[Snyk] Upgrade mongoose from 8.1.2 to 8.19.2

[youngbryanyu]

Snyk has created this PR to upgrade mongoose from 8.1.2 to 8.19.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 80 versions ahead of your current version.

• The recommended version was released 21 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	624	No Known Exploit
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8446504	624	No Known Exploit
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8623536	624	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	624	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	624	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	624	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FASTXMLPARSER-7573289	624	No Known Exploit
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	624	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-GRPCGRPCJS-7242922	624	No Known Exploit
	Resource Exhaustion SNYK-JS-JOSE-6419224	624	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	624	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	624	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	624	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	624	No Known Exploit

Release notes

Package name: mongoose

• 8.19.2 - 2025-10-20
  

  8.19.2 / 2025-10-20

  • perf(setDefaultsOnInsert): avoid computing all modified paths when running setDefaultsOnInsert and update validators, only calculate if there are defaults to set #15691 #15672
  • fix: correct handling of relative vs absolute paths with maps and subdocuments #15682 #15678 #15350
  • ci: add publish script with provenance #15684 #15680
• 8.19.1 - 2025-10-06
  

  8.19.1 / 2025-10-06

  • perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
  • perf: Avoid needless path translation #15679 orgads
  • fix(query): throw error if using update operator with modifier and no path #15670 #15642
  • types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
  • docs: update installation instructions #15675 aalok-y
• 8.19.0 - 2025-10-02
  

  8.19.0 / 2025-10-02

  • feat: upgrade mongodb driver to 6.20.0 #15651 #15656
  • feat(model): add virtuals option to Model.hydrate() to set virtuals #15638 #15627
  • fix(schema): handle casting array filters underneath maps of Mixed #15655 #15653
  • types: optimize InferRawDocType #15588 ssalbdivad
  • types(schema): add lean schema option to TypeScript types #15646 #15583 #10090
• 8.18.3 - 2025-09-29
  

  8.18.3 / 2025-09-29

  • fix(update): avoid throwing error if update has a top-level $addToSet with no path #15648 #15642
  • types(query): allow passing arbitrary options #15644 #15643
  • docs(connection+mongoose): correct mongodb option name user -> username #15650 #15647
  • test: add tests covering vector search and text search using Atlas CLI #15649 #15645
• 8.18.2 - 2025-09-22
  

  8.18.2 / 2025-09-22

  • fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays #15633 #15625
  • fix(connection): use correct collection name for model when using useConnection() #15637
  • fix(connection): propagate changes to _lastHeartbeatAt to useDb() child connections #15640 #15635
  • types: fix schema property type definition in SchemaType #15631
• 8.18.1 - 2025-09-08
  

  8.18.1 / 2025-09-08

  • types: correct type inference for maps of maps #15602
  • types(model): copy base model statics onto discriminator model #15623 #15600
  • types: fix types for a string of enums #15605 ruiaraujo
  • types(SchemaOptions): disallow versionKey: true, which fails at runtime #15606
  • docs(typescript): add example explaining how to use query helper overrides for handling lean() #15622 #15601
  • docs(transactions): add note about nested transactions #15624
• 8.18.0 - 2025-08-22
  

  8.18.0 / 2025-08-22

  • feat(schema): support for union types #15574 #10894
  • fix: trim long strings in minLength and maxLength error messages and display the string length #15571 #15550
  • types(connection+collection): make BaseCollection and BaseConnection usable as values #15575 #15548
  • types: remove logic that omits timestamps when virtuals, methods, etc. options set #15577 #12807
• 8.17.2 - 2025-08-18
  

  8.17.2 / 2025-08-18

  • fix: avoid Model.validate() hanging when all paths fail casting #15580 #15579 piotracalski
  • types(document): better support for flattenObjectIds and versionKey options for toObject() and toJSON() #15582 #15578
  • docs: fix docs jsdoc tags and add UUID to be listed #15585
  • docs(document): fix code sample that errors with "Cannot set properties of undefined" #15589
• 8.17.1 - 2025-08-07
  

  8.17.1 / 2025-08-07

  • fix(query): propagate read preference and read concern to populate if read() called after populate() #15567 #15553
  • fix(model): call correct function in autoSearchIndex #15569 #15565
  • fix(model): allow setting statics option on discriminator schema #15568 #15556
  • fix(model): remove unnecessary conversion of undefined -> null in findById #15566 #15551
  • types: allow passing in projections without as const #15564 #15557
  • types: support maxLength and minLength in SchemaTypeOptions #15570 #4720
• 8.17.0 - 2025-07-30
• 8.16.5 - 2025-07-25
• 8.16.4 - 2025-07-16
• 8.16.3 - 2025-07-10
• 8.16.2 - 2025-07-07
• 8.16.1 - 2025-06-26
• 8.16.0 - 2025-06-16
• 8.15.2 - 2025-06-12
• 8.15.1 - 2025-05-26
• 8.15.0 - 2025-05-16
• 8.14.3 - 2025-05-13
• 8.14.2 - 2025-05-08
• 8.14.1 - 2025-04-29
• 8.14.0 - 2025-04-25
• 8.13.3 - 2025-04-24
• 8.13.2 - 2025-04-03
• 8.13.1 - 2025-03-28
• 8.13.0 - 2025-03-24
• 8.12.2 - 2025-03-21
• 8.12.1 - 2025-03-04
• 8.12.0 - 2025-03-03
• 8.11.0 - 2025-02-26
• 8.10.2 - 2025-02-25
• 8.10.1 - 2025-02-14
• 8.10.0 - 2025-02-05
• 8.9.7 - 2025-02-04
• 8.9.6 - 2025-01-31
• 8.9.5 - 2025-01-13
• 8.9.4 - 2025-01-09
• 8.9.3 - 2024-12-30
• 8.9.2 - 2024-12-19
• 8.9.1 - 2024-12-16
• 8.9.0 - 2024-12-13
• 8.8.4 - 2024-12-05
• 8.8.3 - 2024-11-26
• 8.8.2 - 2024-11-18
• 8.8.1 - 2024-11-08
• 8.8.0 - 2024-10-31
• 8.7.3 - 2024-10-25
• 8.7.2 - 2024-10-17
• 8.7.1 - 2024-10-09
• 8.7.0 - 2024-09-27
• 8.6.4 - 2024-09-26
• 8.6.3 - 2024-09-17
• 8.6.2 - 2024-09-11
• 8.6.1 - 2024-09-03
• 8.6.0 - 2024-08-28
• 8.5.5 - 2024-08-28
• 8.5.4 - 2024-08-23
• 8.5.3 - 2024-08-13
• 8.5.2 - 2024-07-30
• 8.5.1 - 2024-07-12
• 8.5.0 - 2024-07-08
• 8.4.5 - 2024-07-05
• 8.4.4 - 2024-06-25
• 8.4.3 - 2024-06-17
• 8.4.2 - 2024-06-17
• 8.4.1 - 2024-05-31
• 8.4.0 - 2024-05-17
• 8.3.5 - 2024-05-15
• 8.3.4 - 2024-05-06
• 8.3.3 - 2024-04-29
• 8.3.2 - 2024-04-16
• 8.3.1 - 2024-04-08
• 8.3.0 - 2024-04-03
• 8.2.4 - 2024-03-28
• 8.2.3 - 2024-03-21
• 8.2.2 - 2024-03-15
• 8.2.1 - 2024-03-04
• 8.2.0 - 2024-02-22
• 8.1.3 - 2024-02-16
• 8.1.2 - 2024-02-11

from mongoose GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs