Description
Steps to reproduce
First, not sure where adapter-commons is in 4.5.3.
We have a query in the client (using the Feathers client):
const item = await myService.get(this.id, {
  query: {
    $populate: ['user']
  }
});
What's notable is myService does NOT whitelist $populate. I've confirmed at no point is it there.
I'm confused by this code in cleanQuery:
_.each(query, (value, key) => {
  if (key[0] === '$') {
    if (filters[key] !== undefined) {
      return;
    }
    if (!operators.includes(key)) {
      throw new BadRequest(`Invalid query parameter ${key}`, query);
    }
  }
The code thinks my $populate is part of the filters, so it sees that we have a filter with this operator and lets it through! What's the point of the operator check if things like $populate are not considered?
What does it mean for an operator to be part of the query vs the filter? I had trouble finding docs that explained it and this behavior.
This definitely worked at some point (where it would error out in this scenario).
Expected behavior
I would expect $populate to error in this case because I have not whitelisted it.
Actual behavior
The query succeeds and does the $populate.
System configuration
Module versions (especially the part that's not working):
feathers-mongoose 8.3.0
adapter-commons 4.4.3 (because feathers-mongoose 8.3.0 specifies ^4.4.1)
feathersjs 4.5.3
NodeJS version:
12.16.3
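
Added example, not part of the original issue and not code from Feathers: the first function replays the excerpt's decision on top-level keys to show that a `$` key with an entry in `filters` never reaches the operator check, and the hypothetical `rejectUnlistedDollarKeys` before-hook rejects any `$` key, at any depth, that is not on one explicit allow-list. `BadRequest` is a local stand-in, and the `operators`, `filters` and `allowed` values are constructed; how the adapter fills `filters` is not shown on the page.

```javascript
// Local stand-in for the BadRequest error thrown in the excerpt.
class BadRequest extends Error {}

// Replays the excerpt's decision for top-level keys and returns the $-keys
// that skip the operator check because `filters` has an entry for them.
function skippedByFilterCheck(query, operators, filters) {
  const skipped = [];
  for (const key of Object.keys(query)) {
    if (key[0] !== '$') continue;
    if (filters[key] !== undefined) { skipped.push(key); continue; }
    if (!operators.includes(key)) {
      throw new BadRequest(`Invalid query parameter ${key}`);
    }
  }
  return skipped;
}

// Collects every $-key, at any depth, that is not on one explicit allow-list.
function findUnlistedDollarKeys(query, allowed, found = []) {
  if (Array.isArray(query)) {
    query.forEach(value => findUnlistedDollarKeys(value, allowed, found));
  } else if (query !== null && typeof query === 'object') {
    for (const [key, value] of Object.entries(query)) {
      if (key[0] === '$' && !allowed.includes(key)) found.push(key);
      findUnlistedDollarKeys(value, allowed, found);
    }
  }
  return found;
}

// Hypothetical before-hook: fails closed before the adapter sees the query.
const rejectUnlistedDollarKeys = allowed => context => {
  const bad = findUnlistedDollarKeys(context.params.query || {}, allowed);
  if (bad.length) throw new BadRequest(`Invalid query parameter ${bad[0]}`);
  return context;
};

// Constructed inputs (assumptions, not values read from the libraries).
const query = { $populate: ['user'] };
const operators = ['$in', '$nin', '$lt', '$gt'];
const allowed = ['$limit', '$skip', '$sort', '$select', ...operators];

console.log(skippedByFilterCheck(query, operators, { $populate: ['user'] }));
try {
  rejectUnlistedDollarKeys(allowed)({ params: { query } });
} catch (err) {
  console.log(err.message);
}
```
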