Skip to content

fix: bump mongodb and mongoose#589

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-12fc310550
Open

fix: bump mongodb and mongoose#589
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-12fc310550

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 29, 2025
edited
Loading

Bumps mongodb and mongoose. These dependencies needed to be updated together.
Updates mongodb from 4.14.0 to 6.15.0

Release notes

Sourced from mongodb's releases.

v6.15.0

6.15.0 (2025-03-18)

The MongoDB Node.js team is pleased to announce version 6.15.0 of the mongodb package!

Release Notes

Support for custom AWS credential providers

The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of () => Promise<AWSCredentials> which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.

Example for authentication with a provider chain from the AWS SDK:

import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
const client = new MongoClient(process.env.MONGODB_URI, {
authMechanismProperties: {
AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
}
});

Example for using a custom provider for KMS requests only:

import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
const client = new MongoClient(process.env.MONGODB_URI, {
autoEncryption: {
keyVaultNamespace: 'keyvault.datakeys',
kmsProviders: { aws: {} },
credentialProviders: {
aws: fromNodeProviderChain()
}
}
}

Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:

const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: async () => {
      return {
        accessKeyId: process.env.ACCESS_KEY_ID,
        secretAccessKey: process.env.SECRET_ACCESS_KEY
</tr></table>

... (truncated)

Changelog

Sourced from mongodb's changelog.

6.15.0 (2025-03-18)

Features

Bug Fixes

  • NODE-6845: ensure internal rejections are handled (#4448) (06e941a)

6.14.2 (2025-03-04)

Bug Fixes

  • NODE-6803: kms proxy socket creates unhandled rejection (#4444) (ed69cf9)

6.14.1 (2025-03-03)

Bug Fixes

  • NODE-6801: set token on connection from cache (#4438) (cb13746)

6.14.0 (2025-02-28)

Features

  • NODE-6676: add support for nsType in change stream create events (#4431) (7800067)
  • NODE-6773: add support for $lookup with automatic encryption (#4427) (965b21a)

Bug Fixes

  • NODE-6765: FindOneAndUpdateOptions supports aggregation expressions (#4423) (421ddeb)
  • NODE-6792: use isUint8Array from driver's utils instead of util/types (#4436) (dfe1fba)
  • NODE-6794: revert @aws-sdk/credential-providers peer compatibility change (#4437) (488c407)

6.13.1 (2025-02-20)

Bug Fixes

  • NODE-6407: use conversationId returned from server in saslContinue (#4368) (fbefa6b)
  • NODE-6613: Update error messages when primaries go stale (#4397) (6528c8d)
  • NODE-6690: Remove extraneous Document in replaceOne return type (#4383) (6c81d4e)
  • NODE-6763: pass WriteConcernOptions instead on WriteConcernSettings (#4421) (26f15d7)

... (truncated)

Commits
  • aa5a979 chore(main): release 6.15.0 [skip-ci] (#4463)
  • 8a9f251 ci: skip flaky test in CSOT test suite (#4475)
  • 78d951b docs: generate docs from latest main [skip-ci] (#4450)
  • 2295824 ci: skip flaky test in abort signal test suite (#4470)
  • e927f97 ci: skip flaky test in CSOT test suite (#4469)
  • b36976e docs(NODE-6819): remove mention of yarn from readme and update server compa...
  • d341a72 ci: skip flaky tests in FLE test suite (#4467)
  • 0083b8e ci: skip flaky test in CSOT test suite (#4471)
  • cd09d43 ci: skip flaky tests in retryable reads and sdam suites (#4466)
  • 86d4ca1 ci(NODE-6519,NODE-6702): fix flaky listIndexes APM test and rtt calculation t...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by dbx-node, a new releaser for mongodb since your current version.


Updates mongoose from 6.10.4 to 6.13.8

Release notes

Sourced from mongoose's releases.

6.13.8 / 2025-01-20

  • chore: remove coverage output from bundle

6.13.7 / 2025-01-20

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

6.13.6 / 2025-01-13

  • fix: disallow nested $where in populate match
Changelog

Sourced from mongoose's changelog.

6.13.8 / 2025-01-20

  • chore: remove coverage output from bundle

7.8.5 / 2025-01-20

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

6.13.7 / 2025-01-20

  • chore: re-release to force npm audit to pick up 6.x fix for CVE-2025-23061

8.9.5 / 2025-01-13

7.8.4 / 2025-01-13

6.13.6 / 2025-01-13

8.9.4 / 2025-01-09

  • fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
  • fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
  • fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
  • fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
  • types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
  • docs: fix <code> in header ids #15159
  • docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

  • fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
  • fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
  • fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
  • fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
  • perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
  • types: make BufferToBinary avoid Document instances #15123 #15122
  • types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
  • types(schema): add missing removeIndex #15134
  • types: add cleanIndexes() to IndexManager interface #15127
  • docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

... (truncated)

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
fix: bump mongodb and mongoose
023d0ea 
Bumps [mongodb](https://github.com/mongodb/node-mongodb-native) and [mongoose](https://github.com/Automattic/mongoose). These dependencies needed to be updated together.

Updates `mongodb` from 4.14.0 to 6.15.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v4.14.0...v6.15.0)

Updates `mongoose` from 6.10.4 to 6.13.8
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@6.10.4...6.13.8)

---
updated-dependencies:
- dependency-name: mongodb
  dependency-version: 6.15.0
  dependency-type: indirect
- dependency-name: mongoose
  dependency-version: 6.13.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Maintenance work relating to dependency bumps javascript Pull requests that update Javascript code labels Sep 29, 2025
@dependabot dependabot bot requested a review from rowanmanning as a code owner September 29, 2025 17:08
@dependabot dependabot bot mentioned this pull request Sep 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rowanmanning rowanmanning Awaiting requested review from rowanmanning rowanmanning is a code owner

Assignees

No one assigned

Labels

dependencies Maintenance work relating to dependency bumps javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants