Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Proof of Concept
// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();
malicious_payload = '__proto__.toString'
schema.path(malicious_payload, [String])
x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
Release Notes
Automattic/mongoose (mongoose)
### [`v5.13.20`](https://redirect.github.com/Automattic/mongoose/compare/5.13.19...5.13.20)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.19...5.13.20)
### [`v5.13.19`](https://redirect.github.com/Automattic/mongoose/compare/5.13.18...5.13.19)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.18...5.13.19)
### [`v5.13.18`](https://redirect.github.com/Automattic/mongoose/compare/5.13.17...5.13.18)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.17...5.13.18)
### [`v5.13.17`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.16...5.13.17)
\====================
- fix: backport fix for array filters handling $or and $and [#13195](https://redirect.github.com/Automattic/mongoose/issues/13195) [#13192](https://redirect.github.com/Automattic/mongoose/issues/13192) [#10696](https://redirect.github.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://redirect.github.com/raj-goguardian)
- fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://redirect.github.com/Automattic/mongoose/issues/13138) [#13136](https://redirect.github.com/Automattic/mongoose/issues/13136) [rdeavila94](https://redirect.github.com/rdeavila94)
### [`v5.13.16`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51316--2023-02-20)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.15...5.13.16)
\====================
- fix: make access to process.versions lazy [#12584](https://redirect.github.com/Automattic/mongoose/issues/12584) [maciasello](https://redirect.github.com/maciasello)
- fix(types): add missing type definitions for `bulkSave()` [#12019](https://redirect.github.com/Automattic/mongoose/issues/12019)
- docs: backport documentation URL updates [#12692](https://redirect.github.com/Automattic/mongoose/issues/12692) [hasezoey](https://redirect.github.com/hasezoey)
### [`v5.13.15`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51315--2022-08-22)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.14...5.13.15)
\====================
- fix: backport fix for CVE-2022-2564 [#12281](https://redirect.github.com/Automattic/mongoose/issues/12281) [shubanker](https://redirect.github.com/shubanker)
- docs: fix broken link from findandmodify method deprecation [#11366](https://redirect.github.com/Automattic/mongoose/issues/11366) [laissonsilveira](https://redirect.github.com/laissonsilveira)
### [`v5.13.14`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51314--2021-12-27)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.13...5.13.14)
\====================
- fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt [#11024](https://redirect.github.com/Automattic/mongoose/issues/11024)
- docs(models): fix up nModified example for 5.x [#11055](https://redirect.github.com/Automattic/mongoose/issues/11055)
### [`v5.13.13`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51313--2021-11-02)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.12...5.13.13)
\====================
- fix: upgrade to mongodb@3.7.3 [#10909](https://redirect.github.com/Automattic/mongoose/issues/10909) [gaurav-sharma-gs](https://redirect.github.com/gaurav-sharma-gs)
- fix: correctly emit end event in before close [#10916](https://redirect.github.com/Automattic/mongoose/issues/10916) [iovanom](https://redirect.github.com/iovanom)
- fix(index.d.ts): improve ts types for query set [#10942](https://redirect.github.com/Automattic/mongoose/issues/10942) [jneal-afs](https://redirect.github.com/jneal-afs)
### [`v5.13.12`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51312--2021-10-19)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.11...5.13.12)
\====================
- fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' [#10897](https://redirect.github.com/Automattic/mongoose/issues/10897) [iovanom](https://redirect.github.com/iovanom)
- fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors [#10617](https://redirect.github.com/Automattic/mongoose/issues/10617)
### [`v5.13.11`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51311--2021-10-12)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.10...5.13.11)
\====================
- fix: upgrade mongodb -> 3.7.2 [#10871](https://redirect.github.com/Automattic/mongoose/issues/10871) [winstonralph](https://redirect.github.com/winstonralph)
- fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with `useDb()` [#10732](https://redirect.github.com/Automattic/mongoose/issues/10732)
### [`v5.13.10`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51310--2021-10-05)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.9...5.13.10)
\====================
- fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions [#10674](https://redirect.github.com/Automattic/mongoose/issues/10674)
- fix(index.d.ts): allow AnyObject as param to findOneAndReplace() [#10714](https://redirect.github.com/Automattic/mongoose/issues/10714)
### [`v5.13.9`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5139--2021-09-06)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.8...5.13.9)
\===================
- fix(populate): avoid setting empty array on lean document when populate result is undefined [#10599](https://redirect.github.com/Automattic/mongoose/issues/10599)
- fix(document): make depopulate() handle populated paths underneath document arrays [#10592](https://redirect.github.com/Automattic/mongoose/issues/10592)
- fix: peg [@types/bson](https://redirect.github.com/types/bson) version to 1.x || 4.0.x to avoid stubbed 4.2.x release [#10678](https://redirect.github.com/Automattic/mongoose/issues/10678)
- fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any` [#10647](https://redirect.github.com/Automattic/mongoose/issues/10647)
- fix(index.d.ts): allow specifying weights as an IndexOption [#10586](https://redirect.github.com/Automattic/mongoose/issues/10586)
- fix: upgrade to mpath v0.8.4 re: security issue [#10683](https://redirect.github.com/Automattic/mongoose/issues/10683)
### [`v5.13.8`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5138--2021-08-23)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.7...5.13.8)
\===================
- fix(populate): handle populating subdoc array virtual with sort [#10552](https://redirect.github.com/Automattic/mongoose/issues/10552)
- fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 [#10420](https://redirect.github.com/Automattic/mongoose/issues/10420)
- fix(index.d.ts): correct value of this for custom query helper methods [#10545](https://redirect.github.com/Automattic/mongoose/issues/10545)
- fix(index.d.ts): allow strings for ObjectIds in nested properties [#10573](https://redirect.github.com/Automattic/mongoose/issues/10573)
- fix(index.d.ts): add match to VirtualTypeOptions.options [#8749](https://redirect.github.com/Automattic/mongoose/issues/8749)
- fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions [#10587](https://redirect.github.com/Automattic/mongoose/issues/10587) [osmanakol](https://redirect.github.com/osmanakol)
- docs(api): add Document#$where to API docs [#10583](https://redirect.github.com/Automattic/mongoose/issues/10583)
### [`v5.13.7`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5137--2021-08-11)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/477afdc8aa1297b87e784085133617765a059a4d...5.13.7)
\===================
- perf(index.d.ts): loosen up restrictions on ModelType generic for Schema for a ~50% perf improvement when compiling TypeScript and using intellisense [#10536](https://redirect.github.com/Automattic/mongoose/issues/10536) [#10515](https://redirect.github.com/Automattic/mongoose/issues/10515) [#10349](https://redirect.github.com/Automattic/mongoose/issues/10349)
- fix(index.d.ts): fix broken `Schema#index()` types [#10562](https://redirect.github.com/Automattic/mongoose/issues/10562) [JaredReisinger](https://redirect.github.com/JaredReisinger)
- fix(index.d.ts): allow using SchemaTypeOptions with array of raw document interfaces [#10537](https://redirect.github.com/Automattic/mongoose/issues/10537)
- fix(index.d.ts): define IndexOptions in terms of mongodb.IndexOptions [#10563](https://redirect.github.com/Automattic/mongoose/issues/10563) [JaredReisinger](https://redirect.github.com/JaredReisinger)
- fix(index.d.ts): improve intellisense for DocumentArray `push()` [#10546](https://redirect.github.com/Automattic/mongoose/issues/10546)
- fix(index.d.ts): correct type for expires [#10529](https://redirect.github.com/Automattic/mongoose/issues/10529)
- fix(index.d.ts): add Query#model property to ts bindings [#10531](https://redirect.github.com/Automattic/mongoose/issues/10531)
- refactor(index.d.ts): make callbacks use the new Callback and CallbackWithoutResult types [#10550](https://redirect.github.com/Automattic/mongoose/issues/10550) [thiagokisaki](https://redirect.github.com/thiagokisaki)
### [`v5.13.6`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5136--2021-08-09)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.5...477afdc8aa1297b87e784085133617765a059a4d)
\===================
- fix: upgrade mongodb driver -> 3.6.11 [#10543](https://redirect.github.com/Automattic/mongoose/issues/10543) [maon-fp](https://redirect.github.com/maon-fp)
- fix(schema): throw more helpful error when defining a document array using a schema from a different copy of the Mongoose module [#10453](https://redirect.github.com/Automattic/mongoose/issues/10453)
- fix: add explicit check on constructor property to avoid throwing an error when checking objects with null prototypes [#10512](https://redirect.github.com/Automattic/mongoose/issues/10512)
- fix(cursor): make sure to clear stack every 1000 docs when calling `next()` to avoid stack overflow with large batch size [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449)
- fix(index.d.ts): allow calling new Model(...) with generic Model param [#10526](https://redirect.github.com/Automattic/mongoose/issues/10526)
- fix(index.d.ts): update type declarations of Schema.index method [#10538](https://redirect.github.com/Automattic/mongoose/issues/10538) [#10530](https://redirect.github.com/Automattic/mongoose/issues/10530) [Raader](https://redirect.github.com/Raader)
