fix(deps): update dependency mongoose to v6.13.5 [security] by renovate-bot · Pull Request #124 · GoogleCloudPlatform/cloud-code-custom-samples-example

renovate-bot · 2023-02-01T01:34:32Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	`6.3.2` → `6.13.5`

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2022-24304

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Release Notes

Automattic/mongoose (mongoose)

`v6.13.5`

Compare Source

===================

fix: disallow using $where in match

`v6.13.4`

Compare Source

===================

fix: save execution stack in query as string #15043 #15039
docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #14998 markstos

`v6.13.3`

Compare Source

===================

docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

`v6.13.2`

Compare Source

===================

fix(document): make set() respect merge option on deeply nested objects #14870 #14878

`v6.13.1`

Compare Source

===================

fix: remove empty $and, $or, $not that were made empty by scrict mode #14749 #13086 0x0a0d

`v6.13.0`

Compare Source

===================

feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

`v6.12.9`

Compare Source

===================

fix(cast): cast $comment to string in query filters #14590 #14576
types(model): allow passing strict type checking override to create() #14571 #14548

`v6.12.8`

Compare Source

===================

fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

`v6.12.7`

Compare Source

===================

perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
perf(document+schema): small optimizations to make init() faster #14383 #14113
fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150

`v6.12.6`

Compare Source

===================

fix(collection): correctly handle buffer timeouts with find() #14277
fix(document): allow calling push() with different $position arguments #14254

`v6.12.5`

Compare Source

===================

perf(schema): remove unnecessary lookahead in numeric subpath check
fix(document): allow setting nested path to null #14226
fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213

`v6.12.4`

Compare Source

===================

fix: upgrade mongodb driver -> 4.17.2
fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
fix: account for null values when assigning isNew property #14172 #13883

`v6.12.3`

Compare Source

===================

fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022

`v6.12.2`

Compare Source

===================

fix: add fullPath to ValidatorProps #13995 Freezystem

`v6.12.1`

Compare Source

===================

fix(mongoose): correctly handle global applyPluginsToChildSchemas option #13945 #13887 hasezoey
fix: Document.prototype.isModified support for a string of keys as first parameter #13940 #13674 k-chop

`v6.12.0`

Compare Source

===================

feat: use mongodb driver v4.17.1
fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

`v6.11.6`

Compare Source

===================

fix(model): avoid hanging on empty bulkWrite() with ordered: false #13701 #13684 JavaScriptBach
types: augment bson.ObjectId instead of adding on own type #13515 #12537 hasezoey

`v6.11.5`

Compare Source

===================

fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
fix: custom debug function not processing all args #13418

`v6.11.4`

Compare Source

===================

perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

`v6.11.3`

Compare Source

===================

fix: avoid prototype pollution on init
fix(schema): correctly handle uuids with populate() #13317 #13595

`v6.11.2`

Compare Source

===================

fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435

`v6.11.1`

Compare Source

===================

fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340
fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #13384 #13373
types(model): allow overwriting expected param type for bulkWrite() #13292 hasezoey

`v6.11.0`

Compare Source

===================

feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #13337 #13075
perf: speed up creating maps of subdocuments #13280 #13191 #13271
fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #13338
fix(document): merge Document $inc calls instead of overwriting #13322
fix(update): handle casting doubly nested arrays with $pullAll #13285
docs: backport documentation versioning changes to 6.x #13253 #13190 hasezoey

`v6.10.5`

Compare Source

===================

perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #12953
fix(model): execute valid write operations if calling bulkWrite() with ordered: false #13218 #13176
fix(array): pass-through all parameters #13202 #13201 hasezoey
fix: improve error message when sorting by empty string #13249 #10182
docs: add version support and check version docs #13251 #13193

`v6.10.4`

Compare Source

===================

fix(document): apply setters on resulting value when calling Document.prototype.$inc() #13178 #13158
fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #13163 #12791
docs(guide+schematypes): add UUID to schematypes guide #13184

`v6.10.3`

Compare Source

===================

fix(connection): add stub implementation of doClose to base connection class #13157
fix(types): add cursor.eachAsync index parameter #13162 #13153 hasezoey
docs: fix 6.x docs sidebar links #13147 #13144 hasezoey
docs(validation): clarify that validation runs as first pre(save) middleware #13062

`v6.10.2`

Compare Source

===================

fix(document): avoid setting array default if document array projected out by sibling projection #13135 #13043 #13003
fix(documentarray): set correct document array path if making map of document arrays #13133
fix: undo accidental change to engines in package.json #13124 lorand-horvath
docs: quick improvement to Model.init() docs #13054

