feathersjs · daffl · Mar 23, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 19, 2026
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -27,4 +27,4 @@ jobs:
       - run: |
           gh pr create --title "chore(dependencies): Update all dependencies" --body ""
         env:
-          GITHUB_TOKEN: ${{secrets.CI_ACCESS_TOKEN}}
+          GH_TOKEN: ${{secrets.CI_ACCESS_TOKEN}}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -576,6 +576,33 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 - **package:** Removes adapter tests from @feathersjs/adapter-commons
 - Move database adapter utilities from @feathersjs/commons into its own module
 - This module no longer supports Node.js 0.10
+## [5.0.43](https://github.com/feathersjs/feathers/compare/v5.0.42...v5.0.43) (2026-03-21)
+
+### Bug Fixes
+
+- **authentication-oauth:** prevent open redirect via domain suffix attack ([#3669](https://github.com/feathersjs/feathers/issues/3669)) ([9905f9f](https://github.com/feathersjs/feathers/commit/9905f9fe9fa09334c8ba10fd052fad7cdf195718))
+- **authentication-oauth:** Use actual URL origin comparison for origin check ([#3676](https://github.com/feathersjs/feathers/issues/3676)) ([32f04d0](https://github.com/feathersjs/feathers/commit/32f04d0d0169639294e2f1c28b8994f5d826dc30))
+- **mongodb:** Block $rename operator in \_patch data by default (CWE-943) ([#3665](https://github.com/feathersjs/feathers/issues/3665)) ([0526ffd](https://github.com/feathersjs/feathers/commit/0526ffd9a7f41968deb47c676aab9e60e676dbca))
+
+## [5.0.42](https://github.com/feathersjs/feathers/compare/v5.0.41...v5.0.42) (2026-03-04)
+
+### Bug Fixes
+
+- **authentication-oauth:** Fix OAuth Callback Account Takeover ([#3663](https://github.com/feathersjs/feathers/issues/3663)) ([d6b0b5c](https://github.com/feathersjs/feathers/commit/d6b0b5cfbaf6f86a63662027c25616c28e54ede1))
+- **mongodb:** Ensure arbitrary objects can't be passed as MongoDB ids ([#3664](https://github.com/feathersjs/feathers/issues/3664)) ([163e664](https://github.com/feathersjs/feathers/commit/163e664f231a57041034c852b80525fc5c8cf68d))
+- Update dependencies ([#3666](https://github.com/feathersjs/feathers/issues/3666)) ([477bf45](https://github.com/feathersjs/feathers/commit/477bf45f9c9dbde77a14a07828aa02300de23ae7))
+
+## [5.0.41](https://github.com/feathersjs/feathers/compare/v5.0.40...v5.0.41) (2026-02-19)
+
+### Bug Fixes
+
+- **client:** Ensure all client methods require valid ids ([#3661](https://github.com/feathersjs/feathers/issues/3661)) ([bc754d3](https://github.com/feathersjs/feathers/commit/bc754d3666b059b9d93799602dac427cb419ddc6))
+
+## [5.0.40](https://github.com/feathersjs/feathers/compare/v5.0.39...v5.0.40) (2026-02-03)
+
+### Bug Fixes
+
+- **oauth:** Patch open redirect and origin validation ([#3653](https://github.com/feathersjs/feathers/issues/3653)) ([ee19a0a](https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401))
 
 ## [5.0.39](https://github.com/feathersjs/feathers/compare/v5.0.38...v5.0.39) (2026-01-31)
 

diff --git a/docs/api/databases/mongodb.md b/docs/api/databases/mongodb.md
@@ -63,6 +63,7 @@ MongoDB adapter specific options are:
 - `Model {Promise<MongoDBCollection>}` (**required**) - A Promise that resolves with the MongoDB collection instance. This can also be the return value of an `async` function without `await`
 - `disableObjectify {boolean}` (_optional_, default `false`) - This will disable conversion of the id field to a MongoDB ObjectID if you want to e.g. use normal strings
 - `useEstimatedDocumentCount {boolean}` (_optional_, default `false`) - If `true` document counting will rely on `estimatedDocumentCount` instead of `countDocuments`
+- `disabledOperators {string[]}` (_optional_, default `['$rename']`) - A list of [MongoDB update operators](https://www.mongodb.com/docs/manual/reference/operator/update/) to block in `patch` data. See [Securing update operators](#securing-update-operators) for details.
 
 The [common API options](./common.md#options) are:
 
@@ -164,6 +165,52 @@ Note that creating indexes for an existing collection with many entries should b
 
 Additionally to the [common querying mechanism](./querying.md) this adapter also supports [MongoDB's query syntax](https://www.mongodb.com/docs/manual/tutorial/query-documents/) and the `update` method also supports MongoDB [update operators](https://www.mongodb.com/docs/manual/reference/operator/update/).
 
+## Securing update operators
+
+The `patch` method supports MongoDB [update operators](https://www.mongodb.com/docs/manual/reference/operator/update/) like `$push`, `$inc`, and `$unset` in the data payload. While this is powerful, it can be a security risk if patch data from the client is not properly validated. For example, an authenticated user who can patch their own profile could send:
+
+```ts
+// Escalate privileges by pushing to a roles array
+await app.service('users').patch(userId, { $push: { roles: 'admin' } })
+
+// Expose internal fields by renaming them
+await app.service('users').patch(userId, { $rename: { secretField: 'public' } })
+```
+
+### Schema validation
+
+The primary defense is to use [schema validation](../schema/validators.md) on your patch data. When your schema only allows known fields with known types, unexpected operators will be rejected before they reach the database.
+
+### The `disabledOperators` option
+
+As an additional layer of defense, the `disabledOperators` option blocks specific update operators from being passed through to MongoDB. By default, `$rename` is blocked.
+
+To block additional operators on a service:
+
+```ts
+new MongoDBService({
+  Model: app.get('mongodbClient').then((db) => db.collection('users')),
+  disabledOperators: ['$rename', '$unset', '$inc']
+})
+```
+
+To override per-call via `params.adapter`:
+
+```ts
+service.patch(id, data, {
+  adapter: { disabledOperators: ['$rename', '$unset'] }
+})
+```
+
+To allow all operators (not recommended without schema validation):
+
+```ts
+new MongoDBService({
+  Model: app.get('mongodbClient').then((db) => db.collection('messages')),
+  disabledOperators: []
+})
+```
+
 ## Search
 
 <BlockQuote type="warning" label="Important">

diff --git a/docs/package.json b/docs/package.json
@@ -11,29 +11,29 @@
     "start": "npm run dev"
   },
   "dependencies": {
-    "@vueuse/core": "^14.1.0",
+    "@vueuse/core": "^14.2.1",
     "date-fns": "^4.1.0",
-    "element-plus": "^2.13.2",
+    "element-plus": "^2.13.6",
     "query-string": "^9.3.1",
-    "shiki": "^3.22.0",
-    "vue": "^3.5.27"
+    "shiki": "^4.0.2",
+    "vue": "^3.5.30"
   },
   "devDependencies": {
-    "@feathersjs/generators": "^5.0.39",
-    "@iconify-json/carbon": "^1.2.18",
-    "@types/node": "^25.1.0",
-    "@unocss/preset-typography": "^66.6.0",
-    "@unocss/reset": "^66.6.0",
-    "@unocss/transformer-directives": "^66.6.0",
-    "@vitejs/plugin-vue": "^6.0.3",
+    "@feathersjs/generators": "^5.0.42",
+    "@iconify-json/carbon": "^1.2.19",
+    "@types/node": "^25.5.0",
+    "@unocss/preset-typography": "^66.6.7",
+    "@unocss/reset": "^66.6.7",
+    "@unocss/transformer-directives": "^66.6.7",
+    "@vitejs/plugin-vue": "^6.0.5",
     "esno": "^4.8.0",
     "fast-glob": "^3.3.3",
     "flexsearch": "^0.7.31",
     "https-localhost": "^4.7.1",
-    "markdown-it": "^14.1.0",
-    "sass": "^1.97.3",
-    "sitemap": "^9.0.0",
-    "unocss": "^66.6.0",
+    "markdown-it": "^14.1.1",
+    "sass": "^1.98.0",
+    "sitemap": "^9.0.1",
+    "unocss": "^66.6.7",
     "unplugin-auto-import": "^21.0.0",
     "unplugin-vue-components": "^31.0.0",
     "vite-plugin-pwa": "^1.2.0",