[Snyk] Upgrade mongodb from 6.13.0 to 6.17.0 #40
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.17.0. See this package in npm: mongodb See this project in Snyk: https://app.snyk.io/org/contentstack-devex/project/37228d36-21e6-4276-b625-091727e0f9ed?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.17.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 71 versions ahead of your current version.
The recommended version was released 2 months ago.
Release notes
Package name: mongodb
6.17.0 (2025-06-03)
The MongoDB Node.js team is pleased to announce version 6.17.0 of the
mongodbpackage!Release Notes
Support for MongoDB 4.0 is removed
Warning
When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.
OIDC machine workflows now retry on token expired errors during initial authentication
This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were
"azure","gcp", and"k8s".keepAliveInitialDelaymay now be configured at theMongoClientlevelWhen not present will default to 120 seconds. The option value must be specified in milliseconds.
const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });
updateOneandreplaceOnenow support asortoptionThe updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:
collection.updateOne({}, {}, { sort });
collection.replaceOne({}, {}, { sort });
collection.bulkWrite([
{ updateOne: { filter: {}, update: {}, sort } },
{ replaceOne: { filter: {}, replacement: {}, sort } },
]);
client.bulkWrite([
{ name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
{ name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
]);
MongoClient close shuts outstanding in-use connections
The
MongoClient.close()method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.Support Added for Configuring the DEK cache expiration time.
Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0
For
ClientEncryption:For auto encryption:
Update operations will now throw if
ignoreUndefinedis true and all operations are undefined.When using any of the following operations they will now throw if all atomic operations in the update are undefined and the
ignoreUndefinedoption istrue. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:const client = new MongoClient(process.env.MONGODB_URI);
client.bulkWrite(
[
{
name: 'updateMany',
namespace: 'foo.bar',
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
],
{ ignoreUndefined: true }
);
const collection = client.db('test').collection('test');
collection.bulkWrite(
[
{
updateMany: {
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
}
],
{ ignoreUndefined: true }
);
collection.findOneAndUpdate(
{ a: 1 },
{ $set: undefined, $unset: undefined },
{ ignoreUndefined: true }
);
collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
Socket errors are always treated as network errors
Network errors perform an important role in the driver, impacting topology monitoring processes and retryablity. A bug in the driver's socket implementation meant that in scenarios where server disconnects occurred while no operation was in progress on the socket resulted in errors that were not considered network errors.
Socket errors are now unconditionally treated as network errors.
Features
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.16.0 (2025-04-21)
The MongoDB Node.js team is pleased to announce version 6.16.0 of the
mongodbpackage!Release Notes
distinct commands now support an index hint
The
Collection.distinct()method now supports an optionalhint, which can be used to tell the server which index to use for the command:await collection.distinct('my-key', {
hint: { 'my-key': 1 }
});
// providing an index name
await collection.distinct('my-key', {
hint: 'my-key'
});
This requires server 7.1+.
Driver support for servers <=4.0 deprecated
Warning
Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.
Fix processing of multiple messages within one network data chunk
During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.
Now, all messages in the current buffer are returned to the driver leading to faster processing times.
Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!
FindCursor.rewind() throws
documents?.clear() is not a functionerrors in certain scenariosIn certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.
Features
hinton distinct commands (#4487) (40d0e87)Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.15.0 (2025-03-18)
The MongoDB Node.js team is pleased to announce version 6.15.0 of the
mongodbpackage!Release Notes
Support for custom AWS credential providers
The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of
() => Promise<AWSCredentials>which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.Example for authentication with a provider chain from the AWS SDK:
const client = new MongoClient(process.env.MONGODB_URI, {
authMechanismProperties: {
AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
}
});
Example for using a custom provider for KMS requests only:
const client = new MongoClient(process.env.MONGODB_URI, {
autoEncryption: {
keyVaultNamespace: 'keyvault.datakeys',
kmsProviders: { aws: {} },
credentialProviders: {
aws: fromNodeProviderChain()
}
}
}
Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:
Fix misc unhandled rejections under special conditions
We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:
OIDCand anAbortSignalwas aborted on cursor at the same time the client was reauthenticating, if the reauth process was rejected it would have been unhandled.timeoutMSwas used and the timeout expired before an operation reached the server selection step the operation would throw the expected timeout error but a promise representing the timeout would also raise an unhandled rejection.Features
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.14.2 (2025-03-04)
The MongoDB Node.js team is pleased to announce version 6.14.2 of the
mongodbpackage!Release Notes
KMS Requests can cause unhandled rejection
When using explicit encryption or automatic encryption, the driver makes requests to a Key Management System when to fetch key encryption keys. The driver supports connecting to a KMS provider through a Socks5 proxy. However, the socket used for the socks5 proxy was created in all circumstances, regardless of proxy configuration. This leads to unhandled rejection errors when closing the socket the driver attempts to clean up the unused socket.
With the changes in this release, the socket is only created if a proxy is configured and the any promises created for the proxy are properly handled.
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.14.1 (2025-03-03)
The MongoDB Node.js team is pleased to announce version 6.14.1 of the
mongodbpackage!Release Notes
Fixed occasional OIDC reauthentication failure
Error code 391 is intended to make the driver internally reauthenticate the connection to the server, however, occasionally this was being raised to the user. This was due to a bug in setting the cached access token on newly created connections.
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.14.0 (2025-02-28)
The MongoDB Node.js team is pleased to announce version 6.14.0 of the
mongodbpackage!Release Notes
Add support for $lookup on encrypted collections
Starting in the upcoming MongoDB server 8.1, the aggregation stage
$lookupcan now be used with clients configured for automatic encryption after upgrading tomongodb-client-encryption@>=6.3.0! 🔒 🎉Use
isUint8Arraydefined in the driver rather thanutil/typesSome users of bundlers for next.js and our very own mongosh noticed a new import from "util/types" that would need to be supported in environments that don't have that module. We already have an internal implementation of
isUint8Arrayso we do not need to add an import for "util/types".Revert
@ aws-sdk/credential-providerscompatiblity changeIn v6.13.1 we inadvertantly raised the version compatibility of
@ aws-sdk/credential-providers, that change has been reverted.Features
nsTypein change stream create events (#4431) (7800067)Bug Fixes
@ aws-sdk/credential-providerspeer compatibility change (#4437) (488c407)Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.13.1 (2025-02-20)
The MongoDB Node.js team is pleased to announce version 6.13.1 of the
mongodbpackage!Release Notes
Remove extraneous
Promise<Document>inCollection.replaceOnereturn typeThe return type signature of the
replaceOnemethod no longer includes the generalPromise<Document>type. Thanks to @ arturmuller, thereplaceOnetype signature is now more accurate! 🎉Fix writeConcern omitted when timeoutMS is provided
When
timeoutMSand a write concern were provided, thewriteConcernwas incorrectly omitted from the final command executed by the driver.Thanks @ stepanho for contributing the fix!
Update BSON version requirement to 6.10.3
This pulls in fixes made in
bsonversions 6.10.3 and 6.10.2 into the driver.BSON 6.10.2 fixed an issue in
calculateObjectSizeignoring the size contributed byBigIntvalues to a BSON document. This impacted batch splitting logic inbulkWriteoperations: if the actual BSON was over the size returned bycalculateObjectSizethe server would return an error.Warning
BSON 6.10.3 addresses a potential data corruption risk with the use of
useBigInt64flag introduced in BSON 6.4.0, where negativeLongvalues would be deserialized intoBigIntas unsigned integers when theuseBigInt64flag was enabled. (Thanks to @ rkistner for reporting this issue!)Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.13.0 (2025-01-30)
The MongoDB Node.js team is pleased to announce version 6.13.0 of the
mongodbpackage!Release Notes
MongoDB Standardized Logging 📝
The driver's standardized logger is now available! The primary goal of our driver's logger is to enable insight into database operations without code changes so enabling and configuring the logger are primarily done through our environment variables.
TL;DR Show me the logs!
Tip
If you are a CLI app developer (or otherwise take great care of your std outputs): The client options constructor argument takes precedence over environment variables, permitting you to disable or otherwise customize the logger so your app does not automatically respond to the current environment.
Check out the in-depth logging docs here: https://www.mongodb.com/docs/drivers/node/current/fundamentals/logging/
🚀 Improved command monitoring performance
Previously, when command monitoring was enabled, the driver would make deep copies of command and reply objects, which have the potential to be very large documents. These copies have been eliminated, providing a speed and memory efficiency bump to command monitoring.
Warning
Since we no longer make deep copies of commands/replies in Command Monitoring Events, directly modifying the command/reply objects on
CommandStartedEvents andCommandSucceededEvents may lead to undefined behaviour.🧪 Experimental AbortSignal support added to Find and Aggregate! 🚥
A
signalargument can now be passed to the following APIs:collection.find()&collection.findOne()collection.aggregate()&collection.countDocuments()In order to support field level encryption properly, also:
db.listCollections()db.command()When aborted, the signal will interrupt the execution of each of each of these APIs. For the cursor-based APIs, this will be observed when attempting to consume from the cursor via toArray(), next(), for-await, etc.
There is a known limitation: aborting a signal closes a perfectly healthy conne...