[Snyk] Upgrade mongodb from 3.1.8 to 6.5.0

[baby636]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade mongodb from 3.1.8 to 6.5.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 178 versions ahead of your current version.

• The recommended version was released 2 months ago, on 2024-03-11.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Pollution SNYK-JS-LODASH-608086	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-6139239	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Command Injection SNYK-JS-LODASHTEMPLATE-1088054	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Internal Property Tampering SNYK-JS-BSON-6056525	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Prototype Pollution SNYK-JS-AJV-584908	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Remote Memory Exposure SNYK-JS-BL-608877	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Uncontrolled resource consumption SNYK-JS-BRACES-6838727	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Internal Property Tampering SNYK-JS-BSON-561052	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-URLREGEX-569472	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Arbitrary Code Execution SNYK-JS-ESLINTUTILS-460220	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Information Exposure SNYK-JS-SIMPLEGET-2361683	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-Y18N-1021887	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Denial of Service (DoS) SNYK-JS-MONGODB-473855	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Prototype Pollution SNYK-JS-INI-1048974	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Arbitrary Code Execution SNYK-JS-JSYAML-174129	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Command Injection SNYK-JS-LODASH-1040724	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-DOTPROP-543489	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Timing Attack SNYK-JS-ELLIPTIC-511941	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Uninitialized Memory Exposure npm:tunnel-agent:20170305	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-JSON5-3182856	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Denial of Service (DoS) SNYK-JS-JSYAML-173999	372/1000 Why? Proof of Concept exploit, CVSS 5.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept
	Validation Bypass SNYK-JS-KINDOF-537849	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: mongodb

• 6.5.0 - 2024-03-11
  

  6.5.0 (2024-03-11)

  The MongoDB Node.js team is pleased to announce version 6.5.0 of the mongodb package!

  Release Notes

  Bulk Write Operations Generate Ids using pkFactory

  When performing inserts, the driver automatically generates _ids for each document if there is no _id present. By default, the driver generates ObjectIds. An option, pkFactory, can be used to configure the driver to generate _ids that are not object ids.

  For a long time, only Collection.insert and Collection.insertMany actually used the pkFactory, if configured. Notably, Collection.bulkWrite(), Collection.initializeOrderedBulkOp() and Collection.initializeOrderedBulkOp() always generated ObjectIds, regardless of what was configured on collection.

  The driver always generates _ids for inserted documents using the pkFactory.

  Caution

  If you are using a pkFactory and performing bulk writes, you may have inserted data into your database that does not have _ids generated by the pkFactory.

  Fixed applying read preference to commands depending on topology

  When connecting to a secondary in a replica set with a direct connection, if a read operation is performed, the driver attaches a read preference of primaryPreferred to the command.

  Fixed memory leak in Connection layer

  The Connection class has recently been refactored to operate on our socket operations using promises. An oversight how we made async network operations interruptible made new promises for every operation. We've simplified the approach and corrected the leak.

  Query SRV and TXT records in parallel

  When connecting using a convenient SRV connection string (mongodb+srv://) hostnames are obtained from an SRV dns lookup and some configuration options are obtained from a TXT dns query. Those DNS operations are now performed in parallel to reduce first-time connection latency.

  Container and Kubernetes Awareness

  The Node.js driver now keeps track of container metadata in the client.env.container field of the handshake document.

  If space allows, the following metadata will be included in client.env.container:

  env?: { 
    container?: {
      orchestrator?: 'kubernetes' // if process.env.KUBERNETES_SERVICE_HOST is set
      runtime?: 'docker' // if the '/.dockerenv' file exists
    } 
  }
  

  Note: If neither Kubernetes nor Docker is present, client.env will not have the container property.

  Add property errorResponse to MongoServerError

  The MongoServer error maps keys from the error document returned by the server on to itself. There are some use cases where the original error document is desirable to obtain in isolation. So now, the mongoServerError.errorResponse property stores a reference to the error document returned by the server.

  Deprecated unused CloseOptions interface

  The CloseOptions interface was unintentionally made public and was only intended for use in the driver's internals. Due to recent refactoring (NODE-5915), this interface is no longer used in the driver. Since it was marked public, out of an abundance of caution we will not be removing it outside of a major version, but we have deprecated it and will be removing it in the next major version.

  Features

  • NODE-5968: container and Kubernetes awareness in client metadata (#4005) (28b7040)
  • NODE-5988: Provide access to raw results doc on MongoServerError (#4016) (c023242)
  • NODE-6008: deprecate CloseOptions interface (#4030) (f6cd8d9)

  Bug Fixes

  • NODE-5636: generate _ids using pkFactory in bulk write operations (#4025) (fbb5059)
  • NODE-5981: read preference not applied to commands properly (#4010) (937c9c8)
  • NODE-5985: throw Nodejs' certificate expired error when TLS fails to connect instead of CERT_HAS_EXPIRED (#4014) (057c223)
  • NODE-5993: memory leak in the Connection class (#4022) (69de253)

  Performance Improvements

  • NODE-5986: parallelize SRV/TXT resolution (#4012) (eab8f23)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.5.0-dev.20240503.sha.7f191cf - 2024-05-03
• 6.5.0-dev.20240502.sha.9d73f45 - 2024-05-02
• 6.5.0-dev.20240426.sha.6d8ad33 - 2024-04-26
• 6.5.0-dev.20240424.sha.6abc074 - 2024-04-24
• 6.5.0-dev.20240423.sha.4a62ec6 - 2024-04-23
• 6.5.0-dev.20240420.sha.eece8c1 - 2024-04-20
• 6.5.0-dev.20240419.sha.c213679 - 2024-04-19
• 6.5.0-dev.20240418.sha.af18c53 - 2024-04-18
• 6.5.0-dev.20240417.sha.f1f816f - 2024-04-17
• 6.5.0-dev.20240416.sha.6248174 - 2024-04-16
• 6.5.0-dev.20240413.sha.8845206 - 2024-04-13
• 6.5.0-dev.20240412.sha.232bf3c - 2024-04-12
• 6.5.0-dev.20240411.sha.ddd1e81 - 2024-04-11
• 6.5.0-dev.20240409.sha.30cac05 - 2024-04-09
• 6.5.0-dev.20240406.sha.62ea94b - 2024-04-06
• 6.5.0-dev.20240405.sha.ce55ca9 - 2024-04-05
• 6.5.0-dev.20240404.sha.0e3d6ea - 2024-04-04
• 6.5.0-dev.20240403.sha.cb5903f - 2024-04-03
• 6.5.0-dev.20240328.sha.458cf6d - 2024-03-28
• 6.5.0-dev.20240326.sha.918fe69 - 2024-03-26
• 6.5.0-dev.20240323.sha.d94439f - 2024-03-23
• 6.5.0-dev.20240322.sha.a8670a7 - 2024-03-22
• 6.5.0-dev.20240321.sha.1879a04 - 2024-03-21
• 6.5.0-dev.20240320.sha.8b91c30 - 2024-03-20
• 6.5.0-dev.20240319.sha.0ebc1ac - 2024-03-19
• 6.5.0-dev.20240316.sha.159ea81 - 2024-03-16
• 6.5.0-dev.20240315.sha.77d0b47 - 2024-03-15
• 6.5.0-dev.20240314.sha.8ab2055 - 2024-03-14
• 6.5.0-dev.20240312.sha.55abb4b - 2024-03-12
• 6.4.0 - 2024-02-29
  

  6.4.0 (2024-02-29)

  The MongoDB Node.js team is pleased to announce version 6.4.0 of the mongodb package!

  Release Notes

  Server selection will use a different Mongos on retry

  When retrying reads or writes on a sharded cluster, the driver will attempt to select a different mongos for the retry if multiple are present. This should heuristically avoid encountering the original error that caused the need to retry the operation.

  Caching AWS credentials provider per client

  Instead of creating a new AWS provider for each authentication, we cache the AWS credentials provider per client to prevent overwhelming the auth endpoint and ensure that cached credentials are not shared with other clients.

  BSON upgraded to ^6.4.0

  BSON has had a number of performance increases in the last two releases (6.3.0 and 6.4.0). Small basic latin (ASCII) only strings, small memory allocations (ObjectId and Decimal128) and numeric parsing operations (int32, doubles, and longs) have all had optimizations applied to them.

  For details check out the release notes here: BSON 6.3.0 and BSON 6.4.0 🐎

  ExceededTimeLimit was made a retryable reads error

  Read operations will be retried after receiving an error with the ExceededTimeLimit label.

  Fixed unresolved request issue in KMS requester

  Internal to the field-level encryption machinery is a helper that opens a TLS socket to the KMS provider endpoint and submits a KMS request. The code neglected to add a 'close' event listener to the socket, which had the potential to improperly leave the promise pending indefinitely if no error was encountered.

  The base64 padding is now preserved in the saslContinue command

  The authentication was rejected by the saslContinue command from mongosh due to missing "=" padding from the client. We fixed the way we parse payload to preserve trailing "="s.

  countDocuments now types the filter using the collection Schema

  Previously, countDocuments had a weakly typed Document type for the filter allowing any JS object as input. The filter is now typed as Filter<Schema> to enable autocompletion, and, hopefully, catch minor bugs.

  Thank you to @ pashok88895 for contributing to this improvement.

  The type error with $addToSet in bulkWrite was fixed

  Previously the following code sample would show a type error:

  interface IndexSingatureTestDocument extends Document {
      readonly myId: number;
      readonly mySet: number[];
    }
  const indexSingatureCollection = undefined as unknown as Collection<IndexSingatureTestDocument>;
  indexSingatureCollection.bulkWrite([
    {
      updateOne: {
        filter: { myId: 0 },
        update: {
          $addToSet: { mySet: 0 } // The type error! Type 'number' is not assignable to type 'never'.
        }
      }
    }
  ]);

  It happened because the driver's Document type falls back to any, and internally we could not distinguish whether or not this assignment was intentional and should be allowed.

  After this change, users can extend their types from Document/any, or use properties of any type and we skip the $addToSet validation in those cases.

  Fixed heartbeat duration including socket creation

  The ServerHeartbeatSucceeded and ServerHeartbeatFailed event have a duration property that represents the time it took to perform the hello handshake with MongoDB. The Monitor responsible for issuing heartbeats mistakenly included the time it took to create the socket in this field, which inflates the value with the time it takes to perform a DNS lookup, TCP, and TLS handshakes.

  Errors on cursor transform streams are now properly propagated.

  These were previously swallowed and now will be emitted on the error event:

  const transform = new Transform({
    transform(data, encoding, callback) {
      callback(null, data);
    },
  });
  const stream = db.collection('tests').find().sort({ studentId: -1 }).stream({ transform });
  stream.on('error', err => {
    // The error will properly be emitted here.
  });

  The AWS token is now optional

  Users may provide an AWS_SESSION_TOKEN as a client option or AWS configuration in addition to a username and password. But if the token is not provided, the driver won't throw an exception and let AWS SDK handle the request.

  Features

  • NODE-3449: Add serverConnectionId to Command Monitoring Spec (735f7aa)
  • NODE-3470: retry selects another mongos (#3963) (84959ee)
  • NODE-3689: require hello command for connection handshake to use OP_MSG disallowing OP_QUERY (#3938) (ce7df0f)
  • NODE-5717: make ExceededTimeLimit retryable reads error (#3947) (106ab09)
  • NODE-5939: Implement 6.x: cache the AWS credentials provider in the MONGODB-AWS auth logic (#3991) (e0a37e5)
  • NODE-5978: upgrade BSON to ^6.4.0 (#4007) (90f2f70)
    • NODE-5885: upgrade BSON to ^6.3.0 (#3983) (9401d09)

  Bug Fixes

  • NODE-5127: implement reject kmsRequest on server close (#3964) (568e05f)
  • NODE-5609: node driver omits base64 padding in sasl-continue command (#3975) (b7d28d3)
  • NODE-5765: change type for countDocuments (#3932) (22cae0f)
  • NODE-5791: type error with $addToSet in bulkWrite (#3953) (b93d405)
  • NODE-5840: heartbeat duration includes socket creation (#3973) (a42039b)
  • NODE-5901: propagate errors to transformed stream in cursor (#3985) (ecfc615)
  • NODE-5944: make AWS session token optional (#4002) (f26de76)

  Performance Improvements

  • NODE-5771: improve new connection (#3948) (a4776cf)
  • NODE-5928: consolidate signal use and abort promise wrap (#3992) (38742c2)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.4.0-dev.20240307.sha.28b7040 - 2024-03-07
• 6.4.0-dev.20240306.sha.057c223 - 2024-03-06
• 6.4.0-dev.20240305.sha.eab8f23 - 2024-03-05
• 6.4.0-dev.20240301.sha.f2b3484 - 2024-03-01
• 6.3.0 - 2023-11-16
  

  6.3.0 (2023-11-15)

  The MongoDB Node.js team is pleased to announce version 6.3.0 of the mongodb package!

  Release Notes

  New client option serverMonitoringMode

  For users that want to control the behaviour of the monitoring connection between each node in the topology, a new option, serverMonitoringMode, has been added. This defaults to auto but can be forced into a specific mode by providing a value of poll or stream. When the setting is auto the monitoring mode will be determined by the environment the driver is running in, specifically, FaaS environments prefer "polling" mode and all others prefer "streaming".

  A polling monitor periodically issues a hello command to the node at an interval of heartbeatFrequencyMS. A streaming monitor sends an initial hello and then will automatically get a response from the Node when a change in server configuration occurs or at a maximum time of heartbeatFrequencyMS. The value of that option defaults to 10000 milliseconds.

  This new option can be provided in the connection string or as an option to the MongoClient.

  // In the connection string.
  new MongoClient('mongodb://127.0.0.1:27017/?serverMonitoringMode=stream');

  // In the options
  new MongoClient('mongodb://127.0.0.1:27017/', { serverMonitoringMode: 'stream' });

  Fix connection leak when serverApi is enabled

  When enabling serverApi the driver's RTT measurement logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.

  Both sending the correct hello command and the error handling connection clean-up logic are fixed in this change.

  GridFS fields deprecated

  The GridFS contentType and aliases options are deprecated. According to the GridFS spec, applications wishing to store contentType and aliases should add a corresponding field to the metadata document instead.

  Remove deprecation warning about punycode

  The mongodb-connection-string-url package which parses connection strings relied on Node's punycode module, the package now imports the community package removing the deprecation warning on Node.js 20+.

  Features

  • NODE-3881: require hello command + OP_MSG when 'loadBalanced=True' (#3907) (fd58eec)
  • NODE-5197: add server monitoring mode (#3899) (ae4c94a)
  • NODE-5590: deprecate GridFS fields (#3905) (d2225da)

  Bug Fixes

  • NODE-4863: do not use RetryableWriteError for non-server errors (#3914) (08c9fb4)
  • NODE-5709: bump mongodb-connection-string-url to 3.0.0 (#3909) (1c3dc02)
  • NODE-5749: RTTPinger always sends legacy hello (#3921) (ebbfb8a)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately and report any issues to the NODE project.

• 6.3.0-dev.20240229.sha.99a0059 - 2024-02-29
• 6.3.0-dev.20240228.sha.f26de76 - 2024-02-28
• 6.3.0-dev.20240227.sha.09c9b0b - 2024-02-27
• 6.3.0-dev.20240224.sha.233a2e0 - 2024-02-24
• 6.3.0-dev.20240223.sha.17952d2 - 2024-02-23
• 6.3.0-dev.20240222.sha.46b7bbb - 2024-02-22
• 6.3.0-dev.20240221.sha.38742c2 - 2024-02-21
• 6.3.0-dev.20240220.sha.90cb6fa - 2024-02-20
• 6.3.0-dev.20240216.sha.10a5c5a - 2024-02-16
• 6.3.0-dev.20240214.sha.ecfc615 - 2024-02-14
• 6.3.0-dev.20240210.sha.a63fbc2 - 2024-02-10
• 6.3.0-dev.20240209.sha.ca3780a - 2024-02-09
• 6.3.0-dev.20240202.sha.9401d09 - 2024-02-02
• 6.3.0-dev.20240131.sha.a42039b - 2024-01-31
• 6.3.0-dev.20240127.sha.b7d28d3 - 2024-01-27
• 6.3.0-dev.20240126.sha.8f7bb59 - 2024-01-26
• 6.3.0-dev.20240125.sha.38fb2e4 - 2024-01-25
• 6.3.0-dev.20240123.sha.7f97c2a - 2024-01-23
• 6.3.0-dev.20240120.sha.f506b6a - 2024-01-20
• 6.3.0-dev.20240119.sha.9b76a43 - 2024-01-19
• 6.3.0-dev.20240113.sha.86e2659 - 2024-01-13
• 6.3.0-dev.20240110.sha.8504d91 - 2024-01-10
• 6.3.0-dev.20240108.sha.7f3ce0b - 2024-01-08
• 6.2.0 - 2023-10-20
  

  6.2.0 (2023-10-19)

  The MongoDB Node.js team is pleased to announce version 6.2.0 of the mongodb package!

  Release Notes

  Updated to BSON 6.2.0

  BSON now prints in full color! 🌈 🚀

  

  See our release notes for BSON 6.2.0 here for more examples!

  insertedIds in bulk write now contain only successful insertions

  Prior to this fix, the bulk write error's result.insertedIds property contained the _id of each attempted insert in a bulk operation.

  Now, when a bulkwrite() or an insertMany() operation rejects one or more inserts, throwing an error, the error's result.insertedIds property will only contain the _id fields of successfully inserted documents.

  Fixed edge case leak in findOne()

  When running a findOne against a time series collection, the driver left the implicit session for the cursor un-ended due to the way the server returns the resulting cursor information. Now the cursor will always be cleaned up regardless of the outcome of the find operation.

  Removed client-side collection and database name validation

  Database and collection name checking will now be in sync with the MongoDB server's naming restrictions. Specifically, users can now create collections that start or end with the '.' character.

  Features

  • NODE-5613: add awaited field to SDAM heartbeat events (#3895) (b50aadc)
  • update bson to 6.2.0 (#3898) (32b7176)

  Bug Fixes

  • NODE-5496: remove client-side collection and database name check validation (#3873) (98550c6)
  • NODE-5628: bulkWriteResult.insertedIds does not filter out _ids that are not actually inserted (#3867) (09f2a67)
  • NODE-5706: make findOne() close implicit session to avoid memory leak (#3897) (995d138)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.1.0 - 2023-09-14
• 6.0.0 - 2023-08-28
• 6.0.0-alpha.2 - 2023-08-24
• 6.0.0-alpha.1 - 2023-08-24
• 6.0.0-alpha.0 - 2023-08-08
• 5.9.2 - 2023-12-05
  

  5.9.2 (2023-11-16)

  The MongoDB Node.js team is pleased to announce version 5.9.2 of the mongodb package!

  Release Notes

  Fix connection leak when serverApi is enabled

  When enabling serverApi the driver's RTT mesurment logic (used to determine the closest node) still sent the legacy hello command "isMaster" causing the server to return an error. Unfortunately, the error handling logic did not correctly destroy the socket which would cause a leak.

  Both sending the correct hello command and the error handling connection clean up logic are fixed in this change.

  Bug Fixes

  • NODE-5750: RTTPinger always sends legacy hello (#3922) (8e56872)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library ...