fix(document): clean modified subpaths if unsetting map#15520
Merged
fix(document): clean modified subpaths if unsetting map#15520
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR ensures that when a Map path is unset (assigned null or undefined), any modified subpaths are also cleared to prevent dangling change records. It adds the cleanup logic in Document.prototype.$set and a new test case verifying this behavior.
- Added
cleanModifiedSubpathscall for schema maps when unsetting a path inlib/document.js. - Introduced a test in
test/types.map.test.jsfor setting then unsetting the same map (GH-15519).
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/document.js | Call cleanModifiedSubpaths for schema.$isSchemaMap when val == null. |
| test/types.map.test.js | New test "handles setting then unsetting the same map" covering the undefined case. |
Comments suppressed due to low confidence (2)
test/types.map.test.js:1368
- Consider adding a similar test case for
doc.settings = nullto ensure that unsetting the map tonullalso clears modified subpaths as expected.
doc.settings = undefined;
lib/document.js:1520
- [nitpick] Add a brief comment explaining why we need to clean modified subpaths for schema maps when unsetting (e.g., to avoid dangling change records), so future maintainers understand the intent.
} else if (schema.$isSchemaMap && val == null) {
hasezoey
approved these changes
Jul 9, 2025
mergify bot
added a commit
to reisene/HulajDusza-serwis
that referenced
this pull request
Aug 11, 2025
![snyk-io[bot]](https://badgen.net/badge/icon/snyk-io%5Bbot%5D/green?label=)  [<img width="16" alt="Powered by Pull Request Badge" src="https://user-images.githubusercontent.com/1393946/111216524-d2bb8e00-85d4-11eb-821b-ed4c00989c02.png">](https://pullrequestbadge.com/?utm_medium=github&utm_source=reisene&utm_campaign=badge_info)<!-- PR-BADGE: PLEASE DO NOT REMOVE THIS COMMENT -->  <h3>Snyk has created this PR to upgrade mongoose from 8.16.1 to 8.16.4.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **3 versions** ahead of your current version. - The recommended version was released **21 days ago**. #### Issues fixed by the recommended upgrade: | | Issue | Score | Exploit Maturity | :-------------------------:|:-------------------------|:-------------------------|:-------------------------  | Regular Expression Denial of Service (ReDoS)<br/>[SNYK-JS-BRACEEXPANSION-9789073](https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073) | **57** | Proof of Concept  | Regular Expression Denial of Service (ReDoS)<br/>[SNYK-JS-BRACEEXPANSION-9789073](https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073) | **57** | Proof of Concept <details> <summary><b>Release notes</b></summary> <br/> <details> <summary>Package name: <b>mongoose</b></summary> <ul> <li> <b>8.16.4</b> - <a href="https://redirect.github.com/Automattic/mongoose/releases/tag/8.16.4">2025-07-16</a></br><h1>8.16.4 / 2025-07-16</h1> <ul> <li>fix(connection): avoid calling connection.close() internally with force: Object <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3229728988" data-permission-text="Title is private" data-url="Automattic/mongoose#15534" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15534/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15534">#15534</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3228051020" data-permission-text="Title is private" data-url="Automattic/mongoose#15531" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15531/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15531">#15531</a></li> <li>types(schema): handle required: string in schema definitions <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3233265778" data-permission-text="Title is private" data-url="Automattic/mongoose#15538" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15538/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15538">#15538</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3231854067" data-permission-text="Title is private" data-url="Automattic/mongoose#15536" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15536/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15536">#15536</a></li> <li>types(document): allow calling $isDefault() with no args <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3219676033" data-permission-text="Title is private" data-url="Automattic/mongoose#15528" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15528/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15528">#15528</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3212867705" data-permission-text="Title is private" data-url="Automattic/mongoose#15522" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15522/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15522">#15522</a></li> <li>types: infer Typescript string enums <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3224312454" data-permission-text="Title is private" data-url="Automattic/mongoose#15530" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15530/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15530">#15530</a> <a href="https://redirect.github.com/ruiaraujo">ruiaraujo</a></li> <li>types: pass TModelType down to schema statics <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3233226123" data-permission-text="Title is private" data-url="Automattic/mongoose#15537" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15537/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15537">#15537</a></li> </ul> </li> <li> <b>8.16.3</b> - <a href="https://redirect.github.com/Automattic/mongoose/releases/tag/8.16.3">2025-07-10</a></br><h1>8.16.3 / 2025-07-10</h1> <ul> <li>fix(document): clean modified subpaths if unsetting map <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3209687640" data-permission-text="Title is private" data-url="Automattic/mongoose#15520" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15520/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15520">#15520</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3209143317" data-permission-text="Title is private" data-url="Automattic/mongoose#15519" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15519/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15519">#15519</a></li> <li>fix: make DocumentArray SchemaType pass all options to embedded SchemaType <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3213865906" data-permission-text="Title is private" data-url="Automattic/mongoose#15523" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15523/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15523">#15523</a></li> <li>types: support readonly array in query.select <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3217205824" data-permission-text="Title is private" data-url="Automattic/mongoose#15527" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15527/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15527">#15527</a> <a href="https://redirect.github.com/omermizr">omermizr</a></li> </ul> </li> <li> <b>8.16.2</b> - <a href="https://redirect.github.com/Automattic/mongoose/releases/tag/8.16.2">2025-07-07</a></br><h1>8.16.2 / 2025-07-07</h1> <ul> <li>fix(cursor): populate after hydrating in queryCursor so populated docs get parent() <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3193156560" data-permission-text="Title is private" data-url="Automattic/mongoose#15498" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15498/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15498">#15498</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3179946229" data-permission-text="Title is private" data-url="Automattic/mongoose#15494" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15494/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15494">#15494</a></li> <li>fix(schema): support toJSONSchema() on mixed types and improve error message about unsupported types <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3179520029" data-permission-text="Title is private" data-url="Automattic/mongoose#15492" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15492/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15492">#15492</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3174597323" data-permission-text="Title is private" data-url="Automattic/mongoose#15489" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15489/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15489">#15489</a></li> <li>types: add _id and __v to toObject/toJSON transform type <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3193864752" data-permission-text="Title is private" data-url="Automattic/mongoose#15501" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15501/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15501">#15501</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3145020558" data-permission-text="Title is private" data-url="Automattic/mongoose#15479" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15479/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15479">#15479</a></li> <li>types(schema): use user-provided THydratedDocumentType as context for virtual get() and set() <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3205408388" data-permission-text="Title is private" data-url="Automattic/mongoose#15517" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15517/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15517">#15517</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3203768114" data-permission-text="Title is private" data-url="Automattic/mongoose#15516" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15516/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15516">#15516</a></li> <li>types: improve typing for transform option to toJSON and toObject <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3165281132" data-permission-text="Title is private" data-url="Automattic/mongoose#15485" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15485/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15485">#15485</a></li> <li>docs: link to custom setter docs from lowercase, etc. options and note that setters run on query filters <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3179559608" data-permission-text="Title is private" data-url="Automattic/mongoose#15493" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15493/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15493">#15493</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3178037830" data-permission-text="Title is private" data-url="Automattic/mongoose#15491" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15491/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15491">#15491</a></li> <li>docs(jest): add note about resetModules <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3200176577" data-permission-text="Title is private" data-url="Automattic/mongoose#15515" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15515/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15515">#15515</a></li> </ul> </li> <li> <b>8.16.1</b> - <a href="https://redirect.github.com/Automattic/mongoose/releases/tag/8.16.1">2025-06-26</a></br><h1>8.16.1 / 2025-06-26</h1> <ul> <li>fix(document): avoid setting _skipMarkModified when setting nested path with merge option <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3164370267" data-permission-text="Title is private" data-url="Automattic/mongoose#15484" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15484/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15484">#15484</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1265052748" data-permission-text="Title is private" data-url="Automattic/mongoose#11913" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/11913/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/11913">#11913</a></li> <li>fix(model): make sure post save error handler gets doc as param on VersionError <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3164302491" data-permission-text="Title is private" data-url="Automattic/mongoose#15483" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15483/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15483">#15483</a> <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3153142469" data-permission-text="Title is private" data-url="Automattic/mongoose#15480" data-hovercard-type="issue" data-hovercard-url="/Automattic/mongoose/issues/15480/hovercard" href="https://redirect.github.com/Automattic/mongoose/issues/15480">#15480</a></li> <li>fix: consistent $conditionalHandlers setup between schematypes <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3176350747" data-permission-text="Title is private" data-url="Automattic/mongoose#15490" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15490/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15490">#15490</a></li> <li>docs(compatibility): note that mongodb 4.0 is not supported anymore since 8.16.0 <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3171918500" data-permission-text="Title is private" data-url="Automattic/mongoose#15487" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15487/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15487">#15487</a> <a href="https://redirect.github.com/hasezoey">hasezoey</a></li> <li>docs: remove unnecessary --save flag from npm install instruction <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3167998752" data-permission-text="Title is private" data-url="Automattic/mongoose#15486" data-hovercard-type="pull_request" data-hovercard-url="/Automattic/mongoose/pull/15486/hovercard" href="https://redirect.github.com/Automattic/mongoose/pull/15486">#15486</a> <a href="https://redirect.github.com/Thahirgeek">Thahirgeek</a></li> </ul> </li> </ul> from <a href="https://redirect.github.com/Automattic/mongoose/releases">mongoose GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. > - Max score is 1000. Note that the real score may have changed since the PR was raised. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiIxNGEyYzRlYy0zYjdjLTRiYTgtOGQ2MC1lNjE2NmM2YmI3MDMiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjE0YTJjNGVjLTNiN2MtNGJhOC04ZDYwLWU2MTY2YzZiYjcwMyJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59/settings/integration?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59/settings/integration?pkg=mongoose&utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades) [//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"mongoose","from":"8.16.1","to":"8.16.4"}],"env":"prod","hasFixes":true,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":["SNYK-JS-BRACEEXPANSION-9789073","SNYK-JS-BRACEEXPANSION-9789073"],"prId":"14a2c4ec-3b7c-4ba8-8d60-e6166c6bb703","prPublicId":"14a2c4ec-3b7c-4ba8-8d60-e6166c6bb703","packageManager":"npm","priorityScoreList":[57],"projectPublicId":"55e114f8-489e-4f14-b900-20574b041e59","projectUrl":"https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-JS-BRACEEXPANSION-9789073","SNYK-JS-BRACEEXPANSION-9789073"],"upgradeInfo":{"versionsDiff":3,"publishedDate":"2025-07-16T22:31:03.488Z"},"vulns":["SNYK-JS-BRACEEXPANSION-9789073","SNYK-JS-BRACEEXPANSION-9789073"]}'
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
<!--](https://user-images.githubusercontent.com/1393946/111216524-d2bb8e00-85d4-11eb-821b-ed4c00989c02.png">](https://pullrequestbadge.com/?utm_medium=github&utm_source=reisene&utm_campaign=badge_info)<!--){kind=link}
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix #15519
Summary
If setting a map to null/undefined, need to clean modified subpaths. Otherwise we have dangling modified paths which cause issues like #15519.
Examples