Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency mongoose to v8.9.5 [SECURITY] #1572

Merged
merged 1 commit into from
Jan 16, 2025
Merged

Update dependency mongoose to v8.9.5 [SECURITY] #1572

merged 1 commit into from
Jan 16, 2025

Conversation

renovate-bot
Copy link
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mongoose (source) 8.9.4 -> 8.9.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-23061

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Release Notes

Automattic/mongoose (mongoose)

v8.9.5

Compare Source

==================

  • fix: disallow nested $where in populate match
  • fix(schema): handle bitwise operators on Int32 #​15176 #​15170

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Jan 16, 2025
@ajhollid ajhollid merged commit 8d49ed5 into bluewave-labs:develop Jan 16, 2025
1 check passed
@renovate-bot renovate-bot deleted the renovate/npm-mongoose-vulnerability branch January 16, 2025 18:02
llamapreview[bot]
llamapreview bot reviewed Jan 16, 2025
View reviewed changes
Copy link

@llamapreview llamapreview bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto Pull Request Review from LlamaPReview

Review Status: Automated Review Skipped

Dear contributor,

Thank you for your Pull Request. LlamaPReview has analyzed your changes and determined that this PR does not require an automated code review.

Analysis Result:

All 1 files are skipped files

Technical Context:

All files in this PR were marked as skipped, which typically includes:

  • Generated files
  • Build artifacts
  • Pre-filtered content
  • Files marked with [SKIPPED] tag

We're continuously improving our PR analysis capabilities. Have thoughts on when and how LlamaPReview should perform automated reviews? Share your insights in our GitHub Discussions.

Best regards,
LlamaPReview Team

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@llamapreview llamapreview[bot] llamapreview[bot] left review comments

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@renovate-bot @ajhollid