jonluca / Anubis-DB

Database to store previously found subdomains

Update dependency mongoose to v5.7.5 [SECURITY] - autoclosed #32

Closed renovate[bot] closed 4 years ago

renovate[bot] commented 4 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| mongoose (source) | dependencies | minor | 5.6.6 -> 5.7.5 |

GitHub Vulnerability Alerts

CVE-2019-17426

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).


Release Notes

Automattic/mongoose

### [`v5.7.5`](https://togithub.com/Automattic/mongoose/blob/master/History.md#575--2019-10-14)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.4...5.7.5)

- fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries [#8222](https://togithub.com/Automattic/mongoose/issues/8222)
- fix(update): handle subdocument pre('validate') errors in update validation [#7187](https://togithub.com/Automattic/mongoose/issues/7187)
- fix(subdocument): make subdocument#isModified use parent document's isModified [#8223](https://togithub.com/Automattic/mongoose/issues/8223)
- docs(index): add favicon to home page [#8226](https://togithub.com/Automattic/mongoose/issues/8226)
- docs: add schema options to API docs [#8012](https://togithub.com/Automattic/mongoose/issues/8012)
- docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate') [#8218](https://togithub.com/Automattic/mongoose/issues/8218)
- refactor: remove redundant code in ValidationError [#8244](https://togithub.com/Automattic/mongoose/issues/8244) [AbdelrahmanHafez](https://togithub.com/AbdelrahmanHafez)

### [`v5.7.4`](https://togithub.com/Automattic/mongoose/blob/master/History.md#574--2019-10-09)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.3...5.7.4)

- fix(schema): handle `required: null` and `required: undefined` as `required: false` [#8219](https://togithub.com/Automattic/mongoose/issues/8219)
- fix(update): support updating array embedded discriminator props if discriminator key in $elemMatch [#8063](https://togithub.com/Automattic/mongoose/issues/8063)
- fix(populate): allow accessing populate virtual prop underneath array when virtual defined on top level [#8198](https://togithub.com/Automattic/mongoose/issues/8198)
- fix(model): support passing `options` to `Model.remove()` [#8211](https://togithub.com/Automattic/mongoose/issues/8211)
- fix(document): handle `Document#set()` merge option when setting underneath single nested schema [#8201](https://togithub.com/Automattic/mongoose/issues/8201)
- fix: use options constructor class for all schematypes [#8012](https://togithub.com/Automattic/mongoose/issues/8012)

### [`v5.7.3`](https://togithub.com/Automattic/mongoose/blob/master/History.md#573--2019-09-30)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.1...5.7.3)

- fix: make CoreMongooseArray#includes() handle `fromIndex` parameter [#8203](https://togithub.com/Automattic/mongoose/issues/8203)
- fix(update): cast right hand side of `$pull` as a query instead of an update for document arrays [#8166](https://togithub.com/Automattic/mongoose/issues/8166)
- fix(populate): handle virtual populate of an embedded discriminator nested path [#8173](https://togithub.com/Automattic/mongoose/issues/8173)
- docs(validation): remove deprecated `isAsync` from validation docs in favor of emphasizing promises [#8184](https://togithub.com/Automattic/mongoose/issues/8184)
- docs(documents): add overwriting section [#8178](https://togithub.com/Automattic/mongoose/issues/8178)
- docs(promises): add note about queries being thenable [#8110](https://togithub.com/Automattic/mongoose/issues/8110)
- perf: avoid update validators going into Mixed types [#8192](https://togithub.com/Automattic/mongoose/issues/8192) [birdofpreyru](https://togithub.com/birdofpreyru)
- refactor: remove async as a prod dependency [#8073](https://togithub.com/Automattic/mongoose/issues/8073)

### [`v5.7.1`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5714--2019-12-06)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.0...5.7.1)

- fix(cursor): wait until all `eachAsync()` functions finish before resolving the promise [#8352](https://togithub.com/Automattic/mongoose/issues/8352)
- fix(update): handle embedded discriminator paths when discriminator key is defined in the update [#8378](https://togithub.com/Automattic/mongoose/issues/8378)
- fix(schematype): handle passing `message` function to `SchemaType#validate()` as positional arg [#8360](https://togithub.com/Automattic/mongoose/issues/8360)
- fix(map): handle cloning a schema that has a map of subdocuments [#8357](https://togithub.com/Automattic/mongoose/issues/8357)
- docs(schema): clarify that `uppercase`, `lowercase`, and `trim` options for SchemaString don't affect RegExp queries [#8333](https://togithub.com/Automattic/mongoose/issues/8333)

### [`v5.7.0`](https://togithub.com/Automattic/mongoose/blob/master/History.md#570--2019-09-09)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.13...5.7.0)

- feat(document+query): support conditionally immutable schema paths [#8001](https://togithub.com/Automattic/mongoose/issues/8001)
- perf(documentarray): refactor to use ES6 classes instead of mixins, ~30% speedup [#7895](https://togithub.com/Automattic/mongoose/issues/7895)
- feat: use MongoDB driver 3.3.x for MongoDB 4.2 support [#8083](https://togithub.com/Automattic/mongoose/issues/8083) [#8078](https://togithub.com/Automattic/mongoose/issues/8078)
- feat(schema+query): add pre('validate') and post('validate') hooks for update validation [#7984](https://togithub.com/Automattic/mongoose/issues/7984)
- fix(timestamps): ensure updatedAt gets incremented consistently using update with and without $set [#4768](https://togithub.com/Automattic/mongoose/issues/4768)
- feat(query): add `Query#get()` to make writing custom setters that handle both queries and documents easier [#7312](https://togithub.com/Automattic/mongoose/issues/7312)
- feat(document): run setters on defaults [#8012](https://togithub.com/Automattic/mongoose/issues/8012)
- feat(document): add `aliases: false` option to `Document#toObject()` [#7548](https://togithub.com/Automattic/mongoose/issues/7548)
- feat(timestamps): support skipping updatedAt and createdAt for individual save() and update() [#3934](https://togithub.com/Automattic/mongoose/issues/3934)
- docs: fix index creation link in guide [#8138](https://togithub.com/Automattic/mongoose/issues/8138) [joebowbeer](https://togithub.com/joebowbeer)

### [`v5.6.13`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5613--2019-09-04)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.12...5.6.13)

- fix(parallel): fix parallelLimit when fns is empty [#8130](https://togithub.com/Automattic/mongoose/issues/8130) [#8128](https://togithub.com/Automattic/mongoose/issues/8128) [sibelius](https://togithub.com/sibelius)
- fix(document): ensure nested mixed validator gets called exactly once [#8117](https://togithub.com/Automattic/mongoose/issues/8117)
- fix(populate): handle `justOne = undefined` [#8125](https://togithub.com/Automattic/mongoose/issues/8125) [taxilian](https://togithub.com/taxilian)

### [`v5.6.12`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5612--2019-09-03)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.11...5.6.12)

- fix(schema): handle required validator correctly with `clone()` [#8111](https://togithub.com/Automattic/mongoose/issues/8111)
- fix(schema): copy schematype getters and setters when cloning [#8124](https://togithub.com/Automattic/mongoose/issues/8124) [StphnDamon](https://togithub.com/StphnDamon)
- fix(discriminator): avoid unnecessarily cloning schema to avoid leaking memory on repeated `discriminator()` calls [#2874](https://togithub.com/Automattic/mongoose/issues/2874)
- docs(schematypes): clarify when Mongoose uses `toString()` to convert an object to a string [#8112](https://togithub.com/Automattic/mongoose/issues/8112) [TheTrueRandom](https://togithub.com/TheTrueRandom)
- docs(plugins): fix out of date link to npm docs [#8100](https://togithub.com/Automattic/mongoose/issues/8100)
- docs(deprecations): fix typo [#8109](https://togithub.com/Automattic/mongoose/issues/8109) [jgcmarins](https://togithub.com/jgcmarins)
- refactor(model): remove dependency on `async.parallelLimit()` for `insertMany()` [#8073](https://togithub.com/Automattic/mongoose/issues/8073)

### [`v5.6.11`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5611--2019-08-25)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.10...5.6.11)

- fix(model): allow passing options to `exists()` [#8075](https://togithub.com/Automattic/mongoose/issues/8075)
- fix(document): make `validateUpdatedOnly` option handle pre-existing errors [#8091](https://togithub.com/Automattic/mongoose/issues/8091)
- fix: throw readable error if middleware callback isnt a function [#8087](https://togithub.com/Automattic/mongoose/issues/8087)
- fix: don't throw error if calling `find()` on a nested array [#8089](https://togithub.com/Automattic/mongoose/issues/8089)
- docs(middleware): clarify that you must add middleware before compiling your model [#5087](https://togithub.com/Automattic/mongoose/issues/5087)
- docs(query): add missing options to `setOptions()` [#8099](https://togithub.com/Automattic/mongoose/issues/8099)

### [`v5.6.10`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5610--2019-08-20)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.9...5.6.10)

- fix(schema): fix require() path to work around yet another bug in Jest [#8053](https://togithub.com/Automattic/mongoose/issues/8053)
- fix(document): skip casting when initing a populated path [#8062](https://togithub.com/Automattic/mongoose/issues/8062)
- fix(document): prevent double-calling validators on mixed objects with nested properties [#8067](https://togithub.com/Automattic/mongoose/issues/8067)
- fix(query): handle schematype with `null` options when checking immutability [#8070](https://togithub.com/Automattic/mongoose/issues/8070) [rich-earth](https://togithub.com/rich-earth)
- fix(schema): support `Schema#path()` to get schema path underneath doc array [#8057](https://togithub.com/Automattic/mongoose/issues/8057)
- docs(faq): add disable color instruction [#8066](https://togithub.com/Automattic/mongoose/issues/8066)

### [`v5.6.9`](https://togithub.com/Automattic/mongoose/blob/master/History.md#569--2019-08-07)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.8...5.6.9)

- fix(model): delete versionError after saving to prevent memory leak [#8048](https://togithub.com/Automattic/mongoose/issues/8048)
- fix(cursor): correctly handle batchSize option with query cursor [#8039](https://togithub.com/Automattic/mongoose/issues/8039)
- fix(populate): handle virtual populate with count = 0 if virtual embedded in doc array [#7573](https://togithub.com/Automattic/mongoose/issues/7573)
- fix(schema): allow declaring ObjectId array with `{ type: 'ObjectID' }`, last 'D' case insensitive [#8034](https://togithub.com/Automattic/mongoose/issues/8034)

### [`v5.6.8`](https://togithub.com/Automattic/mongoose/blob/master/History.md#568--2019-08-02)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.7...5.6.8)

- fix(aggregate): allow modifying pipeline in pre('aggregate') hooks [#8017](https://togithub.com/Automattic/mongoose/issues/8017)
- fix(query): make `findOneAndReplace()` work with `orFail()` [#8030](https://togithub.com/Automattic/mongoose/issues/8030)
- fix(document): allow saving an unchanged document if required populated path is null [#8018](https://togithub.com/Automattic/mongoose/issues/8018)
- fix(debug): support disabling colors in debug mode [#8033](https://togithub.com/Automattic/mongoose/issues/8033) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang)
- docs: add async-await guide [#8028](https://togithub.com/Automattic/mongoose/issues/8028) [Rossh87](https://togithub.com/Rossh87)
- docs(plugins): rewrite plugins docs to be more modern and not use strange `= exports` syntax [#8026](https://togithub.com/Automattic/mongoose/issues/8026)
- docs(transactions): clarify relationship between `session` in docs and MongoDB driver ClientSession class, link to driver docs [#8009](https://togithub.com/Automattic/mongoose/issues/8009)

### [`v5.6.7`](https://togithub.com/Automattic/mongoose/blob/master/History.md#567--2019-07-26)

[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.6...5.6.7)

- fix(document): support validators on nested arrays [#7926](https://togithub.com/Automattic/mongoose/issues/7926)
- fix(timestamps): handle `timestamps: false` in child schema [#8007](https://togithub.com/Automattic/mongoose/issues/8007)
- fix(query): consistently support `new` option to `findOneAndX()` as an alternative to `returnOriginal` [#7846](https://togithub.com/Automattic/mongoose/issues/7846)
- fix(document): make `inspect()` never return `null`, because a document or nested path is never `== null` [#7942](https://togithub.com/Automattic/mongoose/issues/7942)
- docs(query+lean): add links to mongoose-lean-virtuals, mongoose-lean-getters, mongoose-lean-defaults [#5606](https://togithub.com/Automattic/mongoose/issues/5606)
- docs: add example for `Schema#pre(Array)` [#8022](https://togithub.com/Automattic/mongoose/issues/8022) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang)
- docs(schematype): updated comment from Schema.path to proper s.path [#8013](https://togithub.com/Automattic/mongoose/issues/8013) [chrisweilacker](https://togithub.com/chrisweilacker)
- chore: upgrade nyc [#8015](https://togithub.com/Automattic/mongoose/issues/8015) [kolya182](https://togithub.com/kolya182)

Renovate configuration

:date: Schedule: "" (UTC).

:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.

:recycle: Rebasing: Whenever PR becomes conflicted, or if you tick the rebase/retry checkbox below.

:no_bell: Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
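
The CVE-2019-17426 alert above turns on a `_bsontype` key reaching Mongoose inside a query filter built from request data. The following is an added example, not code from this PR, Mongoose or Anubis-DB: an application-side guard that rejects such filters before they reach the ORM, useful as defence in depth alongside the upgrade. It also checks nested objects, which goes beyond the top-level deletion named in the v5.7.5 release note; the helper names and the `domain` and `owner` fields are hypothetical.

```javascript
// Hypothetical helpers; not part of Mongoose's API.
const FORBIDDEN_KEY = '_bsontype';

// Return the dotted path of every own `_bsontype` key in a parsed JSON value.
function findBsonTypeKeys(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key === FORBIDDEN_KEY) hits.push(here);
    else hits.push(...findBsonTypeKeys(value[key], here));
  }
  return hits;
}

// Build a query filter from untrusted input:
//  1. reject the request if `_bsontype` appears anywhere in it;
//  2. copy only allow-listed fields;
//  3. apply server-side conditions last so input cannot displace them.
function buildFilter(untrusted, allowedFields, enforced) {
  const hits = findBsonTypeKeys(untrusted);
  if (hits.length > 0) {
    const err = new Error(`rejected query: forbidden key at ${hits.join(', ')}`);
    err.status = 400; // let the HTTP layer answer 400 Bad Request
    throw err;
  }
  const filter = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(untrusted, field)) {
      filter[field] = untrusted[field];
    }
  }
  return Object.assign(filter, enforced);
}

// Constructed sample inputs, as they would arrive from a JSON request body.
const benign = JSON.parse('{"domain":"example.com"}');
const tainted = JSON.parse('{"domain":"example.com","_bsontype":"a"}');
const nested = JSON.parse('{"domain":{"$in":["example.com"],"_bsontype":"a"}}');

for (const [name, input] of [['benign', benign], ['tainted', tainted], ['nested', nested]]) {
  try {
    console.log(name, '->', JSON.stringify(buildFilter(input, ['domain'], { owner: 'u1' })));
  } catch (e) {
    console.log(name, '->', e.status, e.message);
  }
}
```

Logging the rejected path gives detection a concrete signal, since legitimate JSON clients have no reason to send a `_bsontype` key.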