
fix(deps): update dependency mongoose to v6.13.6 [security] #1382

Open
wants to merge 1 commit into base: v1
Conversation

renovate-bot (Contributor)

@renovate-bot renovate-bot commented Dec 5, 2024

This PR contains the following updates:

Package: mongoose (source)
Change: 6.11.3 -> 6.13.6

GitHub Vulnerability Alerts

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.


Release Notes

Automattic/mongoose (mongoose)

v6.13.6

v6.13.5

v6.13.4

v6.13.3

v6.13.2

  • fix(document): make set() respect merge option on deeply nested objects #14870 #14878

v6.13.1

v6.13.0

v6.12.9

v6.12.8

  • fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
  • fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
  • docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

v6.12.7

v6.12.6

v6.12.5

v6.12.4

v6.12.3

v6.12.2

v6.12.1

v6.12.0

  • feat: use mongodb driver v4.17.1
  • fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
  • fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

v6.11.6

v6.11.5

  • fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
  • fix: custom debug function not processing all args #13418

v6.11.4

  • perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

7.3.4 / 2023-07-12

  • chore: release 7.4.4 to overwrite accidental publish of 5.13.20 to latest tag

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
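The advisories above describe the $where clause executing arbitrary JavaScript inside a MongoDB query. The following JavaScript is an added example, not code from this PR, from Renovate, or from Mongoose: it shows a check an application can run on a request-supplied filter before handing it to a Mongoose query, walking the filter and reporting any `$` operator outside an assumed allow-list, plus a stricter helper that builds the filter from named fields and literal values only. The allow-list, the function names and the sample request bodies are assumptions for the example.

```javascript
// Added example, not code from this PR or from Mongoose: a defensive check for
// request-supplied filter objects before they are handed to Model.find() or a
// populate() match. The advisory text above notes that $where executes arbitrary
// JavaScript server-side, so a filter built from user input must never carry it.

// Operators an untrusted caller may use. The allow-list is an assumption for
// this example; anything else starting with "$" is reported.
const ALLOWED_OPERATORS = new Set(['$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$in', '$nin']);

// Walk a filter recursively (objects and arrays) and return the dotted path of
// the first disallowed "$" key, or null when the filter is clean.
function findDisallowedOperator(filter, path = '') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findDisallowedOperator(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const key of Object.keys(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$') && !ALLOWED_OPERATORS.has(key)) return here;
    const hit = findDisallowedOperator(filter[key], here);
    if (hit) return hit;
  }
  return null;
}

// Stricter alternative: do not pass the request body through at all. Build the
// filter from an explicit field list and accept only primitive values, so a
// JSON body such as {"name": {"$where": "..."}} can never become an operator.
function literalFilter(input, allowedFields) {
  const out = {};
  for (const field of allowedFields) {
    const value = input[field];
    if (value === undefined) continue;
    if (value !== null && typeof value === 'object') {
      throw new TypeError(`field ${field} must be a primitive value`);
    }
    out[field] = { $eq: value };
  }
  return out;
}

// Constructed sample request bodies (not real traffic).
const benign = { name: 'alice', age: { $gte: 18 } };
const topLevel = { name: 'alice', $where: '/* attacker-controlled JS */' };
const nested = { tags: { $in: [{ $where: '/* attacker-controlled JS */' }] } };
```

Logging the path returned by `findDisallowedOperator` gives a detection signal for requests that try to smuggle operators into a query, while `literalFilter` is the pattern to prefer for new endpoints.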

@renovate-bot renovate-bot requested a review from a team as a code owner December 5, 2024 01:01
@forking-renovate forking-renovate bot added the "automerge" label (Merge the pull request once unit tests and other checks pass.) Dec 5, 2024
dpebot commented Dec 5, 2024

/gcbrun


Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot.

@gcf-merge-on-green gcf-merge-on-green bot removed the "automerge" label (Merge the pull request once unit tests and other checks pass.) Dec 6, 2024
@renovate-bot renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 7381ef6 to a543775 January 16, 2025 21:25
@renovate-bot renovate-bot changed the title from "fix(deps): update dependency mongoose to v6.13.5 [security]" to "fix(deps): update dependency mongoose to v8 [security]" Jan 16, 2025
dpebot commented Jan 16, 2025

/gcbrun

@renovate-bot renovate-bot changed the title from "fix(deps): update dependency mongoose to v8 [security]" to "fix(deps): update dependency mongoose to v6.13.5 [security]" Jan 17, 2025
@renovate-bot renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from a543775 to 1d51988 January 17, 2025 18:10
dpebot commented Jan 17, 2025

/gcbrun

@renovate-bot renovate-bot changed the title from "fix(deps): update dependency mongoose to v6.13.5 [security]" to "fix(deps): update dependency mongoose to v6.13.6 [security]" Jan 18, 2025
@renovate-bot renovate-bot force-pushed the renovate/npm-mongoose-vulnerability branch from 1d51988 to 3c35b87 January 18, 2025 02:22
dpebot commented Jan 18, 2025

/gcbrun
