@lenne.tech/nest-server 11.23.1 → 11.24.1

package/migration-guides/11.23.x-to-11.24.0.md

@@ -0,0 +1,272 @@
+# Migration Guide: 11.23.x → 11.24.0
+
+## Overview
+
+| Category | Details |
+|----------|---------|
+| **Breaking Changes** | None (one edge-case: `checkRestricted` 4th parameter type changed — see below) |
+| **New Features** | `CrudService.pushToArray()`, `CrudService.pullFromArray()` |
+| **Bugfixes** | `checkRestricted` group member checks broken (concat bug), `prepareInput`/`prepareOutput` array element skipping (splice bug), RoleGuard missing `$pull.roles` guard |
+| **Performance** | `checkRestricted` sample-based array validation, `WeakSet` for circular reference detection, single-pass DFS in `prepareOutput` (secret removal + ObjectId conversion merged) |
+| **Security** | Recursive secret removal in `prepareOutput`, RoleGuard now guards `$pull.roles`, field-name validation on `pushToArray`/`pullFromArray` |
+| **Migration Effort** | 0 minutes (no code changes required) |
+
+---
+
+## Quick Migration
+
+No code changes required. All improvements activate automatically.
+
+```bash
+# Update package
+pnpm add @lenne.tech/nest-server@11.24.0
+
+# Verify build
+pnpm run build
+
+# Run tests
+pnpm test
+```
+
+---
+
+## What's New in 11.24.0
+
+### 1. `CrudService.pushToArray()` — Atomic Array Append
+
+New first-class method for appending items to array fields without loading the full array into memory. Bypasses the `process()` pipeline entirely, preventing OOM on large subdocument arrays. Mongoose plugins (Tenant, Audit, RoleGuard) remain active via `pre('findOneAndUpdate')`.
+
+```typescript
+// Append a single item
+await this.entityService.pushToArray(id, 'logs', newLog);
+
+// Append with $slice to cap array length (keep last 500)
+await this.entityService.pushToArray(id, 'logs', newLog, { $slice: -500 });
+
+// Append multiple items at once
+await this.entityService.pushToArray(id, 'tags', ['urgent', 'reviewed']);
+
+// Append with sort and position control
+await this.entityService.pushToArray(id, 'scores', newScore, {
+  $sort: { value: -1 },
+  $slice: 10,  // keep top 10
+});
+```
+
+**When to use:**
+- Appending logs, history, metrics, comments, tags
+- Any growing array regardless of size
+- Whenever you would have done `entity.field.push(item); await service.update(id, { field: entity.field })`
+
+**When to still use `CrudService.update()`:**
+- Replacing the entire array content
+- Small arrays (< 10 items) where full validation is desired
+- User-controlled field selection requiring `@Restricted` input checks
+
+### 2. `CrudService.pullFromArray()` — Atomic Array Removal
+
+New method for removing items from array fields by condition.
+
+```typescript
+// Remove by exact match
+await this.entityService.pullFromArray(id, 'tags', 'obsolete');
+
+// Remove by condition (all DEBUG logs)
+await this.entityService.pullFromArray(id, 'logs', { level: 'DEBUG' });
+```
+
+### 3. `checkRestricted()` Array Performance Optimization
+
+For typed arrays (all items share the same class), class-level `@Restricted` metadata is now validated once on the first item instead of on every item. Per-item checks are only performed when `S_CREATOR` or `S_SELF` restrictions exist (because `createdBy`/`id` differ per item).
+
+**Impact:** Reduces redundant class-level validation from O(n) to O(1) for homogeneous arrays. Property-level checks still run per item with cached metadata lookups.
+
+### 4. `checkRestricted()` Circular Reference Protection — WeakSet
+
+The `processedObjects` tracking changed from `Array` with O(n) `.includes()` to `WeakSet` with O(1) `.has()`. This improves performance for deeply nested object graphs and enables garbage collection of processed objects.
+
+### 5. Recursive Secret Removal in `prepareOutput()`
+
+Secret fields (`password`, `verificationToken`, `passwordResetToken`) are now removed **recursively** from nested objects and arrays, not just at the top level. Previously, `output.author.password` would survive — now it is correctly removed.
+
+**Note:** `refreshTokens` and `tempTokens` are intentionally NOT removed by `prepareOutput` — they are needed internally for token validation and process flows (password reset, email verification). The `CheckSecurityInterceptor` (Safety Net) removes these from HTTP responses as a separate layer.
+
+### 6. Recursive ObjectId Conversion in `prepareOutput()`
+
+ObjectId→string conversion now uses `processDeep()` (recursive) instead of a flat `Object.entries()` loop, consistent with `prepareInput()`. Previously, nested ObjectIds (e.g. `output.nested.refId`) were not converted.
+
+### 7. Single-Pass DFS in `prepareOutput()`
+
+Secret removal and ObjectId conversion are now merged into a single `processDeep()` traversal instead of two separate recursive walks. This halves the object graph traversal cost for API responses with nested objects.
+
+### 8. Field-Name Validation on `pushToArray()` / `pullFromArray()`
+
+Both methods now validate the `field` parameter at runtime. Field names starting with `$` or containing null bytes are rejected with an error. This prevents MongoDB operator injection when field names are accidentally derived from unvalidated sources.
+
+```typescript
+// Throws: "pushToArray: invalid field name "$where""
+await this.entityService.pushToArray(id, '$where', 'value');
+```
+
+### 9. `pushToArray()` Empty Array Guard
+
+Passing an empty array to `pushToArray()` now returns immediately without issuing a database round-trip. Previously, `$push: { field: { $each: [] } }` was sent to MongoDB as a valid no-op.
+
+---
+
+## Bugfixes
+
+### Fix: `checkRestricted` Group Member Checks Were Silently Broken
+
+**File:** `src/core/common/decorators/restricted.decorator.ts`
+
+`members.concat(items)` returned a new array but the result was discarded. This meant `@Restricted({ memberOf: 'members' })` group-based access checks **never worked** for array-valued membership properties.
+
+**Before:**
+```typescript
+members.concat(items);  // BUG: result discarded, members stays empty
+```
+
+**After:**
+```typescript
+members.push(...items);  // FIXED: items added to members array
+```
+
+**Impact:** If your project uses `@Restricted({ memberOf: 'propertyName' })` where the property is an array of user IDs, access was incorrectly denied for all users. After this fix, group member checks work correctly.
+
+### Fix: `prepareInput()` / `prepareOutput()` Array Element Skipping
+
+**File:** `src/core/common/helpers/service.helper.ts`
+
+Both functions used `splice(i, 1)` inside a forward `for` loop when `removeUndefined` was active. This caused array elements to be skipped after each removal because indices shifted.
+
+**Before:**
+```typescript
+for (let i = 0; i <= input.length - 1; i++) {
+  processedArray[i] = await prepareInput(input[i], ...);
+  if (processedArray[i] === undefined && config.removeUndefined) {
+    processedArray.splice(i, 1);  // BUG: shifts indices, next element skipped
+  }
+}
+```
+
+**After:**
+```typescript
+const result = [];
+for (let i = 0; i < input.length; i++) {
+  const processed = await prepareInput(input[i], ...);
+  if (processed !== undefined || !config.removeUndefined) {
+    result.push(processed);
+  }
+}
+return result;
+```
+
+**Impact:** Arrays with `undefined` elements (rare in practice) could have had elements silently dropped. The fix also ensures arrays are never mutated in place — a new array is always returned.
+
+### Fix: RoleGuard Plugin Did Not Guard `$pull.roles`
+
+**File:** `src/core/common/plugins/mongoose-role-guard.plugin.ts`
+
+The `mongooseRoleGuardPlugin` checked `$push.roles`, `$set.roles`, and `$addToSet.roles` for unauthorized role changes, but not `$pull.roles`. This meant `Model.findByIdAndUpdate(id, { $pull: { roles: 'admin' } })` could strip roles without authorization.
+
+**Impact:** The new `pullFromArray()` method exposed this gap. After this fix, `$pull.roles` is also guarded — unauthorized callers cannot remove roles via any MongoDB operator.
+
+---
+
+## Edge-Case Breaking Change
+
+### `checkRestricted()` 4th Parameter Type: `any[]` → `WeakSet<object>`
+
+The `processedObjects` parameter of the exported `checkRestricted()` function changed from `any[]` to `WeakSet<object>`. This parameter has a default value (`new WeakSet()`) and is only used internally for recursive calls.
+
+**Who is affected:** Only projects that call `checkRestricted()` directly AND pass a custom 4th argument. This is extremely unlikely — the function is typically called by the framework interceptors, not by consuming projects.
+
+**If you are affected:**
+```typescript
+// Before (11.23.x):
+checkRestricted(data, user, options, []);
+
+// After (11.24.0):
+checkRestricted(data, user, options, new WeakSet());
+// Or simply omit the 4th parameter (recommended):
+checkRestricted(data, user, options);
+```
+
+---
+
+## Deprecations
+
+### `getNewArray` Option in `PrepareInputOptions` / `PrepareOutputOptions`
+
+The `getNewArray` option is now deprecated. Array processing always returns a new array to prevent mutation bugs. The option is still accepted for backward compatibility but has no effect.
+
+---
+
+## Compatibility Notes
+
+### Existing Code
+
+All existing code continues to work without changes:
+
+- `CrudService.update()` works identically — the `process()` pipeline is unchanged
+- `@Restricted()` decorators behave the same (with the group member bug now fixed)
+- `prepareInput()` / `prepareOutput()` produce the same results (with bugs fixed)
+- Direct Mongoose operations (`Model.findByIdAndUpdate()`, `$push`, etc.) work as before
+
+### Adopting `pushToArray()` / `pullFromArray()` (Recommended)
+
+If your project has patterns like:
+
+```typescript
+entity.logs.push(newLog);
+await this.entityService.update(id, { logs: entity.logs });
+```
+
+Consider migrating to:
+
+```typescript
+await this.entityService.pushToArray(id, 'logs', newLog);
+```
+
+This is especially important for:
+- Arrays that grow over time (logs, history, comments)
+- Documents with hundreds of subdocument entries
+- High-frequency operations (monitoring, metrics)
+
+### Security Architecture
+
+The multi-layered security architecture ensures safety regardless of which method is used:
+
+| Layer | What it does | Active for pushToArray? |
+|-------|-------------|------------------------|
+| Mongoose Tenant Plugin | Scopes queries to tenant | Yes |
+| Mongoose Audit Plugin | Sets `updatedBy` | Yes |
+| Mongoose RoleGuard Plugin | Prevents unauthorized role changes | Yes |
+| `process()` pipeline | Input validation, authorization, output filtering | No (bypassed) |
+| CheckResponseInterceptor | Filters `@Restricted` fields from HTTP response | Yes (Safety Net) |
+| CheckSecurityInterceptor | Runs `securityCheck()`, removes secrets from HTTP response | Yes (Safety Net) |
+
+---
+
+## Troubleshooting
+
+### Group member checks now grant access where they were denied before
+
+This is expected — the `concat()` bug meant group member checks were silently broken. If your project relied on the (incorrect) denial behavior, review your `@Restricted({ memberOf: '...' })` usage.
+
+### Nested ObjectIds now appear as strings in API responses
+
+Previously, ObjectIds nested inside objects (e.g. `response.nested.refId`) were returned as ObjectId objects. They are now consistently converted to strings, matching the behavior of top-level ObjectIds. If your frontend parsed ObjectId objects, this is now a plain string.
+
+### Nested secret fields now removed from service-level output
+
+If your code accessed `result.author.password` after a CrudService call (within the service layer, not in API responses), this value is now `undefined`. This is the correct behavior — passwords should never be accessible in output. If you need the raw data, use `updateRaw()` / `getRaw()` or direct Mongoose queries.
+
+---
+
+## References
+
+- [SubDocument Array Optimization](../docs/subdocument-array-optimization-plan.md) — Detailed OOM analysis and implementation notes
+- [process() Performance Optimization](../docs/process-performance-optimization.md) — Pipeline optimization details
+- [nest-server-starter](https://github.com/lenneTech/nest-server-starter) — Reference implementation

package/migration-guides/11.24.0-to-11.24.1.md

@@ -0,0 +1,67 @@
+# Migration Guide: 11.24.0 → 11.24.1
+
+## Overview
+
+| Category | Details |
+|----------|---------|
+| **Breaking Changes** | None |
+| **New Features** | `pushToArray()`/`pullFromArray()` now accept `ObjectId` and objects with `id`/`_id` property |
+| **Migration Effort** | 0 minutes (no code changes required) |
+
+---
+
+## Quick Migration
+
+No code changes required.
+
+```bash
+# Update package
+pnpm add @lenne.tech/nest-server@11.24.1
+
+# Verify build
+pnpm run build
+
+# Run tests
+pnpm test
+```
+
+---
+
+## What's New in 11.24.1
+
+### Flexible `id` Parameter on `pushToArray()` / `pullFromArray()`
+
+Both methods now accept `string`, `Types.ObjectId`, or any object with an `id`/`_id` property (e.g. a Mongoose Document). IDs are normalized internally via `getStringIds()`, consistent with the rest of the framework.
+
+**Before (11.24.0):** Only `string` was accepted.
+```typescript
+await this.entityService.pushToArray(entity.id, 'logs', newLog);
+await this.entityService.pullFromArray(entity.id.toString(), 'tags', 'old');
+```
+
+**After (11.24.1):** All ID types work directly.
+```typescript
+// String (still works)
+await this.entityService.pushToArray('507f1f77bcf86cd799439011', 'logs', newLog);
+
+// ObjectId
+await this.entityService.pushToArray(new Types.ObjectId(id), 'logs', newLog);
+
+// Object with id property (e.g. Mongoose Document or entity reference)
+await this.entityService.pushToArray(entity, 'logs', newLog);
+
+// Same for pullFromArray
+await this.entityService.pullFromArray(entity, 'tags', 'obsolete');
+```
+
+---
+
+## Compatibility Notes
+
+Existing code using `string` IDs continues to work unchanged. The wider type signature is additive — no existing call sites break.
+
+---
+
+## References
+
+- [Migration Guide 11.23.x → 11.24.0](./11.23.x-to-11.24.0.md) — Full list of changes in 11.24.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.23.1",
+  "version": "11.24.1",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/core/common/decorators/restricted.decorator.ts

@@ -124,7 +124,7 @@ export const checkRestricted = (
     removeUndefinedFromResultArray?: boolean;
     throwError?: boolean;
   } = {},
-  processedObjects: any[] = [],
+  processedObjects: WeakSet<object> = new WeakSet(),
 ) => {
   // Act like Roles handling: checkObjectItself = false & mergeRoles = true
   // For Input: throwError = true
@@ -147,15 +147,81 @@ export const checkRestricted = (
     return data;
   }
 
-  // Prevent infinite recourse
-  if (processedObjects.includes(data)) {
+  // Prevent infinite recursion
+  if (processedObjects.has(data)) {
     return data;
   }
-  processedObjects.push(data);
+  processedObjects.add(data);
 
   // Array
   if (Array.isArray(data)) {
-    // Check array items
+    if (data.length === 0) {
+      return data;
+    }
+
+    // Optimization for typed arrays: all items share the same class → same @Restricted metadata.
+    // Validate restrictions on the first item, then apply the result to all items.
+    // Per-item checks are only needed when S_CREATOR or S_SELF restrictions exist
+    // (because createdBy/id differ per item).
+    const sample = data[0];
+    if (
+      sample &&
+      typeof sample === 'object' &&
+      !Array.isArray(sample) &&
+      sample.constructor &&
+      sample.constructor !== Object
+    ) {
+      // Check class-level restrictions once
+      const classRestrictions = getRestricted(sample.constructor) || [];
+      if (classRestrictions.length) {
+        const hasCreatorOrSelf = classRestrictions.some(
+          (r) =>
+            // Bare role string: @Restricted(RoleEnum.S_CREATOR)
+            r === RoleEnum.S_CREATOR ||
+            r === RoleEnum.S_SELF ||
+            // Role array: @Restricted([RoleEnum.S_CREATOR, RoleEnum.ADMIN])
+            (Array.isArray(r) && (r.includes(RoleEnum.S_CREATOR) || r.includes(RoleEnum.S_SELF))) ||
+            // Object with roles: @Restricted({ roles: RoleEnum.S_CREATOR }) or { roles: [...] }
+            (typeof r === 'object' &&
+              !Array.isArray(r) &&
+              'roles' in r &&
+              r.roles &&
+              ((Array.isArray(r.roles) &&
+                (r.roles.includes(RoleEnum.S_CREATOR) || r.roles.includes(RoleEnum.S_SELF))) ||
+                r.roles === RoleEnum.S_CREATOR ||
+                r.roles === RoleEnum.S_SELF)),
+        );
+
+        if (!hasCreatorOrSelf) {
+          // No per-item ownership checks needed — validate one sample, apply to all.
+          // The sample check recurses into properties. With checkObjectItself=true, it
+          // also validates the class-level restriction as a standalone gate. With the
+          // default checkObjectItself=false, class restrictions are merged into each
+          // property's restrictions (properties get stripped if the class restriction denies).
+          const sampleResult = checkRestricted(sample, user, config, processedObjects);
+          if (sampleResult === undefined || sampleResult === null) {
+            // Class-level restriction blocks access → entire array is blocked
+            if (config.throwError) {
+              return data; // Exception was already thrown in sampleResult
+            }
+            return config.removeUndefinedFromResultArray ? [] : data.map(() => undefined);
+          }
+          // Sample passed — process remaining items with the same (cached) restriction lookups.
+          // Since getRestricted() uses a WeakMap cache, subsequent calls for the same class
+          // are O(1) lookups, but we still need to recurse into nested properties per item.
+          const result = [sampleResult];
+          for (let i = 1; i < data.length; i++) {
+            result.push(checkRestricted(data[i], user, config, processedObjects));
+          }
+          if (!config.throwError && config.removeUndefinedFromResultArray) {
+            return result.filter((item) => item !== undefined);
+          }
+          return result;
+        }
+      }
+    }
+
+    // Fallback: plain objects, mixed types, or S_CREATOR/S_SELF checks needed
     let result = data.map((item) => checkRestricted(item, user, config, processedObjects));
     if (!config.throwError && config.removeUndefinedFromResultArray) {
       result = result.filter((item) => item !== undefined);
@@ -243,7 +309,7 @@ export const checkRestricted = (
             const items = config.dbObject?.[property];
             if (items) {
               if (Array.isArray(items)) {
-                members.concat(items);
+                members.push(...items);
               } else {
                 members.push(items);
               }

package/src/core/common/helpers/service.helper.ts

@@ -13,6 +13,13 @@ import { ConfigService } from '../services/config.service';
 import { getStringIds } from './db.helper';
 import { clone, plainToInstanceClean, processDeep } from './input.helper';
 
+// Secret field names for recursive removal in prepareOutput — allocated once, never change.
+// Only fields that are NEVER needed internally (hashed passwords, one-time tokens).
+// Fields like refreshTokens/tempTokens are kept — they are needed for token validation
+// and process flows (password reset, email verification). The CheckSecurityInterceptor
+// removes those from HTTP responses as a separate layer.
+const SECRET_FIELD_NAMES = Object.freeze(['password', 'verificationToken', 'passwordResetToken']);
+
 /**
  * Helper class for services
  * @deprecated use functions directly
@@ -84,7 +91,6 @@ export async function prepareInput<T = any>(
     clone: false,
     convertObjectIdsToString: true,
     create: false,
-    getNewArray: false,
     proto: false,
     removeUndefined: true,
     sha256: ConfigService.configFastButReadOnly.sha256,
@@ -98,14 +104,14 @@ export async function prepareInput<T = any>(
 
   // Process array
   if (Array.isArray(input)) {
-    const processedArray = config.getNewArray ? ([] as any[] & T) : input;
-    for (let i = 0; i <= input.length - 1; i++) {
-      processedArray[i] = await prepareInput(input[i], currentUser, options);
-      if (processedArray[i] === undefined && config.removeUndefined) {
-        processedArray.splice(i, 1);
+    const result = [] as any[] & T;
+    for (let i = 0; i < input.length; i++) {
+      const processed = await prepareInput(input[i], currentUser, options);
+      if (processed !== undefined || !config.removeUndefined) {
+        result.push(processed);
       }
     }
-    return processedArray;
+    return result;
   }
 
   // Clone input
@@ -197,7 +203,6 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
   const config = {
     circles: false,
     clone: false,
-    getNewArray: false,
     objectIdsToStrings: true,
     proto: false,
     removeSecrets: true,
@@ -213,14 +218,14 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
 
   // Process array
   if (Array.isArray(output)) {
-    const processedArray = config.getNewArray ? [] : output;
-    for (let i = 0; i <= output.length - 1; i++) {
-      processedArray[i] = await prepareOutput(output[i], options);
-      if (processedArray[i] === undefined && config.removeUndefined) {
-        processedArray.splice(i, 1);
+    const result = [];
+    for (let i = 0; i < output.length; i++) {
+      const processed = await prepareOutput(output[i], options);
+      if (processed !== undefined || !config.removeUndefined) {
+        result.push(processed);
       }
     }
-    return processedArray;
+    return result;
   }
 
