Conversation

akanchhaS
Owner

Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.20.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 385 versions ahead of your current version.

  • The recommended version was released 22 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

Issue                                             Score   Exploit Maturity
Uninitialized Memory Exposure (high severity)     199     Proof of Concept
  SNYK-JS-BL-608877
Release notes
Package name: mongodb
  • 6.20.0 - 2025-09-18

    6.20.0 (2025-09-17)

    The MongoDB Node.js team is pleased to announce version 6.20.0 of the mongodb package!

    Release Notes

    Collection and Db objects now provide references to their Db and MongoClient

    import assert from 'node:assert';
    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);
    const db = client.db('test');
    assert(db.client === client); // returns the MongoClient associated with the Db object
    const collection = db.collection('test');
    assert(collection.db === db); // returns the Db associated with the Collection object

    Hint is supported with unacknowledged writes for delete, update and findAndModify commands on servers that support hint

    The driver no longer throws errors when hint is provided to unacknowledged writes for delete, update and findAndModify commands in the following circumstances:

    • No error is thrown for update commands.
    • No errors are thrown for delete and findAndModify commands on servers >=4.4.

    ServerCapabilities and ReadPreference.minWireVersion are deprecated

    Neither the ServerCapabilities class nor the ReadPreference.minWireVersion property were ever intended for public use and, internally, are effectively dead code with the driver's minimum supported server version being 4.2.

    Driver info and metadata MongoClient options have been deprecated.

    These will be made internal in a future major release:

    • driverInfo
    • additionalDriverInfo
    • metadata
    • extendedMetadata

    CommandOperationOptions.retryWrites is deprecated

    CommandOperationOptions.retryWrites is deprecated. This per‑command option has no effect; the Node.js driver only honors retryWrites when configured at the client level (MongoClient options) or via the connection string. Do not use this option on individual commands. There is no runtime behavior change because it was already ignored, but it will be removed in an upcoming major release and may cause type or build errors in code that references it. To control retryable writes, set retryWrites in MongoClient options or include retryWrites=true|false in the connection string.

    ChangeStream .tryNext() now updates resumeToken to prevent duplicates after resume

    When .tryNext() returns a change document, the driver now caches its resumeToken, aligning its behavior with .next() and the 'change' event. If .tryNext() returns null (no new changes), nothing is cached, which is unchanged from previous behavior.

    Previously, .tryNext() did not update the resumeToken, so a resumable error could cause a resume from an older token and re-deliver already processed changes. With this release, resumes continue from the latest token observed via .tryNext(), preventing duplicates.

    import { scheduler } from 'node:timers/promises';

    const changeStream = collection.watch([]);
    while (true) {
      const change = await changeStream.tryNext(); // prior versions could return duplicates
      if (change !== null) {
        // process change; the driver now caches change._id as the resume token
      }
      await scheduler.wait(1000);  // delay since tryNext() does not wait for changes
    }

    Applications that poll change streams with .tryNext() in non-blocking loops benefit directly. There are no API changes; if you previously tracked and passed resumeAfter or startAfter manually, you can now rely on the driver’s built-in token caching.

    Huge thanks to @rkistner for bringing this bug to our attention and for sharing code to reproduce it. Huge thanks as well to @Omnicpie for investigating and implementing a fix.

    Change Streams now resume on MongoServerSelectionError

    When the driver encounters a MongoServerSelectionError while processing a Change Stream (e.g., due to a transient network issue or during an election), it now treats the error as resumable and attempts to resume using the latest cached resume token.

    This applies to both iterator and event-emitter usage:

    // Iterator form
    const changeStream = collection.watch([]);
    for await (const change of changeStream) {
      // process change
    }

    // Event-emitter form
    const changeStream = collection.watch([]);
    changeStream.on('change', (change) => {
      // process change
    });

    There are no API changes. If you previously caught MongoServerSelectionError and implemented manual resume logic, you can now rely on the driver’s built-in resume mechanism, which uses the cached resume token from the change event’s _id to continue without losing events.

    Huge thanks to @grossbart for bringing this bug to our attention, investigating it and for sharing code to reproduce it!

    MongoClient.appendMetadata() ignores duplicate metadata

    MongoClient.appendMetadata() will no longer append metadata if it duplicates the metadata already appended to the MongoClient.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.19.0 - 2025-08-26

    6.19.0 (2025-08-26)

    The MongoDB Node.js team is pleased to announce version 6.19.0 of the mongodb package!

    Release Notes

    Experimental Support for Queryable Encryption Text Field Prefix, Suffix and Substring Queries

    Important

    Substring, prefix and suffix search are in preview and should be used for experimental workloads only. These features are unstable and their security is not guaranteed until released as Generally Available (GA). The GA version of these features may not be backwards compatible with the preview version.

    When using Queryable Encryption with both automatic encryption and explicit encryption, text fields can now be queried using prefix, suffix and substring queries. This feature requires mongodb-client-encryption@>=6.5.0.

    Allow a secureContext for Auto Encryption and Client Encryption TLS options

    This can be provided in the tlsOptions option on both objects.

    import * as fs from 'node:fs/promises';
    import * as tls from 'tls';
    import { ClientEncryption, MongoClient } from 'mongodb';

    const caFile = await fs.readFile(process.env.CSFLE_TLS_CA_FILE);
    const certFile = await fs.readFile(process.env.CSFLE_TLS_CLIENT_CERT_FILE);
    const secureContextOptions = {
      ca: caFile,
      key: certFile,
      cert: certFile
    };
    const options = {
      keyVaultNamespace: 'db.coll',
      kmsProviders: {
        aws: {}
      },
      tlsOptions: {
        aws: {
          // the same secureContext is used for the TLS connection to the KMS provider
          secureContext: tls.createSecureContext(secureContextOptions),
        }
      }
    };

    // schemaMap: the encrypted-field schema for your collections, defined elsewhere in the application
    const client = new MongoClient(process.env.MONGODB_URI, { autoEncryption: { ...options, schemaMap } });
    const clientEncryption = new ClientEncryption(client, options);

    collection.findOne() and collection.find() will no longer potentially leave open cursors on the server

    The findOne command will now always set the limit option to 1 and singleBatch to true. The limit, noCursorResponse and batchSize options have also been deprecated, and the command will guarantee no more cursors can be orphaned and no killCursors command will be potentially executed.

    find will now set limit to batchSize + 1 when both options were equal, to avoid leaving cursors open.

    Clients no longer send a ping on connect

    When authentication is enabled, the MongoClient will no longer send a ping command when connecting since it is unnecessary. Instead it will check a connection out of the pool to force the initial handshake, and check it back in.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.18.0 - 2025-07-22

    6.18.0 (2025-07-22)

    The MongoDB Node.js team is pleased to announce version 6.18.0 of the mongodb package!

    Release Notes

    New appendMetadata API allows clients to add handshake metadata post construction

    Driver information such as name, version, and platform are allowed:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);
    client.appendMetadata({ name: 'my library', version: '1.0', platform: 'NodeJS' });

    Cursors lazily instantiate sessions

    In previous versions, sessions were eagerly allocated whenever a cursor was created, regardless of whether or not a cursor was actually iterated (and the session was actually needed). Some driver APIs (FindCursor.count(), AggregationCursor.explain() and FindCursor.explain()) don't actually iterate the cursor they are executed on. This can lead to client sessions being created and never being cleaned up.

    With this update, sessions are not allocated until the cursor is iterated.

    Idle connections are now pruned during periods of no activity even when minPoolSize=0

    A MongoClient configured with a maxIdleTimeMS and minPoolSize of 0 is advantageous for workloads that have sustained periods of little or no activity because it allows the connection pool to close connections that are unused during these periods of inactivity. However, due to a bug in the ConnectionPool implementation, idle / perished connections were not cleaned up unless minPoolSize was non-zero.

    With the changes in this PR, the ConnectionPool now always cleans up idle connections, regardless of minPoolSize.

    ChangeStream event interfaces include a wallTime property

    This property is available on all types with the exception of reshard collection and refine collection shard key events. Thanks to @qhello for bringing this bug to our attention!

    CommandSucceededEvent and CommandFailedEvent events now have a databaseName property

    CommandSucceededEvent and CommandFailedEvent now include the name of the database against which the command was executed.

    Deprecations

    Transaction state getters are deprecated

    These were for internal use only and include:

    Transaction#options
    Transaction#recoveryToken
    Transaction#isPinned
    Transaction#isStarting
    Transaction#isActive
    Transaction#isCommitted

    ClientMetadata, ClientMetadataOptions, and CancellationToken have been deprecated

    These types will be removed in an upcoming major version of the driver.

    CommandOptions.noResponse is deprecated

    Caution

    noResponse is not intended for use outside of MongoClient.close(). Do not use this option.

    The Node driver has historically supported an option, noResponse, that is used internally when a MongoClient is closed. This option was accidentally public. This option will be removed in an upcoming major release.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.17.0 - 2025-06-03

    6.17.0 (2025-06-03)

    The MongoDB Node.js team is pleased to announce version 6.17.0 of the mongodb package!

    Release Notes

    Support for MongoDB 4.0 is removed

    Warning

    When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.

    OIDC machine workflows now retry on token expired errors during initial authentication

    This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were "azure", "gcp", and "k8s".

    keepAliveInitialDelay may now be configured at the MongoClient level

    When not present, it defaults to 120 seconds. The option value must be specified in milliseconds.

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });

    updateOne and replaceOne now support a sort option

    The updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:

    const sort = { fieldName: -1 };

    collection.updateOne({}, {}, { sort });
    collection.replaceOne({}, {}, { sort });

    collection.bulkWrite([
      { updateOne: { filter: {}, update: {}, sort } },
      { replaceOne: { filter: {}, replacement: {}, sort } },
    ]);

    client.bulkWrite([
      { name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
      { name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
    ]);

    MongoClient close shuts outstanding in-use connections

    The MongoClient.close() method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.

    Support Added for Configuring the DEK cache expiration time.

    Default value is 60000. Requires mongodb-client-encryption >= 6.4.0.

    For ClientEncryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
    const client = new MongoClient(process.env.MONGODB_URI);
    const clientEncryption = new ClientEncryption(client, { keyExpirationMS: 100000, kmsProviders: ... });

    For auto encryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
    const client = new MongoClient(process.env.MONGODB_URI, {
      autoEncryption: {
        keyExpirationMS: 100000,
        kmsProviders: ...
      }
    });

    Update operations will now throw if ignoreUndefined is true and all operations are undefined.

    When using any of the following operations, they will now throw if all atomic operations in the update are undefined and the ignoreUndefined option is true. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);

    client.bulkWrite(
      [
        {
          name: 'updateMany',
          namespace: 'foo.bar',
          filter: { age: { $lte: 5 } },
          update: { $set: undefined, $unset: undefined }
        }
      ],
      { ignoreUndefined: true }
    );

    const collection = client.db('test').collection('test');

    collection.bulkWrite(
      [
        {
          updateMany: {
            filter: { age: { $lte: 5 } },
            update: { $set: undefined, $unset: undefined }
          }
        }
      ],
      { ignoreUndefined: true }
    );

    collection.findOneAndUpdate(
      { a: 1 },
      { $set: undefined, $unset: undefined },
      { ignoreUndefined: true }
    );

    collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    Socket errors are always treated as network errors

    Network errors perform an important role in the driver, impacting topology monitoring processes and retryability. A bug in the driver's socket implementation meant that, in scenarios where server disconnects occurred while no operation was in progress on the socket, the resulting errors were not considered network errors.

    Socket errors are now unconditionally treated as network errors.


See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/panda-co/project/ebfb2282-581e-4b1b-afb0-8a0e07b1b540?utm_source=github&utm_medium=referral&page=upgrade-pr
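The issue fixed by this upgrade lives in the transitive dependency `bl`, not in `mongodb` itself, so the useful check after merging is whether any chain in the lockfile still pulls `bl` in. The script below is an added example, not code from Snyk or the mongodb driver: it resolves dependency chains from a package-lock.json the way npm does (nearest enclosing node_modules wins); the two lockfiles it contains are constructed, and their versions and ranges are not the real mongodb dependency trees.

```javascript
// Added example: walk a package-lock.json (lockfileVersion 2 or 3, "packages"
// map) and list every dependency chain that pulls in a given package, to confirm
// an upgrade really drops a vulnerable transitive such as `bl`.

// Constructed lockfiles for illustration; versions and ranges are NOT the real
// mongodb dependency trees. LOCK_BEFORE models mongodb@3.5.9 pulling in bl,
// LOCK_AFTER models the tree after the upgrade to mongodb@6.20.0.
const LOCK_BEFORE = {
  packages: {
    '': { name: 'app', dependencies: { mongodb: '^3.5.9', 'safe-buffer': '^5.2.0' } },
    'node_modules/mongodb': { version: '3.5.9', dependencies: { bl: '^2.2.0', 'safe-buffer': '^5.1.2' } },
    'node_modules/bl': { version: '2.2.0' },
    'node_modules/safe-buffer': { version: '5.2.1' },
  },
};
const LOCK_AFTER = {
  packages: {
    '': { name: 'app', dependencies: { mongodb: '^6.20.0' } },
    'node_modules/mongodb': { version: '6.20.0', dependencies: { bson: '^6.0.0' } },
    'node_modules/bson': { version: '6.10.0' },
  },
};

// npm resolution rule: a dependency of the package installed at `from` is the
// copy in the nearest enclosing node_modules directory that contains it.
function resolveDep(lock, from, name) {
  let base = from;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every chain ending at `target`
// as "name@version > name@version". `seen` guards against dependency cycles.
function findChains(lock, target) {
  const chains = [];
  const walk = (from, trail, seen) => {
    const deps = lock.packages[from]?.dependencies ?? {};
    for (const name of Object.keys(deps)) {
      const loc = resolveDep(lock, from, name);
      if (!loc || seen.has(loc)) continue;
      const next = [...trail, `${name}@${lock.packages[loc].version}`];
      if (name === target) chains.push(next.join(' > '));
      walk(loc, next, new Set([...seen, loc]));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}

console.log('before:', findChains(LOCK_BEFORE, 'bl')); // [ 'mongodb@3.5.9 > bl@2.2.0' ]
console.log('after: ', findChains(LOCK_AFTER, 'bl'));  // []
```

Point `findChains` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it on a real tree; an empty result for `bl` after the upgrade is the confirmation you want.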

akanchhaS commented Oct 10, 2025

Snyk checks have passed. No issues have been found so far.

Scanner                 Critical  High  Medium  Low  Total (0)
Open Source Security    0         0     0       0    0 issues
Licenses                0         0     0       0    0 issues
Code Security           0         0     0       0    0 issues
