Update dependency mongoose to v6.4.6 [SECURITY] #38

Open
wants to merge 1 commit into
base: master

@renovate renovate bot commented Sep 25, 2022

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| mongoose (source) | 6.3.4 -> 6.4.6 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2022-2564

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.


Release Notes

Automattic/mongoose

v6.4.6

  • fix(schema): disallow setting __proto__ when creating schema with dotted properties #12085
  • fix(document): avoid mutating original object passed to $set() when applying defaults to nested properties #​12102
  • fix(query): apply lean transform option to top-level document #​12093
  • docs(migrating_to_6): correct example for isObjectIdOrHexString() #​12123 LokeshKanumoori

v6.4.5

v6.4.4

v6.4.3

  • fix(document): handle validating deeply nested subdocuments underneath nested paths with required: false #​12021
  • fix(types): infer schematype type from schema paths when calling SchemaType.path() #​11987
  • fix(types): add $top and $topN aggregation operators #​12053
  • fix(types): clean up a couple of issues with $add and $ifNull #​12017
  • fix(types): allow $cond with $in #​12028
  • docs: add path level descending index example in docs #​12023 MitchellCash
  • docs: add Buffer, Decimal128, Map to docs #​11971

v6.4.2

  • fix: keep autoIndex & autoCreate as true by default if read preference is primaryPreferred #​11976
  • fix(types): improve inferred Schema Type to handle nested paths and ObjectIds #​12007 iammola
  • fix(types): avoid inferring doc type from param to create() #​12001
  • fix(types): make populate Paths generic consistently overwrite doc interface #​11955
  • fix(types): allow null at ne expression second parameter #​11996 jyeros
  • fix(types): change index "weights" to be more explicit #​11997 hasezoey

v6.4.1

  • fix(schema): allow 0 for numbers if required and ref both set #​11912
  • fix(query): skip applying default projections over slice projections #​11940
  • fix(types): handle arrays in ApplyBasicQueryCasting correctly #​11964
  • fix(types): fix $match typings #​11969 andreialecu
  • fix(types): avoid adding non-existent properties from model constructor for typegoose #​11960
  • fix(types): make Mongoose UpdateQuery compatible with MongoDB UpdateFilter #​11911
  • fix(types): simplify MergeType constraints #​11978
  • fix(types): correct references to Buffer for @​types/node >= 16.0.0 < 16.6.0 #​11963
  • fix(types): re-add the possibility to pass undefined for projection in Model.find #​11965 ghost91-
  • fix(types): fix typo for indexes #​11953 AbdelrahmanHafez
  • fix(document+types): document merge option #​11913
  • docs: update schematypes.md #​11981 korzio
  • docs: update validation.md #​11982 korzio

v6.4.0

v6.3.9

  • fix(document): handle nested paths underneath subdocuments when getting all subdocuments for pre save hooks #​11917
  • fix(types): correct typing in post aggregate hooks #​11924 GCastilho
  • docs: remove connect-option reconnectTries and reconnectInterval #​11930 Uzlopak

v6.3.8

  • fix: revert 670b445 perf optimizations that caused some test failures #​11541

v6.3.7

  • fix(schema+document): allow disabling _id on subdocuments by default #​11541
  • fix(update): respect global strictQuery option when casting array filters #​11836
  • perf(document): avoid unnecessarily creating new options object on every $set #​11541
  • fix: toJSON with undefined path #​11922 kerryChen95
  • fix: add refPath to SchemaTypeOptions class #​11862
  • fix(types): handle boolean default functions #​11828
  • docs(populate): make path names in refPath section consistent #​11724

v6.3.6

  • fix(update): apply timestamps to nested subdocs within $push and $addToSet #​11775
  • fix(document): use shallow clone instead of deep clone for toObject() options #​11776
  • fix: avoid checking for ObjectId with instanceof #​11891 noseworthy
  • fix(types): Allow sorting by text score #​11893
  • fix(types): allow schematype get() functions to return undefined #​11561
  • fix(types): add Schema.discriminator #​11855 Uzlopak
  • fix(types): discriminator generic type not being passed to schema #​11898 GCastilho

v6.3.5

  • fix(document): avoid infinite recursion when calling toObject() on self-referencing document #​11756
  • fix(document): avoid manually populating documents that are manually populated in another doc with different unpopulatedValue #​11442
  • fix(document): fix ObjectId conversion for external schemas #​11841 coyotte508
  • fix: fix codeql warnings #​11817 Uzlopak
  • fix(types): allow passing TVirtuals to Schema class #​11543
  • fix(types): Type of Connection.transaction() #​11825 dwrss
  • docs(typescript): add coverage for TypeScript query helpers #​11709
  • docs: fix documentation of error handling #11844 Uzlopak
  • docs: typings mongoose.Error should reference to MongooseError #​11850 Uzlopak
  • chore: improve issue templates #​11794 Uzlopak
  • chore: use ts-benchmark instead of internal TS benchmarking #​11798 mohammad0-0ahmad

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
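
The bug class named in the CVE-2022-2564 advisory above (prototype pollution through dotted schema paths) and the kind of check the v6.4.6 schema fix describes, as an added JavaScript example. It is not Mongoose's code and not part of this PR; `setPathUnsafe`, `setPathSafe`, `FORBIDDEN_SEGMENTS` and the sample key are hypothetical stand-ins.

```javascript
// Added illustration; a simplified stand-in, not Mongoose's Schema.path() implementation.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "Before": walks a dotted path and creates intermediate objects with no key checks.
function setPathUnsafe(tree, dottedPath, value) {
  const parts = dottedPath.split('.');
  let node = tree;
  for (const part of parts.slice(0, -1)) {
    if (node[part] == null) node[part] = {};
    node = node[part]; // "__proto__" resolves to Object.prototype here
  }
  node[parts[parts.length - 1]] = value;
}

// "After": reject any segment that can reach a prototype before touching the tree.
function setPathSafe(tree, dottedPath, value) {
  const parts = dottedPath.split('.');
  for (const part of parts) {
    if (FORBIDDEN_SEGMENTS.has(part)) {
      throw new TypeError(`Refusing reserved path segment "${part}"`);
    }
  }
  let node = tree;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || node[part] == null) node[part] = {}; // never follow inherited keys
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Constructed input: a schema key as it might arrive from untrusted JSON.
function demo() {
  const untrustedKey = '__proto__.polluted';
  const result = {};
  setPathUnsafe({}, untrustedKey, true);
  result.pollutedBefore = ({}).polluted === true; // unrelated objects inherit the key
  delete Object.prototype.polluted;               // undo the pollution for the rest of the run
  try {
    setPathSafe({}, untrustedKey, true);
    result.rejected = false;
  } catch (err) {
    result.rejected = err instanceof TypeError;
  }
  result.pollutedAfter = ({}).polluted === true;
  const tree = {};
  setPathSafe(tree, 'profile.name', 'String');
  result.normalPath = tree.profile.name;
  return result;
}
```
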

@renovate renovate bot changed the title Update dependency mongoose to 5.13.15 [SECURITY] Update dependency mongoose to v6.4.6 [SECURITY] Mar 11, 2023
@renovate renovate bot force-pushed the renovate/npm-mongoose-vulnerability branch from d223d9c to a25d2d0 Compare March 11, 2023 10:03
@renovate renovate bot changed the title Update dependency mongoose to v6.4.6 [SECURITY] Update dependency mongoose to 6.4.6 [SECURITY] Mar 16, 2023
@renovate renovate bot changed the title Update dependency mongoose to 6.4.6 [SECURITY] Update dependency mongoose to v6.4.6 [SECURITY] Mar 30, 2023