device-management-toolkit · dependabot · Nov 6, 2025 · Nov 7, 2025 · Nov 11, 2025 · Copilot
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,7 +49,7 @@
     "got": "^14.6.3",
     "http-z": "^7.0.0",
     "jws": "^4.0.0",
-    "mongodb": "^6.20.0",
+    "mongodb": "^7.0.0",
     "mqtt": "^5.14.1",
     "node-forge": "^1.3.1",
     "pg": "^8.16.3",

diff --git a/src/data/mongo/collections/device.ts b/src/data/mongo/collections/device.ts
@@ -55,8 +55,23 @@ export class MongoDeviceTable implements IDeviceTable {
   }
 
   async update(item: Device): Promise<WithId<Device>> {
+    if (!(item as any)._id) {
+      throw new Error('Device must have an _id for update operation')
+    }
+
+    const itemId = (item as any)._id
+    let objectId: ObjectId
+
+    if (ObjectId.isValid(itemId)) {
+      objectId = new ObjectId(itemId)
+    } else if (typeof itemId === 'number') {
+      objectId = new ObjectId(itemId.toString().padStart(24, '0'))
+    } else {
+      throw new Error(`Invalid _id format: ${itemId}`)
-    } else if (typeof itemId === 'number') {
-      objectId = new ObjectId(itemId.toString().padStart(24, '0'))
-    } else {
-      throw new Error(`Invalid _id format: ${itemId}`)
+    } else {
+      throw new Error(`Invalid _id format: ${itemId}. Only valid ObjectId strings are supported.`)
-    } else if (typeof itemId === 'number') {
-      objectId = new ObjectId(itemId.toString().padStart(24, '0'))
-    } else {
-      throw new Error(`Invalid _id format: ${itemId}`)
+    } else {
+      throw new Error(`Invalid _id format: ${itemId}. Only valid ObjectId strings are supported.`)
+    }
+
     const result = await this.collection.findOneAndUpdate(
-      { _id: new ObjectId((item as any)._id as number), tenantId: item.tenantId },
+      { _id: objectId, tenantId: item.tenantId },
       { $set: item },
       { returnDocument: 'after', includeResultMetadata: false }
     )

diff --git a/src/routes/devices/index.ts b/src/routes/devices/index.ts
@@ -25,7 +25,13 @@ deviceRouter.get('/', odataValidator(), metadataQueryValidator(), validateMiddle
 deviceRouter.get('/stats', stats)
 deviceRouter.get('/tags', getDistinctTags)
 deviceRouter.get('/:guid', param('guid').isUUID('loose'), validateMiddleware, getDevice)
-deviceRouter.get('/redirectstatus/:guid', param('guid').isUUID('loose'), validateMiddleware, ciraMiddleware, getRedirStatus)
+deviceRouter.get(
+  '/redirectstatus/:guid',
+  param('guid').isUUID('loose'),
+  validateMiddleware,
+  ciraMiddleware,
+  getRedirStatus
+)
 deviceRouter.post('/', validator(), validateMiddleware, insertDevice)
 deviceRouter.patch('/', validator(), validateMiddleware, updateDevice)
 deviceRouter.delete('/refresh/:guid', validator(), validateMiddleware, refreshDevice)