secure-code-warrior-for-github[bot]
commented
1 year ago Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of Service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Prototype pollution (Detected by phrase)
Matched on "Prototype Pollution"
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
renovate[bot]
This PR contains the following updates:
5.13.7->5.13.15GitHub Vulnerability Alerts
CVE-2022-2564
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.\n\nAffected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Release Notes
Automattic/mongoose
### [`v5.13.15`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51315--2022-08-22) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.14...5.13.15) \==================== - fix: backport fix for CVE-2022-2564 [#12281](https://togithub.com/Automattic/mongoose/issues/12281) [shubanker](https://togithub.com/shubanker) - docs: fix broken link from findandmodify method deprecation [#11366](https://togithub.com/Automattic/mongoose/issues/11366) [laissonsilveira](https://togithub.com/laissonsilveira) ### [`v5.13.14`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51314--2021-12-27) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.13...5.13.14) \==================== - fix(timestamps): avoid setting createdAt on documents that already exist but dont have createdAt [#11024](https://togithub.com/Automattic/mongoose/issues/11024) - docs(models): fix up nModified example for 5.x [#11055](https://togithub.com/Automattic/mongoose/issues/11055) ### [`v5.13.13`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51313--2021-11-02) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.12...5.13.13) \==================== - fix: upgrade to mongodb@3.7.3 [#10909](https://togithub.com/Automattic/mongoose/issues/10909) [gaurav-sharma-gs](https://togithub.com/gaurav-sharma-gs) - fix: correctly emit end event in before close [#10916](https://togithub.com/Automattic/mongoose/issues/10916) [iovanom](https://togithub.com/iovanom) - fix(index.d.ts): improve ts types for query set [#10942](https://togithub.com/Automattic/mongoose/issues/10942) [jneal-afs](https://togithub.com/jneal-afs) ### [`v5.13.12`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51312--2021-10-19) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.11...5.13.12) \==================== - fix(cursor): use stream destroy method on close to prevent emitting duplicate 'close' [#10897](https://togithub.com/Automattic/mongoose/issues/10897) [iovanom](https://togithub.com/iovanom) - fix(index.d.ts): backport streamlining of FilterQuery and DocumentDefinition to avoid "excessively deep and possibly infinite" TS errors [#10617](https://togithub.com/Automattic/mongoose/issues/10617) ### [`v5.13.11`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51311--2021-10-12) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.10...5.13.11) \==================== - fix: upgrade mongodb -> 3.7.2 [#10871](https://togithub.com/Automattic/mongoose/issues/10871) [winstonralph](https://togithub.com/winstonralph) - fix(connection): call setMaxListeners(0) on MongoClient to avoid event emitter memory leak warnings with `useDb()` [#10732](https://togithub.com/Automattic/mongoose/issues/10732) ### [`v5.13.10`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#51310--2021-10-05) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.9...5.13.10) \==================== - fix(index.d.ts): allow using type: SchemaDefinitionProperty in schema definitions [#10674](https://togithub.com/Automattic/mongoose/issues/10674) - fix(index.d.ts): allow AnyObject as param to findOneAndReplace() [#10714](https://togithub.com/Automattic/mongoose/issues/10714) ### [`v5.13.9`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5139--2021-09-06) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.8...5.13.9) \=================== - fix(populate): avoid setting empty array on lean document when populate result is undefined [#10599](https://togithub.com/Automattic/mongoose/issues/10599) - fix(document): make depopulate() handle populated paths underneath document arrays [#10592](https://togithub.com/Automattic/mongoose/issues/10592) - fix: peg [@types/bson](https://togithub.com/types/bson) version to 1.x || 4.0.x to avoid stubbed 4.2.x release [#10678](https://togithub.com/Automattic/mongoose/issues/10678) - fix(index.d.ts): simplify UpdateQuery to avoid "excessively deep and possibly infinite" errors with `extends Document` and `any` [#10647](https://togithub.com/Automattic/mongoose/issues/10647) - fix(index.d.ts): allow specifying weights as an IndexOption [#10586](https://togithub.com/Automattic/mongoose/issues/10586) - fix: upgrade to mpath v0.8.4 re: security issue [#10683](https://togithub.com/Automattic/mongoose/issues/10683) ### [`v5.13.8`](https://togithub.com/Automattic/mongoose/blob/HEAD/CHANGELOG.md#5138--2021-08-23) [Compare Source](https://togithub.com/Automattic/mongoose/compare/5.13.7...5.13.8) \=================== - fix(populate): handle populating subdoc array virtual with sort [#10552](https://togithub.com/Automattic/mongoose/issues/10552) - fix(model): check for code instead of codeName when checking for existing collections for backwards compat with MongoDB 3.2 [#10420](https://togithub.com/Automattic/mongoose/issues/10420) - fix(index.d.ts): correct value of this for custom query helper methods [#10545](https://togithub.com/Automattic/mongoose/issues/10545) - fix(index.d.ts): allow strings for ObjectIds in nested properties [#10573](https://togithub.com/Automattic/mongoose/issues/10573) - fix(index.d.ts): add match to VirtualTypeOptions.options [#8749](https://togithub.com/Automattic/mongoose/issues/8749) - fix(index.d.ts): allow QueryOptions populate parameter type PopulateOptions [#10587](https://togithub.com/Automattic/mongoose/issues/10587) [osmanakol](https://togithub.com/osmanakol) - docs(api): add Document#$where to API docs [#10583](https://togithub.com/Automattic/mongoose/issues/10583)Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.