   // Clone output
@@ -241,21 +246,6 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
     }
   }
 
-  // Remove password if exists
-  if (config.removeSecrets && output.password) {
-    output.password = undefined;
-  }
-
-  // Remove verification token if exists
-  if (config.removeSecrets && output.verificationToken) {
-    output.verificationToken = undefined;
-  }
-
-  // Remove password reset token if exists
-  if (config.removeSecrets && output.passwordResetToken) {
-    output.passwordResetToken = undefined;
-  }
-
   // Remove undefined properties to avoid unwanted overwrites
   if (config.removeUndefined) {
     for (const [key, value] of Object.entries(output)) {
@@ -263,13 +253,29 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
     }
   }
 
-  // Convert ObjectIds into strings
-  if (config.objectIdsToStrings) {
-    for (const [key, value] of Object.entries(output)) {
-      if (value instanceof Types.ObjectId) {
-        output[key] = value.toHexString();
-      }
-    }
+  // Single-pass DFS: convert ObjectIds to strings AND remove secret fields recursively.
+  // Merging both operations into one processDeep traversal halves the object graph walk
+  // compared to separate removeSecretsDeep + processDeep calls.
+  if (config.objectIdsToStrings || config.removeSecrets) {
+    const doSecrets = config.removeSecrets;
+    const doObjectIds = config.objectIdsToStrings;
+    output = processDeep(
+      output,
+      (property) => {
+        if (doObjectIds && property instanceof Types.ObjectId) {
+          return property.toHexString();
+        }
+        if (doSecrets && property && typeof property === 'object' && !Array.isArray(property)) {
+          for (const field of SECRET_FIELD_NAMES) {
+            if (field in property && property[field] !== undefined) {
+              property[field] = undefined;
+            }
+          }
+        }
+        return property;
+      },
+      { specialClasses: ['ObjectId'] },
+    );
   }
 
   // Add translated values of current selected language if _translations object exists

package/src/core/common/interfaces/prepare-input-options.interface.ts

@@ -7,6 +7,7 @@ export interface PrepareInputOptions {
   clone?: boolean;
   convertObjectIdsToString?: boolean;
   create?: boolean;
+  /** @deprecated No longer used — array processing always returns a new array to prevent mutation bugs */
   getNewArray?: boolean;
   removeUndefined?: boolean;
   targetModel?: new (...args: any[]) => any;

package/src/core/common/interfaces/prepare-output-options.interface.ts

@@ -4,6 +4,7 @@
 export interface PrepareOutputOptions {
   [key: string]: any;
   clone?: boolean;
+  /** @deprecated No longer used — array processing always returns a new array to prevent mutation bugs */
   getNewArray?: boolean;
   removeSecrets?: boolean;
   removeUndefined?: boolean;

package/src/core/common/plugins/mongoose-role-guard.plugin.ts

@@ -181,7 +181,13 @@ function isRoleChangeAllowed(): boolean {
 }
 
 function hasRolesInUpdate(update: any): boolean {
-  return !!(update?.roles || update?.$set?.roles || update?.$push?.roles || update?.$addToSet?.roles);
+  return !!(
+    update?.roles ||
+    update?.$set?.roles ||
+    update?.$push?.roles ||
+    update?.$addToSet?.roles ||
+    update?.$pull?.roles
+  );
 }
 
 function handleUpdateRoleGuard(update: any) {
@@ -189,7 +195,8 @@ function handleUpdateRoleGuard(update: any) {
     return;
   }
 
-  const hasRolesUpdate = update.roles || update.$set?.roles || update.$push?.roles || update.$addToSet?.roles;
+  const hasRolesUpdate =
+    update.roles || update.$set?.roles || update?.$push?.roles || update.$addToSet?.roles || update.$pull?.roles;
   if (!hasRolesUpdate) {
     return;
   }
@@ -211,4 +218,7 @@ function handleUpdateRoleGuard(update: any) {
   if (update.$addToSet?.roles) {
     delete update.$addToSet.roles;
   }
+  if (update.$pull?.roles) {
+    delete update.$pull.roles;
+  }
 }