected param type for bulkWrite() #​13292 hasezoey

v6.11.0

Compare Source

===================

• feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #​13337 #​13075
• perf: speed up creating maps of subdocuments #​13280 #​13191 #​13271
• fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #​13338
• fix(document): merge Document $inc calls instead of overwriting #​13322
• fix(update): handle casting doubly nested arrays with $pullAll #​13285
• docs: backport documentation versioning changes to 6.x #​13253 #​13190 hasezoey

v6.10.5

Compare Source

===================

• perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #​12953
• fix(model): execute valid write operations if calling bulkWrite() with ordered: false #​13218 #​13176
• fix(array): pass-through all parameters #​13202 #​13201 hasezoey
• fix: improve error message when sorting by empty string #​13249 #​10182
• docs: add version support and check version docs #​13251 #​13193

v6.10.4

Compare Source

===================

• fix(document): apply setters on resulting value when calling Document.prototype.$inc() #​13178 #​13158
• fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #​13163 #​12791
• docs(guide+schematypes): add UUID to schematypes guide #​13184

v6.10.3

Compare Source

===================

• fix(connection): add stub implementation of doClose to base connection class #​13157
• fix(types): add cursor.eachAsync index parameter #​13162 #​13153 hasezoey
• docs: fix 6.x docs sidebar links #​13147 #​13144 hasezoey
• docs(validation): clarify that validation runs as first pre(save) middleware #​13062

v6.10.2

Compare Source

===================

• fix(document): avoid setting array default if document array projected out by sibling projection #​13135 #​13043 #​13003
• fix(documentarray): set correct document array path if making map of document arrays #​13133
• fix: undo accidental change to engines in package.json #​13124 lorand-horvath
• docs: quick improvement to Model.init() docs #​13054

v6.10.1

Compare Source

===================

• fix: avoid removing empty query filters in $and and $or #​13086 #​12898
• fix(schematype): fixed validation for required UUID field #​13018 lpizzinidev
• fix(types): add missing Paths generic param to Model.populate() #​13070
• docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #​13083 lpizzinidev
• docs: fix code in headers for migrating_to_5 #​13077 hasezoey
• docs: backport misc documentation changes into 6.x #​13091 hasezoey

v6.10.0

Compare Source

===================

• feat: upgrade to mongodb driver 4.14.0 #​13036
• feat: added Schema.prototype.omit() function #​12939 #​12931 lpizzinidev
• feat(index): added createInitialConnection option to Mongoose constructor #​13021 #​12965 lpizzinidev

v6.9.3

Compare Source

==================

• fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #​13007 #​12940 lpizzinidev
• fix(discriminator): allows update doc with discriminatorKey #​13056 #​13055 abarriel
• fix(query): avoid sending unnecessary empty projection to MongoDB server #​13059 #​13050
• fix(model): avoid sending null session option with document operations #​13053 #​13052 lpizzinidev
• fix(types): use MergeTypes for type overrides in HydratedDocument #​13066 #​13040
• docs(middleware): list validate as a potential query middleware #​13057 #​12680
• docs(getters-setters): explain that getters do not run by default on toJSON() #​13058 #​13049
• docs: refactor docs generation scripts #​13044 hasezoey

v6.9.2

Compare Source

==================

• fix(model): fixed post('save') callback parameter #​13030 #​13026 lpizzinidev
• fix(UUID): added null check to prevent error on binaryToString conversion #​13034 #​13032 #​13029 lpizzinidev Freezystem
• fix(query): revert breaking changes introduced by #​12797 #​12999 lpizzinidev
• fix(document): make array $shift() use $pop instead of overwriting array #​13004
• docs: update & remove old links #​13019 hasezoey
• docs(middleware): describe how to access model from document middleware #​13031 AxeOfMen
• docs: update broken & outdated links #​13001 hasezoey
• chore: change deno tests to also use MMS #​12918 hasezoey

v6.9.1

Compare Source

==================

• fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #​12994 lpizzinidev
• fix(document): save newly set defaults underneath single nested subdocuments #​13002 #​12905
• fix(update): handle custom discriminator model name when casting update #​12947 wassil
• fix(connection): handles unique autoincrement ID for connections #​12990 lpizzinidev
• fix(types): fix type of options of Model.aggregate #​12933 ghost91-
• fix(types): fix "near" aggregation operator input type #​12954 Jokero
• fix(types): add missing Top operator to AccumulatorOperator type declaration #​12952 lpizzinidev
• docs(transactions): added example for Connection.transaction() method #​12943 #​12934 lpizzinidev
• docs(populate): fix out of date comment referencing onModel property #​13000
• docs(transactions): fix typo in transactions.md #​12995 Parth86

v6.9.0

Compare Source

==================

• feat(schema): add removeVirtual(path) function to schema #​12920 IslandRhythms
• fix(cast): remove empty $or conditions after strict applied #​12898 0x0a0d
• docs: fixed typo #​12946 Gbengstar

v6.8.4

Compare Source

==================

• fix(collection): handle creating model when connection disconnected with bufferCommands = false #​12889
• fix(populate): merge instead of overwrite when match is on _id #​12891
• fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #​12820 sgpinkus
• fix(types): correctly infer types on document arrays #​12884 #​12882 JavaScriptBach
• fix(types): added omit for ArraySubdocument type in LeanType declaration #​12903 piyushk96
• fix(types): add returnDocument type safety #​12906 AbdelrahmanHafez
• docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #​12912 #​12806
• docs(schematypes): removed dead link and fixed formatting #​12897 #​12885 lpizzinidev
• docs: fix link to lean api #​12910 manniL
• docs: list all possible strings for schema.pre in one place #​12868
• docs: add list of known incompatible npm packages #​12892 IslandRhythms

v6.8.3

Compare Source

==================

• perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #​12867 Uzlopak
• fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #​12866
• fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #​12836
• fix(types): avoid inferring timestamps if methods, virtuals, or statics set #​12871
• fix(types): correctly infer string enums on const arrays #​12870 JavaScriptBach
• fix(types): allow virtuals to be invoked in the definition of other virtuals #​12874 sffc
• fix(types): add type def for Aggregate#model without arguments #​12864 hasezoey
• docs(discriminators): add section about changing discriminator key #​12861
• docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #​12860 #​12684

v6.8.2

Compare Source

==================

• fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #​12827 #​12796
• fix(model): respect discriminators with Model.validate() #​12824 #​12621
• fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #​12826 #​12821
• fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #​12833 #​12696
• fix(types): add option "overwriteModels" as a schema option #​12817 #​12816 hasezoey
• fix(types): add property "defaultOptions" #​12818 hasezoey
• docs: make search bar respect documentation version, so you can search 5.x docs #​12548
• docs(typescript): make note about recommending strict mode when using auto typed schemas #​12825 #​12420
• docs: add section on sorting to query docs #​12588 IslandRhythms
• test(query.test): add write-concern option #​12829 hasezoey

v6.8.1

Compare Source

==================

• fix(query): avoid throwing circular dependency error if same object is used in multiple properties #​12774 orgads
• fix(map): return value from super.delete() #​12777 danbrud
• fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #​12815 #​12730
• fix(update): handle embedded discriminators when casting array filters #​12802 #​12565
• fix(populate): avoid calling transform if there's no populate results and using lean #​12804 #​12739
• fix(model): prevent index creation on syncIndexes if not necessary #​12785 #​12250 lpizzinidev
• fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #​12778
• fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #​12784 JavaScriptBach
• docs: replace many occurrences of "localhost" with "127.0.0.1" #​12811 #​12741 hasezoey SadiqOnGithub
• docs(mongoose): Added missing options to set #​12810 lpizzinidev
• docs: add info on $locals parameters to getters/setters tutorial #​12814 #​12550 IslandRhythms
• docs: make Document.prototype.$clone() public #​12803
• docs(query): updated explanation for slice #​12776 #​12474 lpizzinidev
• docs(middleware): fix broken links #​12787 lpizzinidev
• docs(queries): fixed broken links #​12790 lpizzinidev

v6.8.0

Compare Source

==================

• feat: add alpha support for Deno #​12397 #​9056
• feat: add deprecation warning for default strictQuery #​12666
• feat: upgrade to MongoDB driver 4.12.1
• feat(schema): add doc as second params to validation message function #​12564 #​12651 IslandRhythms
• feat(document): add $clone method #​12549 #​11849 lpizzinidev
• feat(populate): allow overriding localField and foreignField for virtual populate #​12657 #​6963 IslandRhythms
• feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #​12723 #​12583
• feat(debug): allow setting debug on a per-connection basis #​12704 #​12700 lpizzinidev
• feat: add rewind function to QueryCursor #​12710 passabilities
• feat(types): infer timestamps option from schema #​12731 #​12069
• docs: change links to not link to api.html anymore #​12644 hasezoey

v6.7.5

Compare Source

==================

• fix(schema): copy indexes when calling add() with schema instance #​12737 #​12654
• fix(query): handle deselecting _id when another field has schema-level select: false #​12736 #​12670
• fix(types): support using UpdateQuery in bulkWrite() #​12742 #​12595
• docs(middleware): added note about execution policy on subdocuments #​12735 #​12694 lpizzinidev
• docs(validation): clarify context for update validators in validation docs #​12738 #​12655 IslandRhythms

v6.7.4

Compare Source

==================

• fix: allow setting global strictQuery after Schema creation #​12717 #​12703 lpizzinidev
• fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #​12716
• fix(types): infer virtuals in query results #​12727 #​12702 #​12684
• fix(types): correctly infer ReadonlyArray types in schema definitions #​12720
• fix(types): avoid typeof Query with generics for TypeScript 4.6 support #​12712 #​12688
• chore: avoid bundling .tgz files when publishing #​12725 hasezoey

v6.7.3

Compare Source

==================

• fix(document): handle setting array to itself after saving and pushing a new value #​12672 #​12656
• fix(types): update replaceWith pipeline stage #​12715 coyotte508
• fix(types): remove incorrect modelName type definition #​12682 #​12669 lpizzinidev
• fix(schema): fix setupTimestamps for browser.umd #​12683 raphael-papazikas
• docs: correct justOne description #​12686 #​12599 tianguangcn
• docs: make links more consistent #​12690 #​12645 hasezoey
• docs(document): explain that $isNew is false in post('save') hooks #​12685 #​11990
• docs: fixed line causing a "used before defined" linting error #​12707 sgpinkus

v6.7.2

Compare Source

==================

• fix(discriminator): skip copying base schema plugins if applyPlugins == false #​12613 #​12604 lpizzinidev
• fix(types): add UUID to types #​12650 #​12593
• fix(types): allow setting SchemaTypeOptions' index property to IndexOptions #​12562
• fix(types): set this to doc type in SchemaType.prototype.validate() #​12663 #​12590
• fix(types): correct handling for model #​12659 #​12573
• fix(types): pre hook with deleteOne should resolve this as Query #​12642 #​12622 lpizzinidev

v6.7.1

Compare Source

==================

• fix(query): select Map field with select: false when explicitly requested #​12616 #​12603 lpizzinidev
• fix: correctly find paths underneath single nested document with an array of mixed #​12605 #​12530
• fix(populate): better support for populating maps of arrays of refs #​12601 #​12494
• fix(types): add missing create constructor signature override type #​12585 naorpeled
• fix(types): make array paths optional in inferred type of array default returns undefined #​12649 #​12420
• fix(types): improve ValidateOpts type #​12606 Freezystem
• docs: add Lodash guide highlighting issues with cloneDeep() #​12609
• docs: removed v5 link from v6 docs #​12641 #​12624 lpizzinidev
• docs: removed outdated connection example #​12618 lpizzinidev

v6.7.0

Compare Source

==================

• feat: upgrade to mongodb driver 4.11.0 #​12446
• feat: add UUID Schema Type (BSON Buffer SubType 4) #​12268 #​3208 hasezoey
• feat(aggregation): add $fill pipeline stage #​12545 raphael-papazikas
• feat(types+schema): allow defining schema paths using mongoose.Types.* to work around TS type inference issues #​12352
• feat(schema): add alias() method that makes it easier to define multiple aliases for a given path #​12368
• feat(model): add mergeHooks option to Model.discriminator() to avoid duplicate hooks #​12542
• feat(document): add $timestamps() method to set timestamps for save(), bulkSave(), and insertMany() #​12540

v6.6.7

Compare Source

==================

• fix: correct browser build and improve isAsyncFunction check for browser #​12577 #​12576 #​12392
• fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #​12578 #​12513

v6.6.6

Compare Source

==================

• fix(update): handle runValidators when using $set on a doc array in discriminator schema #​12571 #​12518
• fix(document): allow creating document with document array and top-level key named schema #​12569 #​12480
• fix(cast): make schema-level strictQuery override schema-level strict for query filters #​12570 #​12508
• fix(aggregate): avoid adding extra $match stage if user manually set discriminator key to correct value in first pipeline stage #​12568 #​12478
• fix: Throws error when updating a key name that match the discriminator key name on nested object #​12534 [#​12517](https://redirect.github.com/Automattic/mongoose/iss

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.