chore(deps): update dependency mongodb to v3.6.10 [security] #580
+21
−6
This PR contains the following updates:
mongodb: 3.5.8 -> 3.6.10
GitHub Vulnerability Alerts
CVE-2021-32050
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
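As an added example (not code from the driver or this PR), an application-side command-monitoring listener that redacts authentication-related commands before they reach a log sink, the defence the advisory's "without due care" sentence asks for. The sensitive-command set, the treatment of a hello/isMaster handshake that carries speculativeAuthenticate material, and the names SENSITIVE_COMMANDS, redactEvent, attachRedactingListener and StubClient are assumptions made here.

```javascript
// Added example (not the driver's or this PR's code): an application-side command
// monitoring listener that redacts authentication-related commands before logging.
// The event shape (commandName, databaseName, requestId, command) follows the
// driver's CommandStartedEvent; SENSITIVE_COMMANDS, redactEvent and StubClient are
// names chosen here.

// Command names whose payload can carry credentials, nonces or SASL exchanges.
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslStart', 'saslContinue', 'getnonce',
  'createUser', 'updateUser', 'copydb', 'copydbgetnonce', 'copydbsaslstart',
]);

// The handshake (hello / isMaster) is treated as sensitive only when it carries
// speculative authentication material (assumption made here).
function isSensitive(event) {
  const name = event.commandName;
  if (SENSITIVE_COMMANDS.has(name)) return true;
  const isHandshake = name === 'hello' || name === 'ismaster' || name === 'isMaster';
  return isHandshake && !!event.command && 'speculativeAuthenticate' in event.command;
}

// Copy of the event that is safe to log: a sensitive command body is replaced whole,
// never partially scrubbed, so a new field cannot slip past a field allowlist.
function redactEvent(event) {
  return {
    commandName: event.commandName,
    databaseName: event.databaseName,
    requestId: event.requestId,
    command: isSensitive(event) ? '<redacted>' : event.command,
  };
}

// Works with anything exposing MongoClient's on(); with the real driver pass
// new MongoClient(uri, { monitorCommands: true }) as `client`.
function attachRedactingListener(client, sink) {
  client.on('commandStarted', (event) => sink(redactEvent(event)));
}

// Minimal stand-in for the client's event emitter so the example runs offline.
class StubClient {
  constructor() { this.handlers = {}; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); return this; }
  emit(name, payload) { for (const fn of this.handlers[name] || []) fn(payload); }
}

// Constructed events: a SCRAM first message and an ordinary find.
function demo() {
  const client = new StubClient();
  const log = [];
  attachRedactingListener(client, (e) => log.push(JSON.stringify(e)));
  client.emit('commandStarted', {
    commandName: 'saslStart', databaseName: 'admin', requestId: 1,
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'n,,n=appuser,r=CONSTRUCTED-NONCE' },
  });
  client.emit('commandStarted', {
    commandName: 'find', databaseName: 'app', requestId: 2,
    command: { find: 'users', filter: { _id: 42 } },
  });
  return log;
}
```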
Release Notes
mongodb/node-mongodb-native (mongodb)
v3.6.10
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.10 of the mongodb package!
Release Highlights
This patch addresses a few bugs listed below. Notably the `bsonRegExp` option is now respected by the underlying BSON library; you can use this to decode regular expressions that contain syntax not permitted in native JS RegExp objects. Take a look at this example:
Also there was an issue with `Cursor.forEach` where user defined forEach callbacks that throw errors incorrectly handled catching errors. Take a look at the comments in this example:
Bug Fixes
Documentation
We invite you to try the mongodb package immediately, and report any issues to the NODE project.
v3.6.9
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.9 of the driver!
Release Highlights
This release fixes a major performance bug in bulk write operations, which was inadvertently introduced by an incomplete code change in the previous release. The bug resulted in redundant array iterations and caused exponential increases in bulk operation completion times. Thank you Jan Schwalbe for bringing this to our attention!
Bug Fixes
Documentation
We invite you to try the mongodb package immediately, and report any issues to the NODE project.
v3.6.8
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.8 of the mongodb package!
Release Highlights
Thanks to the quick adoption of the previous new patch by the mongoose package (https://github.com/Automattic/mongoose/pull/10265) a small bug was identified when connections to mongodb would timeout causing unnecessary clean up operations to run. Thank you @vkarpov15!
Bug Fixes
- `beforeHandshake` flag for timeout errors (#2813) (6e3bab3)
Documentation
We invite you to try the mongodb package immediately, and report any issues to the NODE project.
v3.6.7
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.7 of the driver
Release Highlights
This patch addresses a number of bug fixes. Notably, there was an interesting JavaScript related issue with sorting documents. It only impacts users using numerical keys in their documents.
In JavaScript, integer-like keys are always iterated first when looping over the keys of an object, followed by the string keys in the order they were defined. This effectively changes the ordering of a sort document sent to mongodb. However, our driver does accept sort specifications in a variety of ways, and one way to avoid this problem is passing an array of tuples:
This ensures that mongodb is sent the `'a'` key as the first sort key and `'23'` as the second.
Bug Fixes
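As an added example (not from the release notes), the key reordering described for v3.6.7 reproduced in plain JavaScript, with a helper that flags an object sort spec whose key order is not reliable and one that builds the order-preserving tuple form; isArrayIndexKey, objectSortHasUnstableOrder and sortSpecFromTuples are names chosen here.

```javascript
// Added example (not the driver's code): why { a: 1, 23: -1 } reaches the server
// as 23-then-a, and how an array of tuples keeps the written order.

// True when the engine hoists the key ahead of string keys: a canonical,
// non-negative integer string such as '23' ('023' and '-1' are ordinary keys).
function isArrayIndexKey(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && String(n) === key;
}

// An object sort spec mixing integer-like and ordinary keys cannot preserve the
// order the author wrote, because Object.keys already reports the hoisted order.
function objectSortHasUnstableOrder(sortObject) {
  const keys = Object.keys(sortObject);
  const numeric = keys.filter(isArrayIndexKey);
  return numeric.length > 0 && numeric.length < keys.length;
}

// Builds the sort document as [key, direction] tuples, the form the release note
// recommends; keys are stringified so numeric field names are sent verbatim.
function sortSpecFromTuples(pairs) {
  return pairs.map(([key, dir]) => {
    if (dir !== 1 && dir !== -1) throw new TypeError(`invalid sort direction for ${key}`);
    return [String(key), dir];
  });
}

// Order the driver observes from an object literal versus from tuples.
function demo() {
  const objectSpec = { a: 1, 23: -1 };                    // written order: a, 23
  const tupleSpec = sortSpecFromTuples([['a', 1], [23, -1]]);
  return {
    objectKeyOrder: Object.keys(objectSpec),               // ['23', 'a']
    tupleKeyOrder: tupleSpec.map(([key]) => key),          // ['a', '23']
    unstable: objectSortHasUnstableOrder(objectSpec),      // true
  };
}
```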
Documentation
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
v3.6.6
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.6 of the driver
Release Highlights
This patch addresses a number of bugs listed below.
Most notably, for client side encryption users upgrading to this version of the driver along with the new version of mongodb-client-encryption@1.2.3 will alleviate the potential deadlock case if your connection pool was fully utilized. There will now be an internal MongoClient that will be used for metadata look ups (e.g. `listCollections`) when the pool size is under certain constraints. The events generated from this client are forwarded to the client instance you initialize so it is possible to monitor all events.
Bug
Improvement
Documentation
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
v3.6.5
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.5 of the driver!
Notable Fixes
In this patch there is a fix surrounding an issue some users were encountering in serverless environments when using the Unified Topology. If the nodejs process went unused for a great amount of time there was an intermittent issue that would cause `startSession` to fail; however, issuing a dummy read request would resolve the problem. The session support check is now done after server selection, meaning the driver has the most up to date information about the MongoDB deployment before utilizing sessions. We encourage any users that implemented workarounds to update their driver and make use of this fix.
In addition, the previous release of our driver added a warning about an upcoming change in the v4 version of the driver about how users can specify their write concern options. We've updated the driver to use nodejs's `process.emitWarning` API in nearly all cases where the driver prints something out, as well as limit most warning messages to only be printed once.
Bug
v3.6.4
Compare Source
MongoDB Driver v3.6.4
The MongoDB Node.js team is pleased to announce version 3.6.4 of the driver
Release Highlights
Explain Support
The full set of $explain verbosity settings are now supported:
- queryPlanner
- queryPlannerExtended
- executionStats
- allPlansExecution
In the following commands:
- aggregate() (MDB 3.0+)
- find() (MDB 3.0+)
- remove() (MDB 3.0+)
- update() (MDB 3.0+)
- distinct() (MDB 3.2+)
- findAndModify() (MDB 3.2+)
- mapReduce() (MDB 4.4+)
You can get a lot of insight into the performance of a query or optimization using these fine grained reports.
To learn more about how to use explain read here.
Direct Connection Issue Revert
We removed automatic direct connection for the unified topology in the 3.6.3 release of the driver. This change was preparatory for the 4.0 version of the driver, where we'll always perform automatic discovery. To avoid making this kind of change in a patch release, this version restores automatic direct connection when connecting to a single host using the unified topology without a specified replicaSet and without directConnection: false, in line with previous 3.6 releases.
Support Azure and GCP keystores in FLE
There are no functional changes to the driver to support using Azure and GCP keystores but a new mongodb-client-encryption release (v1.2.0) can be found here which prominently features support for these key stores.
Documentation
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
Features
Improvement
Db
v3.6.3
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver
Release Highlights
`MongoError: not master` when running `createIndex`
A regression introduced in v3.6.2 meant that `createIndex` operations would not be executed with a fixed `primary` read preference. This resulted in the driver selecting any server for the operation, which would fail if a non-primary was selected.
Performance issues on AWS Lambda
The driver periodically monitors members of the replicaset for changes in the topology, but ensures that the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result was that periodically operations would think there were no available servers, and the driver would force a wait of `heartbeatFrequencyMS` (10s by default) before reaching out to servers again for a new monitoring check. The internal async interval timer has been improved to account for these environments.
GSSAPI AuthProvider reuses single kerberos client
A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all authentication attempts. This would result in incomplete authentication flows, and occasionally even a crash in the `kerberos` module. The driver has been reverted to creating a kerberos client per authentication attempt.
Performance regression due to use of `setImmediate`
A change introduced in v3.6.1 switched all our usage of `process.nextTick` in the connection pool with `setImmediate` per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop was experiencing pressure, so the change was reverted for this release pending further investigation.
Community Contributions
- `package.json` for stricter package managers (pnpm, yarn2)
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
Improvement
v3.6.2
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.2 of the driver
Release Highlights
Updated `bl` dependency due to CVE-2020-8244. See this link for more details: GHSA-pp7h-53gx-mx7r
Connection pool wait queue processing is too greedy
The logic for processing the wait queue in our connection pool ran the risk of starving the event loop. Calls to process the wait queue are now wrapped in a `setImmediate` to prevent starvation.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
v3.6.1
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.1 of the driver
Release Highlights
Kerberos
A bug in introducing the new CMAP `Connection` prevented some users from properly authenticating with the `kerberos` module.
Index options are not respected with `createIndex`
The logic for building the `createIndex` command was changed in v3.6.0 to use an allowlist rather than a blocklist, but omitted a number of index types in that list. This release reintroduces all supported index types to the allowlist.
Remove strict mode for `createCollection`
Since v3.6.0 `createCollection` will no longer return a cached `Collection` instance if a collection already exists in the database; rather it will return a server error stating that the collection already exists. This is the same behavior provided by the `strict` option for `createCollection`, so that option has been removed from documentation.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
Improvement
v3.6.0
Compare Source
The MongoDB Node.js team is pleased to announce version 3.6.0 of the driver
NOTE: This version begins our official support for MongoDB 4.4
Release Highlights
Streaming topology changes
MongoDB drivers maintain a local view of the topology they are connected to, and ensure the accuracy of that view by polling connected nodes on average every ~10s. In MongoDB 4.4, drivers are now able to receive push notifications about topology updates, effectively reducing the time for client recovery in failover scenarios to the time it takes for the server to make the election and report the outcome.
This feature is enabled by default when connecting to MongoDB 4.4, no changes are needed for user code.
Authentication
MONGODB-AWS authentication mechanism
The MONGODB-AWS authentication mechanism uses your Amazon Web Services Identity and Access Management (AWS IAM) credentials to authenticate users on MongoDB 4.4+. Please read more about this new authentication mechanism in our documentation.
Performance improvements
There were two projects to transparently improve performance of authentication in MongoDB 4.4:
- A driver can now include the first `saslStart` command in its initial handshake with the server. This so-called "speculative authentication" allows us to reduce one roundtrip to the server for authenticating a connection. This feature is only supported for X.509, SCRAM-SHA-1 and SCRAM-SHA-256 (default) authentication mechanisms.
- The SCRAM conversation between driver and server can now skip one of its empty exchanges, which also serves to reduce the roundtrips during a SCRAM authentication.
Changes in behavior of `Db.prototype.createCollection`
The `createCollection` helper used to internally run a `listCollections` command in order to see if a collection already existed before running the command. If it determined a collection with the same name existed, it would skip running the command and return an instance of `Collection`. This behavior was changed in v3.6.0 to avoid potentially serious bugs, specifically that the driver was not considering options passed into `createCollection` as part of the collection equality check. Imagine the following scenario:
The `createCollection` call which defines a JSON schema validator would be completely bypassed because of the existence of `bar`, which was implicitly created in the first command. Our policy is to strictly adhere to semver, but in rare cases like this where we feel there is potential for a data corrupting bug, we make breaking behavioral changes to protect the user.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Epic
New Feature
Improvement
Bug
v3.5.11
Compare Source
The MongoDB Node.js team is pleased to announce version 3.5.11 of the driver
Release Highlights
Kerberos
A bug in introducing the new CMAP `Connection` prevented some users from properly authenticating with the `kerberos` module.
Updated `bl` dependency due to CVE-2020-8244. See this link for more details: GHSA-pp7h-53gx-mx7r
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.5/
API: http://mongodb.github.io/node-mongodb-native/3.5/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
v3.5.10
Compare Source
The MongoDB Node.js team is pleased to announce version 3.5.10 of the driver
NOTE: This will be the final release in the 3.5.x branch, please consider upgrading to 3.6.0
Release Highlights
`TypeError: Cannot read property 'documents' of null`
@adrian-gierakowski helped us identify a bug with our ChangeStreamCursor: specifically, when the cursor was complete it would not return a valid document but instead a `null` value.
Command helper not respecting server selection specification rules
The server selection specification indicates that the "runCommand" helper should act as a read operation for the purposes of server selection, and that it should use a default read preference of "primary" which can only be overridden by the helper itself. The driver had a bug where it would inherit the read preference from its "parent" type (`Collection`, `Db`, `MongoClient`), which is at odds with the specified behavior.
`mongodb+srv` invalid IPv6 support
Due to a bug in how we referred to IPv6 addresses internal to the driver, if a `mongodb+srv` connection string was provided with an IPv6 address the driver would never be able to connect and would result in the following error: `RangeError: Maximum call stack size exceeded`.
`maxStalenessSeconds` not accepted when provided via options
There was a bug in our connection string and `MongoClient` options parsing where a value provided for `maxStalenessSeconds` would not end up being reflected in the `ReadPreference` used internal to the driver.
Sessions are prohibited with unacknowledged writes
MongoDB can provide no guarantees around unacknowledged writes when used within a session. The driver will now silently remove the `lsid` field from all writes issued with `{ w: 0 }`, and will return an error in these situations in the upcoming 4.0 major release.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.5/
API: http://mongodb.github.io/node-mongodb-native/3.5/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
Improvement
v3.5.9
Compare Source
The MongoDB Node.js team is pleased to announce version 3.5.9 of the driver
Release Highlights
Use duration of handshake if no previous roundTripTime exists
The default `roundTripTime` of a `ServerDescription` is -1, which means if that value is used we can potentially calculate a negative `roundTripTime`. Instead, if no previous `roundTripTime` exists, we use the duration of the initial handshake.
the options [maxIdleTimeMS] is not supported
A number of new options were added when the CMAP compliant connection pool was introduced in 3.5.x. Unfortunately, these options were not documented properly. Now they are mentioned in the `MongoClient` documentation, with a notice that they are only supported with the unified topology.
`TypeError: Reduce of empty array with no initial value`
A fix in 3.5.8 which ensured proper filtering of servers during server selection exposed an issue in max staleness calculations when the topology type is `ReplicaSetNoPrimary` and no servers are currently known. In order to estimate an upper bound of max staleness when there is no primary, the most stale known server is used to compare the others to; if there are no known servers, you can't reduce the array!
Server monitoring is prevented under heavy request load
In certain very high load fail-over scenarios the driver is unable to reschedule a monitoring check in order to update its view of the topology for retryability. This would result in a high number of failed operations, as they were unable to determine a new viable server.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.5/
API: http://mongodb.github.io/node-mongodb-native/3.5/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Release Notes
Bug
Improvement
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.