[Snyk] Upgrade mongodb from 3.6.3 to 3.6.4

[TomWFox]

Snyk has created this PR to upgrade mongodb from 3.6.3 to 3.6.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 1 version ahead of your current version.
• The recommended version was released 21 days ago, on 2021-02-02.

Release notes

Package name: mongodb

• 3.6.4 - 2021-02-02
  

  MongoDB Driver v3.6.4

  The MongoDB Node.js team is pleased to announce version 3.6.4 of the driver

  Release Highlights

  Explain Support

  The full set of $explain verbosity settings are now supported:

  • queryPlanner
  • queryPlannerExtended
  • executionStats
  • allPlansExecution

  In the following commands:

  • aggregate() (MDB 3.0+)
  • find() (MDB 3.0+)
  • remove() (MDB 3.0+)
  • update() (MDB 3.0+)
  • distinct() (MDB 3.2+)
  • findAndModify() (MDB 3.2+)
  • mapReduce() (MDB 4.4+)

  You can get a lot of insight into the performance of a query or optimization using these fine grained reports.
  To learn more about how to use explain read here.

  Direct Connection Issue Revert

  We removed automatic direct connection for the unified topology in the 3.6.3 release of the driver. This change was preparatory for the 4.0 version of the driver, where we'll always perform automatic discovery. To avoid making this kind of change in a patch release, this version restores automatic direct connection when connecting to a single host using the unified topology without a specified replicaSet and without directConnection: false, in line with previous 3.6 releases.

  NOTE: In the next major version the unifiedTopology is the only Topology and it is required to either specify a replicaSet name or enable directConnection in order to connect to single nodes in a replica set.

  Support Azure and GCP keystores in FLE

  There are no functional changes to the driver to support using Azure and GCP keystores but a new mongodb-client-encryption release (v1.2.0) can be found here which prominently features support for these key stores.

  Documentation

  • Reference: http://mongodb.github.io/node-mongodb-native/3.6
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

  Release Notes

  Bug

  • [NODE-2355] - GridFSBucketWriteStream doesn't implement stream.Writable properly
  • [NODE-2828] - noCursorTimeout does not seem to for find()
  • [NODE-2874] - Setting connectionTimeoutMS to 0 will result in a disconnection every heartbeatFrequencyMS
  • [NODE-2876] - Race condition when resetting server monitor
  • [NODE-2916] - Legacy topology hangs with unlimited socket timeout
  • [NODE-2945] - ignoreUndefined not works on findOneAndUpdate when { upsert: true }
  • [NODE-2965] - MongoClient.readPreference returns "primary" ignoring readPref from connection string
  • [NODE-2966] - Unified topology: server selection fails when trying to connect to a remote replica set with a member whose 'host' attribute resolves to 'localhost'
  • [NODE-2977] - Query parameters with path in connection string not working on windows
  • [NODE-2986] - MongoError: pool destroyed

  Features

  • [NODE-2762] - Comprehensive Support for Explain
  • [NODE-2852] - Add explain support to non-cursor commands
  • [NODE-2853] - Add explain support to cursor-based commands

  Improvement

  • [NODE-1726] - Deprecate Topology events in Db
  • [NODE-2825] - Support Azure and GCP keystores in FLE
  • [NODE-2880] - Improve stack traces in the session leak checker
  • [NODE-2895] - Update AggregateCursor "unwind" method to match the native driver
  • [NODE-2995] - Sharing a MongoClient for metadata lookup can lead to deadlock in drivers using automatic encryption
• 3.6.3 - 2020-11-06
  

  The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver

  Release Highlights

  MongoError: not master when running createIndex

  A regression introduced in v3.6.2 meant that createIndex operations would not be executed with a fixed
  primary read preference. This resulted in the driver selecting any server for the operation, which would
  fail if a non-primary was selected.

  Performance issues on AWS Lambda

  The driver periodically monitors members of the replicaset for changes in the topology, but ensures that
  the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a
  stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result
  was that periodically operations would think there were no available servers, and the driver would force
  a wait of heartbeatFrequencyMS (10s by default) before reaching out to servers again for a new
  monitoring check. The internal async interval timer has been improved to account for these environments

  GSSAPI AuthProvider reuses single kerberos client

  A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all
  authentication attempts. This would result in incomplete authentication flows, and occaisionally even
  a crash in the kerberos module. The driver has been reverted to creating a kerberos client per
  authentication attempt.

  Performance regression due to use of setImmediate

  A change introduced in v3.6.1 switched all our usage of process.nextTick in the connection pool with
  setImmediate per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop
  was experiencing pressure, so the change was reverted for this release pending further investigation.

  Community Contributions

  • @ jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
  • @ through-a-haze submitted a fix for incorrect construction of an X509 authentication message
  • @ andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)

  Documentation

  Reference: http://mongodb.github.io/node-mongodb-native/3.6/
  API: http://mongodb.github.io/node-mongodb-native/3.6/api/
  Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

  Release Notes

  Bug

  • [NODE-2172] - Change stream breaks on disconnection when there's something piped into it.
  • [NODE-2784] - MongoError: Not Master when running createIndex in 3.6.0
  • [NODE-2807] - MongoClient.readPreference always returns primary
  • [NODE-2827] - Connecting to single mongos makes driver think it is connected to a standalone
  • [NODE-2829] - MongoDB Driver 3.6+ Performance issues on AWS Lambda
  • [NODE-2835] - Remove default timeout for read operations
  • [NODE-2859] - GSSAPI AuthProvider causing crashes in Compass
  • [NODE-2861] - Performance Regression for usage of mongodb connections (queries, inserts, ...)
  • [NODE-2865] - Connections can be leaked if wait queue members are cancelled
  • [NODE-2869] - Invalid assignment of X509 username makes authentication impossible

  Improvement

  • [NODE-2834] - Remove deprecation of AggregationCursor#geoNear
  • [NODE-2867] - Use peerDependenciesMeta field to mark peer optional dependencies

from mongodb GitHub release notes

Commit messages

Package name: mongodb

• a485346 chore(release): 3.6.4
• 2fffb52 test: Adding test for cursor cloning removing session (Adds exporting vars after success #2723)
• 6314f5a chore(ci): fix aws auth tests (handleUpdateToRevocableSession cause HTTP 500 error #2720)
• 617d9de fix: restore auto direct connection behavior (Update jasmine to version 2.5.2 🚀 #2719)
• 8082c89 fix(cursor): don't use other operation's session for cloned cursor operation ( Saved filename fixed so that clients display it correctly #2415 #2705)
• f89e4c1 fix: dont parse tls/ssl file paths in uri (Parse issue in Swift 3 #2718)
• b657c8c fix: respect readPreference and writeConcern from connection string (Json parser seems to be eating up a lot of response time #2711)
• b5e9d67 fix: Allow GridFS write stream to destroy (Cross Domain Issue #2702)
• e257e6b fix(find): correctly translate timeout option into noCursorTimeout (Session token without expiry date #2700)
• 60936dc fix: hasAtomicOperator check respects toBSON transformation (parse server push only sent to part of the audience #2696)
• 7e89e47 test: add tests for azure and GCP CSFLE (Adds more expressive schema mismatch errors #2662)
• 8daff7f chore: Remove unused CI files (Revert "Tries a new travis configuration" #2684)
• f557c8a chore(ci): continuous matrix integration [3.6] (Crash if logout is made to not existing user #2667)
• a25b67c fix: honor ignoreUndefined on findAndModify commands (Parse server not uploading file > 1mb, logs in server: "client intended to send too large body" #2671)
• db3f800 docs: fix type for aggregation cursor unwind param (Add NullCacheAdapter #2636)
• cdb614d test: write concern command construction test cleanup (Parse.FacebookUtils.isLinked(user) returns false since parse-server 2.2.6 #2342)
• 3f2f987 chore(ci): test on windows (Reverts calling next() after handling response #2634)
• b365c50 fix: awaitable isMaster timeout must respect connectTimeoutMS (Sets spec reporter for jasmine #2627)
• a827807 feat: add explain support (Different errors assigned to the same code 209 #2626)
• 0516d93 feat: Deprecate top-level write concern option keys (Update jasmine to version 2.5.0 🚀 #2624)
• e0d0119 docs: update api-doc link to version 3.6 (Does Parse-Server verify if the client is legitimate for every request? #2640)
• 9df093c fix: transition topology state before async calls (change log level to debug for classes without subscribers (#2594) #2637)
• dd356f0 docs: Display ES2017 usage by default (Update mongodb to version 2.2.8 🚀 #2575)
• 8897259 fix: don't add empty query string items to connection string

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[codecov]

Codecov Report

Merging #7223 (170038d) into master (f71b63b) will decrease coverage by 8.18%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7223      +/-   ##
==========================================
- Coverage   94.00%   85.81%   -8.19%     
==========================================
  Files         172      172              
  Lines       12873    12873              
==========================================
- Hits        12101    11047    -1054     
- Misses        772     1826    +1054     

Impacted Files	Coverage Δ
...dapters/Cache/RedisCacheAdapter/KeyPromiseQueue.js	0.00% <0.00%> (-95.46%)	⬇️
src/Adapters/Storage/Mongo/MongoCollection.js	4.76% <0.00%> (-92.86%)	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	8.84% <0.00%> (-84.08%)	⬇️
src/Adapters/Cache/RedisCacheAdapter/index.js	12.50% <0.00%> (-82.15%)	⬇️
src/Adapters/Files/GridFSBucketAdapter.js	10.65% <0.00%> (-68.86%)	⬇️
...rc/Adapters/Storage/Mongo/MongoSchemaCollection.js	37.07% <0.00%> (-60.68%)	⬇️
src/Adapters/Storage/Mongo/MongoTransform.js	51.10% <0.00%> (-37.71%)	⬇️
src/Adapters/Files/GridStoreAdapter.js	13.04% <0.00%> (-33.34%)	⬇️
src/Routers/SessionsRouter.js	64.70% <0.00%> (-26.48%)	⬇️
src/GraphQL/transformers/mutation.js	68.47% <0.00%> (-25.00%)	⬇️
... and 20 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f71b63b...1bb2006. Read the comment docs.

[dplewis]

The tests are failing because of the driver. There is a PR open for a fix.

mongodb/node-mongodb-native#2744