chore(deps): update dependency mongoose to v8.9.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mongoose (source)	8.9.4 -> 8.9.5

---

Mongoose search injection vulnerability

CVE-2025-23061 / GHSA-vg7j-7cwx-8wgw

More information

Details

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Severity

• CVSS Score: 9.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-23061
• https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc
• https://github.com/Automattic/mongoose
• https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
• https://github.com/Automattic/mongoose/releases/tag/8.9.5
• https://www.npmjs.com/package/mongoose?activeTab=versions

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Automattic/mongoose (mongoose)

v8.9.5

Compare Source

==================

• fix: disallow nested $where in populate match
• fix(schema): handle bitwise operators on Int32 #​15176 #​15170

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.