Skip to content

[Snyk] Upgrade mongoose from 8.4.0 to 9.0.0 #322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nerdy-tech-com-gitub wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade mongoose from 8.4.0 to 9.0.0 #322

nerdy-tech-com-gitub wants to merge 1 commit into from

Conversation

@nerdy-tech-com-gitub
Copy link
Owner

@nerdy-tech-com-gitub nerdy-tech-com-gitub commented Dec 15, 2025

snyk-top-banner

Snyk has created this PR to upgrade mongoose from 8.4.0 to 9.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 75 versions ahead of your current version.

  • The recommended version was released 24 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-CROSSSPAWN-8303230		 57 Proof of Concept
high severity Improper Neutralization of Special Elements in Data Query Logic
SNYK-JS-MONGOOSE-8446504		 57 Proof of Concept
high severity Improper Neutralization of Special Elements in Data Query Logic
SNYK-JS-MONGOOSE-8623536		 57 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-JSYAML-13961110		 57 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-BRACEEXPANSION-9789073		 57 Proof of Concept
Release notes
Package name: mongoose
  • 9.0.0 - 2025-11-21

    9.0.0 / 2025-11-21

    • BREAKING CHANGE: drop support for callback-based pre middleware, e.g. next() in pre() hooks
    • BREAKING CHANGE: update to MongoDB Node driver v7
    • BREAKING CHANGE: make UUID schema type return bson UUIDs #15378
    • BREAKING CHANGE: make findOne(null), find(null), etc. throw an error instead of returning first doc #15019 #14948
    • BREAKING CHANGE: disallow update pipelines by default, require updatePipeline option #15586 #14424
    • BREAKING CHANGE: call virtual ref function with subdoc, not top-level doc #14652 #12440 #12363
    • BREAKING CHANGE(types): make create() and insertOne() params more strict, remove generics to prevent type inference #15587 #15355
    • BREAKING CHANGE(types): make FilterQuery properties no longer resolve to any in TypeScript #15422
    • BREAKING CHANGE(types): change this to HydratedDocument for default() and required(), HydratedDocument | Query for validate() #15020 #14696
    • BREAKING CHANGE(types): make id a virtual in TypeScript rather than a property on Document base class #15572 #13079
    • BREAKING CHANGE(types): consolidate RootQuerySelector, Condition, etc. types with MongoDB driver's #15593
    • BREAKING CHANGE: asyncify update validators, SchemaType.prototype.doValidate(), save hooks for improved stack traces #15312
    • BREAKING CHANGE: remove bson as direct dependency, use mongodb/lib/bson instead #15576 #15154
    • BREAKING CHANGE: remove _executionStack, make validate() async function and call Kareem hooks directly vs through wrappers #15298 #14906
    • BREAKING CHANGE: remove browser build, move to @ mongoosejs/browser instead #15385 #15296
    • BREAKING CHANGE: remove schematype caster and casterConstructor properties in favor of embeddedSchemaType and Constructor #15513 #15179
    • BREAKING CHANGE: adding missing pluralizations, fixing pluralization: virus -> viruses #14247 ItsBradyDavis
    • BREAKING CHANGE: remove connection noListener option #15641 #15640
    • feat(types): add Schema.create() for TypeScript type inference #15482 #14954
    • chore: remove examples directory #15597
  • 9.0.0-rc1 - 2025-11-19

    9.0.0-rc1 / 2025-11-19

    • fix(populate): correctly populate embedded discriminators on subdocuments #15774
  • 9.0.0-rc0 - 2025-11-19

    9.0.0-rc0 / 2025-11-19

    • BREAKING CHANGE: drop support for callback-based pre middleware, e.g. next() in pre() hooks
    • BREAKING CHANGE: update to MongoDB Node driver v7
    • BREAKING CHANGE: make UUID schema type return bson UUIDs #15378
    • BREAKING CHANGE: make findOne(null), find(null), etc. throw an error instead of returning first doc #15019 #14948
    • BREAKING CHANGE: disallow update pipelines by default, require updatePipeline option #15586 #14424
    • BREAKING CHANGE: call virtual ref function with subdoc, not top-level doc #14652 #12440 #12363
    • BREAKING CHANGE(types): make create() and insertOne() params more strict, remove generics to prevent type inference #15587 #15355
    • BREAKING CHANGE(types): make FilterQuery properties no longer resolve to any in TypeScript #15422
    • BREAKING CHANGE(types): change this to HydratedDocument for default() and required(), HydratedDocument | Query for validate() #15020 #14696
    • BREAKING CHANGE(types): make id a virtual in TypeScript rather than a property on Document base class #15572 #13079
    • BREAKING CHANGE(types): consolidate RootQuerySelector, Condition, etc. types with MongoDB driver's #15593
    • BREAKING CHANGE: asyncify update validators, SchemaType.prototype.doValidate(), save hooks for improved stack traces #15312
    • BREAKING CHANGE: remove bson as direct dependency, use mongodb/lib/bson instead #15576 #15154
    • BREAKING CHANGE: remove _executionStack, make validate() async function and call Kareem hooks directly vs through wrappers #15298 #14906
    • BREAKING CHANGE: remove browser build, move to @ mongoosejs/browser instead #15385 #15296
    • BREAKING CHANGE: remove schematype caster and casterConstructor properties in favor of embeddedSchemaType and Constructor #15513 #15179
    • BREAKING CHANGE: adding missing pluralizations, fixing pluralization: virus -> viruses #14247 ItsBradyDavis
    • BREAKING CHANGE: remove connection noListener option #15641 #15640
    • feat(types): add Schema.create() for TypeScript type inference #15482 #14954
    • chore: remove examples directory #15597
  • 8.20.2 - 2025-12-05

    8.20.2 / 2025-12-05

    • fix(model): bump version if necessary after successful bulkSave() #15809 #15800
    • fix(bulkWrite): pass overwriteImmutable option to castUpdate fixes #15789 #15782 #15781
    • types(schema): allow calling schema.static() with as TStatics #15794 #15780
  • 8.20.1 - 2025-11-20

    8.20.1 / 2025-11-20

    • types: correct Model.schema type and fix unknown check for this param type in schema.methods #15750 #15693
    • docs: add detailed loadClass() TypeScript usage guide #15731 #12813 Necro-Rohan
    • docs: update version support documentation for Mongoose #15761 ManmathX
    • docs: add copy-to-clipboard feature for code blocks in docs #15759 vedansha07
  • 8.20.0 - 2025-11-17

    8.20.0 / 2025-11-17

    • feat: cast id parameter based on schema _id type in DocumentArray.id() #15733 #15725 #15724 Lex-Ashu
    • fix: pass parent schema to SchemaType constructors in interpretAsType to make implementing custom container types easier #15700
    • types(models): default _id type to ObjectId for Document #15688 Catwallon
    • docs: add FAQ entry about DivergentArrayError #15743 Mario5T
    • docs: update browser.md with Mongoose limitations #15744 YashSharma64
    • chore: add benchmark for large nested array documents (related to #9588) #15742 Kundan-CR7
  • 8.19.4 - 2025-11-14

    8.19.4 / 2025-11-14

  • 8.19.3 - 2025-11-04

    8.19.3 / 2025-11-04

    • fix(model+plugins): correctly apply shard key on deleteOne() #15705 #15701
    • fix(schema): correctly cache text indexes as 'text' not 1 #15695
    • types: make inferRawDocType correctly infer empty array type [] as any[] #15704 #15699
  • 8.19.2 - 2025-10-20
  • 8.19.1 - 2025-10-06
  • 8.19.0 - 2025-10-02
  • 8.18.3 - 2025-09-29
  • 8.18.2 - 2025-09-22
  • 8.18.1 - 2025-09-08
  • 8.18.0 - 2025-08-22
  • 8.17.2 - 2025-08-18
  • 8.17.1 - 2025-08-07
  • 8.17.0 - 2025-07-30
  • 8.16.5 - 2025-07-25
  • 8.16.4 - 2025-07-16
  • 8.16.3 - 2025-07-10
  • 8.16.2 - 2025-07-07
  • 8.16.1 - 2025-06-26
  • 8.16.0 - 2025-06-16
  • 8.15.2 - 2025-06-12
  • 8.15.1 - 2025-05-26
  • 8.15.0 - 2025-05-16
  • 8.14.3 - 2025-05-13
  • 8.14.2 - 2025-05-08
  • 8.14.1 - 2025-04-29
  • 8.14.0 - 2025-04-25
  • 8.13.3 - 2025-04-24
  • 8.13.2 - 2025-04-03
  • 8.13.1 - 2025-03-28
  • 8.13.0 - 2025-03-24
  • 8.12.2 - 2025-03-21
  • 8.12.1 - 2025-03-04
  • 8.12.0 - 2025-03-03
  • 8.11.0 - 2025-02-26
  • 8.10.2 - 2025-02-25
  • 8.10.1 - 2025-02-14
  • 8.10.0 - 2025-02-05
  • 8.9.7 - 2025-02-04
  • 8.9.6 - 2025-01-31
  • 8.9.5 - 2025-01-13
  • 8.9.4 - 2025-01-09
  • 8.9.3 - 2024-12-30
  • 8.9.2 - 2024-12-19
  • 8.9.1 - 2024-12-16
  • 8.9.0 - 2024-12-13
  • 8.8.4 - 2024-12-05
  • 8.8.3 - 2024-11-26
  • 8.8.2 - 2024-11-18
  • 8.8.1 - 2024-11-08
  • 8.8.0 - 2024-10-31
  • 8.7.3 - 2024-10-25
  • 8.7.2 - 2024-10-17
  • 8.7.1 - 2024-10-09
  • 8.7.0 - 2024-09-27
  • 8.6.4 - 2024-09-26
  • 8.6.3 - 2024-09-17
  • 8.6.2 - 2024-09-11
  • 8.6.1 - 2024-09-03
  • 8.6.0 - 2024-08-28
  • 8.5.5 - 2024-08-28
  • 8.5.4 - 2024-08-23
  • 8.5.3 - 2024-08-13
  • 8.5.2 - 2024-07-30
  • 8.5.1 - 2024-07-12
  • 8.5.0 - 2024-07-08
  • 8.4.5 - 2024-07-05
  • 8.4.4 - 2024-06-25
  • 8.4.3 - 2024-06-17
  • 8.4.2 - 2024-06-17
  • 8.4.1 - 2024-05-31
  • 8.4.0 - 2024-05-17
from mongoose GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
feat: upgrade mongoose from 8.4.0 to 9.0.0
9137ee1 
Snyk has created this PR to upgrade mongoose from 8.4.0 to 9.0.0.

See this package in npm:
mongoose

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/70b74934-be90-4f8b-86e4-d9c4d06d8055?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nerdy-tech-com-gitub @snyk-bot