chore(deps): update dependency mongoose to v8.9.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	8.8.3 → 8.9.5

GitHub Vulnerability Alerts

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

---

Release Notes

Automattic/mongoose (mongoose)

v8.9.5

Compare Source

==================

• fix: disallow nested $where in populate match CVE-2025-23061
• fix(schema): handle bitwise operators on Int32 #​15176 #​15170

v8.9.4

Compare Source

==================

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #​15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #​15169 #​15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #​15161 #​15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #​15142 #​15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #​15160 #​15158
• docs: fix <code> in header ids #​15159
• docs: fix header in field-level-encryption.md #​15137 damieng

v8.9.3

Compare Source

==================

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #​15135 #​15112 #​15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #​15124 #​15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #​15131 #​15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #​15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #​15136 #​10449
• types: make BufferToBinary avoid Document instances #​15123 #​15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #​15132 #​15111
• types(schema): add missing removeIndex #​15134
• types: add cleanIndexes() to IndexManager interface #​15127
• docs: move search endpoint to netlify #​15119

v8.9.2

Compare Source

==================

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #​15112 #​15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #​15114 #​15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #​15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #​15103 #​15102 #​15057
• types: add UUID to RefType #​15115 #​15101
• docs: remove link to Mongoose 5.x docs from dropdown #​15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #​15113 #​15107

v8.9.1

Compare Source

==================

• fix(connection): remove heartbeat check in load balanced mode #​15089 #​15042 #​14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #​15099 #​15088 #​15092
• fix(model): handle discriminators in castObject() #​15096 #​15075
• fix(schema): throw error if duplicate index definition using unique in schema path and subsequent .index() call #​15093 #​15056
• fix: mark documents that are populated using hydratedPopulatedDocs option as populated in top-level doc #​15080 #​15048
• fix(document+schema): improve error message for get() on invalid path #​15098 #​15071
• docs: remove more callback doc references & some small other changes #​15095

v8.9.0

Compare Source

==================

• feat: upgrade mongodb -> 6.12
• feat: add int32 schematype #​15054 aditi-khare-mongoDB
• feat: add double schematype #​15061 aditi-khare-mongoDB
• feat: allow specifying error message override for duplicate key errors unique: true #​15059 #​12844
• feat(connection): add support for Connection.prototype.bulkWrite() with MongoDB server 8.0 #​15058 #​15028
• feat: add forceRepopulate option for populate() to allow avoiding repopulating already populated docs #​15044 #​14979
• fix(connection): remove heartbeat check in load balanced mode #​15089 #​15042
• fix(query): clone PopulateOptions when setting _localModel to avoid state leaking between subpopulate instances #​15082 #​15026
• types: add splice() to DocumentArray to allow adding partial objects with splice() #​15085 #​15041
• types(aggregate): add $firstN, $lastN, $bottom, $bottomN, $minN and $maxN operators #​15087 mlomnicki
• docs: Remove merge conflict markers #​15090 sponrad

v8.8.4

Compare Source

==================

• fix: cast using overwritten embedded discriminator key when set #​15076 #​15051
• fix: avoid throwing error if saveOptions undefined when invalidating subdoc cache #​15062

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^8.0.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.