Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
Release Notes
Automattic/mongoose
### [`v5.7.5`](https://togithub.com/Automattic/mongoose/blob/master/History.md#575--2019-10-14)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.4...5.7.5)
==================
- fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries [#8222](https://togithub.com/Automattic/mongoose/issues/8222)
- fix(update): handle subdocument pre('validate') errors in update validation [#7187](https://togithub.com/Automattic/mongoose/issues/7187)
- fix(subdocument): make subdocument#isModified use parent document's isModified [#8223](https://togithub.com/Automattic/mongoose/issues/8223)
- docs(index): add favicon to home page [#8226](https://togithub.com/Automattic/mongoose/issues/8226)
- docs: add schema options to API docs [#8012](https://togithub.com/Automattic/mongoose/issues/8012)
- docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate') [#8218](https://togithub.com/Automattic/mongoose/issues/8218)
- refactor: remove redundant code in ValidationError [#8244](https://togithub.com/Automattic/mongoose/issues/8244) [AbdelrahmanHafez](https://togithub.com/AbdelrahmanHafez)
### [`v5.7.4`](https://togithub.com/Automattic/mongoose/blob/master/History.md#574--2019-10-09)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.3...5.7.4)
==================
- fix(schema): handle `required: null` and `required: undefined` as `required: false` [#8219](https://togithub.com/Automattic/mongoose/issues/8219)
- fix(update): support updating array embedded discriminator props if discriminator key in $elemMatch [#8063](https://togithub.com/Automattic/mongoose/issues/8063)
- fix(populate): allow accessing populate virtual prop underneath array when virtual defined on top level [#8198](https://togithub.com/Automattic/mongoose/issues/8198)
- fix(model): support passing `options` to `Model.remove()` [#8211](https://togithub.com/Automattic/mongoose/issues/8211)
- fix(document): handle `Document#set()` merge option when setting underneath single nested schema [#8201](https://togithub.com/Automattic/mongoose/issues/8201)
- fix: use options constructor class for all schematypes [#8012](https://togithub.com/Automattic/mongoose/issues/8012)
### [`v5.7.3`](https://togithub.com/Automattic/mongoose/blob/master/History.md#573--2019-09-30)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.1...5.7.3)
==================
- fix: make CoreMongooseArray#includes() handle `fromIndex` parameter [#8203](https://togithub.com/Automattic/mongoose/issues/8203)
- fix(update): cast right hand side of `$pull` as a query instead of an update for document arrays [#8166](https://togithub.com/Automattic/mongoose/issues/8166)
- fix(populate): handle virtual populate of an embedded discriminator nested path [#8173](https://togithub.com/Automattic/mongoose/issues/8173)
- docs(validation): remove deprecated `isAsync` from validation docs in favor of emphasizing promises [#8184](https://togithub.com/Automattic/mongoose/issues/8184)
- docs(documents): add overwriting section [#8178](https://togithub.com/Automattic/mongoose/issues/8178)
- docs(promises): add note about queries being thenable [#8110](https://togithub.com/Automattic/mongoose/issues/8110)
- perf: avoid update validators going into Mixed types [#8192](https://togithub.com/Automattic/mongoose/issues/8192) [birdofpreyru](https://togithub.com/birdofpreyru)
- refactor: remove async as a prod dependency [#8073](https://togithub.com/Automattic/mongoose/issues/8073)
### [`v5.7.1`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5714--2019-12-06)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.0...5.7.1)
===================
- fix(cursor): wait until all `eachAsync()` functions finish before resolving the promise [#8352](https://togithub.com/Automattic/mongoose/issues/8352)
- fix(update): handle embedded discriminator paths when discriminator key is defined in the update [#8378](https://togithub.com/Automattic/mongoose/issues/8378)
- fix(schematype): handle passing `message` function to `SchemaType#validate()` as positional arg [#8360](https://togithub.com/Automattic/mongoose/issues/8360)
- fix(map): handle cloning a schema that has a map of subdocuments [#8357](https://togithub.com/Automattic/mongoose/issues/8357)
- docs(schema): clarify that `uppercase`, `lowercase`, and `trim` options for SchemaString don't affect RegExp queries [#8333](https://togithub.com/Automattic/mongoose/issues/8333)
### [`v5.7.0`](https://togithub.com/Automattic/mongoose/blob/master/History.md#570--2019-09-09)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.13...5.7.0)
==================
- feat(document+query): support conditionally immutable schema paths [#8001](https://togithub.com/Automattic/mongoose/issues/8001)
- perf(documentarray): refactor to use ES6 classes instead of mixins, ~30% speedup [#7895](https://togithub.com/Automattic/mongoose/issues/7895)
- feat: use MongoDB driver 3.3.x for MongoDB 4.2 support [#8083](https://togithub.com/Automattic/mongoose/issues/8083) [#8078](https://togithub.com/Automattic/mongoose/issues/8078)
- feat(schema+query): add pre('validate') and post('validate') hooks for update validation [#7984](https://togithub.com/Automattic/mongoose/issues/7984)
- fix(timestamps): ensure updatedAt gets incremented consistently using update with and without $set [#4768](https://togithub.com/Automattic/mongoose/issues/4768)
- feat(query): add `Query#get()` to make writing custom setters that handle both queries and documents easier [#7312](https://togithub.com/Automattic/mongoose/issues/7312)
- feat(document): run setters on defaults [#8012](https://togithub.com/Automattic/mongoose/issues/8012)
- feat(document): add `aliases: false` option to `Document#toObject()` [#7548](https://togithub.com/Automattic/mongoose/issues/7548)
- feat(timestamps): support skipping updatedAt and createdAt for individual save() and update() [#3934](https://togithub.com/Automattic/mongoose/issues/3934)
- docs: fix index creation link in guide [#8138](https://togithub.com/Automattic/mongoose/issues/8138) [joebowbeer](https://togithub.com/joebowbeer)
### [`v5.6.13`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5613--2019-09-04)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.12...5.6.13)
===================
- fix(parallel): fix parallelLimit when fns is empty [#8130](https://togithub.com/Automattic/mongoose/issues/8130) [#8128](https://togithub.com/Automattic/mongoose/issues/8128) [sibelius](https://togithub.com/sibelius)
- fix(document): ensure nested mixed validator gets called exactly once [#8117](https://togithub.com/Automattic/mongoose/issues/8117)
- fix(populate): handle `justOne = undefined` [#8125](https://togithub.com/Automattic/mongoose/issues/8125) [taxilian](https://togithub.com/taxilian)
### [`v5.6.12`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5612--2019-09-03)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.11...5.6.12)
===================
- fix(schema): handle required validator correctly with `clone()` [#8111](https://togithub.com/Automattic/mongoose/issues/8111)
- fix(schema): copy schematype getters and setters when cloning [#8124](https://togithub.com/Automattic/mongoose/issues/8124) [StphnDamon](https://togithub.com/StphnDamon)
- fix(discriminator): avoid unnecessarily cloning schema to avoid leaking memory on repeated `discriminator()` calls [#2874](https://togithub.com/Automattic/mongoose/issues/2874)
- docs(schematypes): clarify when Mongoose uses `toString()` to convert an object to a string [#8112](https://togithub.com/Automattic/mongoose/issues/8112) [TheTrueRandom](https://togithub.com/TheTrueRandom)
- docs(plugins): fix out of date link to npm docs [#8100](https://togithub.com/Automattic/mongoose/issues/8100)
- docs(deprecations): fix typo [#8109](https://togithub.com/Automattic/mongoose/issues/8109) [jgcmarins](https://togithub.com/jgcmarins)
- refactor(model): remove dependency on `async.parallelLimit()` for `insertMany()` [#8073](https://togithub.com/Automattic/mongoose/issues/8073)
### [`v5.6.11`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5611--2019-08-25)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.10...5.6.11)
===================
- fix(model): allow passing options to `exists()` [#8075](https://togithub.com/Automattic/mongoose/issues/8075)
- fix(document): make `validateUpdatedOnly` option handle pre-existing errors [#8091](https://togithub.com/Automattic/mongoose/issues/8091)
- fix: throw readable error if middleware callback isnt a function [#8087](https://togithub.com/Automattic/mongoose/issues/8087)
- fix: don't throw error if calling `find()` on a nested array [#8089](https://togithub.com/Automattic/mongoose/issues/8089)
- docs(middleware): clarify that you must add middleware before compiling your model [#5087](https://togithub.com/Automattic/mongoose/issues/5087)
- docs(query): add missing options to `setOptions()` [#8099](https://togithub.com/Automattic/mongoose/issues/8099)
### [`v5.6.10`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5610--2019-08-20)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.9...5.6.10)
===================
- fix(schema): fix require() path to work around yet another bug in Jest [#8053](https://togithub.com/Automattic/mongoose/issues/8053)
- fix(document): skip casting when initing a populated path [#8062](https://togithub.com/Automattic/mongoose/issues/8062)
- fix(document): prevent double-calling validators on mixed objects with nested properties [#8067](https://togithub.com/Automattic/mongoose/issues/8067)
- fix(query): handle schematype with `null` options when checking immutability [#8070](https://togithub.com/Automattic/mongoose/issues/8070) [rich-earth](https://togithub.com/rich-earth)
- fix(schema): support `Schema#path()` to get schema path underneath doc array [#8057](https://togithub.com/Automattic/mongoose/issues/8057)
- docs(faq): add disable color instruction [#8066](https://togithub.com/Automattic/mongoose/issues/8066)
### [`v5.6.9`](https://togithub.com/Automattic/mongoose/blob/master/History.md#569--2019-08-07)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.8...5.6.9)
==================
- fix(model): delete versionError after saving to prevent memory leak [#8048](https://togithub.com/Automattic/mongoose/issues/8048)
- fix(cursor): correctly handle batchSize option with query cursor [#8039](https://togithub.com/Automattic/mongoose/issues/8039)
- fix(populate): handle virtual populate with count = 0 if virtual embedded in doc array [#7573](https://togithub.com/Automattic/mongoose/issues/7573)
- fix(schema): allow declaring ObjectId array with `{ type: 'ObjectID' }`, last 'D' case insensitive [#8034](https://togithub.com/Automattic/mongoose/issues/8034)
### [`v5.6.8`](https://togithub.com/Automattic/mongoose/blob/master/History.md#568--2019-08-02)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.7...5.6.8)
==================
- fix(aggregate): allow modifying pipeline in pre('aggregate') hooks [#8017](https://togithub.com/Automattic/mongoose/issues/8017)
- fix(query): make `findOneAndReplace()` work with `orFail()` [#8030](https://togithub.com/Automattic/mongoose/issues/8030)
- fix(document): allow saving an unchanged document if required populated path is null [#8018](https://togithub.com/Automattic/mongoose/issues/8018)
- fix(debug): support disabling colors in debug mode [#8033](https://togithub.com/Automattic/mongoose/issues/8033) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang)
- docs: add async-await guide [#8028](https://togithub.com/Automattic/mongoose/issues/8028) [Rossh87](https://togithub.com/Rossh87)
- docs(plugins): rewrite plugins docs to be more modern and not use strange `= exports` syntax [#8026](https://togithub.com/Automattic/mongoose/issues/8026)
- docs(transactions): clarify relationship between `session` in docs and MongoDB driver ClientSession class, link to driver docs [#8009](https://togithub.com/Automattic/mongoose/issues/8009)
### [`v5.6.7`](https://togithub.com/Automattic/mongoose/blob/master/History.md#567--2019-07-26)
[Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.6...5.6.7)
==================
- fix(document): support validators on nested arrays [#7926](https://togithub.com/Automattic/mongoose/issues/7926)
- fix(timestamps): handle `timestamps: false` in child schema [#8007](https://togithub.com/Automattic/mongoose/issues/8007)
- fix(query): consistently support `new` option to `findOneAndX()` as an alternative to `returnOriginal` [#7846](https://togithub.com/Automattic/mongoose/issues/7846)
- fix(document): make `inspect()` never return `null`, because a document or nested path is never `== null` [#7942](https://togithub.com/Automattic/mongoose/issues/7942)
- docs(query+lean): add links to mongoose-lean-virtuals, mongoose-lean-getters, mongoose-lean-defaults [#5606](https://togithub.com/Automattic/mongoose/issues/5606)
- docs: add example for `Schema#pre(Array)` [#8022](https://togithub.com/Automattic/mongoose/issues/8022) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang)
- docs(schematype): updated comment from Schema.path to proper s.path [#8013](https://togithub.com/Automattic/mongoose/issues/8013) [chrisweilacker](https://togithub.com/chrisweilacker)
- chore: upgrade nyc [#8015](https://togithub.com/Automattic/mongoose/issues/8015) [kolya182](https://togithub.com/kolya182)
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or if you tick the rebase/retry checkbox below.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
5.6.6
->5.7.5
GitHub Vulnerability Alerts
CVE-2019-17426
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
Release Notes
Automattic/mongoose
### [`v5.7.5`](https://togithub.com/Automattic/mongoose/blob/master/History.md#575--2019-10-14) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.4...5.7.5) ================== - fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries [#8222](https://togithub.com/Automattic/mongoose/issues/8222) - fix(update): handle subdocument pre('validate') errors in update validation [#7187](https://togithub.com/Automattic/mongoose/issues/7187) - fix(subdocument): make subdocument#isModified use parent document's isModified [#8223](https://togithub.com/Automattic/mongoose/issues/8223) - docs(index): add favicon to home page [#8226](https://togithub.com/Automattic/mongoose/issues/8226) - docs: add schema options to API docs [#8012](https://togithub.com/Automattic/mongoose/issues/8012) - docs(middleware): add note about accessing the document being updated in pre('findOneAndUpdate') [#8218](https://togithub.com/Automattic/mongoose/issues/8218) - refactor: remove redundant code in ValidationError [#8244](https://togithub.com/Automattic/mongoose/issues/8244) [AbdelrahmanHafez](https://togithub.com/AbdelrahmanHafez) ### [`v5.7.4`](https://togithub.com/Automattic/mongoose/blob/master/History.md#574--2019-10-09) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.3...5.7.4) ================== - fix(schema): handle `required: null` and `required: undefined` as `required: false` [#8219](https://togithub.com/Automattic/mongoose/issues/8219) - fix(update): support updating array embedded discriminator props if discriminator key in $elemMatch [#8063](https://togithub.com/Automattic/mongoose/issues/8063) - fix(populate): allow accessing populate virtual prop underneath array when virtual defined on top level [#8198](https://togithub.com/Automattic/mongoose/issues/8198) - fix(model): support passing `options` to `Model.remove()` [#8211](https://togithub.com/Automattic/mongoose/issues/8211) - fix(document): handle `Document#set()` merge option when setting underneath single nested schema [#8201](https://togithub.com/Automattic/mongoose/issues/8201) - fix: use options constructor class for all schematypes [#8012](https://togithub.com/Automattic/mongoose/issues/8012) ### [`v5.7.3`](https://togithub.com/Automattic/mongoose/blob/master/History.md#573--2019-09-30) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.1...5.7.3) ================== - fix: make CoreMongooseArray#includes() handle `fromIndex` parameter [#8203](https://togithub.com/Automattic/mongoose/issues/8203) - fix(update): cast right hand side of `$pull` as a query instead of an update for document arrays [#8166](https://togithub.com/Automattic/mongoose/issues/8166) - fix(populate): handle virtual populate of an embedded discriminator nested path [#8173](https://togithub.com/Automattic/mongoose/issues/8173) - docs(validation): remove deprecated `isAsync` from validation docs in favor of emphasizing promises [#8184](https://togithub.com/Automattic/mongoose/issues/8184) - docs(documents): add overwriting section [#8178](https://togithub.com/Automattic/mongoose/issues/8178) - docs(promises): add note about queries being thenable [#8110](https://togithub.com/Automattic/mongoose/issues/8110) - perf: avoid update validators going into Mixed types [#8192](https://togithub.com/Automattic/mongoose/issues/8192) [birdofpreyru](https://togithub.com/birdofpreyru) - refactor: remove async as a prod dependency [#8073](https://togithub.com/Automattic/mongoose/issues/8073) ### [`v5.7.1`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5714--2019-12-06) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.7.0...5.7.1) =================== - fix(cursor): wait until all `eachAsync()` functions finish before resolving the promise [#8352](https://togithub.com/Automattic/mongoose/issues/8352) - fix(update): handle embedded discriminator paths when discriminator key is defined in the update [#8378](https://togithub.com/Automattic/mongoose/issues/8378) - fix(schematype): handle passing `message` function to `SchemaType#validate()` as positional arg [#8360](https://togithub.com/Automattic/mongoose/issues/8360) - fix(map): handle cloning a schema that has a map of subdocuments [#8357](https://togithub.com/Automattic/mongoose/issues/8357) - docs(schema): clarify that `uppercase`, `lowercase`, and `trim` options for SchemaString don't affect RegExp queries [#8333](https://togithub.com/Automattic/mongoose/issues/8333) ### [`v5.7.0`](https://togithub.com/Automattic/mongoose/blob/master/History.md#570--2019-09-09) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.13...5.7.0) ================== - feat(document+query): support conditionally immutable schema paths [#8001](https://togithub.com/Automattic/mongoose/issues/8001) - perf(documentarray): refactor to use ES6 classes instead of mixins, ~30% speedup [#7895](https://togithub.com/Automattic/mongoose/issues/7895) - feat: use MongoDB driver 3.3.x for MongoDB 4.2 support [#8083](https://togithub.com/Automattic/mongoose/issues/8083) [#8078](https://togithub.com/Automattic/mongoose/issues/8078) - feat(schema+query): add pre('validate') and post('validate') hooks for update validation [#7984](https://togithub.com/Automattic/mongoose/issues/7984) - fix(timestamps): ensure updatedAt gets incremented consistently using update with and without $set [#4768](https://togithub.com/Automattic/mongoose/issues/4768) - feat(query): add `Query#get()` to make writing custom setters that handle both queries and documents easier [#7312](https://togithub.com/Automattic/mongoose/issues/7312) - feat(document): run setters on defaults [#8012](https://togithub.com/Automattic/mongoose/issues/8012) - feat(document): add `aliases: false` option to `Document#toObject()` [#7548](https://togithub.com/Automattic/mongoose/issues/7548) - feat(timestamps): support skipping updatedAt and createdAt for individual save() and update() [#3934](https://togithub.com/Automattic/mongoose/issues/3934) - docs: fix index creation link in guide [#8138](https://togithub.com/Automattic/mongoose/issues/8138) [joebowbeer](https://togithub.com/joebowbeer) ### [`v5.6.13`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5613--2019-09-04) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.12...5.6.13) =================== - fix(parallel): fix parallelLimit when fns is empty [#8130](https://togithub.com/Automattic/mongoose/issues/8130) [#8128](https://togithub.com/Automattic/mongoose/issues/8128) [sibelius](https://togithub.com/sibelius) - fix(document): ensure nested mixed validator gets called exactly once [#8117](https://togithub.com/Automattic/mongoose/issues/8117) - fix(populate): handle `justOne = undefined` [#8125](https://togithub.com/Automattic/mongoose/issues/8125) [taxilian](https://togithub.com/taxilian) ### [`v5.6.12`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5612--2019-09-03) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.11...5.6.12) =================== - fix(schema): handle required validator correctly with `clone()` [#8111](https://togithub.com/Automattic/mongoose/issues/8111) - fix(schema): copy schematype getters and setters when cloning [#8124](https://togithub.com/Automattic/mongoose/issues/8124) [StphnDamon](https://togithub.com/StphnDamon) - fix(discriminator): avoid unnecessarily cloning schema to avoid leaking memory on repeated `discriminator()` calls [#2874](https://togithub.com/Automattic/mongoose/issues/2874) - docs(schematypes): clarify when Mongoose uses `toString()` to convert an object to a string [#8112](https://togithub.com/Automattic/mongoose/issues/8112) [TheTrueRandom](https://togithub.com/TheTrueRandom) - docs(plugins): fix out of date link to npm docs [#8100](https://togithub.com/Automattic/mongoose/issues/8100) - docs(deprecations): fix typo [#8109](https://togithub.com/Automattic/mongoose/issues/8109) [jgcmarins](https://togithub.com/jgcmarins) - refactor(model): remove dependency on `async.parallelLimit()` for `insertMany()` [#8073](https://togithub.com/Automattic/mongoose/issues/8073) ### [`v5.6.11`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5611--2019-08-25) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.10...5.6.11) =================== - fix(model): allow passing options to `exists()` [#8075](https://togithub.com/Automattic/mongoose/issues/8075) - fix(document): make `validateUpdatedOnly` option handle pre-existing errors [#8091](https://togithub.com/Automattic/mongoose/issues/8091) - fix: throw readable error if middleware callback isnt a function [#8087](https://togithub.com/Automattic/mongoose/issues/8087) - fix: don't throw error if calling `find()` on a nested array [#8089](https://togithub.com/Automattic/mongoose/issues/8089) - docs(middleware): clarify that you must add middleware before compiling your model [#5087](https://togithub.com/Automattic/mongoose/issues/5087) - docs(query): add missing options to `setOptions()` [#8099](https://togithub.com/Automattic/mongoose/issues/8099) ### [`v5.6.10`](https://togithub.com/Automattic/mongoose/blob/master/History.md#5610--2019-08-20) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.9...5.6.10) =================== - fix(schema): fix require() path to work around yet another bug in Jest [#8053](https://togithub.com/Automattic/mongoose/issues/8053) - fix(document): skip casting when initing a populated path [#8062](https://togithub.com/Automattic/mongoose/issues/8062) - fix(document): prevent double-calling validators on mixed objects with nested properties [#8067](https://togithub.com/Automattic/mongoose/issues/8067) - fix(query): handle schematype with `null` options when checking immutability [#8070](https://togithub.com/Automattic/mongoose/issues/8070) [rich-earth](https://togithub.com/rich-earth) - fix(schema): support `Schema#path()` to get schema path underneath doc array [#8057](https://togithub.com/Automattic/mongoose/issues/8057) - docs(faq): add disable color instruction [#8066](https://togithub.com/Automattic/mongoose/issues/8066) ### [`v5.6.9`](https://togithub.com/Automattic/mongoose/blob/master/History.md#569--2019-08-07) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.8...5.6.9) ================== - fix(model): delete versionError after saving to prevent memory leak [#8048](https://togithub.com/Automattic/mongoose/issues/8048) - fix(cursor): correctly handle batchSize option with query cursor [#8039](https://togithub.com/Automattic/mongoose/issues/8039) - fix(populate): handle virtual populate with count = 0 if virtual embedded in doc array [#7573](https://togithub.com/Automattic/mongoose/issues/7573) - fix(schema): allow declaring ObjectId array with `{ type: 'ObjectID' }`, last 'D' case insensitive [#8034](https://togithub.com/Automattic/mongoose/issues/8034) ### [`v5.6.8`](https://togithub.com/Automattic/mongoose/blob/master/History.md#568--2019-08-02) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.7...5.6.8) ================== - fix(aggregate): allow modifying pipeline in pre('aggregate') hooks [#8017](https://togithub.com/Automattic/mongoose/issues/8017) - fix(query): make `findOneAndReplace()` work with `orFail()` [#8030](https://togithub.com/Automattic/mongoose/issues/8030) - fix(document): allow saving an unchanged document if required populated path is null [#8018](https://togithub.com/Automattic/mongoose/issues/8018) - fix(debug): support disabling colors in debug mode [#8033](https://togithub.com/Automattic/mongoose/issues/8033) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang) - docs: add async-await guide [#8028](https://togithub.com/Automattic/mongoose/issues/8028) [Rossh87](https://togithub.com/Rossh87) - docs(plugins): rewrite plugins docs to be more modern and not use strange `= exports` syntax [#8026](https://togithub.com/Automattic/mongoose/issues/8026) - docs(transactions): clarify relationship between `session` in docs and MongoDB driver ClientSession class, link to driver docs [#8009](https://togithub.com/Automattic/mongoose/issues/8009) ### [`v5.6.7`](https://togithub.com/Automattic/mongoose/blob/master/History.md#567--2019-07-26) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.6.6...5.6.7) ================== - fix(document): support validators on nested arrays [#7926](https://togithub.com/Automattic/mongoose/issues/7926) - fix(timestamps): handle `timestamps: false` in child schema [#8007](https://togithub.com/Automattic/mongoose/issues/8007) - fix(query): consistently support `new` option to `findOneAndX()` as an alternative to `returnOriginal` [#7846](https://togithub.com/Automattic/mongoose/issues/7846) - fix(document): make `inspect()` never return `null`, because a document or nested path is never `== null` [#7942](https://togithub.com/Automattic/mongoose/issues/7942) - docs(query+lean): add links to mongoose-lean-virtuals, mongoose-lean-getters, mongoose-lean-defaults [#5606](https://togithub.com/Automattic/mongoose/issues/5606) - docs: add example for `Schema#pre(Array)` [#8022](https://togithub.com/Automattic/mongoose/issues/8022) [Mangosteen-Yang](https://togithub.com/Mangosteen-Yang) - docs(schematype): updated comment from Schema.path to proper s.path [#8013](https://togithub.com/Automattic/mongoose/issues/8013) [chrisweilacker](https://togithub.com/chrisweilacker) - chore: upgrade nyc [#8015](https://togithub.com/Automattic/mongoose/issues/8015) [kolya182](https://togithub.com/kolya182)Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or if you tick the rebase/retry checkbox below.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.