@akanchhaS
Owner

Snyk has created this PR to upgrade mongodb from 3.5.9 to 7.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 414 versions ahead of your current version.

  • The recommended version was released 22 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

Issue: Uninitialized Memory Exposure (high severity), SNYK-JS-BL-608877
Score: 199
Exploit Maturity: Proof of Concept
Release notes
Package name: mongodb
  • 7.0.0 - 2025-11-06

    7.0.0 (2025-11-06)

    The MongoDB Node.js team is pleased to announce version 7.0.0 of the mongodb package!

    Release Notes

    The following is a detailed collection of the changes in the major v7 release of the mongodb package for Node.js.
    The main focus of this release was usability improvements and a streamlined API. Read on for details!

    Important

    This is a list of changes relative to v6.21.0 of the driver. ALL changes listed below are BREAKING unless indicated otherwise.
    Users migrating from an older version of the driver are advised to upgrade to at least v6.21.0 before adopting v7.

    🛠️ Runtime and dependency updates

    Minimum Node.js version is now v20.19.0

    The minimum supported Node.js version is now v20.19.0 and our TypeScript target has been updated to ES2023. We strive to keep our minimum supported Node.js version in sync with the runtime's release cadence to keep up with the latest security updates and modern language features.

    Notably, the driver now offers native support for explicit resource management. Symbol.asyncDispose implementations are available on the MongoClient, ClientSession, ChangeStream and on cursors.

    Note

    Explicit resource management is considered experimental in the driver and will be until the TC39 explicit resource management proposal is completed.

    bson and mongodb-connection-string-url versions 7.0.0

    This driver version has been updated to use bson@7.0.0 and mongodb-connection-string-url@7.0.0, which match the driver's Node.js runtime version support. BSON functionality re-exported from the driver is furthermore subject to the changes outlined in the BSON V7 release notes.

    Optional peer dependency releases and version bumps

    • @mongodb-js/zstd optional peer dependency minimum version raised to 7.0.0, dropped support for 1.x and 2.x (note that @mongodb-js/zstd does not have 3.x-6.x version releases)
    • kerberos optional peer dependency minimum version raised to 7.0.0, dropped support for 2.x (note that kerberos does not have 3.x-6.x version releases)
    • mongodb-client-encryption optional peer dependency minimum version raised to 7.0.0, dropped support for 6.x

    Additionally, the driver is now compatible with the following packages:

    Dependency                     Previous Range   New Allowed Range
    @aws-sdk/credential-providers  ^3.188.0         ^3.806.0
    gcp-metadata                   ^5.2.0           ^7.0.1
    socks                          ^2.7.1           ^2.8.6

    🔐 AWS authentication

    To improve long-term maintainability and ensure compatibility with AWS updates, we’ve standardized AWS auth to use the official SDK in all cases and made a number of supporting changes outlined below.

    @aws-sdk/credential-providers is now required for MONGODB-AWS authentication

    Previous versions of the driver contained two implementations for AWS authentication and could run the risk of the custom driver implementation not supporting all AWS authentication features as well as not being correct when AWS makes changes. Using the official AWS SDK in all cases alleviates these issues.

    npm install @aws-sdk/credential-providers

    Custom AWS credential provider takes highest precedence

    When providing a custom AWS credential provider via the auth mechanism property AWS_CREDENTIAL_PROVIDER, it will now take the highest precedence over any other AWS auth method.

    Explicitly provided credentials no longer accepted with MONGODB-AWS authentication

    AWS environments (such as AWS Lambda) do not have credentials that are permanent and expire within a set amount of time. Providing credentials in the URI or options would mandate that those credentials would be valid for the life of the MongoClient, which is problematic. With this change, the fetching of credentials is fully handled by the installed required AWS SDK.

    This means that for AWS authentication, all client URIs MUST now be specified as:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient('mongodb<+srv>://<host>:<port>/?authMechanism=MONGODB-AWS');

    The previous method of providing URI encoded credentials based on the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly in the connection string will no longer work.

    ⚙️ Error handling improvements

    Dropping a collection returns false instead of throwing when NS not found

    This change has been made for consistency with the common drivers specifications.

    Aggregate with write concern and explain no longer throws client-side

    This will now throw a MongoServerError instead.

    All encryption-related errors now subclass MongoError

    The driver aims to ensure that all errors it throws are subclasses of MongoError. However, when using CSFLE or QE, the driver's encryption implementation could sometimes throw errors that were not instances of MongoError.

    Now, all errors thrown during encryption are subclasses of MongoError.

    'PoolRequstedRetry' error label renamed to 'PoolRequestedRetry'

    The PoolClearedError thrown in cases where the connection pool was cleared now fixes the typo in the error label.

    💥 Misc breaking improvements

    Change streams no longer filter $changeStream stage options

    Users can now pass any option to collection.watch(). If an option is invalid for the $changeStream stage of the pipeline, the server will return an error. This change makes it possible to use newly introduced server options without waiting for them to become available in our public type definitions and eliminates the risk of valid but unrecognized options being silently ignored.

    Cursors no longer provide a default batchSize of 1000 for getMores

    In driver versions <7.0, the driver provides a default batchSize of 1000 for each getMore when iterating a cursor. This behavior is not ideal because the default is set regardless of the documents being fetched. For example, if a cursor fetches many small documents, the driver's default of 1000 can result in many round-trips to fetch all documents, when the server could fit all documents inside a single getMore if no batchSize were set.

    Now, cursors no longer provide a default batchSize when executing a getMore. A batchSize will only be set on getMore commands if a batchSize has been explicitly configured for the cursor.

    Auto encryption options now include default filenames in TS

    A common source of confusion for people configuring auto encryption is where to specify the path to mongocryptd and where to specify the path to crypt_shared. We've now made this clearer for our TypeScript users. TypeScript now reports errors if the specified filename doesn't match the default name of the file. Some examples:

    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'some path'; // ERROR
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd'; // OK
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = '/usr/local/bin/mongocryptd'; // OK
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd.exe'; // OK

    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'some path'; // ERROR
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.so'; // OK
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dll'; // OK
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dylib'; // OK

    ☀️ Misc non-breaking improvements

    Improve MongoClient.connect() consistency across environments

    The MongoClient connect function will now run a handshake regardless of credentials being defined. The upshot of this change is that connect is more consistent at verifying some fail-fast preconditions regardless of environment. For example, previously, if connecting to a loadBalanced=true cluster without authentication there would not have been an error until a command was attempted.

    MongoClient.close() no longer sends endSessions if the topology does not have session support

    MongoClient.close() attempts to free up any server resources that the client has instantiated, including sessions. Previously, MongoClient.close() unconditionally attempted to kill all sessions, regardless of whether or not the topology actually supports sessions.

    Now, MongoClient.close() only attempts to clean up sessions if the topology supports sessions.

    Wrap socket write in a try/catch to ensure errors can be properly wrapped

    One socket.write call was not correctly wrapped in a try/catch block and network errors could bubble up to the driver. This call is now properly wrapped and will result in a retry.

    ClientEncryption.rewrapManyDataKey() options now correctly marked as optional

    The options parameter for the ClientEncryption.rewrapManyDataKey() method is now correctly marked as optional in its TypeScript definition. This change aligns the type signature with the method's implementation and documentation, resolving a type mismatch for TypeScript users.

    📜 Removal of deprecated functionality

    Cursor and ChangeStream stream() method no longer accepts a transform

    Cursors and ChangeStreams no longer accept a transform function. ReadableStream.map() can be used instead:

    // before
    const stream = cursor.stream({ transform: JSON.stringify });

    // after
    const stream = cursor.stream().map(JSON.stringify);

    MONGODB-CR AuthMechanism has been removed

    This mechanism has been unsupported as of MongoDB 4.0 and attempting to use it will still raise an error.

    Internal ClientMetadata properties have been removed from the public API

    Previous versions of the driver unintentionally exposed the following properties that have now been made internal:

    MongoClient.options.additionalDriverInfo
    MongoClient.options.metadata
    MongoClient.options.extendedMetadata
    MongoOptions.additionalDriverInfo
    MongoOptions.metadata
    MongoOptions.extendedMetadata
    ConnectionOptions.metadata
    ConnectionOptions.extendedMetadata
    

    CommandOptions.noResponse option removed

    This option was never intended to be public, and never worked properly for user-facing APIs. It has now been removed.

    Assorted deprecated type, class, and option removals

    GridFSFile.contentType;
    GridFSFile.aliases;
    GridFSBucketWriteStreamOptions.contentType;
    GridFSBucketWriteStreamOptions.aliases;
    CloseOptions;
    ResumeOptions;
    MongoClientOptions.useNewUrlParser;
    MongoClientOptions.useUnifiedTopology;
    CreateCollectionOptions.autoIndexId;
    FindOptions<TSchema>; // now no generic type
    ClientMetadataOptions;
    FindOneOptions.batchSize;
    FindOneOptions.limit;
    FindOneOptions.noCursorTimeout;
    ReadPreference.minWireVersion;
    ServerCapabilities;
    CommandOperationOptions.retryWrites; // is a global option on the MongoClient
    ClientSession.transaction;
    Transaction;
    CancellationToken;


  • 7.0.0-dev.20251125.sha.f433e11a - 2025-11-25
  • 7.0.0-dev.20251121.sha.761b9bfa - 2025-11-21
  • 7.0.0-dev.20251119.sha.49c5b6fe - 2025-11-19
  • 7.0.0-dev.20251115.sha.287c98a9 - 2025-11-15
  • 7.0.0-dev.20251114.sha.1cc3d1c9 - 2025-11-14
  • 7.0.0-dev.20251113.sha.26eb0e61 - 2025-11-13
  • 7.0.0-dev.20251112.sha.3cf02a8d - 2025-11-12
  • 7.0.0-dev.20251111.sha.b183de39 - 2025-11-11
  • 7.0.0-dev.20251107.sha.5db818c2 - 2025-11-07
  • 6.21.0 - 2025-11-12

    6.21.0 (2025-11-05)

    The MongoDB Node.js team is pleased to announce version 6.21.0 of the mongodb package!

    Release Notes

    Deprecated items to be removed in 7.0.0

    The following items have been deprecated and will be removed in 7.0.0:

    MongoCredentials.authMechanismProperties.AWS_SESSION_TOKEN // URI & client options for AWS variables will no longer be respected
    CommandOptions.noResponse // Unused
    ConnectionOptions.cancellationToken // Unused
    CursorStreamOptions // Only option, transform, removed in favor of Stream#map


    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.20.0 - 2025-09-18

    6.20.0 (2025-09-17)

    The MongoDB Node.js team is pleased to announce version 6.20.0 of the mongodb package!

    Release Notes

    Collection and Db objects now provide references to their Db and MongoClient

    import assert from 'assert';
    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);
    const db = client.db('test');
    assert(db.client === client); // returns the MongoClient associated with the Db object
    const collection = db.collection('test');
    assert(collection.db === db); // returns the Db associated with the Collection object

    Hint is supported with unacknowledged writes for delete, update and findAndModify commands on servers that support hint

    The driver no longer throws errors when hint is provided to unacknowledged writes for delete, update and findAndModify commands in the following circumstances:

    • No error is thrown for update commands.
    • No errors are thrown for delete and findAndModify commands on servers >=4.4.

    ServerCapabilities and ReadPreference.minWireVersion are deprecated

    Neither the ServerCapabilities class nor the ReadPreference.minWireVersion property were ever intended for public use and, internally, are effectively dead code with the driver's minimum supported server version being 4.2.

    Driver info and metadata MongoClient options have been deprecated.

    These will be made internal in a future major release:

    • driverInfo
    • additionalDriverInfo
    • metadata
    • extendedMetadata

    CommandOperationOptions.retryWrites is deprecated

    CommandOperationOptions.retryWrites is deprecated. This per‑command option has no effect; the Node.js driver only honors retryWrites when configured at the client level (MongoClient options) or via the connection string. Do not use this option on individual commands. There is no runtime behavior change because it was already ignored, but it will be removed in an upcoming major release and may cause type or build errors in code that references it. To control retryable writes, set retryWrites in MongoClient options or include retryWrites=true|false in the connection string.

    ChangeStream .tryNext() now updates resumeToken to prevent duplicates after resume

    When .tryNext() returns a change document, the driver now caches its resumeToken, aligning its behavior with .next() and the 'change' event. If .tryNext() returns null (no new changes), nothing is cached, which is unchanged from previous behavior.

    Previously, .tryNext() did not update the resumeToken, so a resumable error could cause a resume from an older token and re-deliver already processed changes. With this release, resumes continue from the latest token observed via .tryNext(), preventing duplicates.

    import { scheduler } from 'timers/promises'; // Node's promise-based timers

    const changeStream = collection.watch([]);
    while (true) {
      const change = await changeStream.tryNext(); // prior versions could return duplicates
      if (change !== null) {
        // process change; the driver now caches change._id as the resume token
      }
      await scheduler.wait(1000); // delay since tryNext() does not wait for changes
    }

    Applications that poll change streams with .tryNext() in non-blocking loops benefit directly. There are no API changes; if you previously tracked and passed resumeAfter or startAfter manually, you can now rely on the driver’s built-in token caching.

    Huge thanks to @rkistner for bringing this bug to our attention and for sharing code to reproduce it. Huge thanks as well to @Omnicpie for investigating and implementing a fix.

    Change Streams now resume on MongoServerSelectionError

    When the driver encounters a MongoServerSelectionError while processing a Change Stream (e.g., due to a transient network issue or during an election), it now treats the error as resumable and attempts to resume using the latest cached resume token.

    This applies to both iterator and event-emitter usage:

    // Iterator form
    const changeStream = collection.watch([]);
    for await (const change of changeStream) {
      // process change
    }

    // Event-emitter form
    const changeStream = collection.watch([]);
    changeStream.on('change', (change) => {
      // process change
    });

    There are no API changes. If you previously caught MongoServerSelectionError and implemented manual resume logic, you can now rely on the driver’s built-in resume mechanism, which uses the cached resume token from the change event’s _id to continue without losing events.

    Huge thanks to @grossbart for bringing this bug to our attention, investigating it and for sharing code to reproduce it!

    MongoClient.appendMetadata() ignores duplicate metadata

    MongoClient.appendMetadata() will no longer append metadata if it duplicates the metadata already appended to the MongoClient.


    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.20.0-dev.20251106.sha.696664cb - 2025-11-06
  • 6.20.0-dev.20251101.sha.517da849 - 2025-11-01
  • 6.20.0-dev.20251031.sha.76c98bb6 - 2025-10-31
  • 6.20.0-dev.20251030.sha.8e95b0dc - 2025-10-30
  • 6.20.0-dev.20251029.sha.66c18b7e - 2025-10-29
  • 6.20.0-dev.20251028.sha.447dad7e - 2025-10-28
  • 6.20.0-dev.20251026.sha.9b349535 - 2025-10-26
  • 6.20.0-dev.20251025.sha.df3aaaa3 - 2025-10-25
  • 6.20.0-dev.20251024.sha.51c1b9d2 - 2025-10-24
  • 6.20.0-dev.20251023.sha.c2b988eb - 2025-10-23
  • 6.20.0-dev.20251022.sha.e1ea14ce - 2025-10-22
  • 6.20.0-dev.20251021.sha.b6ce345a - 2025-10-21
  • 6.20.0-dev.20251018.sha.0451dae9 - 2025-10-18
  • 6.20.0-dev.20251017.sha.e15d0fec - 2025-10-17
  • 6.20.0-dev.20251016.sha.17029879 - 2025-10-16
  • 6.20.0-dev.20251015.sha.9e9059a8 - 2025-10-15
  • 6.20.0-dev.20251014.sha.c38df51e - 2025-10-14
  • 6.20.0-dev.20251011.sha.cc85ebf2 - 2025-10-11
  • 6.20.0-dev.20251010.sha.c5f74abe - 2025-10-10
  • 6.20.0-dev.20251009.sha.fb2824ff - 2025-10-09
  • 6.20.0-dev.20251008.sha.cfbada66 - 2025-10-08
  • 6.20.0-dev.20251007.sha.3f7196eb - 2025-10-07
  • 6.20.0-dev.20251004.sha.8a67346c - 2025-10-04
  • 6.20.0-dev.20251002.sha.28f01524 - 2025-10-02
  • 6.20.0-dev.20251001.sha.e7266b82 - 2025-10-01
  • 6.20.0-dev.20250930.sha.23cafe94 - 2025-09-30
  • 6.20.0-dev.20250927.sha.2bd2c3af - 2025-09-27
  • 6.20.0-dev.20250926.sha.4740acf7 - 2025-09-26
  • 6.20.0-dev.20250925.sha.a576b7d3 - 2025-09-25
  • 6.20.0-dev.20250924.sha.81a7951f - 2025-09-24
  • 6.20.0-dev.20250923.sha.4ab26329 - 2025-09-23
  • 6.20.0-dev.20250920.sha.e8a91a91 - 2025-09-20
  • 6.20.0-dev.20250919.sha.b7c67507 - 2025-09-19
  • 6.19.0 - 2025-08-26

    6.19.0 (2025-08-26)

    The MongoDB Node.js team is pleased to announce version 6.19.0 of the mongodb package!

    Release Notes

    Experimental Support for Queryable Encryption Text Field Prefix, Suffix and Substring Queries

    Important

    Substring, prefix and suffix search are in preview and should be used for experimental workloads only. These features are unstable and their security is not guaranteed until released as Generally Available (GA). The GA version of these features may not be backwards compatible with the preview version.

    When using Queryable Encryption with both automatic encryption and explicit encryption, text fields can now be queried using prefix, suffix and substring queries. This feature requires mongodb-client-encryption@>=6.5.0.

    Allow a secureContext for Auto Encryption and Client Encryption TLS options

    This can be provided in the tlsOptions option on both objects.

    import * as fs from 'fs/promises';
    import * as tls from 'tls';
    import { ClientEncryption, MongoClient } from 'mongodb';

    const caFile = await fs.readFile(process.env.CSFLE_TLS_CA_FILE);
    const certFile = await fs.readFile(process.env.CSFLE_TLS_CLIENT_CERT_FILE);
    const secureContextOptions = {
      ca: caFile,
      key: certFile,
      cert: certFile
    };
    const options = {
      keyVaultNamespace: 'db.coll',
      kmsProviders: {
        aws: {} // empty: credentials are fetched from the AWS environment
      },
      tlsOptions: {
        aws: {
          secureContext: tls.createSecureContext(secureContextOptions)
        }
      }
    };

    // schemaMap: the CSFLE/QE schema map for your collections, defined elsewhere
    const client = new MongoClient(process.env.MONGODB_URI, { autoEncryption: { ...options, schemaMap } });
    const clientEncryption = new ClientEncryption(client, options);

    collection.findOne() and collection.find() will no longer potentially leave open cursors on the server

    The findOne command will now always set the limit option to 1 and singleBatch to true. The limit, noCursorResponse and batchSize options have also been deprecated, and the command will guarantee no more cursors can be orphaned and no killCursors command will be potentially executed.

    find will now set limit to batchSize + 1 when both options were equal, to avoid leaving cursors open.

    Clients no longer send a ping on connect

    When authentication is enabled, the MongoClient will no longer send a ping command when connecting since it is unnecessary. Instead it will check a connection out of the pool to force the initial handshake, and check it back in.

See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/panda-co/project/ebfb2282-581e-4b1b-afb0-8a0e07b1b540?utm_source=github&utm_medium=referral&page=upgrade-pr
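An added example, not code from the mongodb driver or from this Snyk PR, for the MONGODB-AWS change described in the v7 notes above: it audits a connection string for the v6-style settings that v7 no longer honours (an access key and secret in the URI userinfo, AWS_SESSION_TOKEN in authMechanismProperties) and produces the v7 form, which carries only authMechanism=MONGODB-AWS and leaves credential lookup to the AWS SDK. The URI splitter, auditAwsUri and the sample URI are constructed here and are not the driver's own parser or values.

```javascript
// Hand-rolled splitter for mongodb:// and mongodb+srv:// URIs (not the driver's parser).
// Groups: scheme, userinfo (optional), host list, path (optional), query (optional).
const MONGO_URI_RE = /^(mongodb(?:\+srv)?):\/\/(?:([^@/?]*)@)?([^/?]+)(\/[^?]*)?(?:\?(.*))?$/;

function parseMongoUri(uri) {
  const m = MONGO_URI_RE.exec(uri);
  if (!m) throw new Error('not a mongodb:// or mongodb+srv:// URI');
  const [, scheme, userinfo, hosts, path = '/', query = ''] = m;
  let username = null;
  let password = null;
  if (userinfo !== undefined) {
    const i = userinfo.indexOf(':');
    username = decodeURIComponent(i < 0 ? userinfo : userinfo.slice(0, i));
    password = i < 0 ? null : decodeURIComponent(userinfo.slice(i + 1));
  }
  // Keep the original key spelling for rebuilding; names are matched case-insensitively.
  const options = [];
  for (const pair of query.split('&').filter(Boolean)) {
    const j = pair.indexOf('=');
    options.push({
      key: j < 0 ? pair : pair.slice(0, j),
      value: j < 0 ? '' : decodeURIComponent(pair.slice(j + 1)),
    });
  }
  return { scheme, username, password, hosts, path, options };
}

function optionValue(options, name) {
  const hit = options.find(o => o.key.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Returns { applicable, findings, rewritten }. Non-AWS URIs come back unchanged;
// for MONGODB-AWS URIs each setting the v7 driver rejects becomes a finding and
// is stripped from the rewritten URI.
function auditAwsUri(uri) {
  const p = parseMongoUri(uri);
  const findings = [];
  if ((optionValue(p.options, 'authMechanism') || '').toUpperCase() !== 'MONGODB-AWS') {
    return { applicable: false, findings, rewritten: uri };
  }
  if (p.username !== null || p.password !== null) {
    findings.push('AWS access key/secret embedded in the URI userinfo; v7 ignores URI credentials for MONGODB-AWS');
  }
  const kept = [];
  for (const o of p.options) {
    if (o.key.toLowerCase() !== 'authmechanismproperties') { kept.push(o); continue; }
    // authMechanismProperties is a comma-separated list of KEY:VALUE pairs.
    const props = o.value.split(',').filter(Boolean);
    const remaining = props.filter(pr => !/^AWS_SESSION_TOKEN:/i.test(pr));
    if (remaining.length !== props.length) {
      findings.push('AWS_SESSION_TOKEN in authMechanismProperties; v7 no longer respects it');
    }
    if (remaining.length) kept.push({ key: o.key, value: remaining.join(',') });
  }
  const query = kept.map(o => `${o.key}=${encodeURIComponent(o.value)}`).join('&');
  const rewritten = `${p.scheme}://${p.hosts}${p.path}${query ? '?' + query : ''}`;
  return { applicable: true, findings, rewritten };
}

// Constructed sample (placeholder values, not real credentials): the v6-style URI this upgrade breaks.
const LEGACY_URI =
  'mongodb+srv://AKIAEXAMPLE:EXAMPLESECRET@cluster0.example.net/app' +
  '?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:EXAMPLETOKEN&retryWrites=true';

console.log(auditAwsUri(LEGACY_URI));
```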

akanchhaS commented Nov 28, 2025

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
