[Snyk] Security upgrade mongoose from 4.11.14 to 6.13.9

[Robthreefold]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') SNYK-JS-MONGOOSE-16425765	710

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[Robthreefold]

This is a major upgrade spanning two major versions (v4 to v6) and introduces a large number of significant breaking changes. A direct upgrade is not recommended without extensive testing and code modification. It is highly advised to first migrate from v4 to v5, and then from v5 to v6, following the official migration guides.

Key Breaking Changes from v4 to v5:

• Promises: Mongoose now uses native promises by default. The previously used mpromise library is removed. [2, 6]
• Connection Management: The mongoose.connect() method has been updated. The useMongoClient option is removed and its behavior is now default. Connection strings are handled more strictly. [1]
• Middleware: Query middleware must be defined before mongoose.model() is called, otherwise it will not be triggered. [1]
• Boolean Casting: Type casting for Booleans is much stricter. For example, a string like 'false' will now cause a CastError instead of being coerced. [1]

Key Breaking Changes from v5 to v6:

• MongoDB Driver v4: Mongoose 6 uses the MongoDB Node.js driver v4, which has its own breaking changes. The connection options useNewUrlParser and useUnifiedTopology are removed and are now default behavior. [3, 5]
• strictQuery Default: The strictQuery option is true by default in Mongoose 6. This causes Mongoose to strip out any query filter properties that are not defined in the schema, which can silently change query results. [5]
• Update and Delete Results: The structure of the result objects from updateOne(), updateMany(), deleteOne(), and deleteMany() has changed. [5]
• execPopulate() Removed: The doc.execPopulate() method has been removed. Use doc.populate() which now returns a promise. [5]

Sources:

• Mongoose 4.x to 5.x Migration Guide [1]
• Mongoose 5.x to 6.x Migration Guide [5]

Recommendation: This upgrade requires significant developer effort. Do not merge without a dedicated migration plan. Follow the official guides to upgrade incrementally (4 -> 5, then 5 -> 6) and conduct thorough testing at each stage, paying close attention to query behavior and connection logic.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Robthreefold]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.