[Snyk] Upgrade mongodb from 3.0.10 to 3.6.5 #2
Snyk has created this PR to upgrade mongodb from 3.0.10 to 3.6.5.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version fixes:
- SNYK-JS-MONGODB-473855 (why: has a fix available, CVSS 7.5)
- SNYK-JS-BSON-561052 (why: has a fix available, CVSS 7.5)
- npm:bson:20180225 (why: has a fix available, CVSS 7.5)
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: mongodb
3.6.5 - 2021-03-16
- session support detection spec compliance (#2732) (9baec71)
- [NODE-3100] - startSession fails intermittently on servers that support sessions
- [NODE-3066] - Accessing non-existent property 'MongoError' of module exports inside circular dependency
- [NODE-3114] - Incorrect warning: Top-level use of w, wtimeout, j, and fsync is deprecated
- [NODE-3119] - Node 14.5.4, mongo 3.6.4 Circular warnings

3.6.4 - 2021-02-02
- Reference: http://mongodb.github.io/node-mongodb-native/3.6
- API: http://mongodb.github.io/node-mongodb-native/3.6/api
- Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
- [NODE-2355] - GridFSBucketWriteStream doesn't implement stream.Writable properly
- [NODE-2828] - noCursorTimeout does not seem to for find()
- [NODE-2874] - Setting connectionTimeoutMS to 0 will result in a disconnection every heartbeatFrequencyMS
- [NODE-2876] - Race condition when resetting server monitor
- [NODE-2916] - Legacy topology hangs with unlimited socket timeout
- [NODE-2945] - ignoreUndefined not works on findOneAndUpdate when { upsert: true }
- [NODE-2965] - MongoClient.readPreference returns "primary" ignoring readPref from connection string
- [NODE-2966] - Unified topology: server selection fails when trying to connect to a remote replica set with a member whose 'host' attribute resolves to 'localhost'
- [NODE-2977] - Query parameters with path in connection string not working on windows
- [NODE-2986] - MongoError: pool destroyed
- [NODE-2762] - Comprehensive Support for Explain
- [NODE-2852] - Add explain support to non-cursor commands
- [NODE-2853] - Add explain support to cursor-based commands
- [NODE-1726] - Deprecate Topology events in
- [NODE-2825] - Support Azure and GCP keystores in FLE
- [NODE-2880] - Improve stack traces in the session leak checker
- [NODE-2895] - Update AggregateCursor "unwind" method to match the native driver
- [NODE-2995] - Sharing a MongoClient for metadata lookup can lead to deadlock in drivers using automatic encryption

3.6.3 - 2020-11-06
- @jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
- @through-a-haze submitted a fix for incorrect construction of an X509 authentication message
- @andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)
- [NODE-2172] - Change stream breaks on disconnection when there's something piped into it.
- [NODE-2784] - MongoError: Not Master when running createIndex in 3.6.0
- [NODE-2807] - MongoClient.readPreference always returns primary
- [NODE-2827] - Connecting to single mongos makes driver think it is connected to a standalone
- [NODE-2829] - MongoDB Driver 3.6+ Performance issues on AWS Lambda
- [NODE-2835] - Remove default timeout for read operations
- [NODE-2859] - GSSAPI AuthProvider causing crashes in Compass
- [NODE-2861] - Performance Regression for usage of mongodb connections (queries, inserts, ...)
- [NODE-2865] - Connections can be leaked if wait queue members are cancelled
- [NODE-2869] - Invalid assignment of X509 username makes authentication impossible
- [NODE-2834] - Remove deprecation of AggregationCursor#geoNear
- [NODE-2867] - Use peerDependenciesMeta field to mark peer optional dependencies

3.6.2 - 2020-09-10
- [NODE-2798] - Update version of dependency "bl" due to vulnerability
- [NODE-2803] - Connection pool wait queue processing is too greedy

3.6.1 - 2020-09-02
- [NODE-2731] - CMAP Connection type does not provide host/port properties
- [NODE-2755] - "language_override" option support for text index is broken
- [NODE-2730] - Move MongoAuthProcess into the driver source tree
- [NODE-2746] - Strict mode for `createCollection` should be removed

3.6.0 - 2020-07-30
3.6.0-beta.0 - 2020-04-14

3.5.11 - 2020-09-10
- [NODE-2731] - CMAP Connection type does not provide host/port properties
- [NODE-2798] - Update version of dependency "bl" due to vulnerability

3.5.10 - 2020-07-30
3.5.9 - 2020-06-12
3.5.8 - 2020-05-28
3.5.7 - 2020-04-29
3.5.6 - 2020-04-14
3.5.5 - 2020-03-11
3.5.4 - 2020-02-25
3.5.3 - 2020-02-12
3.5.2 - 2020-01-20
3.5.1 - 2020-01-17
3.5.0 - 2020-01-14
3.4.1 - 2019-12-19
3.4.0 - 2019-12-10
3.3.5 - 2019-11-26
3.3.4 - 2019-11-11
3.3.4-rc0 - 2019-11-06
3.3.3 - 2019-10-16
3.3.2 - 2019-08-28
3.3.1 - 2019-08-23
3.3.0 - 2019-08-13
3.3.0-beta2 - 2019-07-18
3.3.0-beta1 - 2019-06-18
3.2.7 - 2019-06-04
3.2.6 - 2019-05-24
3.2.5 - 2019-05-17
3.2.4 - 2019-05-08
3.2.3 - 2019-04-05
3.2.2 - 2019-03-22
3.2.1 - 2019-03-21
3.2.0-beta2 - 2019-03-10
3.2.0-beta1 - 2019-02-27
3.1.13 - 2019-01-23
3.1.12 - 2019-01-16
3.1.11 - 2019-01-15
3.1.10 - 2018-11-16
3.1.9 - 2018-11-06
3.1.8 - 2018-10-10
3.1.7 - 2018-10-09
3.1.6 - 2018-09-15
3.1.5 - 2018-09-14
3.1.4 - 2018-08-25
3.1.3 - 2018-08-13
3.1.2 - 2018-08-13
3.1.1 - 2018-07-05
3.1.0 - 2018-06-27
3.1.0-beta4 - 2018-05-11
3.1.0-beta3 - 2018-05-08
3.1.0-beta2 - 2018-04-19
3.1.0-beta1 - 2018-04-18
3.0.11 - 2018-06-28
3.0.10 - 2018-06-02
from mongodb GitHub release notes

The MongoDB Node.js team is pleased to announce version 3.6.5 of the driver!
Notable Fixes
In this patch there is a fix for an issue some users were encountering in serverless environments when using the Unified Topology. If the Node.js process went unused for a long time, an intermittent issue would cause `startSession` to fail, although issuing a dummy read request would resolve the problem. The session support check is now done after server selection, meaning the driver has the most up-to-date information about the MongoDB deployment before using sessions. We encourage any users who implemented workarounds to update their driver and make use of this fix.
In addition, the previous release of the driver added a warning about an upcoming change in the v4 version of the driver to how users can specify their write concern options. We've updated the driver to use Node.js's `process.emitWarning` API in nearly all cases where the driver prints something out, and to limit most warning messages to being printed only once.
MongoDB Driver v3.6.4
The MongoDB Node.js team is pleased to announce version 3.6.4 of the driver
Release Highlights
Explain Support
The full set of `$explain` verbosity settings are now supported:
- queryPlanner
- queryPlannerExtended
- executionStats
- allPlansExecution
in the following commands:
- aggregate() (MDB 3.0+)
- find() (MDB 3.0+)
- remove() (MDB 3.0+)
- update() (MDB 3.0+)
- distinct() (MDB 3.2+)
- findAndModify() (MDB 3.2+)
- mapReduce() (MDB 4.4+)
You can get a lot of insight into the performance of a query or optimization using these fine-grained reports.
To learn more about how to use explain read here.
Direct Connection Issue Revert
We removed automatic direct connection for the unified topology in the 3.6.3 release of the driver. This change was preparatory for the 4.0 version of the driver, where we'll always perform automatic discovery. To avoid making this kind of change in a patch release, this version restores automatic direct connection when connecting to a single host using the unified topology without a specified replicaSet and without directConnection: false, in line with previous 3.6 releases.
Support Azure and GCP keystores in FLE
There are no functional changes to the driver to support using Azure and GCP keystores but a new mongodb-client-encryption release (v1.2.0) can be found here which prominently features support for these key stores.
Documentation
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver
Release Highlights
`MongoError: not master` when running `createIndex`
A regression introduced in v3.6.2 meant that `createIndex` operations would not be executed with a fixed `primary` read preference. This resulted in the driver selecting any server for the operation, which would fail if a non-primary was selected.
Performance issues on AWS Lambda
The driver periodically monitors members of the replica set for changes in the topology, but ensures that the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result was that periodically operations would think there were no available servers, and the driver would force a wait of `heartbeatFrequencyMS` (10s by default) before reaching out to servers again for a new monitoring check. The internal async interval timer has been improved to account for these environments.
GSSAPI AuthProvider reuses single kerberos client
A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all authentication attempts. This would result in incomplete authentication flows, and occasionally even a crash in the `kerberos` module. The driver has been reverted to creating a kerberos client per authentication attempt.
Performance regression due to use of `setImmediate`
A change introduced in v3.6.1 switched all our usage of `process.nextTick` in the connection pool with `setImmediate`, per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop was experiencing pressure, so the change was reverted for this release pending further investigation.
Community Contributions
- @jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
- @through-a-haze submitted a fix for incorrect construction of an X509 authentication message
- @andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
The MongoDB Node.js team is pleased to announce version 3.6.2 of the driver
Release Highlights
Updated `bl` dependency due to CVE-2020-8244
See this link for more details: https://github.com/advisories/GHSA-pp7h-53gx-mx7r
Connection pool wait queue processing is too greedy
The logic for processing the wait queue in our connection pool ran the risk of starving the event loop. Calls to process the wait queue are now wrapped in a `setImmediate` to prevent starvation.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
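As an added illustration (my own code, not the driver's) of the starvation that the 3.6.2 wait-queue fix above addresses: a toy pool wait queue drained greedily in one synchronous loop, beside one that defers each further pass with setImmediate. The class and helper names (WaitQueue, chainedQueue, timerRanBeforeDone) and the chained workload are constructed for this example.

```javascript
// Toy model (constructed, not the driver's code) of a connection-pool wait queue.
class WaitQueue {
  constructor() { this.queue = []; this.processed = 0; this.passes = 0; }
  enqueue(waiter) { this.queue.push(waiter); }
  // Greedy: loop until the queue is empty. When served waiters enqueue further waiters
  // (a released connection is requested again at once), this loop never yields, so
  // timers and I/O callbacks on the event loop are starved.
  drainGreedy() {
    this.passes += 1;
    while (this.queue.length > 0) {
      const waiter = this.queue.shift();
      this.processed += 1;
      waiter();
    }
    return this.processed;
  }
  // Cooperative (the 3.6.2 approach): serve what is queued right now, then defer the
  // next pass with setImmediate so other callbacks get a turn between passes.
  drainCooperative() {
    this.passes += 1;
    for (const waiter of this.queue.splice(0)) {
      this.processed += 1;
      waiter();
    }
    if (this.queue.length > 0) setImmediate(() => this.drainCooperative());
    return this.processed; // waiters served synchronously by this call
  }
}
// Constructed workload: a chain of `total` waiters, each enqueuing the next one when
// served, so the queue never empties until the whole chain has been handled.
function chainedQueue(total) {
  const wq = new WaitQueue();
  const next = (n) => { if (n < total) wq.enqueue(() => next(n + 1)); };
  next(0);
  return wq;
}
// Resolves to true if a 0 ms timer ran before the chain finished (loop not starved).
function timerRanBeforeDone(drainMethod, total) {
  return new Promise((resolve) => {
    const wq = chainedQueue(total);
    let timerFired = false;
    setTimeout(() => { timerFired = true; }, 0);
    wq[drainMethod]();
    const poll = () => (wq.processed >= total ? resolve(timerFired) : setImmediate(poll));
    poll();
  });
}

timerRanBeforeDone('drainGreedy', 20000).then((ok) => console.log('greedy, timer ran in time:', ok));
timerRanBeforeDone('drainCooperative', 20000).then((ok) => console.log('cooperative, timer ran in time:', ok));
```

With the greedy drain the 0 ms timer only runs after all 20000 waiters are served; with the cooperative drain it runs while the queue is still being worked through.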
The MongoDB Node.js team is pleased to announce version 3.6.1 of the driver
Release Highlights
Kerberos
A bug introduced with the new CMAP `Connection` prevented some users from properly authenticating with the `kerberos` module.
Index options are not respected with `createIndex`
The logic for building the `createIndex` command was changed in v3.6.0 to use an allowlist rather than a blocklist, but omitted a number of index types from that list. This release reintroduces all supported index types to the allowlist.
Remove strict mode for `createCollection`
Since v3.6.0, `createCollection` no longer returns a cached `Collection` instance if a collection already exists in the database; instead it returns a server error stating that the collection already exists. This is the same behavior provided by the `strict` option for `createCollection`, so that option has been removed from the documentation.
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.6/
API: http://mongodb.github.io/node-mongodb-native/3.6/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
The MongoDB Node.js team is pleased to announce version 3.5.11 of the driver
Release Highlights
Kerberos
A bug introduced with the new CMAP `Connection` prevented some users from properly authenticating with the `kerberos` module.
Updated `bl` dependency due to CVE-2020-8244
See this link for more details: https://github.com/advisories/GHSA-pp7h-53gx-mx7r
Documentation
Reference: http://mongodb.github.io/node-mongodb-native/3.5/
API: http://mongodb.github.io/node-mongodb-native/3.5/api/
Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md
We invite you to try the driver immediately, and report any issues to the NODE project.
Thanks very much to all the community members who contributed to this release!
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.