chore(deps): bump the driver group across 1 directory with 6 updates

[dependabot]

Bumps the driver group with 6 updates in the / directory:

Package	From	To
bson	6.10.3	6.10.4
kerberos	2.2.1	2.2.2
mongodb-client-encryption	6.3.0	6.4.0
native-machine-id	0.1.2	0.1.3
mongodb	6.16.0	6.17.0
@mongodb-js/oidc-mock-provider	0.10.2	0.10.3

Updates bson from 6.10.3 to 6.10.4

Release notes

Sourced from bson's releases.

v6.10.4

6.10.4 (2025-06-02)

The MongoDB Node.js team is pleased to announce version 6.10.4 of the bson package!

Release Notes

Top-Level Await removed from the browser BSON bundle

In versions <6.10.4, BSON uses a top-level await to asynchronously import the crypto module. This change unintentionally caused headaches for users of webpack, react native, vite and other tools bundlers and tools.

The top-level await has been removed from all BSON bundles. Thanks to @​lourd for this contribution.

Prevent the creation of incorrectly sized float32 vectors

This adds validation to our BSON.serialize and EJSON.stringify methods that will prevent creating float 32 vectors that are not a multiple of 4. Previously created vectors that do not meet this validation will still be deserialized and parsed so they can be fixed.

Additionally, the toFloat32Array(), toInt8Array(), and toPackedBits() methods now perform the same validation that serialize does to prevent use of incorrectly formatted Binary vector values. (For example, a packed bits vector with more than 7 bits of padding)

Vectors of an incorrect length could only be made manually (directly constructing the bytes and calling new Binary). We recommend using toFloat32Array and fromFloat32Array when interacting with Vectors in MongoDB as they handle the proper creation and translation of this data type.

Bug Fixes

• NODE-6074: Removes top-level await in bson with separate node and browser ESM bundles (#749) (4602973)
• NODE-6735, NODE-6711: add BSON vector validation to EJSON stringification, serialization and conversion to native types (#748) (64ff6a2)

Documentation

• API
• Changelog

We invite you to try the bson library immediately, and report any issues to the NODE project.

Changelog

Sourced from bson's changelog.

6.10.4 (2025-06-02)

Bug Fixes

• NODE-6074: Removes top-level await in bson with separate node and browser ESM bundles (#749) (4602973)
• NODE-6735, NODE-6711: add BSON vector validation to EJSON stringification, serialization and conversion to native types (#748) (64ff6a2)

Commits

• 302f96e chore(main): release 6.10.4 (#803)
• da8a4bf chore: revert release 6.10.4 (#802)
• 8d712be chore(main): release 6.10.4 (#800)
• 0203beb chore: revert 6.10 release to try again (#799)
• b021bd8 chore(main): release 6.10.4 (#789)
• 86f9dc4 chore(NODE-6938): update typescript to 5.8.3 (#793)
• 3e5f1f8 deps(NODE-6898): FY26Q2 dependency updates (#795)
• 17650e1 chore(NODE-6921): perf tests default to cwd and errexit (#791)
• 7f2a6d3 test(NODE-6920): esm bundles do not have top-level await (#790)
• 4602973 fix(NODE-6074): Removes top-level await in bson with separate node and browse...
• Additional commits viewable in compare view

Updates kerberos from 2.2.1 to 2.2.2

Release notes

Sourced from kerberos's releases.

v2.2.2

2.2.2 (2025-02-10)

The MongoDB Node.js team is pleased to announce version 2.2.2 of the kerberos package!

Bug Fixes

• NODE-6732: test and fix webpack bundling (#230) (81bf1a7)

Documentation

• Changelog

We invite you to try the kerberos library immediately, and report any issues to the NODE project.

Changelog

Sourced from kerberos's changelog.

2.2.2 (2025-02-10)

Bug Fixes

• NODE-6732: test and fix webpack bundling (#230) (81bf1a7)

Commits

• 0364c1d chore(main): release 2.2.2 [skip-ci] (#231)
• 81bf1a7 fix(NODE-6732): test and fix webpack bundling (#230)
• 35749ba chore(deps): bump prebuild-install from 7.1.2 to 7.1.3 (#227)
• 3c16c92 chore(deps): bump ip and socks (#222)
• 771c6c9 chore(deps-dev): bump the development-dependencies group across 1 directory w...
• 5275d4c chore(deps-dev): bump jsdoc-to-markdown from 8.0.3 to 9.0.5 (#217)
• 9672d0b chore: Add CODEOWNERS file
• 2938238 chore(NODE-6635): pin NPM to 10 when Node version is 18 (#226)
• See full diff in compare view

Updates mongodb-client-encryption from 6.3.0 to 6.4.0

Release notes

Sourced from mongodb-client-encryption's releases.

v6.4.0

6.4.0 (2025-05-08)

Features

• NODE-6947: add keyExpirationMS to bindings (#78) (d0fcc4b)
• NODE-6841: updates libmongocrypt to 1.14 for better error message handling.

Changelog

Sourced from mongodb-client-encryption's changelog.

6.4.0 (2025-05-08)

Features

• NODE-6947: add keyExpirationMS to bindings (#78) (d0fcc4b)

Commits

• 2361c75 chore(main): release 6.4.0 (#79)
• d0fcc4b feat(NODE-6947): add keyExpirationMS to bindings (#78)
• 750a0f6 chore(NODE-6936): update typescript to 5.8.3 (#77)
• e7c8204 chore: Bump the development-dependencies group across 1 directory with 10 upd...
• ccf9e9f deps(NODE-6899): FY26Q2 dependency updates (#75)
• 45b3a3f chore: Bump mocha from 10.8.2 to 11.1.0 (#73)
• See full diff in compare view

Updates native-machine-id from 0.1.2 to 0.1.3

Commits

• b4a530f chore(ci): bump packages
• 362a8a6 chore: make node 18 support never end (for test purposes) (#537)
• b0fac8d chore: update cidrs.json [skip ci]
• 081fcac chore(ci): bump packages
• 6c52935 fix: tweak native-machine-id scripts (#536)
• See full diff in compare view

Updates mongodb from 6.16.0 to 6.17.0

Release notes

Sourced from mongodb's releases.

v6.17.0

6.17.0 (2025-06-03)

The MongoDB Node.js team is pleased to announce version 6.17.0 of the mongodb package!

Release Notes

Support for MongoDB 4.0 is removed

[!WARNING] When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.

OIDC machine workflows now retry on token expired errors during initial authentication

This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were "azure", "gcp", and "k8s".

keepAliveInitialDelay may now be configured at the MongoClient level

When not present will default to 120 seconds. The option value must be specified in milliseconds.

import { MongoClient } from 'mongodb';
const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });

updateOne and replaceOne now support a sort option

The updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:

const sort = { fieldName: -1 };
collection.updateOne({}, {}, { sort });
collection.replaceOne({}, {}, { sort });
collection.bulkWrite([
{ updateOne: { filter: {}, update: {}, sort } },
{ replaceOne: { filter: {}, replacement: {}, sort } },
]);
client.bulkWrite([
{ name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
{ name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
]);

MongoClient close shuts outstanding in-use connections

... (truncated)

Changelog

Sourced from mongodb's changelog.

6.17.0 (2025-06-03)

Features

• NODE-6245: add keepAliveInitialDelay config (#4510) (d6c0eb3)
• NODE-6290: add sort support to updateOne and replaceOne (#4515) (28857b7)
• NODE-6882: eagerly close checked out connections when client is closed (#4499) (64fdb3e)
• NODE-6884: remove support for 4.0 (#4534) (6fe6ccc)
• NODE-6952: support configuring DEK cache expiration (#4538) (c529f07)
• NODE-6963: use BSON 6.10.4 (#4549) (aee490a)

Bug Fixes

• NODE-6638: throw if all atomic updates are undefined (#4519) (9625b2d)
• NODE-6864: socket errors are not always converted to MongoNetworkErrors (#4473) (2d86095)
• NODE-6962: OIDC machine workflows use OIDCCallbacks internally (#4546) (bd6030f)

Commits

• 56b2e6d chore(main): release 6.17.0 (#4552)
• c11ac89 chore(NODE-6967): remove skip-ci from release please config (#4551)
• aee490a feat(NODE-6963): use BSON 6.10.4 (#4549)
• 352b7ea chore: bring back token missing fix (#4548)
• 5186fb1 test(NODE-6959): add OIDC reauth with session prose test (#4547)
• bd6030f fix(NODE-6962): OIDC machine workflows use OIDCCallbacks internally (#4546)
• 7ef6edd docs(NODE-6960): fix typo in getWriteErrorCount comment (#4544)
• 25f5bb9 ci(NODE-6951): assume ec2 role explicitly in failing CI tasks (#4543)
• c33c2f5 docs(DRIVERS-3105): Update README.md (#4542)
• c529f07 feat(NODE-6952): support configuring DEK cache expiration (#4538)
• Additional commits viewable in compare view

Updates @mongodb-js/oidc-mock-provider from 0.10.2 to 0.10.3

Commits

• 7c6900d chore(ci): bump packages
• 561a26d fix(mongodb-cloud-info): if the host's IP is not in a cloud's range, check if...
• 559968a chore: update cidrs.json [skip ci]
• 8e46b11 chore: update cidrs.json [skip ci]
• 52746e9 chore: update cidrs.json [skip ci]
• a980026 chore: update cidrs.json [skip ci]
• 83d9003 chore: update cidrs.json [skip ci]
• 5f97f5a chore(ci): bump packages
• 7b49da0 chore: update dependencies MONGOSH-2125 (#522)
• 17d74dc chore(ci): bump packages
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.