Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump mongoose from 3.6.20 to 5.13.4 #146

Closed

Conversation

dependabot-preview[bot]
Copy link

Bumps mongoose from 3.6.20 to 5.13.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Remote Memory Exposure in mongoose Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.

Recommendation

Update to version 4.3.6, 3.8.39 or later.

Affected versions: >= 3.5.5 <= 3.8.38

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects mongoose Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Affected versions: < 5.7.5

Sourced from The Node Security Working Group.

Remote Memory Exposure Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.

Affected versions: >=3.5.5 =4.0.0 <=4.3.5

Changelog

Sourced from mongoose's changelog.

5.13.4 / 2021-07-28

  • fix: avoid pulling non-schema paths from documents into nested paths #10449
  • fix(update): support overwriting nested map paths #10485
  • fix(update): apply timestamps to subdocs that would be newly created by $setOnInsert #10460
  • fix(map): correctly clone subdocs when calling toObject() on a map #10486
  • fix(cursor): cap parallel batchSize for populate at 5000 #10449
  • fix(index.d.ts): improve autocomplete for new Model() by making doc an object with correct keys #10475
  • fix(index.d.ts): add MongooseOptions interface #10471 thiagokisaki
  • fix(index.d.ts): make LeanDocument work with PopulatedDoc #10494
  • docs(mongoose+connection): correct default value for bufferTimeoutMS #10476
  • chore: remove unnecessary 'eslint-disable' comments #10466 thiagokisaki

5.13.3 / 2021-07-16

  • fix(model): avoid throwing error when bulkSave() called on a document with no changes #10437
  • fix(timestamps): apply timestamps when creating new subdocs with $addToSet and with positional operator #10447
  • fix(schema): allow calling Schema#loadClass() with class that has a static getter with no setter #10436
  • fix(model): handle re-applying object defaults after explicitly unsetting #10442 semirturgay
  • fix: bump mongodb driver -> 3.6.10 #10440 AbdelrahmanHafez
  • fix(index.d.ts): consistently use NativeDate instead of Date for Date validators and timestamps functions #10426
  • fix(index.d.ts): allow calling discriminator() with non-document #10452 #10421 DouglasGabr
  • fix(index.d.ts): allow passing ResultType generic to Schema#path() #10435

5.13.2 / 2021-07-03

  • fix: hardcode @​types/node version for now to avoid breaking changes from DefinitelyTyped/DefinitelyTyped#53669 #10415
  • fix(index.d.ts): allow using type: Date with Date paths in SchemaDefinitionType #10409
  • fix(index.d.ts): allow extra VirtualTypeOptions for better plugin support #10412
  • docs(api): add SchemaArray to docs #10397
  • docs(schema+validation): fix broken links #10396
  • docs(transactions): add note about creating a connection to transactions docs #10406

5.13.1 / 2021-07-02

  • fix(discriminator): allow using array as discriminator key in schema and as tied value #10303
  • fix(index.d.ts): allow using & Document in schema definition for required subdocument arrays #10370
  • fix(index.d.ts): if using DocType that doesn't extends Document, default to returning that DocType from toObject() and toJSON() #10345
  • fix(index.d.ts): use raw DocType instead of LeanDocument when using lean() with queries if raw DocType doesn't extends Document #10345
  • fix(index.d.ts): remove err: any in callbacks, use err: CallbackError instead #10340
  • fix(index.d.ts): allow defining map of schemas in TypeScript #10389
  • fix(index.d.ts): correct return type for Model.createCollection() #10359
  • docs(promises+discriminators): correctly escape () in regexp to pull in examples correctly #10364
  • docs(update): fix outdated URL about unindexed upsert #10406 grimmer0125
  • docs(index.d.ts): proper placement of mongoose.Date JSDoc thiagokisaki

5.13.0 / 2021-06-28

  • feat(query): add sanitizeProjection option to opt in to automatically sanitizing untrusted query projections #10243
  • feat(model): add bulkSave() function that saves multiple docs in 1 bulkWrite() #9727 #9673 AbdelrahmanHafez

... (truncated)

Commits
  • 6b33a7b chore: release 5.13.4
  • 060039d fix(index.d.ts): improve autocomplete for new Model() by making doc an ob...
  • 2066180 fix(map): correctly clone subdocs when calling toObject() on a map
  • 7793065 test(map): repro #10486
  • 1be924d style: fix lint
  • c05e7f6 Merge branch 'master' of github.com:Automattic/mongoose
  • b6beb3e fix(update): support overwriting nested map paths
  • 926533f test: repro #10485
  • fcbadbc Merge pull request #10494 from juhdanad/lean-populated
  • 0afa2ba Merge branch 'master' of github.com:Automattic/mongoose
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by vkarpov15, a new releaser for mongoose since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [mongoose](https://github.com/Automattic/mongoose) from 3.6.20 to 5.13.4. **This update includes security fixes.**
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/History.md)
- [Commits](Automattic/mongoose@3.6.20...5.13.4)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jul 29, 2021
@dependabot-preview
Copy link
Author

Superseded by #147.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/mongoose-5.13.4 branch August 3, 2021 04:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants