orfattal / snyk-goof-master

0 stars 3 forks source link

[Snyk] Security upgrade mongoose from 4.2.4 to 5.11.7 #21

Open snyk-bot opened 3 years ago

snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 651/1000
Why? Recently disclosed, Has a fix available, CVSS 7.3
Prototype Pollution
SNYK-JS-MQUERY-1050858
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: mongoose The new version differs by 250 commits.
  • d7fc59c chore: release 5.11.7
  • d318339 fix(index.d.ts): make `Document#id` optional so types that use `id` can use `Model<IMyType & Document>`
  • a9b317a chore: upgrade mquery -> 3.2.3
  • 43f88db fix(document): ensure calling `get()` with empty string returns undefined for mongoose-plugin-autoinc
  • 369efe1 Merge pull request #9692 from sahasayan/patch-4
  • f879c4d chore: update opencollective sponsors
  • 1be4d87 fix(model): set `isNew` to false for documents that were successfully inserted by `insertMany` with `ordered = false` when an error occurred
  • b2da840 test(model): repro #9677
  • 15d6660 fix(index.d.ts): add missing Aggregate#skip() & Aggregate#limit()
  • dd348b1 chore: release 5.11.6
  • 3ec01fa fix(index.d.ts): allow calling `mongoose.model()` and `Connection#model()` with model as generic param
  • ccfa041 Merge pull request #9686 from cjroebuck/patch-1
  • 7a52e45 Merge pull request #9685 from sahasayan/patch-3
  • a5c98c2 Allow array of validators in SchemaTypeOptions
  • 48907ea fix(index.d.ts): allow 2 generic types in mongoose.model function
  • a17a2c3 Merge pull request #9683 from isengartz/master
  • 61595f0 fix(index.d.ts): allow passing ObjectId properties as strings to `create()` and `findOneAndReplace()`
  • 8e20ee6 optional next() parameter for post middleware
  • 8a52485 Merge pull request #9680 from orgads/aggregate
  • 1ef8274 fix(middleware): ensure sync errors in pre hooks always bubble up to the calling code
  • 067e3a2 fix(index.d.ts): Fix return type of Model#aggregate()
  • 0e2058d chore: release 5.11.5
  • 6d9fb4d fix(index.d.ts): add missing `SchemaTypeOpts` and `ConnectionOptions` aliases for backwards compat
  • a85adb9 test: fix tests re: #9669
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic