Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade mongodb from 3.5.9 to 6.3.0 #6

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade mongodb from 3.5.9 to 6.3.0 #6

wants to merge 1 commit into from

Conversation

mnathsnyk
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.3.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 108 versions ahead of your current version.
  • The recommended version was released 4 months ago, on 2023-11-16.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Remote Memory Exposure
SNYK-JS-BL-608877		 492/1000
Why? Proof of Concept exploit, CVSS 7.7		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: mongodb
  • 6.3.0 - 2023-11-16

    6.3.0 (2023-11-15)

    The MongoDB Node.js team is pleased to announce version 6.3.0 of the mongodb package!

    Release Notes

    New client option serverMonitoringMode

    For users that want to control the behaviour of the monitoring connection between each node in the topology, a new option, serverMonitoringMode, has been added. This defaults to auto but can be forced into a specific mode by providing a value of poll or stream. When the setting is auto the monitoring mode will be determined by the environment the driver is running in, specifically, FaaS environments prefer "polling" mode and all others prefer "streaming".

    A polling monitor periodically issues a hello command to the node at an interval of heartbeatFrequencyMS. A streaming monitor sends an initial hello and then will automatically get a response from the Node when a change in server configuration occurs or at a maximum time of heartbeatFrequencyMS. The value of that option defaults to 10000 milliseconds.

    This new option can be provided in the connection string or as an option to the MongoClient.

    // In the connection string.
    new MongoClient('mongodb://127.0.0.1:27017/?serverMonitoringMode=stream');

    // In the options
    new MongoClient('mongodb://127.0.0.1:27017/', { serverMonitoringMode: 'stream' });

    Fix connection leak when serverApi is enabled

    When enabling serverApi the driver's RTT measurement logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.

    Both sending the correct hello command and the error handling connection clean-up logic are fixed in this change.

    GridFS fields deprecated

    The GridFS contentType and aliases options are deprecated. According to the GridFS spec, applications wishing to store contentType and aliases should add a corresponding field to the metadata document instead.

    Remove deprecation warning about punycode

    The mongodb-connection-string-url package which parses connection strings relied on Node's punycode module, the package now imports the community package removing the deprecation warning on Node.js 20+.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately and report any issues to the NODE project.

  • 6.3.0-dev.20240229.sha.99a0059 - 2024-02-29
  • 6.3.0-dev.20240228.sha.f26de76 - 2024-02-28
  • 6.3.0-dev.20240227.sha.09c9b0b - 2024-02-27
  • 6.3.0-dev.20240224.sha.233a2e0 - 2024-02-24
  • 6.3.0-dev.20240223.sha.17952d2 - 2024-02-23
  • 6.3.0-dev.20240222.sha.46b7bbb - 2024-02-22
  • 6.3.0-dev.20240221.sha.38742c2 - 2024-02-21
  • 6.3.0-dev.20240220.sha.90cb6fa - 2024-02-20
  • 6.3.0-dev.20240216.sha.10a5c5a - 2024-02-16
  • 6.3.0-dev.20240214.sha.ecfc615 - 2024-02-14
  • 6.3.0-dev.20240210.sha.a63fbc2 - 2024-02-10
  • 6.3.0-dev.20240209.sha.ca3780a - 2024-02-09
  • 6.3.0-dev.20240202.sha.9401d09 - 2024-02-02
  • 6.3.0-dev.20240131.sha.a42039b - 2024-01-31
  • 6.3.0-dev.20240127.sha.b7d28d3 - 2024-01-27
  • 6.3.0-dev.20240126.sha.8f7bb59 - 2024-01-26
  • 6.3.0-dev.20240125.sha.38fb2e4 - 2024-01-25
  • 6.3.0-dev.20240123.sha.7f97c2a - 2024-01-23
  • 6.3.0-dev.20240120.sha.f506b6a - 2024-01-20
  • 6.3.0-dev.20240119.sha.9b76a43 - 2024-01-19
  • 6.3.0-dev.20240113.sha.86e2659 - 2024-01-13
  • 6.3.0-dev.20240110.sha.8504d91 - 2024-01-10
  • 6.3.0-dev.20240108.sha.7f3ce0b - 2024-01-08
  • 6.2.0 - 2023-10-20

    6.2.0 (2023-10-19)

    The MongoDB Node.js team is pleased to announce version 6.2.0 of the mongodb package!

    Release Notes

    Updated to BSON 6.2.0

    BSON now prints in full color! 🌈 🚀

    See our release notes for BSON 6.2.0 here for more examples!

    insertedIds in bulk write now contain only successful insertions

    Prior to this fix, the bulk write error's result.insertedIds property contained the _id of each attempted insert in a bulk operation.

    Now, when a bulkwrite() or an insertMany() operation rejects one or more inserts, throwing an error, the error's result.insertedIds property will only contain the _id fields of successfully inserted documents.

    Fixed edge case leak in findOne()

    When running a findOne against a time series collection, the driver left the implicit session for the cursor un-ended due to the way the server returns the resulting cursor information. Now the cursor will always be cleaned up regardless of the outcome of the find operation.

    Removed client-side collection and database name validation

    Database and collection name checking will now be in sync with the MongoDB server's naming restrictions. Specifically, users can now create collections that start or end with the '.' character.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.1.0 - 2023-09-14

    6.1.0 (2023-09-14)

    The MongoDB Node.js team is pleased to announce version 6.1.0 of the mongodb package!

    Release Notes

    Bump bson version to expose new Decimal128.fromStringWithRounding() method

    In this release, we have adopted the changes made to Decimal128 in bson version 6.1.0. We have added a new fromStringWithRounding() method which exposes the previously available inexact rounding behaviour.

    See the bson v6.1.0 release notes for more information.

    Use region settings for STS AWS credentials request

    When using IAM AssumeRoleWithWebIdentity AWS authentication the driver uses the @ aws-sdk/credential-providers package to contact the Security Token Service API for temporary credentials. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build-in redundancy, and increase session token validity. Unfortunately, environment variables AWS_STS_REGIONAL_ENDPOINTS and AWS_REGION do not directly control the region the SDK's STS client contacts for credentials.

    The driver now has added support for detecting these variables and setting the appropriate options when calling the SDK's API: fromNodeProviderChain().

    Important

    The driver will only set region options if BOTH environment variables are present. AWS_STS_REGIONAL_ENDPOINTS MUST be set to either 'legacy' or 'regional', and AWS_REGION must be set.

    Fix memory leak with ChangeStreams

    In a previous release, 5.7.0, we refactored cursor internals from callbacks to async/await. In particular, the next function that powers cursors was written with callbacks and would recursively call itself depending on the cursor type. For ChangeStreams, this function would call itself if there were no new changes to return to the user. After converting that code to async/await each recursive call created a new promise that saved the current async context. This would slowly build up memory usage if no new changes came in to unwind the recursive calls.

    The function is now implemented as a loop, memory leak be gone!

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.0.0 - 2023-08-28
    Read more
  • 6.0.0-alpha.2 - 2023-08-24
  • 6.0.0-alpha.1 - 2023-08-24
  • 6.0.0-alpha.0 - 2023-08-08
  • 5.9.2 - 2023-12-05
  • 5.9.1 - 2023-10-20

    5.9.1 (2023-10-18)

    The MongoDB Node.js team is pleased to announce version 5.9.1 of the mongodb package!

    Release Notes

    insertedIds in bulk write now contain only successful insertions

    Prior to this fix, the bulk write error's result.insertedIds property contained the _id of each attempted insert in a bulk operation.

    Now, when a bulkwrite() or an insertMany() operation rejects one or more inserts, throwing an error, the error's result.insertedIds property will only contain the _id fields of successfully inserted documents.

    Fixed edge case leak in findOne()

    When running a findOne against a time series collection, the driver left the implicit session for the cursor un-ended due to the way the server returns the resulting cursor information. Now the cursor will always be cleaned up regardless of the outcome of the find operation.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 5.9.0 - 2023-09-14
    Read more
  • 5.8.1 - 2023-08-23

    5.8.1 (2023-08-23)

    The MongoDB Node.js team is pleased to announce version 5.8.1 of the mongodb package!

    Release Notes

    Import of saslprep updated to correct library.

