[Snyk] Upgrade mongodb from 3.5.9 to 6.19.0 #1620
Open
+788
−240
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.19.0. See this package in npm: mongodb See this project in Snyk: https://app.snyk.io/org/panda-co/project/ebfb2282-581e-4b1b-afb0-8a0e07b1b540?utm_source=github&utm_medium=referral&page=upgrade-pr
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) ✅ license/snyk check is complete. No issues have been found. (View Details) ✅ code/snyk check is complete. No issues have been found. (View Details) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.19.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 368 versions ahead of your current version.
The recommended version was released 21 days ago.
Issues fixed by the recommended upgrade:
SNYK-JS-BL-608877
Release notes
Package name: mongodb
6.19.0 (2025-08-26)
The MongoDB Node.js team is pleased to announce version 6.19.0 of the
mongodbpackage!Release Notes
Experimental Support for Queryable Encryption Text Field Prefix, Suffix and Substring Queries
Important
Substring, prefix and suffix search are in preview and should be used for experimental workloads only. These features are unstable and their security is not guaranteed until released as Generally Available (GA). The GA version of these features may not be backwards compatible with the preview version.
When using Queryable Encryption with both automatic encryption and explicit encryption, text fields can now be queried using prefix, suffix and substring queries. This feature requires
mongodb-client-encryption@>=6.5.0.Allow a
secureContextfor Auto Encryption and Client Encryption TLS optionsThis can be provided in the
tlsOptionsoption both both objects.import { ClientEncryption, MongoClient } from 'mongodb';
const caFile = await fs.readFile(process.env.CSFLE_TLS_CA_FILE);
const certFile = await fs.readFile(process.env.CSFLE_TLS_CLIENT_CERT_FILE);
const secureContextOptions = {
ca: caFile,
key: certFile,
cert: certFile
};
const options = {
keyVaultNamespace: 'db.coll',
kmsProviders: {
aws: {}
}
},
tlsOptions: {
aws: {
secureContext: tls.createSecureContext(secureContextOptions),
}
}
};
const client = this.configuration.newClient({}, { autoEncryption: { ...options, schemaMap } });
const clientEncryption = new ClientEncryption(client, options);
collection.findOne()andcollection.find()will no longer potentially leave open cursors on the serverThe
findOnecommand will now always set thelimitoption to1andsingleBatchtotrue. Thelimit,noCursorResponseandbatchSizeoptions have also been deprecated, and the command will guarantee no more cursors can be orphaned and nokillCursorscommand will be potentially executed.findwill now setlimittobatchSize + 1when both options were equal, to avoid leaving cursors open.Clients no longer send a ping on connect
When authentication is enabled, the
MongoClientwill no longer send apingcommand when connecting since it is unnecessary. Instead it will check a connection out of the pool to force the initial handshake, and check it back in.Features
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.18.0 (2025-07-22)
The MongoDB Node.js team is pleased to announce version 6.18.0 of the
mongodbpackage!Release Notes
New
appendMetadataAPI allows clients to add handshake metadata post constructionDriver information such as name, version, and platform are allowed:
const client = new MongoClient(process.env.MONGODB_URI);
client.appendMetadata({ name: 'my library', version: '1.0', platform: 'NodeJS' });
Cursors lazily instantiate sessions
In previous versions, sessions were eagerly allocated whenever a cursor was created, regardless of whether or not a cursor was actually iterated (and the session was actually needed). Some driver APIs (
FindCursor.count(),AggregationCursor.explain()andFindCursor.explain()) don't actually iterate the cursor they are executed on. This can lead to client sessions being created and never being cleaned up.With this update, sessions are not allocated until the cursor is iterated.
Idle connections are now pruned during periods of no activity even when
minPoolSize=0A
MongoClientconfigured with amaxIdleTimeMSandminPoolSizeof 0 is advantageous for workloads that have sustained periods of little or no activity because it allows the connection pool to close connections that are unused during these periods of inactivity. However, due to a bug in theConnectionPoolimplementation, idle / perished connections were not cleaned up unlessminPoolSizewas non-zero.With the changes in this PR, the
ConnectionPoolnow always cleans up idle connections, regardless ofminPoolSize.ChangeStream event interfaces include a
wallTimepropertyThis property is available on all types with the exception of reshard collection and refine collection shard key events. Thanks to @ qhello for bringing this bug to our attention!
CommandSucceededEventandCommandFailedEventevents now have adatabaseNamepropertyCommandSucceededEventandCommandFailedEventnow include the name of the database against which the command was executed.Deprecations
Transaction state getters are deprecated
These were for internal use only and include:
ClientMetadata,ClientMetadataOptions, andCancellationTokenhave been deprecatedThese types will be removed in an upcoming major version of the driver.
CommandOptions.noResponseis deprecatedCaution
noResponseis not intended for use outside ofMongoClient.close(). Do not use this option.The Node driver has historically supported an option,
noResponse, that is used internally when a MongoClient is closed. This option was accidentally public. This option will be removed in an upcoming major release.Features
Bug Fixes
wallTimeproperty TS change stream event interfaces (#4541) (f153c6f)Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.17.0 (2025-06-03)
The MongoDB Node.js team is pleased to announce version 6.17.0 of the
mongodbpackage!Release Notes
Support for MongoDB 4.0 is removed
Warning
When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.
OIDC machine workflows now retry on token expired errors during initial authentication
This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were
"azure","gcp", and"k8s".keepAliveInitialDelaymay now be configured at theMongoClientlevelWhen not present will default to 120 seconds. The option value must be specified in milliseconds.
const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });
updateOneandreplaceOnenow support asortoptionThe updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:
collection.updateOne({}, {}, { sort });
collection.replaceOne({}, {}, { sort });
collection.bulkWrite([
{ updateOne: { filter: {}, update: {}, sort } },
{ replaceOne: { filter: {}, replacement: {}, sort } },
]);
client.bulkWrite([
{ name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
{ name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
]);
MongoClient close shuts outstanding in-use connections
The
MongoClient.close()method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.Support Added for Configuring the DEK cache expiration time.
Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0
For
ClientEncryption:For auto encryption:
Update operations will now throw if
ignoreUndefinedis true and all operations are undefined.When using any of the following operations they will now throw if all atomic operations in the update are undefined and the
ignoreUndefinedoption istrue. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:const client = new MongoClient(process.env.MONGODB_URI);
client.bulkWrite(
[
{
name: 'updateMany',
namespace: 'foo.bar',
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
],
{ ignoreUndefined: true }
);
const collection = client.db('test').collection('test');
collection.bulkWrite(
[
{
updateMany: {
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
}
],
{ ignoreUndefined: true }
);
collection.findOneAndUpdate(
{ a: 1 },
{ $set: undefined, $unset: undefined },
{ ignoreUndefined: true }
);
collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
Socket errors are always treated as network errors
Network errors perform an important role in the driver, impacting topology monitoring processes and retryablity. A bug in the driver's socket implementation meant that in scenarios where server disconnects occurred while no operation was in progress on the socket resulted in errors that were not considered network errors.
Socket errors are now unconditionally treated as network errors.
Features
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.16.0 (2025-04-21)
The MongoDB Node.js team is pleased to announce version 6.16.0 of the
mongodbpackage!Release Notes
distinct commands now support an index hint
The
Collection.distinct()method now supports an optionalhint, which can be used to tell the server which index to use for the command:await collection.distinct('my-key', {
hint: { 'my-key': 1 }
});
// providing an index name
await collection.distinct('my-key', {
hint: 'my-key'
});
This requires server 7.1+.
Driver support for servers <=4.0 deprecated
Warning
Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.
Fix processing of multiple messages within one network data chunk
During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.
Now, all messages in the current buffer are returned to the driver leading to faster processing times.
Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!
FindCursor.rewind() throws
documents?.clear() is not a functionerrors in certain scenariosIn certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.
Features
hinton distinct commands (#4487) (40d0e87)Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.15.0 (2025-03-18)
The MongoDB Node.js team is pleased to announce version 6.15.0 of the
mongodbpackage!Release Notes
Support for custom AWS credential providers
The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of
() => Promise<AWSCredentials>which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.Example for authentication with a provider chain from the AWS SDK:
const client = new MongoClient(process.env.MONGODB_URI, {
authMechanismProperties: {
AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
}
});
Example for using a custom provider for KMS requests only:
const client = new MongoClient(process.env.MONGODB_URI, {
autoEncryption: {
keyVaultNamespace: 'keyvault.datakeys',
kmsProviders: { aws: {} },
credentialProviders: {
aws: fromNodeProviderChain()
}
}
}
Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:
Fix misc unhandled rejections under special conditions
We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:
OIDC<...