chore(deps): update dependency mongoose to v6.13.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	6.12.5 → 6.13.6

GitHub Vulnerability Alerts

CVE-2025-23061

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

CVE-2024-53900

Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.

---

Release Notes

Automattic/mongoose (mongoose)

v6.13.6

Compare Source

===================

• fix: disallow nested $where in populate match CVE-2025-23061

v6.13.5

Compare Source

===================

• fix: disallow using $where in match

v6.13.4

Compare Source

===================

• fix: save execution stack in query as string #​15043 #​15039
• docs: clarify strictQuery default will flip-flop in "Migrating to 6.x" #​14998 markstos

v6.13.3

Compare Source

===================

• docs(migrating_to_6): document that Lodash _.isEmpty() with ObjectId() as a parameter returns true in Mongoose 6 #​11152

v6.13.2

Compare Source

===================

• fix(document): make set() respect merge option on deeply nested objects #​14870 #​14878

v6.13.1

Compare Source

===================

• fix: remove empty $and, $or, $not that were made empty by scrict mode #​14749 #​13086 0x0a0d

v6.13.0

Compare Source

===================

• feat(model): add throwOnValidationError option for opting into getting MongooseBulkWriteError if all valid operations succeed in bulkWrite() and insertMany() #​14599 #​14587 #​14572 #​13410

v6.12.9

Compare Source

===================

• fix(cast): cast $comment to string in query filters #​14590 #​14576
• types(model): allow passing strict type checking override to create() #​14571 #​14548

v6.12.8

Compare Source

===================

• fix(document): handle virtuals that are stored as objects but getter returns string with toJSON #​14468 #​14446
• fix(schematype): consistently set wasPopulated to object with value property rather than boolean #​14418
• docs(model): add extra note about lean option for insertMany() skipping casting #​14415 #​14376

v6.12.7

Compare Source

===================

• perf(model): make insertMany() lean option skip hydrating Mongoose docs #​14376 #​14372
• perf(document+schema): small optimizations to make init() faster #​14383 #​14113
• fix(connection): don't modify passed options object to openUri() #​14370 #​13376 #​13335
• fix(ChangeStream): bubble up resumeTokenChanged changeStream event #​14355 #​14349 3150

v6.12.6

Compare Source

===================

• fix(collection): correctly handle buffer timeouts with find() #​14277
• fix(document): allow calling push() with different $position arguments #​14254

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.