`v6.10.1`

Compare Source

===================

fix: avoid removing empty query filters in $and and $or #13086 #12898
fix(schematype): fixed validation for required UUID field #13018 lpizzinidev
fix(types): add missing Paths generic param to Model.populate() #13070
docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #13083 lpizzinidev
docs: fix code in headers for migrating_to_5 #13077 hasezoey
docs: backport misc documentation changes into 6.x #13091 hasezoey

`v6.10.0`

Compare Source

===================

feat: upgrade to mongodb driver 4.14.0 #13036
feat: added Schema.prototype.omit() function #12939 #12931 lpizzinidev
feat(index): added createInitialConnection option to Mongoose constructor #13021 #12965 lpizzinidev

`v6.9.3`

Compare Source

==================

fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #13007 #12940 lpizzinidev
fix(discriminator): allows update doc with discriminatorKey #13056 #13055 abarriel
fix(query): avoid sending unnecessary empty projection to MongoDB server #13059 #13050
fix(model): avoid sending null session option with document operations #13053 #13052 lpizzinidev
fix(types): use MergeTypes for type overrides in HydratedDocument #13066 #13040
docs(middleware): list validate as a potential query middleware #13057 #12680
docs(getters-setters): explain that getters do not run by default on toJSON() #13058 #13049
docs: refactor docs generation scripts #13044 hasezoey

`v6.9.2`

Compare Source

==================

fix(model): fixed post('save') callback parameter #13030 #13026 lpizzinidev
fix(UUID): added null check to prevent error on binaryToString conversion #13034 #13032 #13029 lpizzinidev Freezystem
fix(query): revert breaking changes introduced by #12797 #12999 lpizzinidev
fix(document): make array $shift() use $pop instead of overwriting array #13004
docs: update & remove old links #13019 hasezoey
docs(middleware): describe how to access model from document middleware #13031 AxeOfMen
docs: update broken & outdated links #13001 hasezoey
chore: change deno tests to also use MMS #12918 hasezoey

`v6.9.1`

Compare Source

==================

fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #12994 lpizzinidev
fix(document): save newly set defaults underneath single nested subdocuments #13002 #12905
fix(update): handle custom discriminator model name when casting update #12947 wassil
fix(connection): handles unique autoincrement ID for connections #12990 lpizzinidev
fix(types): fix type of options of Model.aggregate #12933 ghost91-
fix(types): fix "near" aggregation operator input type #12954 Jokero
fix(types): add missing Top operator to AccumulatorOperator type declaration #12952 lpizzinidev
docs(transactions): added example for Connection.transaction() method #12943 #12934 lpizzinidev
docs(populate): fix out of date comment referencing onModel property #13000
docs(transactions): fix typo in transactions.md #12995 Parth86

`v6.9.0`

Compare Source

==================

feat(schema): add removeVirtual(path) function to schema #12920 IslandRhythms
fix(cast): remove empty $or conditions after strict applied #12898 0x0a0d
docs: fixed typo #12946 Gbengstar

`v6.8.4`

Compare Source

==================

fix(collection): handle creating model when connection disconnected with bufferCommands = false #12889
fix(populate): merge instead of overwrite when match is on _id #12891
fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #12820 sgpinkus
fix(types): correctly infer types on document arrays #12884 #12882 JavaScriptBach
fix(types): added omit for ArraySubdocument type in LeanType declaration #12903 piyushk96
fix(types): add returnDocument type safety #12906 AbdelrahmanHafez
docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #12912 #12806
docs(schematypes): removed dead link and fixed formatting #12897 #12885 lpizzinidev
docs: fix link to lean api #12910 manniL
docs: list all possible strings for schema.pre in one place #12868
docs: add list of known incompatible npm packages #12892 IslandRhythms

`v6.8.3`

Compare Source

==================

perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #12867 Uzlopak
fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #12866
fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #12836
fix(types): avoid inferring timestamps if methods, virtuals, or statics set #12871
fix(types): correctly infer string enums on const arrays #12870 JavaScriptBach
fix(types): allow virtuals to be invoked in the definition of other virtuals #12874 sffc
fix(types): add type def for Aggregate#model without arguments #12864 hasezoey
docs(discriminators): add section about changing discriminator key #12861
docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #12860 #12684

`v6.8.2`

Compare Source

==================

fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #12827 #12796
fix(model): respect discriminators with Model.validate() #12824 #12621
fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #12826 #12821
fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #12833 #12696
fix(types): add option "overwriteModels" as a schema option #12817 #12816 hasezoey
fix(types): add property "defaultOptions" #12818 hasezoey
docs: make search bar respect documentation version, so you can search 5.x docs #12548
docs(typescript): make note about recommending strict mode when using auto typed schemas #12825 #12420
docs: add section on sorting to query docs #12588 IslandRhythms
test(query.test): add write-concern option #12829 hasezoey

`v6.8.1`

Compare Source

==================

fix(query): avoid throwing circular dependency error if same object is used in multiple properties #12774 orgads
fix(map): return value from super.delete() #12777 danbrud
fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #12815 #12730
fix(update): handle embedded discriminators when casting array filters #12802 #12565
fix(populate): avoid calling transform if there's no populate results and using lean #12804 #12739
fix(model): prevent index creation on syncIndexes if not necessary #12785 #12250 lpizzinidev
fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #12778
fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #12784 JavaScriptBach
docs: replace many occurrences of "localhost" with "127.0.0.1" #12811 #12741 hasezoey SadiqOnGithub
docs(mongoose): Added missing options to set #12810 lpizzinidev
docs: add info on $locals parameters to getters/setters tutorial #12814 #12550 IslandRhythms
docs: make Document.prototype.$clone() public #12803
docs(query): updated explanation for slice #12776 #12474 lpizzinidev
docs(middleware): fix broken links #12787 lpizzinidev
docs(queries): fixed broken links #12790 lpizzinidev

`v6.8.0`

Compare Source

==================

feat: add alpha support for Deno #12397 #9056
feat: add deprecation warning for default strictQuery #12666
feat: upgrade to MongoDB driver 4.12.1
feat(schema): add doc as second params to validation message function #12564 #12651 IslandRhythms
feat(document): add $clone method #12549 #11849 lpizzinidev
feat(populate): allow overriding localField and foreignField for virtual populate #12657 #6963 IslandRhythms
feat(schema+types): add { errorHandler: true } option to Schema post() for better TypeScript support #12723 #12583
feat(debug): allow setting debug on a per-connection basis #12704 #12700 lpizzinidev
feat: add rewind function to QueryCursor #12710 passabilities
feat(types): infer timestamps option from schema #12731 #12069
docs: change links to not link to api.html anymore #12644 hasezoey

`v6.7.5`

Compare Source

==================

fix(schema): copy indexes when calling add() with schema instance #12737 #12654
fix(query): handle deselecting _id when another field has schema-level select: false #12736 #12670
fix(types): support using UpdateQuery in bulkWrite() #12742 #12595
docs(middleware): added note about execution policy on subdocuments #12735 #12694 lpizzinidev
docs(validation): clarify context for update validators in validation docs #12738 #12655 IslandRhythms

`v6.7.4`

Compare Source

==================

fix: allow setting global strictQuery after Schema creation #12717 #12703 lpizzinidev
fix(cursor): make eachAsync() avoid modifying batch when mixing parallel and batchSize #12716
fix(types): infer virtuals in query results #12727 #12702 #12684
fix(types): correctly infer ReadonlyArray types in schema definitions #12720
fix(types): avoid typeof Query with generics for TypeScript 4.6 support #12712 #12688
chore: avoid bundling .tgz files when publishing #12725 hasezoey

`v6.7.3`

Compare Source

==================

fix(document): handle setting array to itself after saving and pushing a new value #12672 #12656
fix(types): update replaceWith pipeline stage #12715 coyotte508
fix(types): remove incorrect modelName type definition #12682 #12669 lpizzinidev
fix(schema): fix setupTimestamps for browser.umd #12683 raphael-papazikas
docs: correct justOne description #12686 #12599 tianguangcn
docs: make links more consistent #12690 #12645 hasezoey
docs(document): explain that $isNew is false in post('save') hooks #12685 #11990
docs: fixed line causing a "used before defined" linting error #12707 sgpinkus

`v6.7.2`

Compare Source

==================

fix(discriminator): skip copying base schema plugins if applyPlugins == false #12613 #12604 lpizzinidev
fix(types): add UUID to types #12650 #12593
fix(types): allow setting SchemaTypeOptions' index property to IndexOptions #12562
fix(types): set this to doc type in SchemaType.prototype.validate() #12663 #12590
fix(types): correct handling for model #12659 #12573
fix(types): pre hook with deleteOne should resolve this as Query #12642 #12622 lpizzinidev

