[Snyk] Upgrade mongodb from 3.5.9 to 6.6.2 #1227
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was automatically created by Snyk using the credentials of a real user.
![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)
Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.6.2.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 155 versions ahead of your current version.
The recommended version was released on 22 days ago.
Issues fixed by the recommended upgrade:
SNYK-JS-BL-608877
Release notes
Package name: mongodb
6.6.2 (2024-05-15)
The MongoDB Node.js team is pleased to announce version 6.6.2 of the
mongodb
package!Release Notes
Server Selection performance regression due to incorrect RTT measurement
Starting in version 6.6.0, when using the
stream
server monitoring mode, heartbeats were incorrectly timed as having a duration of 0, leading to server selection viewing each server as equally desirable for selection.Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.6.6.1 (2024-05-06)
The MongoDB Node.js team is pleased to announce version 6.6.1 of the
mongodb
package!Release Notes
ref()
-ed timer keeps event loop running untilclient.connect()
resolvesWhen the
MongoClient
is first starting up (client.connect()
) monitoring connections begin the process of discovering servers to make them selectable. Theref()
-edserverSelectionTimeoutMS
timer keeps Node.js' event loop running as the monitoring connections are created. In the last release we inadvertentlyunref()
-ed this initial timer which would allow Node.js to close before the monitors could create connections.Bug Fixes
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.6.6.0 (2024-05-02)
The MongoDB Node.js team is pleased to announce version 6.6.0 of the
mongodb
package!Release Notes
Aggregation pipelines can now add stages manually
When creating an aggregation pipeline cursor, a new generic method
addStage()
has been added in the fluid API for users to add aggregation pipeline stages in a general manner.Thank you @ prenaissance for contributing this feature!
cause and package name included for
MongoMissingDependencyErrors
MongoMissingDependencyError
s now include acause
and adependencyName
field, which can be used to programmatically determine which package is missing and why the driver failed to load it.For example:
ServerDescription
Round Trip Time (RTT) measurement changes(1)
ServerDescription.roundTripTime
is now a moving averagePreviously,
ServerDescription.roundTripTime
was calculated as a weighted average of the most recently observed heartbeat duration and the previous duration. This update changes this behaviour to averageServerDescription.roundTripTime
over the last 10 observed heartbeats. This should reduce the likelihood that the selected server changes as a result of momentary spikes in server latency.(2) Added
minRoundTripTime
toServerDescription
A new
minRoundTripTime
property is now available on theServerDescription
class which gives the minimum RTT over the last 10 heartbeats. Note that this value will be reported as 0 when fewer than 2 samples have been observed.type
supported inSearchIndexDescription
It is now possible to specify the type of a search index when creating a search index:
Collection.findOneAndModify
'sUpdateFilter.$currentDate
no longer throws on collections with limited schemaExample:
TopologyDescription
now properly stringifies itself to JSONThe
TopologyDescription
class is exposed by the driver in server selection errors and topology monitoring events to provide insight into the driver's current representation of the server's topology and to aid in debugging. However, the TopologyDescription usesMap
s internally, which get serialized to{}
when JSON stringified. We recommend using Node'sutil.inspect()
helper to print topology descriptions becauseinspect
properly handles all JS types and all types we use in the driver. However, if JSON must be used, theTopologyDescription
now provides a customtoJSON()
hook:// recommended!
console.log('topology description changed', inspect(newDescription, { depth: Infinity, colors: true }))
});
Omit
readConcern
andwriteConcern
inCollection.listSearchIndexes
options argumentImportant
readConcern
andwriteConcern
are no longer viable keys in the options argument passed intoCollection.listSearchIndexes
This type change is a correctness fix.
Collection.listSearchIndexes
is an Atlas specific method, and Atlas' search indexes do not supportreadConcern
andwriteConcern
options. The types for this function now reflect this functionality.Don't throw error when non-read operation in a transaction has a
ReadPreferenceMode
other than'primary'
The following error will now only be thrown when a user provides a
ReadPreferenceMode
other thanprimary
and then tries to perform a command that involves a read:Prior to this change, the Node Driver would incorrectly throw this error even when the operation does not perform a read.
Note: a
RunCommandOperation
is treated as a read operation for this error.TopologyDescription.error
type isMongoError
Important
The
TopologyDescription.error
property type is nowMongoError
rather thanMongoServerError
.This type change is a correctness fix.
