fix(deps): update dependency mongoose to v7.8.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongoose (source)	7.6.5 → 7.8.4

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

---

Release Notes

Automattic/mongoose (mongoose)

v7.8.4

Compare Source

===================

• fix: disallow nested $where in populate match CVE-2025-23061

v7.8.3

Compare Source

==================

• fix: disallow using $where in match
• fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #​14894 #​14893
• docs(migrating_to_7): add note about keepAlive to Mongoose 7 migration guide #​15032 #​13431

v7.8.2

Compare Source

==================

• fix(projection): avoid setting projection to unknown exclusive/inclusive if elemMatch on a Date, ObjectId, etc. #​14894 #​14893

v7.8.1

Compare Source

==================

• fix(query): handle casting $switch in $expr #​14761
• docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #​14811 #​14810

v7.8.0

Compare Source

==================

• feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #​14744 #​14742 #​14583 #​13889
• types(query): fix usage of "RawDocType" where "DocType" should be passed #​14737 hasezoey

v7.7.0

Compare Source

==================

• feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v7.6.13

Compare Source

===================

• fix(query): shallow clone $or and $and array elements to avoid mutating query filter arguments #​14614 #​14610
• types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #​14612 #​14601
• docs(migrating_to_7): add id setter to Mongoose 7 migration guide #​14645 #​13672

v7.6.12

Compare Source

===================

• fix(array): avoid converting to $set when calling pull() on an element in the middle of the array #​14531 #​14502
• fix: bump mongodb driver to 5.9.2 #​14561 lorand-horvath
• fix(update): cast array of strings underneath doc array with array filters #​14605 #​14595

v7.6.11

Compare Source

===================

• fix(populate): avoid match function filtering out null values in populate result #​14518
• fix(schema): support setting discriminator options in Schema.prototype.discriminator() #​14493 #​14448
• fix(schema): deduplicate idGetter so creating multiple models with same schema doesn't result in multiple id getters #​14492 #​14457

v7.6.10

Compare Source

===================

• docs(model): add extra note about lean option for insertMany() skipping casting #​14415
• docs(mongoose): add options.overwriteModel details to mongoose.model() docs #​14422

v7.6.9

Compare Source

==================

• fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #​14256 #​14245
• types(model): correct return type for findByIdAndDelete() #​14233 #​14190
• docs(connections): add note about using asPromise() with createConnection() for error handling #​14364 #​14266
• docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #​14264 #​14246

v7.6.8

Compare Source

==================

• perf(schema): remove unnecessary lookahead in numeric subpath check
• fix(discriminator): handle reusing schema with embedded discriminators defined using Schema.prototype.discriminator #​14202 #​14162
• fix(ChangeStream): avoid suppressing errors in closed change stream #​14206 #​14177

v7.6.7

Compare Source

==================

• fix: avoid minimizing single nested subdocs if they are required #​14151 #​14058
• fix(populate): allow deselecting discriminator key when populating #​14155 #​3230
• fix: allow adding discriminators using Schema.prototype.discriminator() to subdocuments after defining parent schema #​14131 #​14109
• fix(schema): avoid creating unnecessary clone of schematype in nested array so nested document arrays use correct constructor #​14128 #​14101
• fix(populate): call transform object with single id instead of array when populating a justOne path under an array #​14135 #​14073
• types: add back mistakenly removed findByIdAndRemove() function signature #​14136 #​14132

v7.6.6

Compare Source

==================

• perf: avoid double-running setter logic when calling push() #​14120 #​11380
• fix(populate): set populated docs in correct order when populating virtual underneath doc array with justOne #​14105 #​14018
• fix: bump mongodb driver -> 5.9.1 #​14084 #​13829 lorand-horvath
• types: allow defining document array using [{ prop: String }] syntax #​14095 #​13424
• types: correct types for when includeResultMetadata: true is set #​14078 #​13987 prathamVaidya
• types(query): base filters and projections off of RawDocType instead of DocType so autocomplete doesn't show populate #​14118 #​14077
• types: make property names show up in intellisense for UpdateQuery #​14123 #​14090
• types(model): support calling Model.validate() with pathsToSkip option #​14088 #​14003
• docs: remove "DEPRECATED" warning mistakenly added to read() tags param #​13980

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.