[Snyk] Upgrade mongodb from 6.15.0 to 6.17.0 #69
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade mongodb from 6.15.0 to 6.17.0. See this package in npm: mongodb See this project in Snyk: https://app.snyk.io/org/contentstack-devex/project/0fbb9cb2-10b2-4f4d-840e-d483a9991f3b?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade mongodb from 6.15.0 to 6.17.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 34 versions ahead of your current version.
The recommended version was released 2 months ago.
Release notes
Package name: mongodb
-
6.17.0 - 2025-06-03
import { MongoClient } from 'mongodb';
const sort = { fieldName: -1 };
import { MongoClient } from 'mongodb';
- NODE-6245: add keepAliveInitialDelay config (#4510) (d6c0eb3)
- NODE-6290: add sort support to updateOne and replaceOne (#4515) (28857b7)
- NODE-6882: eagerly close checked out connections when client is closed (#4499) (64fdb3e)
- NODE-6884: remove support for 4.0 (#4534) (6fe6ccc)
- NODE-6952: support configuring DEK cache expiration (#4538) (c529f07)
- NODE-6963: use BSON 6.10.4 (#4549) (aee490a)
- NODE-6638: throw if all atomic updates are undefined (#4519) (9625b2d)
- NODE-6864: socket errors are not always converted to MongoNetworkErrors (#4473) (2d86095)
- NODE-6962: OIDC machine workflows use OIDCCallbacks internally (#4546) (bd6030f)
- Reference
- API
- Changelog
-
6.17.0-dev.20250722.sha.6e240d41 - 2025-07-22
-
6.17.0-dev.20250719.sha.3faf0c96 - 2025-07-19
-
6.17.0-dev.20250715.sha.ec82ae97 - 2025-07-15
-
6.17.0-dev.20250711.sha.b9636ee3 - 2025-07-11
-
6.17.0-dev.20250710.sha.a09212a4 - 2025-07-10
-
6.17.0-dev.20250708.sha.bff57ed8 - 2025-07-08
-
6.17.0-dev.20250706.sha.57617039 - 2025-07-06
-
6.17.0-dev.20250702.sha.52ed3d12 - 2025-07-02
-
6.17.0-dev.20250627.sha.da46aeaf - 2025-06-27
-
6.17.0-dev.20250625.sha.4c1fa54e - 2025-06-25
-
6.17.0-dev.20250624.sha.83534ff3 - 2025-06-24
-
6.17.0-dev.20250612.sha.8ab5d19b - 2025-06-12
-
6.17.0-dev.20250611.sha.d7426ce5 - 2025-06-11
-
6.17.0-dev.20250605.sha.57ef31be - 2025-06-05
-
6.17.0-dev.20250604.sha.441186ae - 2025-06-04
-
6.16.0 - 2025-04-21
// providing an index description
- NODE-6494: add support for
- NODE-6515: deprecate driver support for server 4.0 (#4517) (4c1a8a7)
- NODE-6630: read all messages in buffer when chunk arrives (#4512) (8c86e30)
- NODE-6878: documents.clear() throws a TypeError after cursor is rewound (#4488) (a1fffeb)
- Reference
- API
- Changelog
-
6.16.0-dev.20250603.sha.352b7ea6 - 2025-06-03
-
6.16.0-dev.20250531.sha.7ef6edd5 - 2025-05-31
-
6.16.0-dev.20250529.sha.25f5bb97 - 2025-05-29
-
6.16.0-dev.20250523.sha.c33c2f5c - 2025-05-23
-
6.16.0-dev.20250514.sha.c529f07c - 2025-05-14
-
6.16.0-dev.20250510.sha.6fe6ccc8 - 2025-05-10
-
6.16.0-dev.20250507.sha.fcbc6edf - 2025-05-07
-
6.16.0-dev.20250506.sha.6a35701d - 2025-05-06
-
6.16.0-dev.20250505.sha.ae617568 - 2025-05-05
-
6.16.0-dev.20250503.sha.64fdb3ef - 2025-05-03
-
6.16.0-dev.20250501.sha.f57c51b9 - 2025-05-01
-
6.16.0-dev.20250429.sha.de2c9552 - 2025-04-29
-
6.16.0-dev.20250426.sha.9625b2d1 - 2025-04-26
-
6.16.0-dev.20250425.sha.3139a92d - 2025-04-25
-
6.16.0-dev.20250424.sha.82303f3d - 2025-04-24
-
6.16.0-dev.20250423.sha.28857b79 - 2025-04-23
-
6.16.0-dev.20250422.sha.746af47a - 2025-04-22
-
6.15.0 - 2025-03-18
import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';
import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';
- If the MongoClient was configured to use
- If
- If a change stream was closed while processing a change event it was possible for the "change stream is closed" error to be emitted as an error event and reject an internal promise representing fetching the "next" change.
