cnodejs / nodeclub

:baby_chick:Nodeclub 是使用 Node.js 和 MongoDB 开发的社区系统
http://cnodejs.org/
MIT License
9.34k stars 3.12k forks source link

[Snyk] Security upgrade mongoose from 5.3.8 to 5.12.3 #1129

Closed snyk-bot closed 5 months ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-MQUERY-1089718
No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: mongoose The new version differs by 250 commits.
  • f8d2721 chore: release 5.12.3
  • 58cad73 fix(connection): use queueing instead of event emitter for `createCollection()` and other helpers to avoid event emitter warning
  • 5382408 fix(index.d.ts): add `transform` to PopulateOptions interface
  • dca1d70 Merge branch 'master' of github.com:Automattic/mongoose
  • 2648088 fix(index.d.ts): add DocumentQuery type for backwards compatibility
  • 966770f Merge pull request #10063 from Automattic/gh-10044
  • 9e4a083 style: fix lint
  • f3cd3a8 chore: use variable instead of function
  • f24953c fix(query): add `writeConcern()` method to avoid writeConcern deprecation warning
  • 7d2e9c9 chore: upgrade mquery -> 3.2.5 re: aheckmann/mquery#121
  • d1a9a1e made requested changes
  • cf1b666 Merge pull request #10078 from pezzu/master
  • 2aef528 Merge pull request #10062 from Automattic/gh-10025
  • 452c77c Fixes #10072
  • c9bfb30 Update model.indexes.test.js
  • 6f0133a removed comments
  • 9e98cd8 Merge pull request #10055 from emrebass/patch-1
  • 1c20044 Merge pull request #10054 from coro101/add-discriminator-type
  • 4e74ea7 TIL that includes() is also not supported in all browsers
  • f231d7b should work and is designed to handle multiple text fields
  • c4897f9 TIL Object.values in not supported on all browsers
  • 391ecec collation not added to text indexes
  • 7a93c16 linter fix
  • 6deb668 fix: connection ids are now scoped
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic