Skip to content

refactor: Upgrade mongodb from 6.13.0 to 6.15.0 #9713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

refactor: Upgrade mongodb from 6.13.0 to 6.15.0 #9713

wants to merge 1 commit into from

Conversation

parseplatformorg
Copy link
Contributor

snyk-top-banner

Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.15.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 35 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: mongodb
  • 6.15.0 - 2025-03-18

    6.15.0 (2025-03-18)

    The MongoDB Node.js team is pleased to announce version 6.15.0 of the mongodb package!

    Release Notes

    Support for custom AWS credential providers

    The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of () => Promise<AWSCredentials> which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.

    Example for authentication with a provider chain from the AWS SDK:

    import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

    const client = new MongoClient(process.env.MONGODB_URI, {
    authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
    }
    });

    Example for using a custom provider for KMS requests only:

    import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

    const client = new MongoClient(process.env.MONGODB_URI, {
    autoEncryption: {
    keyVaultNamespace: 'keyvault.datakeys',
    kmsProviders: { aws: {} },
    credentialProviders: {
    aws: fromNodeProviderChain()
    }
    }
    }

    Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:

    const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: async () => {
      return {
        accessKeyId: process.env.ACCESS_KEY_ID,
        secretAccessKey: process.env.SECRET_ACCESS_KEY
      }
    }
  }
});

    Fix misc unhandled rejections under special conditions

    We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:

    • If the MongoClient was configured to use OIDC and an AbortSignal was aborted on cursor at the same time the client was reauthenticating, if the reauth process was rejected it would have been unhandled.
    • If timeoutMS was used and the timeout expired before an operation reached the server selection step the operation would throw the expected timeout error but a promise representing the timeout would also raise an unhandled rejection.
    • If a change stream was closed while processing a change event it was possible for the "change stream is closed" error to be emitted as an error event and reject an internal promise representing fetching the "next" change.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.15.0-dev.20250416.sha.4f033594 - 2025-04-16
  • 6.15.0-dev.20250410.sha.b2511f06 - 2025-04-10
  • 6.15.0-dev.20250409.sha.46cb56de - 2025-04-09
  • 6.15.0-dev.20250408.sha.85124c25 - 2025-04-08
  • 6.15.0-dev.20250405.sha.cb88b05d - 2025-04-05
  • 6.15.0-dev.20250403.sha.9111f98c - 2025-04-03
  • 6.15.0-dev.20250328.sha.32b3e34e - 2025-03-28
  • 6.15.0-dev.20250327.sha.cfdb8ec2 - 2025-03-27
  • 6.15.0-dev.20250326.sha.d01ecc79 - 2025-03-26
  • 6.15.0-dev.20250325.sha.5ce0a4ec - 2025-03-25
  • 6.15.0-dev.20250322.sha.892c14de - 2025-03-22
  • 6.15.0-dev.20250321.sha.20f7db7f - 2025-03-21
  • 6.15.0-dev.20250320.sha.af30db93 - 2025-03-20
  • 6.15.0-dev.20250319.sha.f176de4f - 2025-03-19
  • 6.14.2 - 2025-03-04

    6.14.2 (2025-03-04)

    The MongoDB Node.js team is pleased to announce version 6.14.2 of the mongodb package!

    Release Notes

    KMS Requests can cause unhandled rejection

    When using explicit encryption or automatic encryption, the driver makes requests to a Key Management System when to fetch key encryption keys. The driver supports connecting to a KMS provider through a Socks5 proxy. However, the socket used for the socks5 proxy was created in all circumstances, regardless of proxy configuration. This leads to unhandled rejection errors when closing the socket the driver attempts to clean up the unused socket.

    With the changes in this release, the socket is only created if a proxy is configured and the any promises created for the proxy are properly handled.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.14.2-dev.20250318.sha.78d951b9 - 2025-03-18
  • 6.14.2-dev.20250315.sha.cd09d435 - 2025-03-15
  • 6.14.2-dev.20250314.sha.6895b258 - 2025-03-14
  • 6.14.2-dev.20250313.sha.54d29e56 - 2025-03-13
  • 6.14.2-dev.20250312.sha.5783db21 - 2025-03-12
  • 6.14.2-dev.20250310.sha.39c76999 - 2025-03-10
  • 6.14.2-dev.20250306.sha.21072009 - 2025-03-06
  • 6.14.2-dev.20250305.sha.398e361f - 2025-03-05
  • 6.14.1 - 2025-03-03

    6.14.1 (2025-03-03)

    The MongoDB Node.js team is pleased to announce version 6.14.1 of the mongodb package!

    Release Notes

    Fixed occasional OIDC reauthentication failure

    Error code 391 is intended to make the driver internally reauthenticate the connection to the server, however, occasionally this was being raised to the user. This was due to a bug in setting the cached access token on newly created connections.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.14.1-dev.20250304.sha.3cc3a6b2 - 2025-03-04
  • 6.14.0 - 2025-02-28

    6.14.0 (2025-02-28)

    The MongoDB Node.js team is pleased to announce version 6.14.0 of the mongodb package!

    Release Notes

    Add support for $lookup on encrypted collections

    Starting in the upcoming MongoDB server 8.1, the aggregation stage $lookup can now be used with clients configured for automatic encryption after upgrading to mongodb-client-encryption@>=6.3.0! 🔒 🎉

    Use isUint8Array defined in the driver rather than util/types

    Some users of bundlers for next.js and our very own mongosh noticed a new import from "util/types" that would need to be supported in environments that don't have that module. We already have an internal implementation of isUint8Array so we do not need to add an import for "util/types".

    Revert @ aws-sdk/credential-providers compatiblity change

    In v6.13.1 we inadvertantly raised the version compatibility of @ aws-sdk/credential-providers, that change has been reverted.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.14.0-dev.20250301.sha.44bc5a88 - 2025-03-01
  • 6.13.1 - 2025-02-20

    6.13.1 (2025-02-20)

    The MongoDB Node.js team is pleased to announce version 6.13.1 of the mongodb package!

    Release Notes

    Remove extraneous Promise<Document> in Collection.replaceOne return type

    The return type signature of the replaceOne method no longer includes the general Promise<Document> type. Thanks to @ arturmuller, the replaceOne type signature is now more accurate! 🎉

    Fix writeConcern omitted when timeoutMS is provided

    When timeoutMS and a write concern were provided, the writeConcern was incorrectly omitted from the final command executed by the driver.

    Thanks @ stepanho for contributing the fix!

    Update BSON version requirement to 6.10.3

    This pulls in fixes made in bson versions 6.10.3 and 6.10.2 into the driver.

    BSON 6.10.2 fixed an issue in calculateObjectSize ignoring the size contributed by BigInt values to a BSON document. This impacted batch splitting logic in bulkWrite operations: if the actual BSON was over the size returned by calculateObjectSize the server would return an error.

    Warning

    BSON 6.10.3 addresses a potential data corruption risk with the use of useBigInt64 flag introduced in BSON 6.4.0, where negative Long values would be deserialized into BigInt as unsigned integers when the useBigInt64 flag was enabled. (Thanks to @ rkistner for reporting this issue!)

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.13.1-dev.20250228.sha.488c4071 - 2025-02-28
  • 6.13.1-dev.20250227.sha.196e08e9 - 2025-02-27
  • 6.13.1-dev.20250226.sha.7800067a - 2025-02-26
  • 6.13.1-dev.20250225.sha.1a6dc9b8 - 2025-02-25
  • 6.13.1-dev.20250222.sha.421ddeb3 - 2025-02-22
  • 6.13.1-dev.20250221.sha.21f2cb91 - 2025-02-21
  • 6.13.0 - 2025-01-30

    6.13.0 (2025-01-30)

    The MongoDB Node.js team is pleased to announce version 6.13.0 of the mongodb package!

    Release Notes

    MongoDB Standardized Logging 📝

    The driver's standardized logger is now available! The primary goal of our driver's logger is to enable insight into database operations without code changes so enabling and configuring the logger are primarily done through our environment variables.

    TL;DR Show me the logs!

    env MONGODB_LOG_ALL=debug node server.mjs

    Tip

    If you are a CLI app developer (or otherwise take great care of your std outputs): The client options constructor argument takes precedence over environment variables, permitting you to disable or otherwise customize the logger so your app does not automatically respond to the current environment.

    Check out the in-depth logging docs here: https://www.mongodb.com/docs/drivers/node/current/fundamentals/logging/

    🚀 Improved command monitoring performance

    Previously, when command monitoring was enabled, the driver would make deep copies of command and reply objects, which have the potential to be very large documents. These copies have been eliminated, providing a speed and memory efficiency bump to command monitoring.

    Warning

    Since we no longer make deep copies of commands/replies in Command Monitoring Events, directly modifying the command/reply objects on CommandStartedEvents and CommandSucceededEvents may lead to undefined behaviour.

    🧪 Experimental AbortSignal support added to Find and Aggregate! 🚥

    A signal argument can now be passed to the following APIs:

    • collection.find() & collection.findOne()
    • collection.aggregate() & collection.countDocuments()

    In order to support field level encryption properly, also:

    • db.listCollections()
    • db.command()

    When aborted, the signal will interrupt the execution of each of each of these APIs. For the cursor-based APIs, this will be observed when attempting to consume from the cursor via toArray(), next(), for-await, etc.

    There is a known limitation: aborting a signal closes a perfectly healthy connection which can cause unnecessary connection reestablishment so we're releasing this as experimental for evaluation in use cases that can tolerate the shortcoming.

    DNS SRV & TXT look up timeouts are retried

    To mitigate the potentially transient DNS timeout error, the driver now catches and retries the DNS lookups upon resolving a mongodb+srv:// style connection string.

    MongoClient.close now closes any outstanding cursors

    Previously, cursors could somewhat live beyond the client they came from. What this meant was that depending on timing you would learn of the client's (and by proxy, the cursor's) demise via an assertion that the associated session had expired. This only occurred if your cursor needed to use the session, which only happens when it is attempting to run a getMore operation to obtain another batch of documents.

    Practically speaking a cursor that lives beyond a client is an exception waiting to happen, the connection pools are closed, the sessions are ended, last call has been served 🍻, it is only a matter of timing and event firing until the cursor learns of its fate and informs you by throwing an error via whatever API is being used (.toArray(), for-await, .next()).

    To make the expected state of cursors clearer in this scenario the MongoClient will now close any associated cursors upon its close()-ing reducing the risk of leaving behind server-side resources.

    MongoClient.close() can be called concurrently

    In the past, concurrent calls to MongoClient.close() had poorly defined behavior depending on the exact timing of the second (or more) calls to close(). In some cases, this could also throw errors.

    With these changes, MongoClient.close() can be called concurrently safely and always returns the same promise.

    Note

    This is intended as a correctness fix - we don't recommend calling MongoClient.close() concurrently if it can be avoided.

    MONGODB-OIDC now properly reauthenticates in speculative auth scenarios

    When using MONGODB-OIDC authentication, if the initial handshake contained speculative authentication, the driver would not properly reauthenticate when the server would raise 391 errors. This is now fixed.

    Features

    Bug Fixes

    Performance Improvements

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade mongodb from 6.13.0 to 6.15.0
0b4edc5 
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.15.0.

See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/acinader/project/fe36ba29-7b23-4655-9807-441cf85f2203?utm_source=github&utm_medium=referral&page=upgrade-pr
@parse-github-assistant Parse GitHub Assistant
Copy link

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant Parse GitHub Assistant
Copy link

🚀 Thanks for opening this pull request!

@parse-github-assistant parse-github-assistant bot changed the title [Snyk] Upgrade mongodb from 6.13.0 to 6.15.0 refactor: Upgrade mongodb from 6.13.0 to 6.15.0 Apr 16, 2025
@codecov Codecov
Copy link

codecov bot commented Apr 16, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.07%. Comparing base (2ff9c71) to head (0b4edc5).
Report is 2 commits behind head on release-7.x.x.

Additional details and impacted files 
@@                Coverage Diff                @@
##           release-7.x.x    #9713      +/-   ##
=================================================
+ Coverage          93.06%   93.07%   +0.01%     
=================================================
  Files                187      187              
  Lines              14977    14977              
=================================================
+ Hits               13938    13940       +2     
+ Misses              1039     1037       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza mtrezza closed this Apr 19, 2025
@mtrezza mtrezza deleted the snyk-upgrade-700f0fbca33a4853c46bfa93d49b0350 branch April 19, 2025 14:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@parseplatformorg @mtrezza @snyk-bot