Before this change, the following errors that were not instances of
MongoServerError
were already passed intoTopologyDescription.error
at runtime:MongoNetworkError
(excludingMongoNetworkRuntimeError
)MongoError
with aMongoErrorLabel.HandshakeError
labelindexExists()
no longer supports thefull
optionThe
Collection.indexExists()
helper supported an option,full
, that modified the internals of the method. Whenfull
was set totrue
, the driver would always returnfalse
, regardless of whether or not the index exists.The
full
option is intended to modify the return type of index enumeration APIs (Collection.indexes()
andCollection.indexInformation()
, but since the return type ofCollection.indexExists()
this option does not make sense for theCollection.indexExists()
helper.We have removed support for this option.
indexExists()
,indexes()
andindexInformation()
support cursor options in TypescriptThese APIs have supported cursor options at runtime since the 4.x version of the driver, but our Typescript has incorrectly omitted cursor options from these APIs.
Index information helpers have accurate Typescript return types
Collection.indexInformation()
,Collection.indexes()
andDb.indexInformation()
are helpers that return index information for a given collection or database. These helpers take an option,full
, that configures whether the return value contains full index descriptions or a compact summary:However, the Typescript return type of these helpers was always
Document
. Thanks to @ prenaissance, these helpers now have accurate type information! The helpers return a new type,IndexDescriptionCompact | IndexDescriptionInfo[]
, which accurately reflects the return type of these helpers. The helpers also support type narrowing by providing a boolean literal as an option to the API:IndexDescriptionCompact | IndexDescriptionInfo[]
collection.indexes({ full: false }); // returns an
IndexDescriptionCompact
collection.indexes({ full: true }); // returns an
IndexDescriptionInfo[]
collection.indexInfo(); // returns
IndexDescriptionCompact | IndexDescriptionInfo[]
collection.indexInfo({ full: false }); // returns an
IndexDescriptionCompact
collection.indexInfo({ full: true }); // returns an
IndexDescriptionInfo[]
db.indexInfo(); // returns
IndexDescriptionCompact | IndexDescriptionInfo[]
db.indexInfo({ full: false }); // returns an
IndexDescriptionCompact
db.indexInfo({ full: true }); // returns an
IndexDescriptionInfo[]
AWS credentials with expirations no longer throw when using on-demand AWS KMS credentials
In addition to letting users provide KMS credentials manually, client-side encryption supports fetching AWS KMS credentials on-demand using the AWS SDK. However, AWS credential mechanisms that returned access keys with expiration timestamps caused the driver to throw an error.
The driver will no longer throw an error when receiving an expiration token from the AWS SDK.
ClusterTime
interfacesignature
optionalityThe
ClusterTime
interface incorrectly reported thesignature
field as required, the server may omit it, so the typescript has been updated to reflect reality.Summary
Features
timeoutMS
anddefaultTimeoutMS
(#4068) (ddd1e81)cause
and package name for allMongoMissingDependencyError
s (#4067) (62ea94b)minRoundTripTime
toServerDescription
and changeroundTripTime
to a moving average (#4059) (0e3d6ea)type
option in create search index helpers (#4060) (3598c23)bson
to ^6.5.0 (#4035) (8ab2055)bson
to ^6.7.0 (#4099) (7f191cf)Bug Fixes
Collection.findOneAndModify
UpdateFilter.$currentDate
(#4047) (a8670a7)ReadPreferenceMode
other thanprimary
(#4075) (39fc198)v
tocreateIndexes
command whenversion
is specified (#4043) (1879a04)TopologyDescription.error
type toMongoError
(#4028) (30432e8)full
is set totrue
(#4034) (0ebc1ac)libmongocrypt
after fetching AWS KMS credentials (#4057) (c604e74)ClusterTime.signature
can be undefined (#4069) (ce55ca9)Performance Improvements
setTimeout
callback (#4094) (6abc074)Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.6.5.0 (2024-03-11)
The MongoDB Node.js team is pleased to announce version 6.5.0 of the
mongodb
package!Release Notes
Bulk Write Operations Generate Ids using
pkFactory
When performing inserts, the driver automatically generates
_id
s for each document if there is no_id
present. By default, the driver generatesObjectId
s. An option,pkFactory
, can be used to configure the driver to generate_id
s that are not object ids.For a long time, only
Collection.insert
andCollection.insertMany
actually used thepkFactory
, if configured. Notably,Collection.bulkWrite()
,Collection.initializeOrderedBulkOp()
andCollection.initializeOrderedBulkOp()
always generatedObjectId
s, regardless of what was configured on collection.The driver always generates
_id
s for inserted documents using thepkFactory
.Caution
If you are using a
pkFactory
and performing bulk writes, you may have inserted data into your database that does not have_id
s generated by thepkFactory
.Fixed applying read preference to commands depending on topology
When connecting to a secondary in a replica set with a direct connection, if a read operation is performed, the driver attaches a read preference of
primaryPreferred
to the command.Fixed memory leak in Connection layer
The Connection class has recently been refactored to operate on our socket operations using promises. An oversight how we made async network operations interruptible made new promises for every operation. We've simplified the approach and corrected the leak.
Query SRV and TXT records in parallel
When connecting using a convenient SRV connection string (
mongodb+srv://
) hostnames are obtained from an SRV dns lookup and some configuration options are obtained from a TXT dns query. Those DNS operations are now performed in parallel to reduce first-time connection latency.Container and Kubernetes Awareness
The Node.js driver now keeps track of container metadata in the
client.env.container
field of the handshake document.If space allows, the following metadata will be included in
client.env.container
:Note: If neither Kubernetes nor Docker is present,
client.env
will not have thecontainer
property.Add property
errorResponse
to MongoServerErrorThe MongoServer error maps keys from the error document returned by the server on to itself. There are some use cases where the original error document is desirable to obtain in isolation. So now, the
mongoServerError.errorResponse
property stores a reference to the error document returned by the server.Deprecated unused
CloseOptions
interfaceThe
CloseOptions
interface was unintentionally made public and was only intended for use in the driver's internals. Due to recent refactoring (NODE-5915), this interface is no longer used in the driver. Since it was marked public, out of an abundance of caution we will not be removing it outside of a major version, but we have deprecated it and will be removing it in the next major version.Features
Bug Fixes
CERT_HAS_EXPIRED
(#4014) (057c223)Connection
class (#4022) (69de253)Performance Improvements
Documentation
We invite you to try the
mongodb
library immediately, and report any issues to the NODE project.6.4.0 (2024-02-29)
The MongoDB Node.js team is pleased to announce version 6.4.0 of the
mongodb
package!Release Notes
Server selection will use a different Mongos on retry
When retrying reads or writes on a sharded cluster, the driver will attempt to select a different mongos for the retry if multiple are present. This should heuristically avoid encountering the original error that caused the need to retry the operation.
Caching AWS credentials provider per client
Instead of creating a new AWS provider for each authentication, we cache the AWS credentials provider per client to prevent overwhelming the auth endpoint and ensure that cached credentials are not shared with other clients.
BSON upgraded to
^6.4.0
BSON has had a number of performance increases in the last two releases (6.3.0 and 6.4.0). Small basic latin (ASCII) only strings, small memory allocations (ObjectId and Decimal128) and numeric parsing operations (int32, doubles, and longs) have all had optimizations applied to them.
For details check out the release notes here: BSON 6.3.0 and BSON 6.4.0 🐎
ExceededTimeLimit was made a retryable reads error
Read operations will be retried after receiving an error with the
ExceededTimeLimit
label.Fixed unresolved request issue in KMS requester
Internal to the field-level encryption machinery is a helper that opens a TLS socket to the KMS provider endpoint and submits a KMS request. The code neglected to add a
'close'
event listener to the socket, which had the potential to improperly leave the promise pending indefinitely if no error was encountered.The base64 padding is now preserved in the saslContinue command
The authentication was rejected by the saslContinue command from mongosh due to missing "=" padding from the client. We fixed the way we parse payload to preserve trailing "="s.
countDocuments
now types the filter using the collection SchemaPreviously,
countDocuments
had a weakly typedDocument
type for the filter allowing any JS object as input. The filter is now typed asFilter<Schema>
to enable autocompletion, and, hopefully, catch minor bugs.Thank you to @ pashok88895 for contributing to this improvement.
The type error with
$addToSet
inbulkWrite
was fixedPreviously the following code sample would show a type error:
It happened because the driver's
Document
type falls back toany
, and internally we could not distinguish whether or not this assignment was intentional and should be allowed.After this change, users can extend their types from
Document
/any
, or use properties ofany
type and we skip the$addToSet
validation in those cases.Fixed heartbeat duration including socket creation
The ServerHeartbeatSucceeded and ServerHeartbeatFailed event have a duration property that represents the time it took to perform the
hello
handshake with MongoDB. The Monitor responsible for issuing heartbeats mistakenly included the time it took to create the socket in this field, which inflates the value with the time it takes to perform a DNS lookup, TCP, and TLS handshakes.Errors on cursor transform streams are now properly propagated.
These were previously swallowed and now will be emitted on the
error
event:The AWS token is now optional
Users may provide an
AWS_SESSION_TOKEN
as a client option or AWS configuration in addition to a username and password. But if the token is not provided, the driver won't throw an exception and let AWS SDK handle the request.Features
^6.4.0
(#4007) (90f2f70)^6.3.0
(#3983) (9401d09)Bug Fixes