`v6.7.1`

Compare Source

==================

fix(query): select Map field with select: false when explicitly requested #12616 #12603 lpizzinidev
fix: correctly find paths underneath single nested document with an array of mixed #12605 #12530
fix(populate): better support for populating maps of arrays of refs #12601 #12494
fix(types): add missing create constructor signature override type #12585 naorpeled
fix(types): make array paths optional in inferred type of array default returns undefined #12649 #12420
fix(types): improve ValidateOpts type #12606 Freezystem
docs: add Lodash guide highlighting issues with cloneDeep() #12609
docs: removed v5 link from v6 docs #12641 #12624 lpizzinidev
docs: removed outdated connection example #12618 lpizzinidev

`v6.7.0`

Compare Source

==================

feat: upgrade to mongodb driver 4.11.0 #12446
feat: add UUID Schema Type (BSON Buffer SubType 4) #12268 #3208 hasezoey
feat(aggregation): add $fill pipeline stage #12545 raphael-papazikas
feat(types+schema): allow defining schema paths using mongoose.Types.* to work around TS type inference issues #12352
feat(schema): add alias() method that makes it easier to define multiple aliases for a given path #12368
feat(model): add mergeHooks option to Model.discriminator() to avoid duplicate hooks #12542
feat(document): add $timestamps() method to set timestamps for save(), bulkSave(), and insertMany() #12540

`v6.6.7`

Compare Source

==================

fix: correct browser build and improve isAsyncFunction check for browser #12577 #12576 #12392
fix(query): allow overwriting discriminator key with overwriteDiscriminatorKey if strict: 'throw' #12578 #12513

`v6.6.6`

Compare Source

==================

fix(update): handle runValidators when using $set on a doc array in discriminator schema [#12571](htt

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.4.6 [security]~~ fix(deps): update dependency mongoose to v6.11.3 [security] Jul 18, 2023

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5869907 to 6d11084 Compare July 18, 2023 19:16

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 6d11084 to 4c9055a Compare December 3, 2024 05:50

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.11.3 [security]~~ fix(deps): update dependency mongoose to v8 [security] Dec 3, 2024

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 4c9055a to c8935b9 Compare December 4, 2024 19:34

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v8 [security]~~ fix(deps): update dependency mongoose to v6.11.3 [security] Dec 4, 2024

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from c8935b9 to 2ce1891 Compare December 5, 2024 01:24

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.11.3 [security]~~ fix(deps): update dependency mongoose to v6.13.5 [security] Dec 5, 2024

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 2ce1891 to f95bd90 Compare January 16, 2025 22:47

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.5 [security]~~ fix(deps): update dependency mongoose to v8 [security] Jan 16, 2025

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from f95bd90 to cca3da9 Compare January 17, 2025 18:18

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v8 [security]~~ fix(deps): update dependency mongoose to v6.13.5 [security] Jan 17, 2025

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from cca3da9 to 3fceefb Compare January 18, 2025 02:04

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.5 [security]~~ fix(deps): update dependency mongoose to v6.13.6 [security] Jan 18, 2025

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch 2 times, most recently from ec5a03a to 37ea8de Compare August 13, 2025 12:13

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 37ea8de to a04596a Compare August 31, 2025 12:48

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from a04596a to d04929d Compare September 25, 2025 17:57

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from d04929d to bf3075f Compare October 21, 2025 20:46

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from bf3075f to 4f9a12b Compare November 11, 2025 03:05

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 4f9a12b to 830b2ce Compare November 18, 2025 23:13

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 830b2ce to a839f59 Compare December 3, 2025 15:12

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch 3 times, most recently from 33a7831 to 3a43c2d Compare January 2, 2026 02:55

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.6 [security]~~ fix(deps): update dependency mongoose to v6.13.5 [security] Jan 2, 2026

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 3a43c2d to 6403c86 Compare January 2, 2026 02:57

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.5 [security]~~ fix(deps): update dependency mongoose to v6.13.6 [security] Jan 2, 2026

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 6403c86 to 2f02f96 Compare January 8, 2026 21:14

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 2f02f96 to abc97b2 Compare January 19, 2026 17:35

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from abc97b2 to 5f38bd3 Compare February 2, 2026 17:01

fix(deps): update dependency mongoose to v6.13.5 [security]

218fcfc

renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 5f38bd3 to 218fcfc Compare February 4, 2026 18:12

renovate-bot changed the title ~~fix(deps): update dependency mongoose to v6.13.6 [security]~~ fix(deps): update dependency mongoose to v6.13.5 [security] Feb 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency mongoose to v6.13.5 [security]#124

fix(deps): update dependency mongoose to v6.13.5 [security]#124
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/npm-mongoose-vulnerability

renovate-bot commented Feb 1, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate-bot commented Feb 1, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Description

Proof of Concept

Impact

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate-bot commented Feb 1, 2023 •

edited

Loading