Update dependency mongoose to v6 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	5.13.13 → 6.13.9

---

automattic/mongoose vulnerable to Prototype pollution via Schema.path

CVE-2022-2564 / GHSA-f825-f98c-gj3g

More information

Details

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Severity

• CVSS Score: 7.0 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-2564
• https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
• https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
• https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
• https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
• https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
• https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a
• https://github.com/advisories/GHSA-f825-f98c-gj3g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mongoose Prototype Pollution vulnerability

CVE-2023-3696 / GHSA-9m93-w8w6-76hh

More information

Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

Severity

• CVSS Score: 10.0 / 10 (Critical)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-3696
• https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
• https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
• https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1
• https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
• https://github.com/Automattic/mongoose/releases/tag/7.3.3
• https://github.com/advisories/GHSA-9m93-w8w6-76hh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mongoose Vulnerable to Prototype Pollution in Schema Object

CVE-2022-24304 / GHSA-h8hf-x3f4-xwgp

More information

Details

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Proof of Concept

// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

malicious_payload = '__proto__.toString'

schema.path(malicious_payload, [String])

x = {}
console.log(x.toString()) // crashed (Denial of service (DoS) attack)

Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of service (DoS), Remote Code Execution, or Property Injection.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-24304
• https://github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
• https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
• https://github.com/Automattic/mongoose/issues/12085
• https://github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e
• https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd/
• https://github.com/advisories/GHSA-h8hf-x3f4-xwgp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mongoose search injection vulnerability

CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw

More information

Details

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Severity

• CVSS Score: 9.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-23061
• https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
• https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
• https://github.com/Automattic/mongoose/releases/tag/8.9.5
• https://www.npmjs.com/package/mongoose?activeTab=versions
• https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6
• https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4
• https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5
• https://github.com/Automattic/mongoose/releases/tag/6.13.6
• https://github.com/Automattic/mongoose/releases/tag/7.8.4
• https://github.com/advisories/GHSA-m7xq-9374-9rvx
• https://github.com/advisories/GHSA-vg7j-7cwx-8wgw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mongoose search injection vulnerability

CVE-2024-53900 / GHSA-m7xq-9374-9rvx

More information

Details

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-53900
• https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156
• https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
• https://github.com/Automattic/mongoose/releases
• https://www.npmjs.com/package/mongoose?activeTab=versions
• https://github.com/Automattic/mongoose/commit/33679bcf8ca43d74e3e8ecd4cc224826772d805b
• https://github.com/Automattic/mongoose/compare/6.13.4...6.13.5
• https://github.com/Automattic/mongoose/compare/7.8.2...7.8.3
• https://github.com/Automattic/mongoose/compare/8.8.2...8.8.3
• https://github.com/github/advisory-database/pull/6769
• https://github.com/github/advisory-database/pull/6776
• https://github.com/Automattic/mongoose/commit/bbb6fa7ecb44bbaf5bea955d886378a1247bce0b
• https://github.com/advisories/GHSA-m7xq-9374-9rvx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

CVE-2026-42334 / GHSA-wpg9-53fq-2r8h

More information

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

• Authentication bypass
• Unauthorized data access
• Data exfiltration

Affected users:

Applications that:

• Explicitly enable sanitizeFilter
• Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

• ^6.13.9
• ^7.8.9
• ^8.22.1
• ^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h
• https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()
• https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
• https://github.com/advisories/GHSA-wpg9-53fq-2r8h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Automattic/mongoose (mongoose)

v6.13.9

Compare Source

6.13.9 / 2026-02-04

• fix: handle other top-level query operators in sanitizeFilter
• types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #​15303 #​15299
• docs(compatibility): add note that Mongoose ^6.5 works with MongoDB server 7.x #​15427

v6.13.8

Compare Source

===================

• chore: remove coverage output from bundle

v6.13.7

Compare Source

===================

• chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

v6.13.6

Compare Source

===================

• fix: disallow nested $where in populate match CVE-2025-23061

v6.13.5

Compare Source

===================

• fix: disallow using $where in match

v6.13.4

Compare Source

===================

• fix: save execution stack in query as string #​15043 #​15039
• docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #​14998 markstos

v6.13.3

Compare Source

===================

• docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #​11152

v6.13.2

Compare Source

===================

• fix(document): make set() respect merge option on deeply nested objects #​14870 #​14878

v6.13.1

Compare Source

===================

• fix: remove empty $and, $or, $not that were made empty by scrict mode #​14749 #​13086 0x0a0d

v6.13.0

Compare Source

===================

• feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v6.12.9

Compare Source

===================

• fix(cast): cast $comment to string in query filters #​14590 #​14576
• types(model): allow passing strict type checking override to create() #​14571 #​14548

v6.12.8

Compare Source

===================

• fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #​14468 #​14446
• fix(schematype): consistently set wasPopulated to object with value property rather than boolean #​14418
• docs(model): add extra note about lean option for insertMany() skipping casting #​14415 #​14376

v6.12.7

Compare Source

===================

• perf(model): make insertMany() lean option skip hydrating Mongoose docs #​14376 #​14372
• perf(document+schema): small optimizations to make init() faster #​14383 #​14113
• fix(connection): don't modify passed options object to openUri() #​14370 #​13376 #​13335
• fix(ChangeStream): bubble up resumeTokenChanged changeStream event #​14355 #​14349 3150

v6.12.6

Compare Source

===================

• fix(collection): correctly handle buffer timeouts with find() #​14277
• fix(document): allow calling push() with different $position arguments #​14254

v6.12.5

Compare Source

===================

• perf(schema): remove unnecessary lookahead in numeric subpath check
• fix(document): allow setting nested path to null #​14226
• fix(document): avoid flattening dotted paths in mixed path underneath nested path #​14198 #​14178
• fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #​14213

v6.12.4

Compare Source

===================

• fix: upgrade mongodb driver -> 4.17.2
• fix(document): avoid treating nested projection as inclusive when applying defaults #​14173 #​14115
• fix: account for null values when assigning isNew property #​14172 #​13883

v6.12.3

Compare Source

===================

• fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #​14052
• fix(schema): fix dangling reference to virtual in tree after removeVirtual() #​14019 #​13085
• fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #​14053 #​14024
• fix(document): consistently avoid marking subpaths of nested paths as modified #​14053 #​14022

v6.12.2

Compare Source

===================

• fix: add fullPath to ValidatorProps #​13995 Freezystem

v6.12.1

Compare Source

===================

• fix(mongoose): correctly handle global applyPluginsToChildSchemas option #​13945 #​13887 hasezoey
• fix: Document.prototype.isModified support for a string of keys as first parameter #​13940 #​13674 k-chop

v6.12.0

Compare Source

===================

• feat: use mongodb driver v4.17.1
• fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #​13664
• fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #​13763 #​13720

v6.11.6

Compare Source

===================

• fix(model): avoid hanging on empty bulkWrite() with ordered: false #​13701 #​13684 JavaScriptBach
• types: augment bson.ObjectId instead of adding on own type #​13515 #​12537 hasezoey

v6.11.5

Compare Source

===================

• fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #​13671 #​13626
• fix: custom debug function not processing all args #​13418

v6.11.4

Compare Source

===================

• perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #​13614

v6.11.3

Compare Source

===================

• fix: avoid prototype pollution on init
• fix(schema): correctly handle uuids with populate() #​13317 #​13595

v6.11.2

Compare Source

===================

• fix(cursor): allow find middleware to modify query cursor options #​13476 #​13453 #​13435

v6.11.1

Compare Source

===================

• fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #​13348 #​13340
• fix: add SUPPRESS_JEST_WARNINGS environment variable to hide jest warnings #​13384 #​13373
• types(model): allow overwriting expected param type for bulkWrite() #​13292 hasezoey

v6.11.0

Compare Source

===================

• feat: upgrade to mongodb 4.16.0 for Deno+Atlas connection fix #​13337 #​13075
• perf: speed up creating maps of subdocuments #​13280 #​13191 #​13271
• fix(query): set ObjectParameterError if calling findOneAndX() with filter as non-object #​13338
• fix(document): merge Document $inc calls instead of overwriting #​13322
• fix(update): handle casting doubly nested arrays with $pullAll #​13285
• docs: backport documentation versioning changes to 6.x #​13253 #​13190 hasezoey

v6.10.5

Compare Source

===================

• perf(document): avoid unnecessary loops, conditionals, string manipulation on Document.prototype.get() for 10x speedup on top-level properties #​12953
• fix(model): execute valid write operations if calling bulkWrite() with ordered: false #​13218 #​13176
• fix(array): pass-through all parameters #​13202 #​13201 hasezoey
• fix: improve error message when sorting by empty string #​13249 #​10182
• docs: add version support and check version docs #​13251 #​13193

v6.10.4

Compare Source

===================

• fix(document): apply setters on resulting value when calling Document.prototype.$inc() #​13178 #​13158
• fix(model): add results property to unordered insertMany() to make it easy to identify exactly which documents were inserted #​13163 #​12791
• docs(guide+schematypes): add UUID to schematypes guide #​13184

v6.10.3

Compare Source

===================

• fix(connection): add stub implementation of doClose to base connection class #​13157
• fix(types): add cursor.eachAsync index parameter #​13162 #​13153 hasezoey
• docs: fix 6.x docs sidebar links #​13147 #​13144 hasezoey
• docs(validation): clarify that validation runs as first pre(save) middleware #​13062

v6.10.2

Compare Source

===================

• fix(document): avoid setting array default if document array projected out by sibling projection #​13135 #​13043 #​13003
• fix(documentarray): set correct document array path if making map of document arrays #​13133
• fix: undo accidental change to engines in package.json #​13124 lorand-horvath
• docs: quick improvement to Model.init() docs #​13054

v6.10.1

Compare Source

===================

• fix: avoid removing empty query filters in $and and $or #​13086 #​12898
• fix(schematype): fixed validation for required UUID field #​13018 lpizzinidev
• fix(types): add missing Paths generic param to Model.populate() #​13070
• docs(migrating_to_6): added info about removal of reconnectTries and reconnectInterval options #​13083 lpizzinidev
• docs: fix code in headers for migrating_to_5 #​13077 hasezoey
• docs: backport misc documentation changes into 6.x #​13091 hasezoey

v6.10.0

Compare Source

===================

• feat: upgrade to mongodb driver 4.14.0 #​13036
• feat: added Schema.prototype.omit() function #​12939 #​12931 lpizzinidev
• feat(index): added createInitialConnection option to Mongoose constructor #​13021 #​12965 lpizzinidev

v6.9.3

Compare Source

==================

• fix(connection): delay calculating autoCreate and autoIndex until after initial connection established #​13007 #​12940 lpizzinidev
• fix(discriminator): allows update doc with discriminatorKey #​13056 #​13055 abarriel
• fix(query): avoid sending unnecessary empty projection to MongoDB server #​13059 #​13050
• fix(model): avoid sending null session option with document operations #​13053 #​13052 lpizzinidev
• fix(types): use MergeTypes for type overrides in HydratedDocument #​13066 #​13040
• docs(middleware): list validate as a potential query middleware #​13057 #​12680
• docs(getters-setters): explain that getters do not run by default on toJSON() #​13058 #​13049
• docs: refactor docs generation scripts #​13044 hasezoey

v6.9.2

Compare Source

==================

• fix(model): fixed post('save') callback parameter #​13030 #​13026 lpizzinidev
• fix(UUID): added null check to prevent error on binaryToString conversion #​13034 #​13032 #​13029 lpizzinidev Freezystem
• fix(query): revert breaking changes introduced by #​12797 #​12999 lpizzinidev
• fix(document): make array $shift() use $pop instead of overwriting array #​13004
• docs: update & remove old links #​13019 hasezoey
• docs(middleware): describe how to access model from document middleware #​13031 AxeOfMen
• docs: update broken & outdated links #​13001 hasezoey
• chore: change deno tests to also use MMS #​12918 hasezoey

v6.9.1

Compare Source

==================

• fix(document): isModified should not be triggered when setting a nested boolean to the same value as previously #​12994 lpizzinidev
• fix(document): save newly set defaults underneath single nested subdocuments #​13002 #​12905
• fix(update): handle custom discriminator model name when casting update #​12947 wassil
• fix(connection): handles unique autoincrement ID for connections #​12990 lpizzinidev
• fix(types): fix type of options of Model.aggregate #​12933 ghost91-
• fix(types): fix "near" aggregation operator input type #​12954 Jokero
• fix(types): add missing Top operator to AccumulatorOperator type declaration #​12952 lpizzinidev
• docs(transactions): added example for Connection.transaction() method #​12943 #​12934 lpizzinidev
• docs(populate): fix out of date comment referencing onModel property #​13000
• docs(transactions): fix typo in transactions.md #​12995 Parth86

v6.9.0

Compare Source

==================

• feat(schema): add removeVirtual(path) function to schema #​12920 IslandRhythms
• fix(cast): remove empty $or conditions after strict applied #​12898 0x0a0d
• docs: fixed typo #​12946 Gbengstar

v6.8.4

Compare Source

==================

• fix(collection): handle creating model when connection disconnected with bufferCommands = false #​12889
• fix(populate): merge instead of overwrite when match is on _id #​12891
• fix: add guard to stop loadClass copying Document if Document is used as base of loaded class (same hack as implemented for Model already) #​12820 sgpinkus
• fix(types): correctly infer types on document arrays #​12884 #​12882 JavaScriptBach
• fix(types): added omit for ArraySubdocument type in LeanType declaration #​12903 piyushk96
• fix(types): add returnDocument type safety #​12906 AbdelrahmanHafez
• docs(typescript): add notes about virtual context to Mongoose 6 migration and TypeScript virtuals docs #​12912 #​12806
• docs(schematypes): removed dead link and fixed formatting #​12897 #​12885 lpizzinidev
• docs: fix link to lean api #​12910 manniL
• docs: list all possible strings for schema.pre in one place #​12868
• docs: add list of known incompatible npm packages #​12892 IslandRhythms

v6.8.3

Compare Source

==================

• perf: improve performance of assignRawDocsToIdStructure for faster populate on large docs #​12867 Uzlopak
• fix(model): ensure consistent ordering of validation errors in insertMany() with ordered: false and rawResult: true #​12866
• fix: avoid passing final callback to pre hook, because calling the callback can mess up hook execution #​12836
• fix(types): avoid inferring timestamps if methods, virtuals, or statics set #​12871
• fix(types): correctly infer string enums on const arrays #​12870 JavaScriptBach
• fix(types): allow virtuals to be invoked in the definition of other virtuals #​12874 sffc
• fix(types): add type def for Aggregate#model without arguments #​12864 hasezoey
• docs(discriminators): add section about changing discriminator key #​12861
• docs(typescript): explain that virtuals inferred from schema only show up on Model, not raw document type #​12860 #​12684

v6.8.2

Compare Source

==================

• fix(schema): propagate strictQuery to implicitly created schemas for embedded discriminators #​12827 #​12796
• fix(model): respect discriminators with Model.validate() #​12824 #​12621
• fix(query): fix unexpected validation error when doing findOneAndReplace() with a nullish value #​12826 #​12821
• fix(discriminator): apply built-in plugins to discriminator schema even if mergeHooks and mergePlugins are both false #​12833 #​12696
• fix(types): add option "overwriteModels" as a schema option #​12817 #​12816 hasezoey
• fix(types): add property "defaultOptions" #​12818 hasezoey
• docs: make search bar respect documentation version, so you can search 5.x docs #​12548
• docs(typescript): make note about recommending strict mode when using auto typed schemas #​12825 #​12420
• docs: add section on sorting to query docs #​12588 IslandRhythms
• test(query.test): add write-concern option #​12829 hasezoey

v6.8.1

Compare Source

==================

• fix(query): avoid throwing circular dependency error if same object is used in multiple properties #​12774 orgads
• fix(map): return value from super.delete() #​12777 danbrud
• fix(populate): handle virtual populate underneath document array with justOne=true and sort set where 1 element has only 1 result #​12815 #​12730
• fix(update): handle embedded discriminators when casting array filters #​12802 #​12565
• fix(populate): avoid calling transform if there's no populate results and using lean #​12804 #​12739
• fix(model): prevent index creation on syncIndexes if not necessary #​12785 #​12250 lpizzinidev
• fix(types): correctly infer this when using pre('updateOne') with { document: true, query: false } #​12778
• fix(types): make InferSchemaType: consider { required: boolean } required if it isn't explicitly false #​12784 JavaScriptBach
• docs: replace many occurrences of "localhost" with "127.0.0.1" #​12811 #​12741 hasezoey SadiqOnGithub
• docs(mongoose): Added missing options to set #​12810 lpizzinidev
• docs: add info on $locals parameters to getters/setters tutorial #​12814 #​12550 IslandRhythms
• docs: make Document.prototype.$clone() public #​12803
• docs(query): updated explanation for slice #​12776 #​12474 lpizzinidev
• docs(middleware): fix broken links #​12787 lpizzinidev
• docs(queries): fixed broken links [#​1279

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

/usr/local/bin/docker: line 4: .: filename argument required
.: usage: . filename [arguments]
npm notice 
npm notice New major version of npm available! 8.19.4 -> 9.8.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v9.8.0>
npm notice Run `npm install -g npm@9.8.0` to update!
npm notice 
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: mongoose-auto-increment@5.0.1
npm ERR! Found: mongoose@5.13.20
npm ERR! node_modules/mongoose
npm ERR!   mongoose@"5.13.20" from the root project
npm ERR!   peer mongoose@"*" from mongoose-legacy-pluralize@1.0.2
npm ERR!   node_modules/mongoose-legacy-pluralize
npm ERR!     mongoose-legacy-pluralize@"1.0.2" from mongoose@5.13.20
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR! node_modules/mongoose-auto-increment
npm ERR!   mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: mongoose@4.13.21
npm ERR! node_modules/mongoose
npm ERR!   peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR!   node_modules/mongoose-auto-increment
npm ERR!     mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/worker/fbf20c/13d46d/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/worker/fbf20c/13d46d/cache/others/npm/_logs/2023-07-18T22_57_07_859Z-debug-0.log

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: mongoose-auto-increment@5.0.1
npm ERR! Found: mongoose@6.13.9
npm ERR! node_modules/mongoose
npm ERR!   mongoose@"6.13.9" from the root project
npm ERR!   peer mongoose@"*" from mongoose-legacy-pluralize@1.0.2
npm ERR!   node_modules/mongoose-legacy-pluralize
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR! node_modules/mongoose-auto-increment
npm ERR!   mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: mongoose@4.13.21
npm ERR! node_modules/mongoose
npm ERR!   peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR!   node_modules/mongoose-auto-increment
npm ERR!     mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-05-07T05_39_58_048Z-debug-0.log