    Fixes the import of saslprep to be the correct @ mongodb-js/saslprep library.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 5.8.0 - 2023-08-21
    Read more
  • 5.7.0 - 2023-07-06
  • 5.6.0 - 2023-06-01
  • 5.6.0-dev.20230606.sha.2b83ea4 - 2023-06-06
  • 5.6.0-dev.20230603.sha.008fd6f - 2023-06-03
  • 5.5.0 - 2023-05-11
  • 5.4.0 - 2023-05-04
  • 5.3.0 - 2023-04-18
  • 5.2.0 - 2023-04-04
  • 5.1.0 - 2023-02-23
  • 5.0.1 - 2023-02-07
  • 5.0.0 - 2023-01-31
  • 5.0.0-alpha.0 - 2023-01-24
  • 4.17.2 - 2023-12-05
  • 4.17.1 - 2023-08-23
    Read more
  • 4.17.0 - 2023-08-17
    Read more
  • 4.16.0 - 2023-04-18
  • 4.15.0 - 2023-04-04
  • 4.14.0 - 2023-02-07
  • 4.13.0 - 2022-12-19
  • 4.12.1 - 2022-11-23
  • 4.12.0 - 2022-11-16
  • 4.11.0 - 2022-10-19
  • 4.10.0 - 2022-09-19
  • 4.9.1 - 2022-08-31
  • 4.9.0 - 2022-08-18
  • 4.8.1 - 2022-07-26
  • 4.8.0 - 2022-07-13
  • 4.7.0 - 2022-06-06
  • 4.6.0 - 2022-05-11
  • 4.6.0-alpha.0 - 2022-05-04
  • 4.5.0 - 2022-04-04
  • 4.4.1 - 2022-03-03
  • 4.4.0 - 2022-02-17
  • 4.3.1 - 2022-01-18
  • 4.3.0 - 2022-01-06
  • 4.2.2 - 2021-12-13
  • 4.2.1 - 2021-11-30
  • 4.2.0 - 2021-11-17
  • 4.1.4 - 2021-11-03
  • 4.1.3 - 2021-10-05
  • 4.1.2 - 2021-09-14
  • 4.1.1 - 2021-08-24
  • 4.1.0 - 2021-08-03
  • 4.0.1 - 2021-07-20
  • 4.0.0 - 2021-07-13
  • 4.0.0-beta.6 - 2021-07-01
  • 4.0.0-beta.5 - 2021-05-26
  • 4.0.0-beta.4 - 2021-05-18
  • 4.0.0-beta.3 - 2021-04-06
  • 4.0.0-beta.2 - 2021-03-16
  • 4.0.0-beta.1 - 2021-02-02
  • 4.0.0-beta.0 - 2021-01-19
  • 3.7.4 - 2023-06-21
  • 3.7.3 - 2021-10-20
  • 3.7.2 - 2021-10-05
  • 3.7.1 - 2021-09-14
  • 3.7.0 - 2021-08-31
  • 3.6.12 - 2021-08-30
  • 3.6.11 - 2021-08-05
  • 3.6.10 - 2021-07-06
  • 3.6.9 - 2021-05-26
  • 3.6.8 - 2021-05-21
  • 3.6.7 - 2021-05-18
  • 3.6.6 - 2021-04-06
  • 3.6.5 - 2021-03-16
  • 3.6.4 - 2021-02-02
  • 3.6.3 - 2020-11-06
  • 3.6.2 - 2020-09-10
  • 3.6.1 - 2020-09-02
  • 3.6.0 - 2020-07-30
  • 3.6.0-beta.0 - 2020-04-14
  • 3.5.11 - 2020-09-10
  • 3.5.10 - 2020-07-30
  • 3.5.9 - 2020-06-12
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • a837036 chore(main): release 6.3.0 [skip-ci] (#3904)
  • ebbfb8a fix(NODE-5749): RTTPinger always sends legacy hello (#3921)
  • ae4c94a feat(NODE-5197): add server monitoring mode (#3899)
  • 08c9fb4 fix(NODE-4863): do not use RetryableWriteError for non-server errors (#3914)
  • 54adc9f feat(NODE-4878): Add remaining log configurable client options (#3908)
  • c0506b1 docs(NODE-5730): update load balancer docs (#3910)
  • b602162 refactor(NODE-5696): add async-iterator based socket helpers (#3896)
  • 89cb092 test(NODE-5732): update data lake test scripts (#3913)
  • fd58eec feat(NODE-3881): require hello command + OP_MSG when 'loadBalanced=True' (#3907)
  • bb5fa43 feat(NODE-5452): Logging Cosmos Document DB Info Message (#3902)
  • 1c3dc02 fix(NODE-5709): bump mongodb-connection-string-url to 3.0.0 (#3909)
  • 1f63704 test(NODE-5707): update aws ecs task definition (#3906)
  • d2225da feat(NODE-5590): deprecate GridFS fields (#3905)
  • f495abb feat(NODE-4849): Add Typescript support for log path in client options (#3886)
  • 4125526 docs: 6.2.0 docs (#3903)
  • bcb97ff chore(main): release 6.2.0 [skip-ci] (#3876)
  • e1c8c3b test: remove mongosh integration tests (#3850)
  • 32b7176 feat: update bson to 6.2.0 (#3898)
  • 995d138 fix(NODE-5706): make findOne() close implicit session to avoid memory leak (#3897)
  • b50aadc feat(NODE-5613): add `awaited` field to SDAM heartbeat events (#3895)
  • db90293 refactor(NODE-5675): refactor server selection and connection checkout to use abort signals for timeout management (#3890)
  • 4ff8080 test(NODE-5704): fix explain tests (#3893)
  • e5cbdd8 test(NODE-5694): update azure configuration (#3891)
  • 8c562f4 ci(NODE-5615): unit test on Node18 and Node20 (#3879)

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@mnathsnyk @snyk-bot