Skip to content

[Snyk] Upgrade mongodb from 6.13.0 to 6.18.0 #42

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade mongodb from 6.13.0 to 6.18.0 #42

wants to merge 1 commit into from

Conversation

harshithad0703
Copy link
Contributor

snyk-top-banner

Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.18.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 81 versions ahead of your current version.

  • The recommended version was released 22 days ago.

Release notes
Package name: mongodb
  • 6.18.0 - 2025-07-22

    6.18.0 (2025-07-22)

    The MongoDB Node.js team is pleased to announce version 6.18.0 of the mongodb package!

    Release Notes

    New appendMetadata API allows clients to add handshake metadata post construction

    Driver information such as name, version, and platform are allowed:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);
    client.appendMetadata({ name: 'my library', version: '1.0', platform: 'NodeJS' });

    Cursors lazily instantiate sessions

    In previous versions, sessions were eagerly allocated whenever a cursor was created, regardless of whether or not a cursor was actually iterated (and the session was actually needed). Some driver APIs (FindCursor.count(), AggregationCursor.explain() and FindCursor.explain()) don't actually iterate the cursor they are executed on. This can lead to client sessions being created and never being cleaned up.

    With this update, sessions are not allocated until the cursor is iterated.

    Idle connections are now pruned during periods of no activity even when minPoolSize=0

    A MongoClient configured with a maxIdleTimeMS and minPoolSize of 0 is advantageous for workloads that have sustained periods of little or no activity because it allows the connection pool to close connections that are unused during these periods of inactivity. However, due to a bug in the ConnectionPool implementation, idle / perished connections were not cleaned up unless minPoolSize was non-zero.

    With the changes in this PR, the ConnectionPool now always cleans up idle connections, regardless of minPoolSize.

    ChangeStream event interfaces include a wallTime property

    This property is available on all types with the exception of reshard collection and refine collection shard key events. Thanks to @ qhello for bringing this bug to our attention!

    CommandSucceededEvent and CommandFailedEvent events now have a databaseName property

    CommandSucceededEvent and CommandFailedEvent now include the name of the database against which the command was executed.

    Deprecations

    Transaction state getters are deprecated

    These were for internal use only and include:

    Transaction#options
Transaction#recoveryToken
Transaction#isPinned
Transaction#isStarting
Transaction#isActive
Transaction#isCommitted

    ClientMetadata, ClientMetadataOptions, and CancellationToken have been deprecated

    These types will be removed in an upcoming major version of the driver.

    CommandOptions.noResponse is deprecated

    Caution

    noResponse is not intended for use outside of MongoClient.close(). Do not use this option.

    The Node driver has historically supported an option, noResponse, that is used internally when a MongoClient is closed. This option was accidentally public. This option will be removed in an upcoming major release.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.18.0-dev.20250808.sha.8e06e72a - 2025-08-08
  • 6.18.0-dev.20250806.sha.e628296a - 2025-08-06
  • 6.18.0-dev.20250805.sha.ff9a7858 - 2025-08-05
  • 6.18.0-dev.20250802.sha.be7f808c - 2025-08-02
  • 6.18.0-dev.20250801.sha.aac76296 - 2025-08-01
  • 6.18.0-dev.20250731.sha.c5365347 - 2025-07-31
  • 6.18.0-dev.20250730.sha.2ef6c10c - 2025-07-30
  • 6.18.0-dev.20250724.sha.acd86250 - 2025-07-24
  • 6.18.0-dev.20250723.sha.d92acfc1 - 2025-07-23
  • 6.17.0 - 2025-06-03

    6.17.0 (2025-06-03)

    The MongoDB Node.js team is pleased to announce version 6.17.0 of the mongodb package!

    Release Notes

    Support for MongoDB 4.0 is removed

    Warning

    When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.

    OIDC machine workflows now retry on token expired errors during initial authentication

    This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were "azure", "gcp", and "k8s".

    keepAliveInitialDelay may now be configured at the MongoClient level

    When not present will default to 120 seconds. The option value must be specified in milliseconds.

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });

    updateOne and replaceOne now support a sort option

    The updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:

    const sort = { fieldName: -1 };

    collection.updateOne({}, {}, { sort });
    collection.replaceOne({}, {}, { sort });

    collection.bulkWrite([
    { updateOne: { filter: {}, update: {}, sort } },
    { replaceOne: { filter: {}, replacement: {}, sort } },
    ]);

    client.bulkWrite([
    { name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
    { name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
    ]);

    MongoClient close shuts outstanding in-use connections

    The MongoClient.close() method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.

    Support Added for Configuring the DEK cache expiration time.

    Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0

    For ClientEncryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
const client = new MongoClient(process.env.MONGODB_URI);
const clientEncryption = new ClientEncryption(client, { keyExpirationMS: 100000, kmsProviders: ... });

    For auto encryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
const client = new MongoClient(process.env.MONGODB_URI, {
  autoEncryption: {
    keyExpirationMS: 100000,
    kmsProviders: ...
  }
});

    Update operations will now throw if ignoreUndefined is true and all operations are undefined.

    When using any of the following operations they will now throw if all atomic operations in the update are undefined and the ignoreUndefined option is true. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);

    client.bulkWrite(
    [
    {
    name: 'updateMany',
    namespace: 'foo.bar',
    filter: { age: { $lte: 5 } },
    update: { $set: undefined, $unset: undefined }
    }
    ],
    { ignoreUndefined: true }
    );

    const collection = client.db('test').collection('test');

    collection.bulkWrite(
    [
    {
    updateMany: {
    filter: { age: { $lte: 5 } },
    update: { $set: undefined, $unset: undefined }
    }
    }
    ],
    { ignoreUndefined: true }
    );

    collection.findOneAndUpdate(
    { a: 1 },
    { $set: undefined, $unset: undefined },
    { ignoreUndefined: true }
    );

    collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    Socket errors are always treated as network errors

    Network errors perform an important role in the driver, impacting topology monitoring processes and retryablity. A bug in the driver's socket implementation meant that in scenarios where server disconnects occurred while no operation was in progress on the socket resulted in errors that were not considered network errors.

    Socket errors are now unconditionally treated as network errors.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.17.0-dev.20250722.sha.6e240d41 - 2025-07-22
  • 6.17.0-dev.20250719.sha.3faf0c96 - 2025-07-19
  • 6.17.0-dev.20250715.sha.ec82ae97 - 2025-07-15
  • 6.17.0-dev.20250711.sha.b9636ee3 - 2025-07-11
  • 6.17.0-dev.20250710.sha.a09212a4 - 2025-07-10
  • 6.17.0-dev.20250708.sha.bff57ed8 - 2025-07-08
  • 6.17.0-dev.20250706.sha.57617039 - 2025-07-06
  • 6.17.0-dev.20250702.sha.52ed3d12 - 2025-07-02
  • 6.17.0-dev.20250627.sha.da46aeaf - 2025-06-27
  • 6.17.0-dev.20250625.sha.4c1fa54e - 2025-06-25
  • 6.17.0-dev.20250624.sha.83534ff3 - 2025-06-24
  • 6.17.0-dev.20250612.sha.8ab5d19b - 2025-06-12
  • 6.17.0-dev.20250611.sha.d7426ce5 - 2025-06-11
  • 6.17.0-dev.20250605.sha.57ef31be - 2025-06-05
  • 6.17.0-dev.20250604.sha.441186ae - 2025-06-04
  • 6.16.0 - 2025-04-21

    6.16.0 (2025-04-21)

    The MongoDB Node.js team is pleased to announce version 6.16.0 of the mongodb package!

    Release Notes

    distinct commands now support an index hint

    The Collection.distinct() method now supports an optional hint, which can be used to tell the server which index to use for the command:

    // providing an index description
    await collection.distinct('my-key', {
    hint: { 'my-key': 1 }
    });

    // providing an index name
    await collection.distinct('my-key', {
    hint: 'my-key'
    });

    This requires server 7.1+.

    Driver support for servers <=4.0 deprecated

    Warning

    Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.

    Fix processing of multiple messages within one network data chunk

    During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.

    Now, all messages in the current buffer are returned to the driver leading to faster processing times.

    Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!

    FindCursor.rewind() throws documents?.clear() is not a function errors in certain scenarios

    In certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.16.0-dev.20250603.sha.352b7ea6 - 2025-06-03
  • 6.16.0-dev.20250531.sha.7ef6edd5 - 2025-05-31
  • 6.16.0-dev.20250529.sha.25f5bb97 - 2025-05-29
  • 6.16.0-dev.20250523.sha.c33c2f5c - 2025-05-23
  • 6.16.0-dev.20250514.sha.c529f07c - 2025-05-14
  • 6.16.0-dev.20250510.sha.6fe6ccc8 - 2025-05-10
  • 6.16.0-dev.20250507.sha.fcbc6edf - 2025-05-07
  • 6.16.0-dev.20250506.sha.6a35701d - 2025-05-06
  • 6.16.0-dev.20250505.sha.ae617568 - 2025-05-05
  • 6.16.0-dev.20250503.sha.64fdb3ef - 2025-05-03
  • 6.16.0-dev.20250501.sha.f57c51b9 - 2025-05-01
  • 6.16.0-dev.20250429.sha.de2c9552 - 2025-04-29
  • 6.16.0-dev.20250426.sha.9625b2d1 - 2025-04-26
  • 6.16.0-dev.20250425.sha.3139a92d - 2025-04-25
  • 6.16.0-dev.20250424.sha.82303f3d - 2025-04-24
  • 6.16.0-dev.20250423.sha.28857b79 - 2025-04-23
  • 6.16.0-dev.20250422.sha.746af47a - 2025-04-22
  • 6.15.0 - 2025-03-18

    6.15.0 (2025-03-18)

    The MongoDB Node.js team is pleased to announce version 6.15.0 of the mongodb package!

    Release Notes

    Support for custom AWS credential providers

    The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of () => Promise<AWSCredentials> which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.

    Example for authentication with a provider chain from the AWS SDK:

    import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

    const client = new MongoClient(process.env.MONGODB_URI, {
    authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
    }
    });

    Example for using a custom provider for KMS requests only:

    import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

    const client = new MongoClient(process.env.MONGODB_URI, {
    autoEncryption: {
    keyVaultNamespace: 'keyvault.datakeys',
    kmsProviders: { aws: {} },
    credentialProviders: {
    aws: fromNodeProviderChain()
    }
    }
    }

    Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:

    const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: async () => {
      return {
        accessKeyId: process.env.ACCESS_KEY_ID,
        secretAccessKey: process.env.SECRET_ACCESS_KEY
      }
    }
  }
});

    Fix misc unhandled rejections under special conditions

    We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:

    • If the MongoClient was configured to use OIDC and an AbortSignal was aborted on cursor at the same time the client was reauthenticating, if the reauth process was rejected it would have been unhandled.
    • If timeoutMS was used and the timeout expired before an operation reached the server selection step the operation would throw the expected timeout error but a promise representing the timeout would also raise an unhandled rejection.
    • If a change stream was closed while processing a change event it was possible for the "change stream is closed" error to be emitted as an error event and reject an internal promise representing fetching the "next" change.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.15.0-dev.20250419.sha.efffb500 - 2025-04-19
  • 6.15.0-dev.20250417.sha.f0b87396 - 2025-04-17
  • 6.15.0-dev.20250416.sha.4f033594 - 2025-04-16
  • 6.15.0-dev.20250410.sha.b2511f06 - 2025-04-10
  • 6.15.0-dev.20250409.sha.46cb56de - 2025-04-09
  • 6.15.0-dev.20250408.sha.85124c25 - 2025-04-08
  • 6.15.0-dev.20250405.sha.cb88b05d - 2025-04-05
  • 6.15.0-dev.20250403.sha.9111f98c - 2025-04-03
  • 6.15.0-dev.20250328.sha.32b3e34e - 2025-03-28
  • 6.15.0-dev.20250327.sha.cfdb8ec2 - 2025-03-27
  • 6.15.0-dev.20250326.sha.d01ecc79 - 2025-03-26
  • 6.15.0-dev.20250325.sha.5ce0a4ec - 2025-03-25
  • 6.15.0-dev.20250322.sha.892c14de - 2025-03-22
  • 6.15.0-dev.20250321.sha.20f7db7f - 2025-03-21
  • 6.15.0-dev.20250320.sha.af30db93 - 2025-03-20
  • 6.15.0-dev.20250319.sha.f176de4f - 2025-03-19
  • 6.14.2 - 2025-03-04

    6.14.2 (2025-03-04)

    The MongoDB Node.js team is pleased to announce version 6.14.2 of the mongodb package!

    Release Notes

    KMS Requests can cause unhandled rejection

    When using explicit encryption or automatic encryption, the driver makes requests to a Key Management System when to fetch key encryption keys. The driver supports connecting to a KMS provider through a Socks5 proxy. However, the socket used for the socks5 proxy was created in all circumstances, regardless of proxy configuration. This leads to unhandled rejection errors when closing the socket the driver attempts to clean up the unused socket.

    With the changes in this release, the socket is only created if a proxy is configured and the any promises created for the proxy are properly handled.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.14.2-dev.20250318.sha.78d951b9 - 2025-03-18
  • 6.14.2-dev.20250315.sha.cd09d435 - 2025-03-15
  • 6.14.2-dev.20250314.sha.6895b258 - 2025-03-14
  • 6.14.2-dev.20250313.sha.54d29e56 - 2025-03-13
  • 6.14.2-dev.20250312.sha.5783db21 - 2025-03-12
  • 6.14.2-dev.20250310.sha.39c76999 - 2025-03-10
  • 6.14.2-dev.20250306.sha.21072009 - 2025-03-06
  • 6.14.2-dev.20250305.sha.398e361f - 2025-03-05
  • 6.14.1 - 2025-03-03

    6.14.1 (2025-03-03)

    The MongoDB Node.js team is pleased to announce version 6.14.1 of the mongodb package!

    Release Notes

    Fixed occasional OIDC reauthentication failure

    Error code 391 is intended to make the driver internally reauthenticate the connection to the server, however, occasionally this was being raised to the user. This was due to a bug in setting the cached access token on newly created connections.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.14.1-dev.20250304.sha.3cc3a6b2 - 2025-03-04
  • 6.14.0 - 2025-02-28

    6.14.0 (2025-02-28)

    The MongoDB Node.js team is pleased to announce version 6.14.0 of the mongodb package!

    Release Notes

    Add support for $lookup on encrypted collections

    Starting in the upcoming MongoDB server 8.1, the aggregation stage $lookup can now be used with clients configured for automatic encryption after upgrading to mongodb-client-encryption@>=6.3.0! 🔒 🎉

    Use isUint8Array defined in the driver rather than util/types

    Some users of bundlers for next.js and our very own mongosh noticed a new import from "util/types" that would need to be supported in environments that don't have that module. We already have an internal implementation of isUint8Array so we do not need to add an import for "util/types".

    Revert @ aws-sdk/credential-providers compatiblity change

    In v6.13.1 we inadvertantly raised the version compatibility of @ aws-sdk/credential-providers, that change has been reverted.

    Features

    Bug Fixes

    Documentation

@snyk-bot
fix: upgrade mongodb from 6.13.0 to 6.18.0
4fef9b7 
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.18.0.

See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/contentstack-devex/project/37228d36-21e6-4276-b625-091727e0f9ed?utm_source=github&utm_medium=referral&page=upgrade-pr
@harshithad0703 harshithad0703 requested a review from a team as a code owner August 13, 2025 12:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@harshithad0703 @snyk-bot