Mongoose

registrynpm

package namemongoose

maintainerMongoose Contributors

Mongoose is the standard ODM (Object Document Mapper) for MongoDB in Node.js, providing schema definition, validation, and query building. It is used in Express, NestJS, and Next.js applications that store data in MongoDB. Mongoose reads the MongoDB connection URI from application code or environment variables.

api usage

Checking Mongoose

mongoose 8.5.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=mongoose&version=8.5.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "mongoose",
  "version": "8.5.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

ODM packages hold the MongoDB connection URI, which often embeds username and password. A backdoored version can exfiltrate the URI and execute arbitrary MongoDB queries against the production database.

Attestd monitors mongoose using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages Express NestJS Core Prisma Client mongodb CVE coverage Response fields