
fix(deps): update dependency mongoose to v6.13.6 [security] #1460

Open

renovate-bot wants to merge 1 commit into GoogleCloudPlatform:v1 from renovate-bot:renovate/npm-mongoose-vulnerability

Conversation

@renovate-bot (Contributor)

This PR contains the following updates:

Package           | Change
mongoose (source) | 6.11.3 -> 6.13.6

GitHub Vulnerability Alerts

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.


Release Notes

Automattic/mongoose (mongoose)

v6.13.6
===================

v6.13.5
===================

  • fix: disallow using $where in match

v6.13.4
===================

v6.13.3
===================

  • docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #11152

v6.13.2
===================

  • fix(document): make set() respect merge option on deeply nested objects #14870 #14878

v6.13.1
===================

v6.13.0
===================

  • feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #14599 #14587 #14572 #13410

v6.12.9
===================

v6.12.8
===================

  • fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #14468 #14446
  • fix(schematype): consistently set wasPopulated to object with value property rather than boolean #14418
  • docs(model): add extra note about lean option for insertMany() skipping casting #14415 #14376

v6.12.7
===================

v6.12.6
===================

  • fix(collection): correctly handle buffer timeouts with find() #14277
  • fix(document): allow calling push() with different $position arguments #14254

v6.12.5
===================

  • perf(schema): remove unnecessary lookahead in numeric subpath check
  • fix(document): allow setting nested path to null #14226
  • fix(document): avoid flattening dotted paths in mixed path underneath nested path #14198 #14178
  • fix: add ignoreAtomics option to isModified() for better backwards compatibility with Mongoose 5 #14213

v6.12.4
===================

  • fix: upgrade mongodb driver -> 4.17.2
  • fix(document): avoid treating nested projection as inclusive when applying defaults #14173 #14115
  • fix: account for null values when assigning isNew property #14172 #13883

v6.12.3
===================

  • fix(ChangeStream): correctly handle hydrate option when using change stream as stream instead of iterator #14052
  • fix(schema): fix dangling reference to virtual in tree after removeVirtual() #14019 #13085
  • fix(document): avoid unmarking modified on nested path if no initial value stored and already modified #14053 #14024
  • fix(document): consistently avoid marking subpaths of nested paths as modified #14053 #14022

v6.12.2
===================

v6.12.1
===================

v6.12.0
===================

  • feat: use mongodb driver v4.17.1
  • fix(model): make Model.bulkWrite() with empty array and ordered false not throw an error #13664
  • fix(document): correctly handle inclusive/exclusive projections when applying subdocument defaults #13763 #13720

v6.11.6
===================

v6.11.5
===================

  • fix(schema): make Schema.prototype.clone() avoid creating different copies of subdocuments and single nested paths underneath single nested paths #13671 #13626
  • fix: custom debug function not processing all args #13418

v6.11.4
===================

  • perf: speed up mapOfSubdocs benchmark by 4x by avoiding unnecessary O(n^2) loop in getPathsToValidate() #13614

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
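Added defensive example for the CVE-2025-23061 advisory quoted above (written for this review; it is neither Mongoose's own fix nor part of this PR): a guard that rejects any user-controlled filter or populate() match object carrying `$where` at any depth, including inside `$or`/`$and`/`$nor` operand arrays and nested sub-objects, so the operator never reaches the query layer regardless of how a library version treats it. The sample filters are constructed, and the `$where` bodies are inert placeholders.

```javascript
'use strict';

// Walk a decoded filter object and collect the JSON-style paths at which a
// $where key appears. Arrays (the operands of $or / $and / $nor) are
// descended as well, so a clause hidden one level down is still reported.
function findWherePaths(filter, path = '$', out = []) {
  if (Array.isArray(filter)) {
    filter.forEach((item, i) => findWherePaths(item, `${path}[${i}]`, out));
  } else if (filter !== null && typeof filter === 'object') {
    for (const [key, value] of Object.entries(filter)) {
      const here = `${path}.${key}`;
      if (key === '$where') out.push(here);
      findWherePaths(value, here, out);
    }
  }
  return out;
}

// Gate to call on request-derived filters and populate() `match` options
// before they are handed to Mongoose: throws on any $where, otherwise
// returns the same object so it can be used inline.
function assertNoWhere(filter) {
  const hits = findWherePaths(filter);
  if (hits.length > 0) {
    throw new Error(`rejected filter: $where is not allowed (found at ${hits.join(', ')})`);
  }
  return filter;
}

// Constructed sample inputs, shaped like what JSON.parse() of a request body
// might produce. The $where bodies are inert placeholders, not real payloads.
const SAFE = { author: 'alice', tags: { $in: ['faq', 'howto'] } };
const TOP_LEVEL = { $where: 'true' };
const NESTED = { $or: [{ author: 'alice' }, { $where: 'true' }] };
// A populate() options object whose match clause smuggles $where under $and.
const UNDER_MATCH = { path: 'comments', match: { $and: [{ $where: 'true' }] } };
```

In an Express handler the call is `Model.find(assertNoWhere(req.body.filter))`; the thrown error maps naturally to a 400 response and is worth logging, since a `$where` in client input is itself a detection signal.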

@renovate-bot renovate-bot requested a review from a team as a code owner March 30, 2026 19:26
@forking-renovate bot added the label "automerge" (Merge the pull request once unit tests and other checks pass.) Mar 30, 2026
@dpebot (Collaborator) commented Mar 30, 2026

/gcbrun

@gemini-code-assist bot left a comment

Code Review

This pull request updates the mongoose dependency to version 6.13.6 in the backend service. Feedback highlights that Mongoose 6.x is end-of-life and recommends migrating to version 8.x, which would involve refactoring database logic to remove callback support. Furthermore, the update creates a version mismatch between the root mongodb dependency and the transitive version used by mongoose, suggesting an alignment of these versions to reduce package bloat.

"mongodb": "4.17.1",
"express": "4.18.2",
"mongoose": "6.11.3"
"mongoose": "6.13.6"
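Review bot: the root pin `"mongodb": "4.17.1"` two lines above the bumped `"mongoose": "6.13.6"` no longer matches the driver version mongoose 6.13.6 itself depends on (the v6.12.4 notes in this PR record the driver moving to 4.17.2), so two copies of the driver will be installed; either bump the root pin to 4.17.2 or drop it if the application only reaches the driver through mongoose. The hunk also touches only package.json, so confirm the lockfile is regenerated in the same commit, otherwise `npm ci` fails on the manifest/lockfile mismatch.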
Severity: medium

Mongoose 6.x is End-of-Life (EOL) and no longer receives general updates. While this version addresses a specific security vulnerability (CVE-2025-23061), it is recommended to plan a migration to a supported version like Mongoose 8.x. Note that Mongoose 7+ introduced breaking changes, including the removal of callback support, which would require refactoring the database logic in files like routes/messages.js to use Promises or async/await.

"mongodb": "4.17.1",
"express": "4.18.2",
"mongoose": "6.11.3"
"mongoose": "6.13.6"
Severity: medium

Updating mongoose to 6.13.6 brings in mongodb@4.17.2 as a transitive dependency. Since the root package.json explicitly pins mongodb to 4.17.1 (line 13), this results in duplicate versions of the MongoDB driver being installed. Consider updating the root mongodb dependency to 4.17.2 or removing it if it is not used directly in the codebase to maintain consistency and reduce package bloat.
