[Snyk] Upgrade mongodb from 3.5.9 to 6.3.0 #6
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.3.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Warning: This is a major version upgrade, and may be a breaking change.
The recommended version fixes:
SNYK-JS-BL-608877
Why? Proof of Concept exploit, CVSS 7.7
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: mongodb
6.3.0 (2023-11-15)
The MongoDB Node.js team is pleased to announce version 6.3.0 of the
mongodb
package!Release Notes
New client option
serverMonitoringMode
For users that want to control the behaviour of the monitoring connection between each node in the topology, a new option,
serverMonitoringMode
, has been added. This defaults toauto
but can be forced into a specific mode by providing a value ofpoll
orstream
. When the setting isauto
the monitoring mode will be determined by the environment the driver is running in, specifically, FaaS environments prefer "polling" mode and all others prefer "streaming".A polling monitor periodically issues a
hello
command to the node at an interval ofheartbeatFrequencyMS
. A streaming monitor sends an initialhello
and then will automatically get a response from the Node when a change in server configuration occurs or at a maximum time ofheartbeatFrequencyMS
. The value of that option defaults to 10000 milliseconds.This new option can be provided in the connection string or as an option to the
MongoClient
.new MongoClient('mongodb://127.0.0.1:27017/?serverMonitoringMode=stream');
// In the options
new MongoClient('mongodb://127.0.0.1:27017/', { serverMonitoringMode: 'stream' });
Fix connection leak when
serverApi
is enabledWhen enabling
serverApi
the driver's RTT measurement logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.Both sending the correct hello command and the error handling connection clean-up logic are fixed in this change.
GridFS fields deprecated
The GridFS
contentType
andaliases
options are deprecated. According to the GridFS spec, applications wishing to storecontentType
andaliases
should add a corresponding field to themetadata
document instead.Remove deprecation warning about punycode
The
mongodb-connection-string-url
package which parses connection strings relied on Node's punycode module, the package now imports the community package removing the deprecation warning on Node.js 20+.Features
Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately and report any issues to the NODE project.6.2.0 (2023-10-19)
The MongoDB Node.js team is pleased to announce version 6.2.0 of the
mongodb
package!Release Notes
Updated to BSON 6.2.0
BSON now prints in full color! 🌈 🚀
See our release notes for BSON 6.2.0 here for more examples!
insertedIds
in bulk write now contain only successful insertionsPrior to this fix, the bulk write error's
result.insertedIds
property contained the_id
of each attempted insert in a bulk operation.Now, when a
bulkwrite()
or aninsertMany()
operation rejects one or more inserts, throwing an error, the error'sresult.insertedIds
property will only contain the_id
fields of successfully inserted documents.Fixed edge case leak in
findOne()
When running a
findOne
against a time series collection, the driver left the implicit session for the cursor un-ended due to the way the server returns the resulting cursor information. Now the cursor will always be cleaned up regardless of the outcome of the find operation.Removed client-side collection and database name validation
Database and collection name checking will now be in sync with the MongoDB server's naming restrictions. Specifically, users can now create collections that start or end with the '.' character.
Features
awaited
field to SDAM heartbeat events (#3895) (b50aadc)Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.6.1.0 (2023-09-14)
The MongoDB Node.js team is pleased to announce version 6.1.0 of the
mongodb
package!Release Notes
Bump bson version to expose new
Decimal128.fromStringWithRounding()
methodIn this release, we have adopted the changes made to Decimal128 in bson version 6.1.0. We have added a new
fromStringWithRounding()
method which exposes the previously available inexact rounding behaviour.See the bson v6.1.0 release notes for more information.
Use region settings for STS AWS credentials request
When using IAM AssumeRoleWithWebIdentity AWS authentication the driver uses the @ aws-sdk/credential-providers package to contact the Security Token Service API for temporary credentials. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build-in redundancy, and increase session token validity. Unfortunately, environment variables
AWS_STS_REGIONAL_ENDPOINTS
andAWS_REGION
do not directly control the region the SDK's STS client contacts for credentials.The driver now has added support for detecting these variables and setting the appropriate options when calling the SDK's API: fromNodeProviderChain().
Important
The driver will only set region options if BOTH environment variables are present.
AWS_STS_REGIONAL_ENDPOINTS
MUST be set to either'legacy'
or'regional'
, andAWS_REGION
must be set.Fix memory leak with ChangeStreams
In a previous release, 5.7.0, we refactored cursor internals from callbacks to async/await. In particular, the
next
function that powers cursors was written with callbacks and would recursively call itself depending on the cursor type. ForChangeStreams
, this function would call itself if there were no new changes to return to the user. After converting that code to async/await each recursive call created a new promise that saved the current async context. This would slowly build up memory usage if no new changes came in to unwind the recursive calls.The function is now implemented as a loop, memory leak be gone!
Features
Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.Read more
5.9.1 (2023-10-18)
The MongoDB Node.js team is pleased to announce version 5.9.1 of the
mongodb
package!Release Notes
insertedIds
in bulk write now contain only successful insertionsPrior to this fix, the bulk write error's
result.insertedIds
property contained the_id
of each attempted insert in a bulk operation.Now, when a
bulkwrite()
or aninsertMany()
operation rejects one or more inserts, throwing an error, the error'sresult.insertedIds
property will only contain the_id
fields of successfully inserted documents.Fixed edge case leak in
findOne()
When running a
findOne
against a time series collection, the driver left the implicit session for the cursor un-ended due to the way the server returns the resulting cursor information. Now the cursor will always be cleaned up regardless of the outcome of the find operation.Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.Read more
5.8.1 (2023-08-23)
The MongoDB Node.js team is pleased to announce version 5.8.1 of the
mongodb
package!Release Notes
Import of
saslprep
updated to correct library.Fixes the import of saslprep to be the correct
@ mongodb-js/saslprep
library.Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.Read more
Read more
Read more
Commit messages
Package name: mongodb
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs