Bump mongoose from 8.16.0 to 9.6.1

[dependabot]

Bumps mongoose from 8.16.0 to 9.6.1.

Release notes

Sourced from mongoose's releases.

9.6.1 / 2026-04-29

• types(objectid): fix _id getter helper on ObjectId #16251 noseworthy

9.6.0 / 2026-04-28

• feat: upgrade mongodb node driver to 7.2 #16245
• feat(schematype): support allowNull option to disallow null values even if not required #16237 #15905
• types(query): make QueryFilter respect string unions and enums #16242 #16240
• types: export Projector and ArrayProjectionOperators #16243 #16235

9.5.0 / 2026-04-20

• feat(debug): add timestamp option to debug output #16216 rejunp
• feat(query): add cloneUpdate option to explicitly disable update cloning #16230 #16202
• feat(query): extend defaults query option to find() #16226 sderrow
• fix(query): avoid cloning update until absolutely necessary to better support updates with __proto__ #16230 #16202
• fix(query): avoid treating documents with a $set() method as objects with a $set property when casting updates #16230
• fix(queryHelpers): pass default options to discriminators #16227 #16226
• fix(document): handle including and excluding nested paths with optimistic concurrency #16177 #16054
• fix(model): throw ObjectParameterError in insertOne() if doc is not an object #16221 IshitaSingh0822
• fix(cast): preserve reason in CastError message after setModel() #16167 White-Devil2839
• perf(model): remove unnecessary clone in findOneAndUpdate() #16230
• perf: use kareem 3.3.0 mongoosejs/kareem#45 #16229
• chore: use TSTyche assertions #16222 mrazauskas

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098
• fix(setDefaultsOnInsert): run setters on default values during upsert #16051 mahmoodhamdi
• fix(utils): properly compare Set objects in deepEqual KhanjarSingh
• fix(utils): wrap discriminator merge check in parentheses to fix precedence Necro-Rohan
• fix(schema): correct template literal in encryptionType error message Mridul012
• fix(schema): correct error when unsupported query operator with number #16062
• fix(types): make MergeType and UnpackedIntersection distributive over union types techcodie
• types: add id to HydratedDocument virtuals by default unless explicitly set #16178
• types(populate): use marker type to track populated vs depopulated type for perf
• types(populate): retain populated paths in toObject() and toJSON() unless depopulate: true set #16085
• types(query): make TypeScript error on $and with unrecognized query operator
• chore: use TSTyche assertions mrazauskas
• docs(connection): remove references to useUnifiedTopology and fix backtick

... (truncated)

Changelog

Sourced from mongoose's changelog.

9.6.1 / 2026-04-29

• types(objectid): fix _id getter helper on ObjectId #16251 noseworthy

9.6.0 / 2026-04-28

• feat: upgrade mongodb node driver to 7.2 #16245
• feat(schematype): support allowNull option to disallow null values even if not required #16237 #15905
• types(query): make QueryFilter respect string unions and enums #16242 #16240
• types: export Projector and ArrayProjectionOperators #16243 #16235

9.5.0 / 2026-04-20

• feat(debug): add timestamp option to debug output #16216 rejunp
• feat(query): add cloneUpdate option to explicitly disable update cloning #16230 #16202
• feat(query): extend defaults query option to find() #16226 sderrow
• fix(query): avoid cloning update until absolutely necessary to better support updates with __proto__ #16230 #16202
• fix(query): avoid treating documents with a $set() method as objects with a $set property when casting updates #16230
• fix(queryHelpers): pass default options to discriminators #16227 #16226
• fix(document): handle including and excluding nested paths with optimistic concurrency #16177 #16054
• fix(model): throw ObjectParameterError in insertOne() if doc is not an object #16221 IshitaSingh0822
• fix(cast): preserve reason in CastError message after setModel() #16167 White-Devil2839
• perf(model): remove unnecessary clone in findOneAndUpdate() #16230
• perf: use kareem 3.3.0 mongoosejs/kareem#45 #16229
• chore: use TSTyche assertions #16222 mrazauskas

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098
• fix(setDefaultsOnInsert): run setters on default values during upsert #16051 mahmoodhamdi
• fix(utils): properly compare Set objects in deepEqual KhanjarSingh
• fix(utils): wrap discriminator merge check in parentheses to fix precedence Necro-Rohan
• fix(schema): correct template literal in encryptionType error message Mridul012
• fix(schema): correct error when unsupported query operator with number #16062
• fix(types): make MergeType and UnpackedIntersection distributive over union types techcodie
• types: add id to HydratedDocument virtuals by default unless explicitly set #16178
• types(populate): use marker type to track populated vs depopulated type for perf
• types(populate): retain populated paths in toObject() and toJSON() unless depopulate: true set #16085
• types(query): make TypeScript error on $and with unrecognized query operator
• chore: use TSTyche assertions mrazauskas
• docs(connection): remove references to useUnifiedTopology and fix backtick

... (truncated)

Commits

• 00c14c7 chore: release 9.6.1
• 704ce83 Merge pull request #16251 from noseworthy/fix-object-id-getter-type-augmentation
• 76f464f types(objectid): fix _id getter helper on ObjectId
• 96b7de2 chore: release 9.6.0
• 909a5e7 Merge pull request #16245 from Automattic/vkarpov15/mongodb-7.2
• f5b7a43 feat: upgrade mongodb node driver to 7.2
• 33007eb Merge pull request #16242 from Automattic/vkarpov15/gh-16240
• 2b3d129 Merge pull request #16243 from Automattic/vkarpov15/gh-16235
• 890cad9 types: export Projector and ArrayProjectionOperators
• 128eb8a Merge pull request #16237 from Automattic/vkarpov15/gh-15905
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongoose since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Greptile Summary

This PR bumps mongoose from 8.16.0 to 9.6.1, a major version upgrade. The codebase uses mongoose minimally — a basic connect() call and two simple schemas (User, oAuthToken) with no UUID fields, no deprecated caster/casterConstructor usage, and no TypeScript generics — so the known breaking changes in mongoose 9 (UUID type representation, removed internal SchemaType properties, stricter QueryFilter types) do not apply here.

Confidence Score: 5/5

Safe to merge — the application's minimal mongoose usage is fully compatible with the 9.x breaking changes.

The codebase only uses mongoose for a basic connection and two simple schemas with standard primitive types and ObjectId refs. None of the mongoose 9 breaking changes (UUID type representation, removed SchemaType internal properties, stricter TypeScript QueryFilter) apply to this project's code. Only lockfiles and package.json are touched.

No files require special attention.

Important Files Changed

Filename	Overview
package.json	Bumps mongoose from 8.16.0 to 9.6.1 (major version); no other dependency changes.
package-lock.json	Auto-generated lockfile update reflecting the mongoose major version bump and its transitive dependency tree changes.
pnpm-lock.yaml	Auto-generated pnpm lockfile update reflecting the mongoose major version bump.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json\nmongoose 8.16.0 → 9.6.1] --> B[helpers/ORMs/Mongoose/index.js\nmongoose.connect]
    B --> C[schemas/users.js\nSimple schema: String, ObjectId fields]
    B --> D[schemas/oauthtokens.js\nSimple schema: ObjectId, String, Number fields]
    C --> E[No UUID types\nNo removed APIs used]
    D --> E
    E --> F[✅ Compatible with Mongoose 9.x]

Loading

_{Reviews (1): Last reviewed commit: "Bump mongoose from 8.16.0 to 9.6.1" | Re-trigger Greptile}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	✅ 0 (≤ 2 duplication)

View in Codacy

AI Reviewer: run a review on demand. To trigger the first review automatically, go to your organization or repository integration settings. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}