Bump mongoose from 7.5.3 to 8.13.2

[dependabot]

Bumps mongoose from 7.5.3 to 8.13.2.

Release notes

Sourced from mongoose's releases.

8.13.2 / 2025-04-03

• fix: avoid double calling validators on paths in document arrays underneath subdocuments #15338 #15335

8.13.1 / 2025-03-28

• fix(populate): handle virtual populate on array of UUIDs #15329 #15315
• types: allow default function returning undefined with DocType override #15328

8.13.0 / 2025-03-24

• feat: bump mongodb driver -> 6.15.0
• feat: support custom types exported from driver #15321

8.12.2 / 2025-03-21

• fix(document): avoid stripping out fields in discriminator schema after select: false field #15322 #15308
• fix(AggregationCursor): make next() error if schema pre('aggregate') middleware throws error #15293 #15279
• fix(populate): correctly get schematypes when deep populating under a map #15302 #9359
• fix(model): avoid returning null from bulkSave() if error doesn't have writeErrors property #15323
• types: add WithTimestamps utility type #15318 baruchiro
• docs: update references to the ms module in date schema documentation #15319 baruchiro
• docs: fix typo in schematypes.md #15305 skyran1278

8.12.1 / 2025-03-04

• fix: match bson version with mongodb's bson version #15297 hasezoey

8.12.0 / 2025-03-03

• feat: bump mongodb driver to 6.14
• feat: expose "SchemaTypeOptions" in browser #15277 hasezoey
• docs: update field-level-encryption.md #15272 dphrag

8.11.0 / 2025-02-26

• feat(model): make bulkWrite results include MongoDB bulk write errors as well as validation errors #15271 #15265
• feat(document): add schemaFieldsOnly option to toObject() and toJSON() #15259 #15218
• feat: introduce populate ordered option for populating in series rather than in parallel for transactions #15239 #15231 #15210
• fix(bigint): throw error when casting BigInt that's outside of the bounds of what MongoDB can safely store #15230 #15200

8.10.2 / 2025-02-25

• fix(model+connection): return MongoDB BulkWriteResult instance even if no valid ops #15266 #15265
• fix(debug): avoid printing trusted symbol in debug output #15267 #15263
• types: make type inference logic resilient to no Buffer type due to missing @​types/node #15261

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.13.2 / 2025-04-03

• fix: avoid double calling validators on paths in document arrays underneath subdocuments #15338 #15335

8.13.1 / 2025-03-28

• fix(populate): handle virtual populate on array of UUIDs #15329 #15315
• types: allow default function returning undefined with DocType override #15328

8.13.0 / 2025-03-24

• feat: bump mongodb driver -> 6.15.0
• feat: support custom types exported from driver #15321

8.12.2 / 2025-03-21

• fix(document): avoid stripping out fields in discriminator schema after select: false field #15322 #15308
• fix(AggregationCursor): make next() error if schema pre('aggregate') middleware throws error #15293 #15279
• fix(populate): correctly get schematypes when deep populating under a map #15302 #9359
• fix(model): avoid returning null from bulkSave() if error doesn't have writeErrors property #15323
• types: add WithTimestamps utility type #15318 baruchiro
• docs: update references to the ms module in date schema documentation #15319 baruchiro
• docs: fix typo in schematypes.md #15305 skyran1278

8.12.1 / 2025-03-04

• fix: match bson version with mongodb's bson version #15297 hasezoey

8.12.0 / 2025-03-03

• feat: bump mongodb driver to 6.14
• feat: expose "SchemaTypeOptions" in browser #15277 hasezoey
• docs: update field-level-encryption.md #15272 dphrag

8.11.0 / 2025-02-26

• feat(model): make bulkWrite results include MongoDB bulk write errors as well as validation errors #15271 #15265
• feat(document): add schemaFieldsOnly option to toObject() and toJSON() #15259 #15218
• feat: introduce populate ordered option for populating in series rather than in parallel for transactions #15239 #15231 #15210
• fix(bigint): throw error when casting BigInt that's outside of the bounds of what MongoDB can safely store #15230 #15200

8.10.2 / 2025-02-25

• fix(model+connection): return MongoDB BulkWriteResult instance even if no valid ops #15266 #15265
• fix(debug): avoid printing trusted symbol in debug output #15267 #15263
• types: make type inference logic resilient to no Buffer type due to missing @​types/node #15261

8.10.1 / 2025-02-14

• perf(document): only call undoReset() 1x/document #15257 #15255

... (truncated)

Commits

• 2032038 chore: release 8.13.2
• eae96bb Merge pull request #15343 from Automattic/dependabot/github_actions/master/ac...
• 6960eda Merge pull request #15341 from Automattic/dependabot/npm_and_yarn/master/babe...
• 1ac3e74 Merge pull request #15340 from Automattic/dependabot/npm_and_yarn/master/sino...
• 5597808 Merge pull request #15338 from Automattic/vkarpov15/gh-15335
• 99b9b42 chore(deps): bump actions/setup-node from 4.2.0 to 4.3.0
• 3559fc7 chore(deps-dev): bump @​babel/core from 7.26.9 to 7.26.10
• de45792 chore(deps-dev): bump sinon from 19.0.2 to 20.0.0
• 46cf99b fix: only run unmodified subdoc validation logic on top-level subdocs
• fa4d6eb fix(document): avoid double calling validators on paths in document arrays un...
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
@mongodb-js/saslprep	1.4.4	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@mongodb-js/saslprep	1.4.4	Unknown	Unknown
npm/@types/whatwg-url	13.0.0	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/bson	7.0.0	🟢 6.3	Details Check Score Reason Maintained 🟢 10 27 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits
npm/kareem	3.0.0	Unknown	Unknown
npm/minimist	1.2.8	🟢 5.9	Details Check Score Reason Code-Review 🟢 4 Found 10/25 approved changesets -- score normalized to 4 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/mongodb	7.0.0	🟢 6.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 7 3 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/mongodb-connection-string-url	7.0.0	🟢 6.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
npm/mongoose	9.0.2	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 5/8 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 7 SAST tool detected but not run on all commits
npm/mquery	6.0.0	Unknown	Unknown
npm/punycode	2.3.1	🟢 3.8	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/sift	17.1.3	⚠️ 2.3	Details Check Score Reason Code-Review ⚠️ 2 Found 4/16 approved changesets -- score normalized to 2 Dangerous-Workflow ⚠️ -1 no workflows found Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ -1 no dependencies found Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/tr46	5.1.1	🟢 4.2	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 5/26 approved changesets -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 9 1 existing vulnerabilities detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/whatwg-url	14.2.0	🟢 4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 1/27 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json

[ronaldsg20]

@dependabot recreate