🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
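The advisory above describes the general failure mode of setting nested properties from a caller-supplied path: a path segment such as `__proto__` or `constructor.prototype` walks out of the target object and into `Object.prototype`. The following is an added illustrative example, not Mongoose's own code and not the fixed `Schema.path()`: a path setter that refuses reserved keys and writes with `Object.defineProperty`, a scanner that flags such keys in parsed JSON before it reaches any path-based setter, and a probe that confirms the prototype is still clean. `setPath`, `findReservedKeys`, `prototypeIsClean` and the sample body are all assumptions constructed for this example.

```javascript
// Added example, not Mongoose's own code. Defensive building blocks for code
// that sets nested properties from untrusted dotted paths.

const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Set `value` at dotted `path` inside `target`, creating intermediate plain
// objects as needed. Throws rather than touching a reserved key anywhere in the path.
function setPath(target, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing reserved key "${key}" in path "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into own, plain-object properties; inherited values
    // (e.g. toString) and primitives are replaced with a fresh object.
    const next = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (typeof next !== 'object' || next === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  // defineProperty creates an own data property and never invokes the
  // __proto__ accessor, so even a future bug in the key check cannot pollute.
  Object.defineProperty(cur, keys[keys.length - 1], {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Walk a parsed JSON value (e.g. a request body) and return the dotted paths
// of every key that would reach the prototype chain. JSON.parse() stores
// "__proto__" as an ordinary own key, so Object.keys() sees it.
function findReservedKeys(value, prefix = '') {
  const hits = [];
  if (typeof value !== 'object' || value === null) return hits;
  for (const key of Object.keys(value)) {
    const full = prefix ? `${prefix}.${key}` : key;
    if (RESERVED_KEYS.has(key)) hits.push(full);
    hits.push(...findReservedKeys(value[key], full));
  }
  return hits;
}

// True when a freshly created object has not inherited an unexpected key,
// i.e. Object.prototype has not been polluted with `probeKey`.
function prototypeIsClean(probeKey = 'polluted') {
  return !(probeKey in {});
}

// Constructed sample input standing in for an untrusted request body.
const SAMPLE_BODY = JSON.parse(
  '{"name":"alice","__proto__":{"polluted":true},' +
  '"nested":{"constructor":{"prototype":{"x":1}}}}'
);

// Usage: reject the body at the boundary, then set only vetted paths.
const suspicious = findReservedKeys(SAMPLE_BODY);
if (suspicious.length > 0) {
  console.log('rejected input, reserved keys at:', suspicious.join(', '));
}
const doc = setPath({}, 'settings.theme', 'dark');
console.log(JSON.stringify(doc), 'prototype clean:', prototypeIsClean());
```

The scan and the setter are complementary: the scan catches reserved keys that arrive as data (object keys in a body), the setter catches them when they arrive as a path string, and the probe is the check a test suite can run after any code that merges user input into objects.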
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
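The advisory applies to applications that enable command monitoring and then log the events they receive. The following is an added example, not the MongoDB driver's own code and not its fix: a log-safe wrapper that drops the command body for authentication-related commands before anything is written to a log. The set of command names is the one the driver command monitoring specification treats as sensitive; `toLogSafeEvent`, `attachSafeLogger` and the sample events are assumptions constructed for this example, and the client wiring assumes a `MongoClient` created with `monitorCommands: true`.

```javascript
// Added example, not the MongoDB Node.js driver's own code. Redacts
// authentication-related command monitoring events before they are logged.

// Commands whose bodies the command monitoring specification treats as
// sensitive (credentials, SASL payloads, user management).
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

// hello / isMaster are only sensitive when they carry speculative authentication.
function isSensitiveCommand(commandName, command) {
  const name = String(commandName).toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  if ((name === 'hello' || name === 'ismaster') &&
      command && typeof command === 'object' && 'speculativeAuthenticate' in command) {
    return true;
  }
  return false;
}

// Return a copy of a commandStarted-shaped event that is safe to log.
// Only the fields a log needs are copied; the body is replaced when sensitive.
function toLogSafeEvent(event) {
  const sensitive = isSensitiveCommand(event.commandName, event.command);
  return {
    requestId: event.requestId,
    databaseName: event.databaseName,
    commandName: event.commandName,
    command: sensitive ? '[REDACTED]' : event.command,
    redacted: sensitive,
  };
}

// Wiring for a real client (assumption: `client` is a MongoClient constructed
// with { monitorCommands: true }, which emits 'commandStarted' events).
// Kept as a function so this file runs without a database.
function attachSafeLogger(client, log) {
  client.on('commandStarted', (event) => log(JSON.stringify(toLogSafeEvent(event))));
}

// Constructed sample events standing in for what the driver would emit.
const SAMPLE_EVENTS = [
  { requestId: 1, databaseName: 'admin', commandName: 'saslStart',
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'n,,n=app,r=constructed' } },
  { requestId: 2, databaseName: 'admin', commandName: 'hello',
    command: { hello: 1, speculativeAuthenticate: { saslStart: 1, payload: 'constructed' } } },
  { requestId: 3, databaseName: 'shop', commandName: 'find',
    command: { find: 'orders', filter: { status: 'open' } } },
];

// Usage: a stand-in client so the example runs offline.
const fakeClient = { handlers: {}, on(name, fn) { this.handlers[name] = fn; } };
attachSafeLogger(fakeClient, (line) => console.log(line));
for (const event of SAMPLE_EVENTS) fakeClient.handlers.commandStarted(event);
```

The same filter belongs in front of `commandSucceeded` and `commandFailed` handlers, since a reply to a sensitive command can echo parts of the exchange; the driver versions listed in the advisory perform this redaction themselves, and the wrapper is a defence in depth for listeners that log more than the event name.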
Updated our tr46 dependency, which brings along several fixes related to international domain names, such as:
* Empty domain name labels, as in https://xn--4-0bd15808a.../, no longer cause URL parsing to fail.
* Invalid punycode-encoded domain name labels, as in http://xn--ls8h=/, now correctly cause URL parsing to fail.
* Includes support for Unicode 15.0.0.
As part of this, we are now running against the newly-introduced test data derived from the Unicode Consortium-maintained IdnaTestV2.txt file, and passing them all.
Changed the characters allowed in domains vs. generic hosts, per whatwg/url@35e195a.
Changed the URL API's search and hash setters, as well as the URLSearchParams API, to always ensure the URL is serialize-parse roundtrippable, per whatwg/url@fdaa0e5.
The breaking changes in this release are only to the Low-level URL Standard API. No actual URL parsing or serialization behavior has changed, and users of the URL and URLSearchParams exports are not affected.
The breaking changes in this release are to the API exported by the whatwg-url/webidl2js-wrapper module. In particular it now is based on webidl2js v17, which changes some of the exported function signatures, and changes the realms of any errors thrown on misuse.
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* [Circle CI](https://circleci.com), [Semaphore](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options.
* If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
* If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
* `@depfu rebase`: Rebases against your default branch and redoes this update
* `@depfu recreate`: Recreates this PR, overwriting any edits that you've made to it
* `@depfu merge`: Merges this PR once your tests are passing and conflicts are resolved
* `@depfu cancel merge`: Cancels automatic merging of this PR
* `@depfu close`: Closes this PR and deletes the branch
* `@depfu reopen`: Restores the branch and reopens this PR (if it's closed)
* `@depfu pause`: Ignores all future updates for this dependency and closes this PR
* `@depfu pause [minor|major]`: Ignores all future minor/major updates for this dependency and closes this PR
* `@depfu resume`: Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
✳️ mongoose (6.0.8 → 8.2.1) · Repo · Changelog
Security Advisories 🚨
🚨 Mongoose Prototype Pollution vulnerability
🚨 Mongoose Prototype Pollution vulnerability
🚨 Prototype pollution Schema.path in automattic/mongoose
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by 46 commits:
chore: release 8.2.1
Merge pull request #14401 from Automattic/dependabot/npm_and_yarn/master/mocha-10.3.0
Merge pull request #14402 from Automattic/dependabot/npm_and_yarn/master/webpack-5.90.3
chore(deps-dev): bump webpack from 5.90.1 to 5.90.3
Merge pull request #14404 from Automattic/dependabot/npm_and_yarn/master/babel/core-7.24.0
Merge pull request #14411 from Automattic/dependabot/npm_and_yarn/master/tsd-0.30.7
Merge pull request #14412 from Automattic/dependabot/github_actions/master/actions/setup-node-4.0.2
test: bump TypeScript instantiations cap to fix tests until we release #14328
Merge pull request #14395 from Automattic/vkarpov15/gh-14353
chore(deps-dev): bump mocha from 10.2.0 to 10.3.0
chore(deps-dev): bump @babel/core from 7.23.9 to 7.24.0
Merge pull request #14406 from Automattic/dependabot/npm_and_yarn/master/dotenv-16.4.5
Merge pull request #14408 from Automattic/dependabot/npm_and_yarn/master/babel/preset-env-7.24.0
Merge pull request #14409 from Automattic/dependabot/npm_and_yarn/master/eslint-8.57.0
chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2
chore(deps-dev): bump tsd from 0.30.4 to 0.30.7
chore(deps-dev): bump eslint from 8.56.0 to 8.57.0
chore(deps-dev): bump @babel/preset-env from 7.23.9 to 7.24.0
chore(deps-dev): bump dotenv from 16.4.1 to 16.4.5
Merge branch 'master' into vkarpov15/gh-14353
fix: address code review comments on #14395
Merge pull request #14390 from Automattic/vkarpov15/gh-14377
Merge pull request #14396 from Automattic/vkarpov15/bson-64
test: make tests succeed on bson@6.3 or bson@6.4
test: fix lean test for bson 6.4
Merge pull request #14391 from Automattic/vkarpov15/gh-11382
fix(document): make `$clone` avoid converting subdocs into POJOs
fix(schema): avoid applying default write concern to operations that are in a transaction
fix(connection): avoid unhandled error on createConnection() if on('error') handler registered
Merge pull request #14384 from Automattic/vkarpov15/gh-14374
Merge branch 'vkarpov15/gh-14374' of github.com:Automattic/mongoose into vkarpov15/gh-14374
test: add more rigorous type check for #14374
Update test/types/querycursor.test.ts
Merge pull request #14382 from FaizBShah/gh-14378
Update models.d.ts
Merge branch 'master' into gh-14378
Merge pull request #14379 from sderrow/mongoose-query-options-fix
Merge branch '7.x'
chore: release 7.6.9
style: fix lint
types(querycursor): correct cursor async iterator type with `populate()` support
fix: missing typescript details on options params of updateMany, updateOne, etc.
More lint
Lint
[fix] MongooseQueryOptions typing
Merge pull request #14371 from sderrow/sderrow/select-type-fix
↗️ @types/whatwg-url (indirect, 8.2.1 → 11.0.4) · Repo
Sorry, we couldn't find anything useful about this release.
↗️ bson (indirect, 4.5.2 → 6.4.0) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mongodb (indirect, 4.1.1 → 6.3.0) · Repo · Changelog
Security Advisories 🚨
🚨 MongoDB Driver may publish events containing authentication-related data
🚨 MongoDB Driver may publish events containing authentication-related data
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mongodb-connection-string-url (indirect, 2.1.0 → 3.0.0) · Repo
Commits
See the full diff on Github. The new version differs by 36 commits:
3.0.0
feat!: bump supported Node.js version range (#32)
fix: update whatwg-url version due to deprecation warning (#31)
2.6.0
Merge pull request #26 from mongodb-js/compass-6197-redact-password-without-string
fix(redact): handle empty username when redacting password
2.5.4
fix: remove regexp lookbehind usage COMPASS-5738 (#25)
2.5.3
fix: never allow literal unescaped @ as part of usernames COMPASS-5958 (#23)
2.5.2
fix: keep error messages for loose validation same as for strict validation (#22)
2.5.1
fix: use looseValidation for cloning ConnectionString instances (#21)
2.5.0
feat: add opt-in for looser connection string validation (#20)
2.4.2
Merge pull request #19 from mongodb-js/COMPASS-5471-check-missing-host-after-auth
refactor: regexp simplification
fix: check missing host after auth COMPASS-5471
chore: improve invalid connection string message when scheme/protocol is invalid
improve error message, we had it as 'schema' instead of 'scheme' in compass for years hah
Add error message when schema is invalid
2.4.1
fix: relax TS types for Compass TS config
2.4.0
feat: allow typing searchParams and record types (#14)
2.3.2
Merge pull request #13 from mongodb-js/always-start-matching-from-the-beginning-of-the-string
chore: Always start matching from the beginning of the string
2.3.1
chore: make redaction a bit more configurable COMPASS-5038 (#12)
2.3.0
feat: add connection string redaction utilities COMPASS-5308 (#11)
2.2.0
chore: bump whatwg-url to 11.0.0 (#9)
↗️ mpath (indirect, 0.8.4 → 0.9.0) · Repo · Changelog
Release Notes
0.9.0 (from changelog)
↗️ mquery (indirect, 4.0.0 → 5.0.0) · Repo · Changelog
Release Notes
5.0.0 (from changelog)
4.0.3 (from changelog)
4.0.2 (from changelog)
4.0.1 (from changelog)
Commits
See the full diff on Github. The new version differs by 69 commits:
chore: release 5.0.0
Merge pull request #138 from mongoosejs/vkarpov15/remove-ducktyping
BREAKING CHANGE: remove support for `mquery(collection)`, first param is always filter
fix couple of merge conflicts from #136
Merge pull request #136 from hasezoey/removeOldQueryFn
Merge branch 'master' into removeOldQueryFn
Merge pull request #137 from hasezoey/updateMongoDriver
feat: remove node 12 support
chore(package.json): actually let mocha exit after finished
docs(README): de-duplicate header names
docs(README): various style fixes
docs(README): update for async use
test: update tests for async
fix(mquery): rename cache "_distinct" to "_distinctDoc" to not conflict with the function
fix(mquery): rename cache "_update" to "_updateDoc" to not conflict with the function
fix(collection/node): add workarounds for removal of "remove" and "update"
fix(mquery): actually use parameters to ".then"
feat(collection/node): convert to promises
feat(utils): remove function "tick"
feat(mquery): remove "Query.Promise"
feat(mquery): remove function "Query.prototype.thunk"
feat(mquery): remove function "Query.prototype._wrapCallback"
feat(mquery): change most functions to be builder / executer
fix(mquery): update conditions for selecting if the input is a collection
test: update test utils to use promises for setup
deps: update mongodb to "5.x"
test: remove "update" from "stream -> throws"
feat: remove "snapshot"
feat: remove "maxScan"
feat: remove "update"
feat: remove "remove"
Merge pull request #135 from hasezoey/github
Merge pull request #134 from hasezoey/modernize
chore: change from "files"-property to ".npmignore"
chore(travis.yml): remove file
chore(github/workflows): add test workflow
chore: add issue & pull request template
style: apply updated eslint config
chore(eslintrc): update file with modified version from mongoose
chore(README): add link to empty link place
chore(README): add proper code blocks for script executions
chore(README): consistenize indent of lists
chore(README): lower size of separators
chore(README): format TOC
style(mquery): remove empty space between jsdoc comments
style(mquery): add missing spaces for example code in JSDOC
style(mquery): change "Note" headers to be consistent
style(mquery): add missing ":" to headers
style(mquery): change headers to have a space
chore(.eslintignore): remove file
chore(package.json): add "files" property
chore(Makefile): remove unused file
chore(gitignore): add yarn.lock
chore: release 4.0.3
fix: allow using `comment` with `findOneAndUpdate()`, `count()`, `distinct()` and `hint` with `findOneAndUpdate()`
Merge pull request #133 from herrmannplatz/patch-1
ci: remove unsupported node versions
chore: release 4.0.2
Merge pull request #131 from Uzlopak/replace-regexp-clone
even simpler
add missing new
replace regexp-clone with native functionality
chore: release 4.0.1
Merge pull request #130 from Uzlopak/remove-sliced
remove sliced, microoptimizations
Merge pull request #128 from jimmywarting/classify
Convert NodeCollection to a class
Merge pull request #127 from jimmywarting/rm-utils.isArray
replace utils.isArray with Array.isArray
↗️ punycode (indirect, 2.1.1 → 2.3.1) · Repo
Commits
See the full diff on Github. The new version differs by 25 commits:
Release v2.3.1
Prepare v2.3.1 release
Update `version`
ci(deps): update GitHub Actions workflows to run on Node.js 20 (LTS) (#130)
Update dependencies (#128)
Fix broken reference
Add README section for maintainers
Release v2.3.0
Rename package.json#name before publishing `punycode.js`
Release v2.2.2
Update repo URL
Add jsDelivr hits badge (#69)
Update mocha dependency (#103)
Set up GitHub Actions
Add test for #115
Do not encode DEL (#115)
Update browser support section in README (#118)
Replace `let` with `const` where applicable (#93)
Release v2.2.1
Do not decode non-ASCII-alphanumerics in Punycode labels (#124)
Release v2.2.0
fix: upstream node.js changes (#121)
fix: update jsdoc definitions (#120)
Fix usage instructions in README (#113)
Add LTS Node.js version to CI settings (#92)
↗️ sift (indirect, 13.5.2 → 16.0.1) · Repo · Changelog
Release Notes
16.0.0 (from changelog)
↗️ webidl-conversions (indirect, 6.1.0 → 7.0.0) · Repo
Commits
See the full diff on Github. The new version differs by 14 commits:
v7.0.0
Rename "void" to "undefined"
Support environments without SharedArrayBuffer
Remove dead code
Remove type() internal helper function
Style updates
Fix toNumber BigInt exception
Remove Function and VoidFunction support
Move assertThrows test helper to a subdirectory
Remove Node.js v10 workaround in the tests
Update lint config
Update dev dependencies and require Node v12
Switch CI to GitHub Actions
Fix typo and dead code
↗️ whatwg-url (indirect, 9.1.0 → 13.0.0) · Repo
Release Notes
13.0.0
12.0.1
12.0.0
11.0.0
10.0.0
Commits
See the full diff on Github. The new version differs by 35 commits:
13.0.0
Require Node v16+; update dev dependencies
Change blob: URL origin serialization for inner non-http(s): URL
Implement value argument for URLSearchParams has() and delete()
Implement URL.canParse()
Implement URLSearchParam's size
Overhaul the test runner
12.0.1
Update dev dependencies
Upgrade tr46 dependency to fix IDNA issues
12.0.0
Ensure the URL API roundtrips for opaque paths
Live viewer: rename "URL" field to "input"
Live viewer: add escape support
Live viewer: remove another IE-ism
Live viewer: update the UI and fragment on load
Live viewer: don't generate new history entries
Live viewer: stop using iframes
Live viewer: switch to using modules
Live viewer: stop using duplicate IDs
Live viewer: display the origin too
Update dev dependencies
Update dependencies and require Node v14
Update specification and test commit SHAs
Split forbidden host/domain code-points
Live viewer: fix empty string URL inputs in shared links
Live viewer: switch from browserify to esbuild
Simplify cannotHaveAUsernamePasswordPort
11.0.0
Update URL Standard API to remove cannot-be-a-base-URL
10.0.0
Update webidl2js
Update dependencies and dev dependencies
Remove license year
Remove source transform and add benchmark
🆕 @mongodb-js/saslprep (added, 1.1.4)
🗑️ @types/node (removed)
🗑️ base64-js (removed)
🗑️ buffer (removed)
🗑️ denque (removed)
🗑️ ieee754 (removed)
🗑️ regexp-clone (removed)
🗑️ saslprep (removed)
🗑️ sliced (removed)