
Conversation

vkarpov15
Member

@vkarpov15 vkarpov15 commented Sep 9, 2025

Summary

Branch for v6 release, changes:

  1. Remove debug as prod dependency due to the recent security issue. I don't think it is worth the risk to Mongoose to have debug as a direct dependency of mquery, especially since Mongoose itself doesn't use debug.
  2. Upgrade to MongoDB Node driver v6 in tests: requires changing includeResultMetadata because MongoDB driver v6 returns just the document from findOneAndUpdate() by default.
  3. Remove count and findOneAndRemove
  4. Add findOneAndDelete, findOneAndReplace, countDocuments, estimatedDocumentCount
  5. Make calling updateOne(), updateMany(), and findOneAndX() with one arg set the query filter rather than the update based on Remove single-argument findOneAndUpdate behavior Automattic/mongoose#15363: the fact that updateOne(v) is equivalent to updateOne(null, v) is surprising and not very idiomatic these days. Devs tend to think more in terms of TypeScript's optional arguments rules, and chaining APIs are less popular.

Examples

@vkarpov15 vkarpov15 requested a review from Copilot September 9, 2025 14:04

@Copilot Copilot AI left a comment


Pull Request Overview

This PR prepares the mquery library for a v6 release with two main changes: removing the debug dependency for security reasons and upgrading to MongoDB Node driver v6.

  • Remove debug production dependency due to security concerns
  • Upgrade MongoDB Node driver from v5 to v6 in dev dependencies and upgrade Mocha from v9 to v11
  • Update test code to handle MongoDB driver v6's new return format for findOneAndUpdate() operations

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File            Description
package.json    Removes debug dependency, upgrades MongoDB driver to v6 and Mocha to v11
lib/mquery.js   Removes debug import and all debug logging statements throughout the codebase
test/index.js   Updates tests to handle MongoDB driver v6's changed return format for findOneAndUpdate operations


vkarpov15 added a commit to Automattic/mongoose that referenced this pull request Sep 9, 2025
@aheckmann
Collaborator

From the looks of our dependents graph, no active open source projects of size, outside mongoose, are using this module. That does not mean there aren't other non-public, internal applications using this (that's how I used this module).

Back when I developed this and was actively using it outside mongoose, it was a very convenient way to see what was happening within my apps. There are other tools for debugging but in very locked down production environments, sometimes DEBUG= is all you have available. We might consider replacing debug with debuglog so we keep the functionality but lose the 3rd party dep.

As for security being a reason to remove debug: I see the risk as the same as any other module on npm, including mongoose itself.

@vkarpov15
Member Author

That's a fair concern re: internal applications. I'm open to using Node's debuglog instead if that helps. It looks like debuglog behaves almost exactly the same as debug, is that correct?

Re: "I see the risk as the same as any other module on npm, including mongoose itself.", I don't entirely agree. Because debug is so widely used (6th most depended on package on npm), it is more likely to be targeted. I see debug integration as more of a nice-to-have for this package, and I imagine users are more likely to write debugging logic in their own code, but I could be wrong.

@aheckmann
Collaborator

I don't feel strongly. I'm +1 on whatever direction you feel is best.

matrix:
node: [14, 16, 18]
mongo: [4.2, 5.0]
node: ['lts/*', 'lts/-1', 'latest']
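Review bot: the new node matrix includes `latest`, which resolves to whatever Node release is current when the job runs, so CI can start failing on a new Node major without any change in this repo; if the goal is to test supported versions, `lts/*` and `lts/-1` already cover that, and `latest` could be kept as a non-blocking leg (continue-on-error) or dropped. The `lts/*`, `lts/-1` and `latest` aliases are also only meaningful to a setup step that understands them, so check that the workflow's Node installation step resolves them rather than passing them through as literal version strings.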
Collaborator


Maybe CI failed b/c we also need uses: actions/setup-node@v4 here to support nvm syntax. Worth a try. Here's how I'm using it.


2 participants