- NODE-6141: allow custom aws sdk config (#4373) (3d047ed)
- NODE-6845: ensure internal rejections are handled (#4448) (06e941a)
- Reference
- API
- Changelog
from mongodb GitHub release notes6.17.0 (2025-06-03)
The MongoDB Node.js team is pleased to announce version 6.17.0 of the
mongodbpackage!Release Notes
Support for MongoDB 4.0 is removed
Warning
When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.
OIDC machine workflows now retry on token expired errors during initial authentication
This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were
"azure","gcp", and"k8s".keepAliveInitialDelaymay now be configured at theMongoClientlevelWhen not present will default to 120 seconds. The option value must be specified in milliseconds.
const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });
updateOneandreplaceOnenow support asortoptionThe updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:
collection.updateOne({}, {}, { sort });
collection.replaceOne({}, {}, { sort });
collection.bulkWrite([
{ updateOne: { filter: {}, update: {}, sort } },
{ replaceOne: { filter: {}, replacement: {}, sort } },
]);
client.bulkWrite([
{ name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
{ name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
]);
MongoClient close shuts outstanding in-use connections
The
MongoClient.close()method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.Support Added for Configuring the DEK cache expiration time.
Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0
For
ClientEncryption:For auto encryption:
Update operations will now throw if
ignoreUndefinedis true and all operations are undefined.When using any of the following operations they will now throw if all atomic operations in the update are undefined and the
ignoreUndefinedoption istrue. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:const client = new MongoClient(process.env.MONGODB_URI);
client.bulkWrite(
[
{
name: 'updateMany',
namespace: 'foo.bar',
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
],
{ ignoreUndefined: true }
);
const collection = client.db('test').collection('test');
collection.bulkWrite(
[
{
updateMany: {
filter: { age: { $lte: 5 } },
update: { $set: undefined, $unset: undefined }
}
}
],
{ ignoreUndefined: true }
);
collection.findOneAndUpdate(
{ a: 1 },
{ $set: undefined, $unset: undefined },
{ ignoreUndefined: true }
);
collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });
Socket errors are always treated as network errors
Network errors perform an important role in the driver, impacting topology monitoring processes and retryablity. A bug in the driver's socket implementation meant that in scenarios where server disconnects occurred while no operation was in progress on the socket resulted in errors that were not considered network errors.
Socket errors are now unconditionally treated as network errors.
Features
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.16.0 (2025-04-21)
The MongoDB Node.js team is pleased to announce version 6.16.0 of the
mongodbpackage!Release Notes
distinct commands now support an index hint
The
Collection.distinct()method now supports an optionalhint, which can be used to tell the server which index to use for the command:await collection.distinct('my-key', {
hint: { 'my-key': 1 }
});
// providing an index name
await collection.distinct('my-key', {
hint: 'my-key'
});
This requires server 7.1+.
Driver support for servers <=4.0 deprecated
Warning
Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.
Fix processing of multiple messages within one network data chunk
During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.
Now, all messages in the current buffer are returned to the driver leading to faster processing times.
Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!
FindCursor.rewind() throws
documents?.clear() is not a functionerrors in certain scenariosIn certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.
Features
hinton distinct commands (#4487) (40d0e87)Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.15.0 (2025-03-18)
The MongoDB Node.js team is pleased to announce version 6.15.0 of the
mongodbpackage!Release Notes
Support for custom AWS credential providers
The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of
() => Promise<AWSCredentials>which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.Example for authentication with a provider chain from the AWS SDK:
const client = new MongoClient(process.env.MONGODB_URI, {
authMechanismProperties: {
AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
}
});
Example for using a custom provider for KMS requests only:
const client = new MongoClient(process.env.MONGODB_URI, {
autoEncryption: {
keyVaultNamespace: 'keyvault.datakeys',
kmsProviders: { aws: {} },
credentialProviders: {
aws: fromNodeProviderChain()
}
}
}
Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:
Fix misc unhandled rejections under special conditions
We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:
OIDCand anAbortSignalwas aborted on cursor at the same time the client was reauthenticating, if the reauth process was rejected it would have been unhandled.timeoutMSwas used and the timeout expired before an operation reached the server selection step the operation would throw the expected timeout error but a promise representing the timeout would also raise an unhandled rejection.Features
Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: