[Snyk] Upgrade mongoose from 8.1.2 to 8.20.0

[youngbryanyu]

Snyk has created this PR to upgrade mongoose from 8.1.2 to 8.20.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 83 versions ahead of your current version.

• The recommended version was released 22 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	624	No Known Exploit
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8446504	624	Proof of Concept
	Improper Neutralization of Special Elements in Data Query Logic SNYK-JS-MONGOOSE-8623536	624	Proof of Concept
	Uncontrolled Recursion SNYK-JS-NODEFORGE-14125745	624	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	624	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	624	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	624	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FASTXMLPARSER-7573289	624	No Known Exploit
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	624	Proof of Concept
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-GRPCGRPCJS-7242922	624	No Known Exploit
	Resource Exhaustion SNYK-JS-JOSE-6419224	624	No Known Exploit
	Interpretation Conflict SNYK-JS-NODEFORGE-14114940	624	No Known Exploit
	Integer Overflow or Wraparound SNYK-JS-NODEFORGE-14125097	624	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	624	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	624	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	624	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	624	No Known Exploit

Release notes

Package name: mongoose

• 8.20.0 - 2025-11-17
  

  8.20.0 / 2025-11-17

  • feat: cast id parameter based on schema _id type in DocumentArray.id() #15733 #15725 #15724 Lex-Ashu
  • fix: pass parent schema to SchemaType constructors in interpretAsType to make implementing custom container types easier #15700
  • types(models): default _id type to ObjectId for Document #15688 Catwallon
  • docs: add FAQ entry about DivergentArrayError #15743 Mario5T
  • docs: update browser.md with Mongoose limitations #15744 YashSharma64
  • chore: add benchmark for large nested array documents (related to #9588) #15742 Kundan-CR7
• 8.19.4 - 2025-11-14
  

  8.19.4 / 2025-11-14

  • fix(schema): avoid throwing error on array of unions #15720 #15718
  • fix: store original index on insertMany validation errors #15735 Jadu07
  • types: correct return type of discriminator to Model #15726 twentytwo777
  • docs: improve Next.js integration guide with comprehensive examples #15730 adarsh-priydarshi-5646
  • docs: add documentation for Union Schema Type #15721 TechGenie-awake
  • docs: removed the outdated callback and replaced them with async/await pattern #15723 hk2166
  • docs: fix lingering remove() call in statics docs #15737 Gautam-Bharadwaj
  • docs: fix inline doc typo in schematypes.d.ts #15738 hagid786
• 8.19.3 - 2025-11-04
  

  8.19.3 / 2025-11-04

  • fix(model+plugins): correctly apply shard key on deleteOne() #15705 #15701
  • fix(schema): correctly cache text indexes as 'text' not 1 #15695
  • types: make inferRawDocType correctly infer empty array type [] as any[] #15704 #15699
• 8.19.2 - 2025-10-20
• 8.19.1 - 2025-10-06
• 8.19.0 - 2025-10-02
• 8.18.3 - 2025-09-29
• 8.18.2 - 2025-09-22
• 8.18.1 - 2025-09-08
• 8.18.0 - 2025-08-22
• 8.17.2 - 2025-08-18
• 8.17.1 - 2025-08-07
• 8.17.0 - 2025-07-30
• 8.16.5 - 2025-07-25
• 8.16.4 - 2025-07-16
• 8.16.3 - 2025-07-10
• 8.16.2 - 2025-07-07
• 8.16.1 - 2025-06-26
• 8.16.0 - 2025-06-16
• 8.15.2 - 2025-06-12
• 8.15.1 - 2025-05-26
• 8.15.0 - 2025-05-16
• 8.14.3 - 2025-05-13
• 8.14.2 - 2025-05-08
• 8.14.1 - 2025-04-29
• 8.14.0 - 2025-04-25
• 8.13.3 - 2025-04-24
• 8.13.2 - 2025-04-03
• 8.13.1 - 2025-03-28
• 8.13.0 - 2025-03-24
• 8.12.2 - 2025-03-21
• 8.12.1 - 2025-03-04
• 8.12.0 - 2025-03-03
• 8.11.0 - 2025-02-26
• 8.10.2 - 2025-02-25
• 8.10.1 - 2025-02-14
• 8.10.0 - 2025-02-05
• 8.9.7 - 2025-02-04
• 8.9.6 - 2025-01-31
• 8.9.5 - 2025-01-13
• 8.9.4 - 2025-01-09
• 8.9.3 - 2024-12-30
• 8.9.2 - 2024-12-19
• 8.9.1 - 2024-12-16
• 8.9.0 - 2024-12-13
• 8.8.4 - 2024-12-05
• 8.8.3 - 2024-11-26
• 8.8.2 - 2024-11-18
• 8.8.1 - 2024-11-08
• 8.8.0 - 2024-10-31
• 8.7.3 - 2024-10-25
• 8.7.2 - 2024-10-17
• 8.7.1 - 2024-10-09
• 8.7.0 - 2024-09-27
• 8.6.4 - 2024-09-26
• 8.6.3 - 2024-09-17
• 8.6.2 - 2024-09-11
• 8.6.1 - 2024-09-03
• 8.6.0 - 2024-08-28
• 8.5.5 - 2024-08-28
• 8.5.4 - 2024-08-23
• 8.5.3 - 2024-08-13
• 8.5.2 - 2024-07-30
• 8.5.1 - 2024-07-12
• 8.5.0 - 2024-07-08
• 8.4.5 - 2024-07-05
• 8.4.4 - 2024-06-25
• 8.4.3 - 2024-06-17
• 8.4.2 - 2024-06-17
• 8.4.1 - 2024-05-31
• 8.4.0 - 2024-05-17
• 8.3.5 - 2024-05-15
• 8.3.4 - 2024-05-06
• 8.3.3 - 2024-04-29
• 8.3.2 - 2024-04-16
• 8.3.1 - 2024-04-08
• 8.3.0 - 2024-04-03
• 8.2.4 - 2024-03-28
• 8.2.3 - 2024-03-21
• 8.2.2 - 2024-03-15
• 8.2.1 - 2024-03-04
• 8.2.0 - 2024-02-22
• 8.1.3 - 2024-02-16
• 8.1.2 - 2024-02-11

from mongoose GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs