fix(deps): update dependency mongoose to v6 [security]#259
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency mongoose to v6 [security]#259renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Author
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: backend/package-lock.json |
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
July 18, 2023 21:37
5843ae3 to
f3a3fec
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
August 6, 2024 09:20
f3a3fec to
07ad1ad
Compare
Author
|
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
August 13, 2025 15:16
40e4b56 to
44095ea
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
August 31, 2025 11:12
44095ea to
ab2dac3
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
September 25, 2025 20:01
ab2dac3 to
7079a44
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
October 22, 2025 17:31
bafb54e to
1a87442
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
from
November 10, 2025 16:46
1a87442 to
9488910
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
March 30, 2026 21:17
9488910 to
fc89a24
Compare
renovate
Bot
force-pushed
the
renovate/npm-mongoose-vulnerability
branch
2 times, most recently
from
April 27, 2026 23:07
fc89a24 to
e6963e4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.13.13→6.11.3automattic/mongoose vulnerable to Prototype pollution via Schema.path
CVE-2022-2564 / GHSA-f825-f98c-gj3g
More information
Details
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The
Schema.path()function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Mongoose Prototype Pollution vulnerability
CVE-2023-3696 / GHSA-9m93-w8w6-76hh
More information
Details
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
Automattic/mongoose (mongoose)
v6.11.3Compare Source
===================
v6.11.2Compare Source
===================
v6.11.1Compare Source
===================
v6.11.0Compare Source
===================
v6.10.5Compare Source
===================
v6.10.4Compare Source
===================
v6.10.3Compare Source
===================
v6.10.2Compare Source
===================
enginesinpackage.json#13124 lorand-horvathv6.10.1Compare Source
===================
$andand$or#13086 #12898Model.populate()#13070v6.10.0Compare Source
===================
v6.9.3Compare Source
==================
autoCreateandautoIndexuntil after initial connection established #13007 #12940 lpizzinidevv6.9.2Compare Source
==================
v6.9.1Compare Source
==================
v6.9.0Compare Source
==================
$orconditions after strict applied #12898 0x0a0dv6.8.4Compare Source
==================
v6.8.3Compare Source
==================
v6.8.2Compare Source
==================
v6.8.1Compare Source
==================
$localsparameters to getters/setters tutorial #12814 #12550 IslandRhythmsv6.8.0Compare Source
==================
localFieldandforeignFieldfor virtual populate #12657 #6963 IslandRhythmsv6.7.5Compare Source
==================
v6.7.4Compare Source
==================
v6.7.3Compare Source
==================
v6.7.2Compare Source
==================
applyPlugins == false#12613 #12604 lpizzinidevv6.7.1Compare Source
==================
v6.7.0Compare Source
==================
v6.6.7Compare Source
==================
v6.6.6Compare Source
==================
v6.6.5Compare Source
==================
v6.6.4Compare Source
==================
v6.6.3Compare Source
==================
v6.6.2Compare Source
==================
select: falseon map paths in query results #12467 lpizzinidevv6.6.1Compare Source
==================
v6.6.0Compare Source
==================
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.