- fix(index.d.ts): add useNewUrlParser and useUnifiedTopology to ConnectOptions [#10500](https://redirect.github.com/Automattic/mongoose/issues/10500)
- fix(index.d.ts): add missing type for diffIndexes [#10547](https://redirect.github.com/Automattic/mongoose/issues/10547) [bvgusak](https://redirect.github.com/bvgusak)
- fix(index.d.ts): fixed incorrect type definition for Query's .map function [#10544](https://redirect.github.com/Automattic/mongoose/issues/10544) [GCastilho](https://redirect.github.com/GCastilho)
- docs(schema): add more info and examples to Schema#indexes() docs [#10446](https://redirect.github.com/Automattic/mongoose/issues/10446)
- chore: add types property to package.json [#10557](https://redirect.github.com/Automattic/mongoose/issues/10557) [thiagokisaki](https://redirect.github.com/thiagokisaki)
### [`v5.13.5`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5135--2021-07-30)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.4...5.13.5)
\===================
- perf(index.d.ts): improve typescript type checking performance [#10515](https://redirect.github.com/Automattic/mongoose/issues/10515) [andreialecu](https://redirect.github.com/andreialecu)
- fix(index.d.ts): fix debug type in MongooseOptions [#10510](https://redirect.github.com/Automattic/mongoose/issues/10510) [thiagokisaki](https://redirect.github.com/thiagokisaki)
- docs(api): clarify that `depopulate()` with no args depopulates all [#10501](https://redirect.github.com/Automattic/mongoose/issues/10501) [gfrancz](https://redirect.github.com/gfrancz)
### [`v5.13.4`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5134--2021-07-28)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.3...5.13.4)
\===================
- fix: avoid pulling non-schema paths from documents into nested paths [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449)
- fix(update): support overwriting nested map paths [#10485](https://redirect.github.com/Automattic/mongoose/issues/10485)
- fix(update): apply timestamps to subdocs that would be newly created by `$setOnInsert` [#10460](https://redirect.github.com/Automattic/mongoose/issues/10460)
- fix(map): correctly clone subdocs when calling toObject() on a map [#10486](https://redirect.github.com/Automattic/mongoose/issues/10486)
- fix(cursor): cap parallel batchSize for populate at 5000 [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449)
- fix(index.d.ts): improve autocomplete for new Model() by making `doc` an object with correct keys [#10475](https://redirect.github.com/Automattic/mongoose/issues/10475)
- fix(index.d.ts): add MongooseOptions interface [#10471](https://redirect.github.com/Automattic/mongoose/issues/10471) [thiagokisaki](https://redirect.github.com/thiagokisaki)
- fix(index.d.ts): make LeanDocument work with PopulatedDoc [#10494](https://redirect.github.com/Automattic/mongoose/issues/10494)
- docs(mongoose+connection): correct default value for bufferTimeoutMS [#10476](https://redirect.github.com/Automattic/mongoose/issues/10476)
- chore: remove unnecessary 'eslint-disable' comments [#10466](https://redirect.github.com/Automattic/mongoose/issues/10466) [thiagokisaki](https://redirect.github.com/thiagokisaki)
### [`v5.13.3`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5133--2021-07-16)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.2...5.13.3)
\===================
- fix(model): avoid throwing error when bulkSave() called on a document with no changes [#10437](https://redirect.github.com/Automattic/mongoose/issues/10437)
- fix(timestamps): apply timestamps when creating new subdocs with `$addToSet` and with positional operator [#10447](https://redirect.github.com/Automattic/mongoose/issues/10447)
- fix(schema): allow calling Schema#loadClass() with class that has a static getter with no setter [#10436](https://redirect.github.com/Automattic/mongoose/issues/10436)
- fix(model): handle re-applying object defaults after explicitly unsetting [#10442](https://redirect.github.com/Automattic/mongoose/issues/10442) [semirturgay](https://redirect.github.com/semirturgay)
- fix: bump mongodb driver -> 3.6.10 [#10440](https://redirect.github.com/Automattic/mongoose/issues/10440) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
- fix(index.d.ts): consistently use NativeDate instead of Date for Date validators and timestamps functions [#10426](https://redirect.github.com/Automattic/mongoose/issues/10426)
- fix(index.d.ts): allow calling `discriminator()` with non-document [#10452](https://redirect.github.com/Automattic/mongoose/issues/10452) [#10421](https://redirect.github.com/Automattic/mongoose/issues/10421) [DouglasGabr](https://redirect.github.com/DouglasGabr)
- fix(index.d.ts): allow passing ResultType generic to Schema#path() [#10435](https://redirect.github.com/Automattic/mongoose/issues/10435)
### [`v5.13.2`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5132--2021-07-03)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.1...5.13.2)
\===================
- fix: hardcode [@types/node](https://redirect.github.com/types/node) version for now to avoid breaking changes from [DefinitelyTyped/DefinitelyTyped#53669](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/issues/53669) [#10415](https://redirect.github.com/Automattic/mongoose/issues/10415)
- fix(index.d.ts): allow using type: Date with Date paths in SchemaDefinitionType [#10409](https://redirect.github.com/Automattic/mongoose/issues/10409)
- fix(index.d.ts): allow extra VirtualTypeOptions for better plugin support [#10412](https://redirect.github.com/Automattic/mongoose/issues/10412)
- docs(api): add SchemaArray to docs [#10397](https://redirect.github.com/Automattic/mongoose/issues/10397)
- docs(schema+validation): fix broken links [#10396](https://redirect.github.com/Automattic/mongoose/issues/10396)
- docs(transactions): add note about creating a connection to transactions docs [#10406](https://redirect.github.com/Automattic/mongoose/issues/10406)
### [`v5.13.1`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.0...5.13.1)
\====================
- fix: backport fix for array filters handling $or and $and [#13195](https://redirect.github.com/Automattic/mongoose/issues/13195) [#13192](https://redirect.github.com/Automattic/mongoose/issues/13192) [#10696](https://redirect.github.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://redirect.github.com/raj-goguardian)
- fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://redirect.github.com/Automattic/mongoose/issues/13138) [#13136](https://redirect.github.com/Automattic/mongoose/issues/13136) [rdeavila94](https://redirect.github.com/rdeavila94)
### [`v5.13.0`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5130--2021-06-28)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.15...5.13.0)
\===================
- feat(query): add sanitizeProjection option to opt in to automatically sanitizing untrusted query projections [#10243](https://redirect.github.com/Automattic/mongoose/issues/10243)
- feat(model): add `bulkSave()` function that saves multiple docs in 1 `bulkWrite()` [#9727](https://redirect.github.com/Automattic/mongoose/issues/9727) [#9673](https://redirect.github.com/Automattic/mongoose/issues/9673) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
- feat(document): allow passing a list of virtuals or `pathsToSkip` to apply in `toObject()` and `toJSON()` [#10120](https://redirect.github.com/Automattic/mongoose/issues/10120)
- fix(model): make Model.validate use object under validation as context by default [#10360](https://redirect.github.com/Automattic/mongoose/issues/10360) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
- feat(document): add support for pathsToSkip in validate and validateSync [#10375](https://redirect.github.com/Automattic/mongoose/issues/10375) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
- feat(model): add `diffIndexes()` function that calculates what indexes `syncIndexes()` will create/drop without actually executing any changes [#10362](https://redirect.github.com/Automattic/mongoose/issues/10362) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- feat(document): avoid using sessions that have ended, so you can use documents that were loaded in the session after calling `endSession()` [#10306](https://redirect.github.com/Automattic/mongoose/issues/10306)
### [`v5.12.15`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51215--2021-06-25)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.14...5.12.15)
\====================
- fix(index.d.ts): add extra TInstanceMethods generic param to `Schema` for cases when we can't infer from Model [#10358](https://redirect.github.com/Automattic/mongoose/issues/10358)
- fix(index.d.ts): added typings for near() in model aggregation [#10373](https://redirect.github.com/Automattic/mongoose/issues/10373) [tbhaxor](https://redirect.github.com/tbhaxor)
- fix(index.d.ts): correct function signature for `Query#cast()` [#10388](https://redirect.github.com/Automattic/mongoose/issues/10388) [lkho](https://redirect.github.com/lkho)
- docs(transactions): add import statement [#10365](https://redirect.github.com/Automattic/mongoose/issues/10365) [JimLynchCodes](https://redirect.github.com/JimLynchCodes)
- docs(schema): add missing `discriminatorKey` schema option [#10386](https://redirect.github.com/Automattic/mongoose/issues/10386) [#10376](https://redirect.github.com/Automattic/mongoose/issues/10376) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- docs(index.d.ts): fix typo [#10363](https://redirect.github.com/Automattic/mongoose/issues/10363) [houssemchebeb](https://redirect.github.com/houssemchebeb)
### [`v5.12.14`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51214--2021-06-15)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.13...5.12.14)
\====================
- fix(schema): check that schema type is an object when setting isUnderneathDocArray [#10361](https://redirect.github.com/Automattic/mongoose/issues/10361) [vmo-khanus](https://redirect.github.com/vmo-khanus)
- fix(document): avoid infinite recursion when setting single nested subdoc to array [#10351](https://redirect.github.com/Automattic/mongoose/issues/10351)
- fix(populate): allow populating nested path in schema using `Model.populate()` [#10335](https://redirect.github.com/Automattic/mongoose/issues/10335)
- fix(drivers): emit operation-start/operation-end events to allow inspecting when operations start and end
- fix(index.d.ts): improve typings for virtuals [#10350](https://redirect.github.com/Automattic/mongoose/issues/10350) [thiagokisaki](https://redirect.github.com/thiagokisaki)
- fix(index.d.ts): correct constructor type for Document [#10328](https://redirect.github.com/Automattic/mongoose/issues/10328)
- fix(index.d.ts): add `ValidationError` as a possible type for `ValidationError#errors` [#10320](https://redirect.github.com/Automattic/mongoose/issues/10320) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix: remove unnecessary async devDependency that's causing npm audit warnings [#10281](https://redirect.github.com/Automattic/mongoose/issues/10281)
- docs(typescript): add schemas guide [#10308](https://redirect.github.com/Automattic/mongoose/issues/10308)
- docs(model): add options parameter description to `Model.exists()` [#10336](https://redirect.github.com/Automattic/mongoose/issues/10336) [Aminoiz](https://redirect.github.com/Aminoiz)
### [`v5.12.13`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51213--2021-06-04)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.12...5.12.13)
\====================
- perf(document): avoid creating nested paths when running `$getAllSubdocs()` [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275)
- fix: make returnDocument option work with `findOneAndUpdate()` [#10232](https://redirect.github.com/Automattic/mongoose/issues/10232) [#10231](https://redirect.github.com/Automattic/mongoose/issues/10231) [cnwangjie](https://redirect.github.com/cnwangjie)
- fix(document): correctly reset subdocument when resetting a map subdocument underneath a single nested subdoc after save [#10295](https://redirect.github.com/Automattic/mongoose/issues/10295)
- perf(query): avoid setting non-null sessions to avoid overhead from $getAllSubdocs() [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275)
- perf(document): pre split schematype paths when compiling schema to avoid extra overhead of splitting when hydrating documents [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275)
- perf(schema): pre-calculate mapPaths to avoid looping over every path for each path when initing doc [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275)
- fix(index.d.ts): drill down into nested arrays when creating LeanDocument type [#10293](https://redirect.github.com/Automattic/mongoose/issues/10293)
### [`v5.12.12`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51212--2021-05-28)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.11...5.12.12)
\====================
- fix(documentarray): retain atomics when setting to a new array [#10272](https://redirect.github.com/Automattic/mongoose/issues/10272)
- fix(query+model): fix deprecation warning for `returnOriginal` with `findOneAndUpdate()` [#10298](https://redirect.github.com/Automattic/mongoose/issues/10298) [#10297](https://redirect.github.com/Automattic/mongoose/issues/10297) [#10292](https://redirect.github.com/Automattic/mongoose/issues/10292) [#10285](https://redirect.github.com/Automattic/mongoose/issues/10285) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(index.d.ts): make `map()` result an array if used over an array [#10288](https://redirect.github.com/Automattic/mongoose/issues/10288) [quantumsheep](https://redirect.github.com/quantumsheep)
### [`v5.12.11`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51211--2021-05-24)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.10...5.12.11)
\====================
- fix(populate): skip applying setters when casting arrays for populate() to avoid issues with arrays of immutable elements [#10264](https://redirect.github.com/Automattic/mongoose/issues/10264)
- perf(schematype): avoid cloning setters every time we run setters [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588)
- perf(get): add benchmarks and extra cases to speed up get() [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588)
- perf(array): improve array constructor performance on small arrays to improve nested array perf [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588)
- fix(index.d.ts): allow using type: \[String] with string\[] when using SchemaDefinition with generic [#10261](https://redirect.github.com/Automattic/mongoose/issues/10261)
- fix(index.d.ts): support ReadonlyArray as well as regular array where possible in schema definitions [#10260](https://redirect.github.com/Automattic/mongoose/issues/10260)
- docs(connection): document noListener option to useDb [#10278](https://redirect.github.com/Automattic/mongoose/issues/10278) [stuartpb](https://redirect.github.com/stuartpb)
- docs: migrate raw tutorial content from pug / JS to markdown [#10271](https://redirect.github.com/Automattic/mongoose/issues/10271)
- docs: fix typo [#10269](https://redirect.github.com/Automattic/mongoose/issues/10269) [sanjib](https://redirect.github.com/sanjib)
### [`v5.12.10`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51210--2021-05-18)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.9...5.12.10)
\====================
- fix(query): allow setting `defaults` option on result documents from query options [#7287](https://redirect.github.com/Automattic/mongoose/issues/7287) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(populate): handle populating embedded discriminator with custom tiedValue [#10231](https://redirect.github.com/Automattic/mongoose/issues/10231)
- fix(document): allow passing space-delimited string of `pathsToValidate` to `validate()` and `validateSync()` [#10258](https://redirect.github.com/Automattic/mongoose/issues/10258)
- fix(model+schema): support `loadClass()` on classes that have `collection` as a static property [#10257](https://redirect.github.com/Automattic/mongoose/issues/10257) [#10254](https://redirect.github.com/Automattic/mongoose/issues/10254) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(SchemaArrayOptions): correct property name [#10236](https://redirect.github.com/Automattic/mongoose/issues/10236)
- fix(index.d.ts): add any to all query operators to minimize likelihood of "type instantiation is excessively deep" when querying docs with 4-level deep subdocs [#10189](https://redirect.github.com/Automattic/mongoose/issues/10189)
- fix(index.d.ts): add $parent() in addition to parent() in TS definitions
- fix(index.d.ts): correct async iterator return type for QueryCursor [#10253](https://redirect.github.com/Automattic/mongoose/issues/10253) [#10252](https://redirect.github.com/Automattic/mongoose/issues/10252) [#10251](https://redirect.github.com/Automattic/mongoose/issues/10251) [borfig](https://redirect.github.com/borfig)
- fix(index.d.ts): add `virtualsOnly` parameter to `loadClass()` function signature [IslandRhythms](https://redirect.github.com/IslandRhythms)
- docs(typescript): add typescript populate docs [#10212](https://redirect.github.com/Automattic/mongoose/issues/10212)
- docs: switch from AWS to Azure Functions for search [#10244](https://redirect.github.com/Automattic/mongoose/issues/10244)
### [`v5.12.9`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5129--2021-05-13)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.8...5.12.9)
\===================
- fix(schema): ensure add() overwrites existing schema paths by default [#10208](https://redirect.github.com/Automattic/mongoose/issues/10208) [#10203](https://redirect.github.com/Automattic/mongoose/issues/10203)
- fix(schema): support creating nested paths underneath document arrays [#10193](https://redirect.github.com/Automattic/mongoose/issues/10193)
- fix(update): convert nested dotted paths in update to nested paths to avoid ending up with dotted properties in update [#10200](https://redirect.github.com/Automattic/mongoose/issues/10200)
- fix(document): allow calling validate() and validateSync() with `options` as first parameter [#10216](https://redirect.github.com/Automattic/mongoose/issues/10216)
- fix(schema): apply static properties to model when using loadClass() [#10206](https://redirect.github.com/Automattic/mongoose/issues/10206)
- fix(index.d.ts): allow returning Promise from middleware functions [#10229](https://redirect.github.com/Automattic/mongoose/issues/10229)
- fix(index.d.ts): add pre('distinct') hooks to TypeScript [#10192](https://redirect.github.com/Automattic/mongoose/issues/10192)
### [`v5.12.8`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5128--2021-05-10)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.7...5.12.8)
\===================
- fix(populate): handle populating immutable array paths [#10159](https://redirect.github.com/Automattic/mongoose/issues/10159)
- fix(CastError): add `toJSON()` function to ensure `name` property always ends up in `JSON.stringify()` output [#10166](https://redirect.github.com/Automattic/mongoose/issues/10166) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(query): add allowDiskUse() method to improve setting MongoDB 4.4's new `allowDiskUse` option [#10177](https://redirect.github.com/Automattic/mongoose/issues/10177)
- fix(populate): allow populating paths under mixed schematypes where some documents have non-object properties [#10191](https://redirect.github.com/Automattic/mongoose/issues/10191)
- chore: remove unnecessary driver dynamic imports so Mongoose can work with Parcel [#9603](https://redirect.github.com/Automattic/mongoose/issues/9603)
- fix(index.d.ts): allow any object as parameter to create() and `insertMany()` [#10144](https://redirect.github.com/Automattic/mongoose/issues/10144)
- fix(index.d.ts): allow creating Model class with raw interface, no `extends Document` [#10144](https://redirect.github.com/Automattic/mongoose/issues/10144)
- fix(index.d.ts): separate UpdateQuery from `UpdateWithAggregationPipeline` for cases when `UpdateQuery` is used as a function param [#10186](https://redirect.github.com/Automattic/mongoose/issues/10186)
- fix(index.d.ts): don't require error value in pre/post hooks [#10213](https://redirect.github.com/Automattic/mongoose/issues/10213) [michaln-q](https://redirect.github.com/michaln-q)
- docs(typescript): add a typescript intro tutorial and statics tutorial [#10021](https://redirect.github.com/Automattic/mongoose/issues/10021)
- docs(typescript): add query helpers tutorial [#10021](https://redirect.github.com/Automattic/mongoose/issues/10021)
- docs(deprecations): add note that you can safely ignore `useFindAndModify` and `useCreateIndex` deprecation warnings [#10155](https://redirect.github.com/Automattic/mongoose/issues/10155)
- chore(workflows): add node 16 to github actions [#10201](https://redirect.github.com/Automattic/mongoose/issues/10201) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
### [`v5.12.7`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5127--2021-04-29)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.6...5.12.7)
\===================
- fix(document): make $getPopulatedDocs() return populated virtuals [#10148](https://redirect.github.com/Automattic/mongoose/issues/10148)
- fix(discriminator): take discriminator schema's single nested paths over base schema's [#10157](https://redirect.github.com/Automattic/mongoose/issues/10157)
- fix(discriminator): allow numbers and ObjectIds as tied values for discriminators [#10130](https://redirect.github.com/Automattic/mongoose/issues/10130)
- fix(document): avoid double validating paths underneath mixed objects in save() [#10141](https://redirect.github.com/Automattic/mongoose/issues/10141)
- fix(schema): allow path() to return single nested paths within document arrays [#10164](https://redirect.github.com/Automattic/mongoose/issues/10164)
- fix(model+query): consistently wrap query callbacks in `process.nextTick()` to avoid clean stack traces causing memory leak when using synchronous recursion like `async.whilst()` [#9864](https://redirect.github.com/Automattic/mongoose/issues/9864)
- fix(cursor): correctly report CastError when using noCursorTimeout flag [#10150](https://redirect.github.com/Automattic/mongoose/issues/10150)
- fix(index.d.ts): add CastError constructor [#10176](https://redirect.github.com/Automattic/mongoose/issues/10176)
- fix(index.d.ts): allow setting mongoose.pluralize(null) in TypeScript [#10185](https://redirect.github.com/Automattic/mongoose/issues/10185)
- docs: add link to transactions guide from nav bar [#10143](https://redirect.github.com/Automattic/mongoose/issues/10143)
- docs(validation): add section about custom error messages [#10140](https://redirect.github.com/Automattic/mongoose/issues/10140)
- docs: make headers linkable via clicking [#10156](https://redirect.github.com/Automattic/mongoose/issues/10156)
- docs: broken link in document.js [#10190](https://redirect.github.com/Automattic/mongoose/issues/10190) [joostdecock](https://redirect.github.com/joostdecock)
- docs: make navbar responsive on legacy 2.x docs [#10171](https://redirect.github.com/Automattic/mongoose/issues/10171) [ad99526](https://redirect.github.com/ad99526)
### [`v5.12.6`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5126--2021-04-27)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.5...5.12.6)
\===================
- fix(query): allow setting `writeConcern` schema option to work around MongoDB driver's `writeConcern` deprecation warning [#10083](https://redirect.github.com/Automattic/mongoose/issues/10083) [#10009](https://redirect.github.com/Automattic/mongoose/issues/10009) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(populate): dedupe when virtual populate foreignField is an array to avoid duplicate docs in result [#10117](https://redirect.github.com/Automattic/mongoose/issues/10117)
- fix(populate): add `localField` filter to `$elemMatch` on virtual populate when custom `match` has a `$elemMatch` and `foreignField` is an array [#10117](https://redirect.github.com/Automattic/mongoose/issues/10117)
- fix(query): convert projection string values to numbers as a workaround for [#10142](https://redirect.github.com/Automattic/mongoose/issues/10142)
- fix(document): set version key filter on `save()` when using `optimisticConcurrency` if no changes in document [#10128](https://redirect.github.com/Automattic/mongoose/issues/10128) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(model): use `obj` as `context` in `Model.validate()` if `obj` is a document [#10132](https://redirect.github.com/Automattic/mongoose/issues/10132)
- fix(connection): avoid db events deprecation warning when using `useDb()` with `useUnifiedTopology` [#8267](https://redirect.github.com/Automattic/mongoose/issues/8267)
- fix: upgrade to sift@13.5.2 to work around transitive dev dependency security warning [#10121](https://redirect.github.com/Automattic/mongoose/issues/10121)
- fix(index.d.ts): allow any object as parameter to `create()` and `insertMany()` [#10144](https://redirect.github.com/Automattic/mongoose/issues/10144)
- fix(index.d.ts): clarify that `eachAsync()` callback receives a single doc rather than array of docs unless `batchSize` is set [#10135](https://redirect.github.com/Automattic/mongoose/issues/10135)
- fix(index.d.ts): clarify that return value from `validateSync()` is a ValidationError [#10147](https://redirect.github.com/Automattic/mongoose/issues/10147) [michaln-q](https://redirect.github.com/michaln-q)
- fix(index.d.ts): add generic type for Model constructor [#10074](https://redirect.github.com/Automattic/mongoose/issues/10074) [Duchynko](https://redirect.github.com/Duchynko)
- fix(index.d.ts): add parameter type in merge [#10168](https://redirect.github.com/Automattic/mongoose/issues/10168) [yoonhoGo](https://redirect.github.com/yoonhoGo)
### [`v5.12.5`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5125--2021-04-19)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.4...5.12.5)
\===================
- fix(populate): handle populating underneath document array when document array property doesn't exist in db [#10003](https://redirect.github.com/Automattic/mongoose/issues/10003)
- fix(populate): clear out dangling pointers to populated docs so query cursor with populate() can garbage collect populated subdocs [#9864](https://redirect.github.com/Automattic/mongoose/issues/9864)
- fix(connection): pull correct `autoCreate` value from Mongoose global when creating new model before calling `connect()` [#10091](https://redirect.github.com/Automattic/mongoose/issues/10091)
- fix(populate): handle populating paths on documents with discriminator keys that point to non-existent discriminators [#10082](https://redirect.github.com/Automattic/mongoose/issues/10082)
- fix(index.d.ts): allow numbers as discriminator names [#10115](https://redirect.github.com/Automattic/mongoose/issues/10115)
- fix(index.d.ts): allow `type: Boolean` in Schema definitions [#10085](https://redirect.github.com/Automattic/mongoose/issues/10085)
- fix(index.d.ts): allow passing array of aggregation pipeline stages to `updateOne()` and `updateMany()` [#10095](https://redirect.github.com/Automattic/mongoose/issues/10095)
- fix(index.d.ts): support legacy 2nd param callback syntax for `deleteOne()`, `deleteMany()` [#10122](https://redirect.github.com/Automattic/mongoose/issues/10122)
- docs(mongoose): make `useCreateIndex` always `false` in docs [#10033](https://redirect.github.com/Automattic/mongoose/issues/10033)
- docs(schema): fix incorrect links from schema API docs [#10111](https://redirect.github.com/Automattic/mongoose/issues/10111)
### [`v5.12.4`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5124--2021-04-15)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.3...5.12.4)
\===================
- fix: upgrade mongodb driver -> 3.6.6 [#10079](https://redirect.github.com/Automattic/mongoose/issues/10079)
- fix: store fields set with select:false at schema-level when saving a new document [#10101](https://redirect.github.com/Automattic/mongoose/issues/10101) [ptantiku](https://redirect.github.com/ptantiku)
- fix(populate): avoid turning already populated field to null when populating an existing lean document [#10068](https://redirect.github.com/Automattic/mongoose/issues/10068) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(populate): correctly populate lean subdocs with `_id` property [#10069](https://redirect.github.com/Automattic/mongoose/issues/10069)
- fix(model): insertedDocs may contain docs that weren't inserted [#10098](https://redirect.github.com/Automattic/mongoose/issues/10098) [olnazx](https://redirect.github.com/olnazx)
- fix(schemaType): make type Mixed cast error objects to pojos [#10131](https://redirect.github.com/Automattic/mongoose/issues/10131) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez)
- fix(populate): support populating embedded discriminators in nested arrays [#9984](https://redirect.github.com/Automattic/mongoose/issues/9984)
- fix(populate): handle populating map paths using trailing `.$*` [#10123](https://redirect.github.com/Automattic/mongoose/issues/10123)
- fix(populate): allow returning primitive from `transform()` function for single conventional populate [#10064](https://redirect.github.com/Automattic/mongoose/issues/10064)
- fix(index.d.ts): allow generic classes of `T` to use `T & Document` internally [#10046](https://redirect.github.com/Automattic/mongoose/issues/10046)
- fix(index.d.ts): allow `$pull` with `$` paths [#10075](https://redirect.github.com/Automattic/mongoose/issues/10075)
- fix(index.d.ts): use correct `Date` type for `$currentDate` [#10058](https://redirect.github.com/Automattic/mongoose/issues/10058)
- fix(index.d.ts): add missing asyncInterator to Query type def [#10094](https://redirect.github.com/Automattic/mongoose/issues/10094) [borfig](https://redirect.github.com/borfig)
- fix(index.d.ts): allow RHS of `$unset` properties to be any value [#10066](https://redirect.github.com/Automattic/mongoose/issues/10066)
- fix(index.d.ts): allow setting SchemaType `index` property to a string [#10077](https://redirect.github.com/Automattic/mongoose/issues/10077)
- refactor(index.d.ts): move discriminator() to common interface [#10109](https://redirect.github.com/Automattic/mongoose/issues/10109) [LoneRifle](https://redirect.github.com/LoneRifle)
### [`v5.12.3`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5123--2021-03-31)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.2...5.12.3)
\===================
- fix: avoid setting schema-level collation on text indexes [#10044](https://redirect.github.com/Automattic/mongoose/issues/10044) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(query): add `writeConcern()` method to avoid writeConcern deprecation warning [#10009](https://redirect.github.com/Automattic/mongoose/issues/10009)
- fix(connection): use queueing instead of event emitter for `createCollection()` and other helpers to avoid event emitter warning [#9778](https://redirect.github.com/Automattic/mongoose/issues/9778)
- fix(connection): scope `Connection#id` to Mongoose instance so id always lines up with `mongoose.connections` index [#10025](https://redirect.github.com/Automattic/mongoose/issues/10025) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix: avoid throwing in `promiseOrCallback()` if 3rd param isn't an EventEmitter [#10055](https://redirect.github.com/Automattic/mongoose/issues/10055) [emrebass](https://redirect.github.com/emrebass)
- fix(index.d.ts): add Model as 2nd generic param to `Model.discriminator()` [#10054](https://redirect.github.com/Automattic/mongoose/issues/10054) [coro101](https://redirect.github.com/coro101)
- fix(index.d.ts): add docs to `next()` callback for `pre('insertMany')` hooks [#10078](https://redirect.github.com/Automattic/mongoose/issues/10078) [#10072](https://redirect.github.com/Automattic/mongoose/issues/10072) [pezzu](https://redirect.github.com/pezzu)
- fix(index.d.ts): add `transform` to PopulateOptions interface [#10061](https://redirect.github.com/Automattic/mongoose/issues/10061)
- fix(index.d.ts): add DocumentQuery type for backwards compatibility [#10036](https://redirect.github.com/Automattic/mongoose/issues/10036)
### [`v5.12.2`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5122--2021-03-22)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.1...5.12.2)
\===================
- fix(QueryCursor): consistently execute `post('find')` hooks with an array of docs [#10015](https://redirect.github.com/Automattic/mongoose/issues/10015) [#9982](https://redirect.github.com/Automattic/mongoose/issues/9982) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- fix(schema): support setting `ref` as an option on an array SchemaType [#10029](https://redirect.github.com/Automattic/mongoose/issues/10029)
- fix(query): apply schema-level `select` option from array schematypes [#10029](https://redirect.github.com/Automattic/mongoose/issues/10029)
- fix(schema): avoid possible prototype pollution with `Schema()` constructor [#10035](https://redirect.github.com/Automattic/mongoose/issues/10035) [zpbrent](https://redirect.github.com/zpbrent)
- fix(model): make bulkWrite skip timestamps with timestamps: false [#10050](https://redirect.github.com/Automattic/mongoose/issues/10050) [SoftwareSing](https://redirect.github.com/SoftwareSing)
- fix(index.d.ts): make query methods return `QueryWithHelpers` so query helpers pass through chaining [#10040](https://redirect.github.com/Automattic/mongoose/issues/10040)
- fix(index.d.ts): add `upserted` array to `updateOne()`, `updateMany()`, `update()` result [#10042](https://redirect.github.com/Automattic/mongoose/issues/10042)
- fix(index.d.ts): add back `Aggregate#project()` types that were mistakenly removed in 5.12.0 [#10043](https://redirect.github.com/Automattic/mongoose/issues/10043)
- fix(index.d.ts): always allow setting `type` in Schema to a SchemaType class or a Schema instance [#10030](https://redirect.github.com/Automattic/mongoose/issues/10030)
- docs(transactions): introduce `session.withTransaction()` before `session.startTransaction()` because `withTransaction()` is the recommended approach [#10008](https://redirect.github.com/Automattic/mongoose/issues/10008)
- docs(mongoose+browser): fix broken links to info about `mongoose.Types` [#10016](https://redirect.github.com/Automattic/mongoose/issues/10016)
### [`v5.12.1`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51215--2021-06-25)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.0...5.12.1)
\====================
- fix(index.d.ts): add extra TInstanceMethods generic param to `Schema` for cases when we can't infer from Model [#10358](https://redirect.github.com/Automattic/mongoose/issues/10358)
- fix(index.d.ts): added typings for near() in model aggregation [#10373](https://redirect.github.com/Automattic/mongoose/issues/10373) [tbhaxor](https://redirect.github.com/tbhaxor)
- fix(index.d.ts): correct function signature for `Query#cast()` [#10388](https://redirect.github.com/Automattic/mongoose/issues/10388) [lkho](https://redirect.github.com/lkho)
- docs(transactions): add import statement [#10365](https://redirect.github.com/Automattic/mongoose/issues/10365) [JimLynchCodes](https://redirect.github.com/JimLynchCodes)
- docs(schema): add missing `discriminatorKey` schema option [#10386](https://redirect.github.com/Automattic/mongoose/issues/10386) [#10376](https://redirect.github.com/Automattic/mongoose/issues/10376) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- docs(index.d.ts): fix typo [#10363](https://redirect.github.com/Automattic/mongoose/issues/10363) [houssemchebeb](https://redirect.github.com/houssemchebeb)
### [`v5.12.0`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5120--2021-03-11)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.11.20...5.12.0)
\===================
- feat(populate): add `transform` option that Mongoose will call on every populated doc [#3775](https://redirect.github.com/Automattic/mongoose/issues/3775)
- feat(query): make `Query#pre()` and `Query#post()` public [#9784](https://redirect.github.com/Automattic/mongoose/issues/9784)
- feat(document): add `Document#getPopulatedDocs()` to return an array of all populated documents in a document [#9702](https://redirect.github.com/Automattic/mongoose/issues/9702) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- feat(document): add `Document#getAllSubdocs()` to return an array of all single nested and array subdocuments [#9764](https://redirect.github.com/Automattic/mongoose/issues/9764) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- feat(schema): allow `schema` as a schema path name [#8798](https://redirect.github.com/Automattic/mongoose/issues/8798) [IslandRhythms](https://redirect.github.com/IslandRhythms)
- feat(QueryCursor): Add batch processing for eachAsync [#9902](https://redirect.github.com/Automattic/mongoose/issues/9902) [khaledosama999](https://redirect.github.com/khaledosama999)
- feat(connection): add `noListener` option to help with use cases where you're using `useDb()` on every request [#9961](https://redirect.github.com/Automattic/mongoose/issues/9961)
- feat(index): emit 'createConnection' event when user calls `mongoose.createConnection()` [#9985](https://redirect.github.com/Automattic/mongoose/issues/9985)
- feat(connection+index): emit 'model' and 'deleteModel' events on connections when creating and deleting models [#9983](https://redirect.github.com/Automattic/mongoose/issues/9983)
- feat(query): allow passing `explain` option to `Model.exists()` [#8098](https://redirect.github.com/Automattic/mongoose/issues/8098) [IslandRhythms](https://redirect.github.com/IslandRhythms)
### [`v5.11.20`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51120--2021-03-11)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.11.19...5.11.20)
\====================
- fix(query+populate): avoid unnecessarily projecting in subpath when populating a path that uses an elemMatch projection [#9973](https://redirect.github.com/Automattic/mongoose/issues/9973)
- fix(connection): avoid `db` events deprecation warning with 'close' events [#10004](https://redirect.github.com/Automattic/mongoose/issues/10004) [#9930](https://redirect.github.com/Automattic/mongoose/issues/9930)
- fix(index.d.ts): make `$pull` more permissive to allow dotted paths [#9993](https://redirect.github.com/Automattic/mongoose/issues/9993)
### [`v5.11.19`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51119--2021-03-05)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.11.18...5.11.19)
\====================
- fix(document): skip validating array elements that aren't modified when `validateModifiedOnly` is set [#9963](https://redirect.github.com/Automattic/mongoose/issues/9963)
- fix(timestamps): apply timestamps on `findOneAndReplace()` [#9951](https://redirect.github.com/Automattic/mongoose/issues/9951)
- fix(schema): correctly handle trailing array filters when looking up schema paths [#9977](https://redirect.github.com/Automattic/mongoose/issues/9977)
- fix(schema): load child class getter for virtuals instead of base class when using `loadClass()` [#9975](https://redirect.github.com/Automattic/mongoose/issues/9975)
- fix(index.d.ts): allow creating statics without passing generics to `Schema` constructor [#9969](https://redirect.github.com/Automattic/mongoose/issues/9969)
- fix(index.d.ts): add QueryHelpers generic to schema and model, make all query methods instead return QueryWithHelpers [#9850](https://redirect.github.com/Automattic/mongoose/issues/9850)
- fix(index.d.ts): support setting `type` to an array of schemas when using SchemaDefinitionType [#9962](https://redirect.github.com/Automattic/mongoose/issues/9962)
- fix(index.d.ts): add generic to plugin schema definition [#9968](https://redirect.github.com/Automattic/mongoose/issues/9968) [emiljanitzek](https://redirect.github.com/emiljanitzek)
- docs: small typo fix [#9964](https://redirect.github.com/Automattic/mongoose/issues/9964) [KrishnaMoorthy12](https://redirect.github.com/KrishnaMoorthy12)
### [`v5.11.18`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51118--2021-02-23)
[Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.11.17...5.11.18)
\====================
- fix(connection): set connection state to `disconnected` if connecting string failed to parse [#9921](https://redirect.github.com/Automattic/mongoose/issues/9921)
- fix(connec
Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
5.6.7
->5.13.20
GitHub Vulnerability Alerts
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a
_bsontype
attribute is ignored. For example, adding"_bsontype":"a"
can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).CVE-2022-2564
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()
function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.CVE-2023-3696
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
CVE-2022-24304
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()
function is vulnerable to prototype pollution when setting theschema
object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Proof of Concept
Impact
This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.
Release Notes
Automattic/mongoose (mongoose)
### [`v5.13.20`](https://redirect.github.com/Automattic/mongoose/compare/5.13.19...5.13.20) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.19...5.13.20) ### [`v5.13.19`](https://redirect.github.com/Automattic/mongoose/compare/5.13.18...5.13.19) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.18...5.13.19) ### [`v5.13.18`](https://redirect.github.com/Automattic/mongoose/compare/5.13.17...5.13.18) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.17...5.13.18) ### [`v5.13.17`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.16...5.13.17) \==================== - fix: backport fix for array filters handling $or and $and [#13195](https://redirect.github.com/Automattic/mongoose/issues/13195) [#13192](https://redirect.github.com/Automattic/mongoose/issues/13192) [#10696](https://redirect.github.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://redirect.github.com/raj-goguardian) - fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://redirect.github.com/Automattic/mongoose/issues/13138) [#13136](https://redirect.github.com/Automattic/mongoose/issues/13136) [rdeavila94](https://redirect.github.com/rdeavila94) ### [`v5.13.16`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51316--2023-02-20) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.15...5.13.16) \==================== - fix: make access to process.versions lazy [#12584](https://redirect.github.com/Automattic/mongoose/issues/12584) [maciasello](https://redirect.github.com/maciasello) - fix(types): add missing type definitions for `bulkSave()` [#12019](https://redirect.github.com/Automattic/mongoose/issues/12019) - docs: backport documentation URL updates [#12692](https://redirect.github.com/Automattic/mongoose/issues/12692) [hasezoey](https://redirect.github.com/hasezoey) ### [`v5.13.15`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51315--2022-08-22) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.14...5.13.15) \==================== - fix: backport fix for CVE-2022-2564 [#12281](https://redirect.github.com/Automattic/mongoose/issues/12281) [shubanker](https://redirect.github.com/shubanker) - docs: fix broken link from findandmodify method deprecation [#11366](https://redirect.github.com/Automattic/mongoose/issues/11366) [laissonsilveira](https://redirect.github.com/laissonsilveira) ### [`v5.13.14`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51314--2021-12-27) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.13...5.13.14) \==================== - fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt [#11024](https://redirect.github.com/Automattic/mongoose/issues/11024) - docs(models): fix up nModified example for 5.x [#11055](https://redirect.github.com/Automattic/mongoose/issues/11055) ### [`v5.13.13`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51313--2021-11-02) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.12...5.13.13) \==================== - fix: upgrade to mongodb@3.7.3 [#10909](https://redirect.github.com/Automattic/mongoose/issues/10909) [gaurav-sharma-gs](https://redirect.github.com/gaurav-sharma-gs) - fix: correctly emit end event in before close [#10916](https://redirect.github.com/Automattic/mongoose/issues/10916) [iovanom](https://redirect.github.com/iovanom) - fix(index.d.ts): improve ts types for query set [#10942](https://redirect.github.com/Automattic/mongoose/issues/10942) [jneal-afs](https://redirect.github.com/jneal-afs) ### [`v5.13.12`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51312--2021-10-19) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.11...5.13.12) \==================== - fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' [#10897](https://redirect.github.com/Automattic/mongoose/issues/10897) [iovanom](https://redirect.github.com/iovanom) - fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors [#10617](https://redirect.github.com/Automattic/mongoose/issues/10617) ### [`v5.13.11`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51311--2021-10-12) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.10...5.13.11) \==================== - fix: upgrade mongodb -> 3.7.2 [#10871](https://redirect.github.com/Automattic/mongoose/issues/10871) [winstonralph](https://redirect.github.com/winstonralph) - fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with `useDb()` [#10732](https://redirect.github.com/Automattic/mongoose/issues/10732) ### [`v5.13.10`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51310--2021-10-05) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.9...5.13.10) \==================== - fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions [#10674](https://redirect.github.com/Automattic/mongoose/issues/10674) - fix(index.d.ts): allow AnyObject as param to findOneAndReplace() [#10714](https://redirect.github.com/Automattic/mongoose/issues/10714) ### [`v5.13.9`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5139--2021-09-06) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.8...5.13.9) \=================== - fix(populate): avoid setting empty array on lean document when populate result is undefined [#10599](https://redirect.github.com/Automattic/mongoose/issues/10599) - fix(document): make depopulate() handle populated paths underneath document arrays [#10592](https://redirect.github.com/Automattic/mongoose/issues/10592) - fix: peg [@types/bson](https://redirect.github.com/types/bson) version to 1.x || 4.0.x to avoid stubbed 4.2.x release [#10678](https://redirect.github.com/Automattic/mongoose/issues/10678) - fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any` [#10647](https://redirect.github.com/Automattic/mongoose/issues/10647) - fix(index.d.ts): allow specifying weights as an IndexOption [#10586](https://redirect.github.com/Automattic/mongoose/issues/10586) - fix: upgrade to mpath v0.8.4 re: security issue [#10683](https://redirect.github.com/Automattic/mongoose/issues/10683) ### [`v5.13.8`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5138--2021-08-23) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.7...5.13.8) \=================== - fix(populate): handle populating subdoc array virtual with sort [#10552](https://redirect.github.com/Automattic/mongoose/issues/10552) - fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 [#10420](https://redirect.github.com/Automattic/mongoose/issues/10420) - fix(index.d.ts): correct value of this for custom query helper methods [#10545](https://redirect.github.com/Automattic/mongoose/issues/10545) - fix(index.d.ts): allow strings for ObjectIds in nested properties [#10573](https://redirect.github.com/Automattic/mongoose/issues/10573) - fix(index.d.ts): add match to VirtualTypeOptions.options [#8749](https://redirect.github.com/Automattic/mongoose/issues/8749) - fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions [#10587](https://redirect.github.com/Automattic/mongoose/issues/10587) [osmanakol](https://redirect.github.com/osmanakol) - docs(api): add Document#$where to API docs [#10583](https://redirect.github.com/Automattic/mongoose/issues/10583) ### [`v5.13.7`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5137--2021-08-11) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/477afdc8aa1297b87e784085133617765a059a4d...5.13.7) \=================== - perf(index.d.ts): loosen up restrictions on ModelType generic for Schema for a ~50% perf improvement when compiling TypeScript and using intellisense [#10536](https://redirect.github.com/Automattic/mongoose/issues/10536) [#10515](https://redirect.github.com/Automattic/mongoose/issues/10515) [#10349](https://redirect.github.com/Automattic/mongoose/issues/10349) - fix(index.d.ts): fix broken `Schema#index()` types [#10562](https://redirect.github.com/Automattic/mongoose/issues/10562) [JaredReisinger](https://redirect.github.com/JaredReisinger) - fix(index.d.ts): allow using SchemaTypeOptions with array of raw document interfaces [#10537](https://redirect.github.com/Automattic/mongoose/issues/10537) - fix(index.d.ts): define IndexOptions in terms of mongodb.IndexOptions [#10563](https://redirect.github.com/Automattic/mongoose/issues/10563) [JaredReisinger](https://redirect.github.com/JaredReisinger) - fix(index.d.ts): improve intellisense for DocumentArray `push()` [#10546](https://redirect.github.com/Automattic/mongoose/issues/10546) - fix(index.d.ts): correct type for expires [#10529](https://redirect.github.com/Automattic/mongoose/issues/10529) - fix(index.d.ts): add Query#model property to ts bindings [#10531](https://redirect.github.com/Automattic/mongoose/issues/10531) - refactor(index.d.ts): make callbacks use the new Callback and CallbackWithoutResult types [#10550](https://redirect.github.com/Automattic/mongoose/issues/10550) [thiagokisaki](https://redirect.github.com/thiagokisaki) ### [`v5.13.6`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5136--2021-08-09) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.5...477afdc8aa1297b87e784085133617765a059a4d) \=================== - fix: upgrade mongodb driver -> 3.6.11 [#10543](https://redirect.github.com/Automattic/mongoose/issues/10543) [maon-fp](https://redirect.github.com/maon-fp) - fix(schema): throw more helpful error when defining a document array using a schema from a different copy of the Mongoose module [#10453](https://redirect.github.com/Automattic/mongoose/issues/10453) - fix: add explicit check on constructor property to avoid throwing an error when checking objects with null prototypes [#10512](https://redirect.github.com/Automattic/mongoose/issues/10512) - fix(cursor): make sure to clear stack every 1000 docs when calling `next()` to avoid stack overflow with large batch size [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449) - fix(index.d.ts): allow calling new Model(...) with generic Model param [#10526](https://redirect.github.com/Automattic/mongoose/issues/10526) - fix(index.d.ts): update type declarations of Schema.index method [#10538](https://redirect.github.com/Automattic/mongoose/issues/10538) [#10530](https://redirect.github.com/Automattic/mongoose/issues/10530) [Raader](https://redirect.github.com/Raader) - fix(index.d.ts): add useNewUrlParser and useUnifiedTopology to ConnectOptions [#10500](https://redirect.github.com/Automattic/mongoose/issues/10500) - fix(index.d.ts): add missing type for diffIndexes [#10547](https://redirect.github.com/Automattic/mongoose/issues/10547) [bvgusak](https://redirect.github.com/bvgusak) - fix(index.d.ts): fixed incorrect type definition for Query's .map function [#10544](https://redirect.github.com/Automattic/mongoose/issues/10544) [GCastilho](https://redirect.github.com/GCastilho) - docs(schema): add more info and examples to Schema#indexes() docs [#10446](https://redirect.github.com/Automattic/mongoose/issues/10446) - chore: add types property to package.json [#10557](https://redirect.github.com/Automattic/mongoose/issues/10557) [thiagokisaki](https://redirect.github.com/thiagokisaki) ### [`v5.13.5`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5135--2021-07-30) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.4...5.13.5) \=================== - perf(index.d.ts): improve typescript type checking performance [#10515](https://redirect.github.com/Automattic/mongoose/issues/10515) [andreialecu](https://redirect.github.com/andreialecu) - fix(index.d.ts): fix debug type in MongooseOptions [#10510](https://redirect.github.com/Automattic/mongoose/issues/10510) [thiagokisaki](https://redirect.github.com/thiagokisaki) - docs(api): clarify that `depopulate()` with no args depopulates all [#10501](https://redirect.github.com/Automattic/mongoose/issues/10501) [gfrancz](https://redirect.github.com/gfrancz) ### [`v5.13.4`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5134--2021-07-28) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.3...5.13.4) \=================== - fix: avoid pulling non-schema paths from documents into nested paths [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449) - fix(update): support overwriting nested map paths [#10485](https://redirect.github.com/Automattic/mongoose/issues/10485) - fix(update): apply timestamps to subdocs that would be newly created by `$setOnInsert` [#10460](https://redirect.github.com/Automattic/mongoose/issues/10460) - fix(map): correctly clone subdocs when calling toObject() on a map [#10486](https://redirect.github.com/Automattic/mongoose/issues/10486) - fix(cursor): cap parallel batchSize for populate at 5000 [#10449](https://redirect.github.com/Automattic/mongoose/issues/10449) - fix(index.d.ts): improve autocomplete for new Model() by making `doc` an object with correct keys [#10475](https://redirect.github.com/Automattic/mongoose/issues/10475) - fix(index.d.ts): add MongooseOptions interface [#10471](https://redirect.github.com/Automattic/mongoose/issues/10471) [thiagokisaki](https://redirect.github.com/thiagokisaki) - fix(index.d.ts): make LeanDocument work with PopulatedDoc [#10494](https://redirect.github.com/Automattic/mongoose/issues/10494) - docs(mongoose+connection): correct default value for bufferTimeoutMS [#10476](https://redirect.github.com/Automattic/mongoose/issues/10476) - chore: remove unnecessary 'eslint-disable' comments [#10466](https://redirect.github.com/Automattic/mongoose/issues/10466) [thiagokisaki](https://redirect.github.com/thiagokisaki) ### [`v5.13.3`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5133--2021-07-16) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.2...5.13.3) \=================== - fix(model): avoid throwing error when bulkSave() called on a document with no changes [#10437](https://redirect.github.com/Automattic/mongoose/issues/10437) - fix(timestamps): apply timestamps when creating new subdocs with `$addToSet` and with positional operator [#10447](https://redirect.github.com/Automattic/mongoose/issues/10447) - fix(schema): allow calling Schema#loadClass() with class that has a static getter with no setter [#10436](https://redirect.github.com/Automattic/mongoose/issues/10436) - fix(model): handle re-applying object defaults after explicitly unsetting [#10442](https://redirect.github.com/Automattic/mongoose/issues/10442) [semirturgay](https://redirect.github.com/semirturgay) - fix: bump mongodb driver -> 3.6.10 [#10440](https://redirect.github.com/Automattic/mongoose/issues/10440) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez) - fix(index.d.ts): consistently use NativeDate instead of Date for Date validators and timestamps functions [#10426](https://redirect.github.com/Automattic/mongoose/issues/10426) - fix(index.d.ts): allow calling `discriminator()` with non-document [#10452](https://redirect.github.com/Automattic/mongoose/issues/10452) [#10421](https://redirect.github.com/Automattic/mongoose/issues/10421) [DouglasGabr](https://redirect.github.com/DouglasGabr) - fix(index.d.ts): allow passing ResultType generic to Schema#path() [#10435](https://redirect.github.com/Automattic/mongoose/issues/10435) ### [`v5.13.2`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5132--2021-07-03) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.1...5.13.2) \=================== - fix: hardcode [@types/node](https://redirect.github.com/types/node) version for now to avoid breaking changes from [DefinitelyTyped/DefinitelyTyped#53669](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/issues/53669) [#10415](https://redirect.github.com/Automattic/mongoose/issues/10415) - fix(index.d.ts): allow using type: Date with Date paths in SchemaDefinitionType [#10409](https://redirect.github.com/Automattic/mongoose/issues/10409) - fix(index.d.ts): allow extra VirtualTypeOptions for better plugin support [#10412](https://redirect.github.com/Automattic/mongoose/issues/10412) - docs(api): add SchemaArray to docs [#10397](https://redirect.github.com/Automattic/mongoose/issues/10397) - docs(schema+validation): fix broken links [#10396](https://redirect.github.com/Automattic/mongoose/issues/10396) - docs(transactions): add note about creating a connection to transactions docs [#10406](https://redirect.github.com/Automattic/mongoose/issues/10406) ### [`v5.13.1`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51317--2023-04-04) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.13.0...5.13.1) \==================== - fix: backport fix for array filters handling $or and $and [#13195](https://redirect.github.com/Automattic/mongoose/issues/13195) [#13192](https://redirect.github.com/Automattic/mongoose/issues/13192) [#10696](https://redirect.github.com/Automattic/mongoose/issues/10696) [raj-goguardian](https://redirect.github.com/raj-goguardian) - fix: update the isIndexEqual function to take into account non-text indexes when checking compound indexes that include both text and non-text indexes [#13138](https://redirect.github.com/Automattic/mongoose/issues/13138) [#13136](https://redirect.github.com/Automattic/mongoose/issues/13136) [rdeavila94](https://redirect.github.com/rdeavila94) ### [`v5.13.0`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5130--2021-06-28) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.15...5.13.0) \=================== - feat(query): add sanitizeProjection option to opt in to automatically sanitizing untrusted query projections [#10243](https://redirect.github.com/Automattic/mongoose/issues/10243) - feat(model): add `bulkSave()` function that saves multiple docs in 1 `bulkWrite()` [#9727](https://redirect.github.com/Automattic/mongoose/issues/9727) [#9673](https://redirect.github.com/Automattic/mongoose/issues/9673) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez) - feat(document): allow passing a list of virtuals or `pathsToSkip` to apply in `toObject()` and `toJSON()` [#10120](https://redirect.github.com/Automattic/mongoose/issues/10120) - fix(model): make Model.validate use object under validation as context by default [#10360](https://redirect.github.com/Automattic/mongoose/issues/10360) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez) - feat(document): add support for pathsToSkip in validate and validateSync [#10375](https://redirect.github.com/Automattic/mongoose/issues/10375) [AbdelrahmanHafez](https://redirect.github.com/AbdelrahmanHafez) - feat(model): add `diffIndexes()` function that calculates what indexes `syncIndexes()` will create/drop without actually executing any changes [#10362](https://redirect.github.com/Automattic/mongoose/issues/10362) [IslandRhythms](https://redirect.github.com/IslandRhythms) - feat(document): avoid using sessions that have ended, so you can use documents that were loaded in the session after calling `endSession()` [#10306](https://redirect.github.com/Automattic/mongoose/issues/10306) ### [`v5.12.15`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51215--2021-06-25) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.14...5.12.15) \==================== - fix(index.d.ts): add extra TInstanceMethods generic param to `Schema` for cases when we can't infer from Model [#10358](https://redirect.github.com/Automattic/mongoose/issues/10358) - fix(index.d.ts): added typings for near() in model aggregation [#10373](https://redirect.github.com/Automattic/mongoose/issues/10373) [tbhaxor](https://redirect.github.com/tbhaxor) - fix(index.d.ts): correct function signature for `Query#cast()` [#10388](https://redirect.github.com/Automattic/mongoose/issues/10388) [lkho](https://redirect.github.com/lkho) - docs(transactions): add import statement [#10365](https://redirect.github.com/Automattic/mongoose/issues/10365) [JimLynchCodes](https://redirect.github.com/JimLynchCodes) - docs(schema): add missing `discriminatorKey` schema option [#10386](https://redirect.github.com/Automattic/mongoose/issues/10386) [#10376](https://redirect.github.com/Automattic/mongoose/issues/10376) [IslandRhythms](https://redirect.github.com/IslandRhythms) - docs(index.d.ts): fix typo [#10363](https://redirect.github.com/Automattic/mongoose/issues/10363) [houssemchebeb](https://redirect.github.com/houssemchebeb) ### [`v5.12.14`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51214--2021-06-15) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.13...5.12.14) \==================== - fix(schema): check that schema type is an object when setting isUnderneathDocArray [#10361](https://redirect.github.com/Automattic/mongoose/issues/10361) [vmo-khanus](https://redirect.github.com/vmo-khanus) - fix(document): avoid infinite recursion when setting single nested subdoc to array [#10351](https://redirect.github.com/Automattic/mongoose/issues/10351) - fix(populate): allow populating nested path in schema using `Model.populate()` [#10335](https://redirect.github.com/Automattic/mongoose/issues/10335) - fix(drivers): emit operation-start/operation-end events to allow inspecting when operations start and end - fix(index.d.ts): improve typings for virtuals [#10350](https://redirect.github.com/Automattic/mongoose/issues/10350) [thiagokisaki](https://redirect.github.com/thiagokisaki) - fix(index.d.ts): correct constructor type for Document [#10328](https://redirect.github.com/Automattic/mongoose/issues/10328) - fix(index.d.ts): add `ValidationError` as a possible type for `ValidationError#errors` [#10320](https://redirect.github.com/Automattic/mongoose/issues/10320) [IslandRhythms](https://redirect.github.com/IslandRhythms) - fix: remove unnecessary async devDependency that's causing npm audit warnings [#10281](https://redirect.github.com/Automattic/mongoose/issues/10281) - docs(typescript): add schemas guide [#10308](https://redirect.github.com/Automattic/mongoose/issues/10308) - docs(model): add options parameter description to `Model.exists()` [#10336](https://redirect.github.com/Automattic/mongoose/issues/10336) [Aminoiz](https://redirect.github.com/Aminoiz) ### [`v5.12.13`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51213--2021-06-04) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.12...5.12.13) \==================== - perf(document): avoid creating nested paths when running `$getAllSubdocs()` [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275) - fix: make returnDocument option work with `findOneAndUpdate()` [#10232](https://redirect.github.com/Automattic/mongoose/issues/10232) [#10231](https://redirect.github.com/Automattic/mongoose/issues/10231) [cnwangjie](https://redirect.github.com/cnwangjie) - fix(document): correctly reset subdocument when resetting a map subdocument underneath a single nested subdoc after save [#10295](https://redirect.github.com/Automattic/mongoose/issues/10295) - perf(query): avoid setting non-null sessions to avoid overhead from $getAllSubdocs() [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275) - perf(document): pre split schematype paths when compiling schema to avoid extra overhead of splitting when hydrating documents [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275) - perf(schema): pre-calculate mapPaths to avoid looping over every path for each path when initing doc [#10275](https://redirect.github.com/Automattic/mongoose/issues/10275) - fix(index.d.ts): drill down into nested arrays when creating LeanDocument type [#10293](https://redirect.github.com/Automattic/mongoose/issues/10293) ### [`v5.12.12`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51212--2021-05-28) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.11...5.12.12) \==================== - fix(documentarray): retain atomics when setting to a new array [#10272](https://redirect.github.com/Automattic/mongoose/issues/10272) - fix(query+model): fix deprecation warning for `returnOriginal` with `findOneAndUpdate()` [#10298](https://redirect.github.com/Automattic/mongoose/issues/10298) [#10297](https://redirect.github.com/Automattic/mongoose/issues/10297) [#10292](https://redirect.github.com/Automattic/mongoose/issues/10292) [#10285](https://redirect.github.com/Automattic/mongoose/issues/10285) [IslandRhythms](https://redirect.github.com/IslandRhythms) - fix(index.d.ts): make `map()` result an array if used over an array [#10288](https://redirect.github.com/Automattic/mongoose/issues/10288) [quantumsheep](https://redirect.github.com/quantumsheep) ### [`v5.12.11`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51211--2021-05-24) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.10...5.12.11) \==================== - fix(populate): skip applying setters when casting arrays for populate() to avoid issues with arrays of immutable elements [#10264](https://redirect.github.com/Automattic/mongoose/issues/10264) - perf(schematype): avoid cloning setters every time we run setters [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588) - perf(get): add benchmarks and extra cases to speed up get() [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588) - perf(array): improve array constructor performance on small arrays to improve nested array perf [#9588](https://redirect.github.com/Automattic/mongoose/issues/9588) - fix(index.d.ts): allow using type: \[String] with string\[] when using SchemaDefinition with generic [#10261](https://redirect.github.com/Automattic/mongoose/issues/10261) - fix(index.d.ts): support ReadonlyArray as well as regular array where possible in schema definitions [#10260](https://redirect.github.com/Automattic/mongoose/issues/10260) - docs(connection): document noListener option to useDb [#10278](https://redirect.github.com/Automattic/mongoose/issues/10278) [stuartpb](https://redirect.github.com/stuartpb) - docs: migrate raw tutorial content from pug / JS to markdown [#10271](https://redirect.github.com/Automattic/mongoose/issues/10271) - docs: fix typo [#10269](https://redirect.github.com/Automattic/mongoose/issues/10269) [sanjib](https://redirect.github.com/sanjib) ### [`v5.12.10`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51210--2021-05-18) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.9...5.12.10) \==================== - fix(query): allow setting `defaults` option on result documents from query options [#7287](https://redirect.github.com/Automattic/mongoose/issues/7287) [IslandRhythms](https://redirect.github.com/IslandRhythms) - fix(populate): handle populating embedded discriminator with custom tiedValue [#10231](https://redirect.github.com/Automattic/mongoose/issues/10231) - fix(document): allow passing space-delimited string of `pathsToValidate` to `validate()` and `validateSync()` [#10258](https://redirect.github.com/Automattic/mongoose/issues/10258) - fix(model+schema): support `loadClass()` on classes that have `collection` as a static property [#10257](https://redirect.github.com/Automattic/mongoose/issues/10257) [#10254](https://redirect.github.com/Automattic/mongoose/issues/10254) [IslandRhythms](https://redirect.github.com/IslandRhythms) - fix(SchemaArrayOptions): correct property name [#10236](https://redirect.github.com/Automattic/mongoose/issues/10236) - fix(index.d.ts): add any to all query operators to minimize likelihood of "type instantiation is excessively deep" when querying docs with 4-level deep subdocs [#10189](https://redirect.github.com/Automattic/mongoose/issues/10189) - fix(index.d.ts): add $parent() in addition to parent() in TS definitions - fix(index.d.ts): correct async iterator return type for QueryCursor [#10253](https://redirect.github.com/Automattic/mongoose/issues/10253) [#10252](https://redirect.github.com/Automattic/mongoose/issues/10252) [#10251](https://redirect.github.com/Automattic/mongoose/issues/10251) [borfig](https://redirect.github.com/borfig) - fix(index.d.ts): add `virtualsOnly` parameter to `loadClass()` function signature [IslandRhythms](https://redirect.github.com/IslandRhythms) - docs(typescript): add typescript populate docs [#10212](https://redirect.github.com/Automattic/mongoose/issues/10212) - docs: switch from AWS to Azure Functions for search [#10244](https://redirect.github.com/Automattic/mongoose/issues/10244) ### [`v5.12.9`](https://redirect.github.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5129--2021-05-13) [Compare Source](https://redirect.github.com/Automattic/mongoose/compare/5.12.8...5.12.9) \=================== - fix(schema): ensure add() overwrites existing schema paths by default [#10208](https://redirect.github.com/Automattic/mongoose/issues/10208) [#10203](https://redirect.github.com/Automattic/mongoose/issues/10203) - fix(schema): support creating nested paths underneath document arrays [#10193](https://redirect.github.com/Automattic/mongoose/issues/10193) - fix(update): convert nested dotted paths in update to nested paths to avoid ending up with dotted properties in update [#10200](https://redirect.github.com/Automattic/mongoose/issues/10200) - fix(document): allow calling validate() and validateSync() with `options` as first parameter [#10216](https://redirect.github.com/Automattic/mongoose/issues/10216) - fix(schema): apply static properties to model when using loadClass() [#10206](https://redirect.github.com/Automattic/mongoose/issues/10206) - fix(index.d.ts): allow returning PromiseConfiguration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.