
[Snyk] Upgrade mongodb from 3.1.13 to 3.6.0 #11

Open
snyk-bot wants to merge 1 commit into master from snyk-upgrade-c3c80bad30c8437f4365dd04e00fd84d

@snyk-bot
Contributor

Snyk has created this PR to upgrade mongodb from 3.1.13 to 3.6.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 34 versions ahead of your current version.
  • The recommended version was released 2 months ago, on 2020-07-30.
Release notes
Package name: mongodb
  • 3.6.0 - 2020-07-30

    The MongoDB Node.js team is pleased to announce version 3.6.0 of the driver

    NOTE: This version begins our official support for MongoDB 4.4

    Release Highlights

    Streaming topology changes

    MongoDB drivers maintain a local view of the topology they are connected to, and ensure the accuracy of that view by polling connected nodes on average every ~10s. In MongoDB 4.4, drivers are now able to receive push notifications about topology updates, effectively reducing the time for client recovery in failover scenarios to the time it takes for the server to make the election and report the outcome.

    This feature is enabled by default when connecting to MongoDB 4.4; no changes are needed for user code.

    Authentication

    MONGODB-AWS authentication mechanism

    The MONGODB-AWS authentication mechanism uses your Amazon Web Services Identity and Access Management (AWS IAM) credentials to authenticate users on MongoDB 4.4+. Please read more about this new authentication mechanism in our documentation.

    Performance improvements

    There were two projects to transparently improve performance of authentication in MongoDB 4.4:

    • A driver can now include the first saslStart command in its initial handshake with the server. This so-called "speculative authentication" allows us to reduce one roundtrip to the server for authenticating a connection. This feature is only supported for X.509, SCRAM-SHA-1 and SCRAM-SHA-256 (default) authentication mechanisms.

    • The SCRAM conversation between driver and server can now skip one of its empty exchanges, which also serves to reduce the roundtrips during a SCRAM authentication.

    OCSP stapling testing

    OCSP stapling greatly improves performance when using LetsEncrypt certificates, removing the need for an external request to LetsEncrypt servers for each authentication attempt. No additional changes were required to support OCSP stapling in the driver, but extensive testing was added to verify that the feature works as expected.

    Changes in behavior of Db.prototype.createCollection

    The createCollection helper used to internally run a listCollections command in order to see if a collection already existed before running the command. If it determined a collection with the same name existed, it would skip running the command and return an instance of Collection. This behavior was changed in v3.6.0 to avoid potentially serious bugs, specifically that the driver was not considering options passed into createCollection as part of the collection equality check. Imagine the following scenario:

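    const { MongoClient } = require('mongodb');

    const client = new MongoClient('...');
    await client.connect();

    // This insert implicitly creates the collection 'bar' with no validator.
    await client.db('foo').collection('bar').insert({ importantField: 'llamas' });
    // Before 3.6.0 this call returned the existing 'bar' without applying the validator.
    await client.db('foo').createCollection('bar', {
      validator: {
        $jsonSchema: {
          bsonType: 'object',
          required: ['importantField'],
          properties: { name: { bsonType: 'boolean' } }
        }
      }
    });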
    

    The createCollection call which defines a JSON schema validator would be completely bypassed because of the existence of bar, which was implicitly created in the first command. Our policy is to strictly adhere to semver, but in rare cases like this where we feel there is potential for a data corrupting bug, we make breaking behavioral changes to protect the user.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Epic

    New Feature

    • [NODE-2434] - Reduce Client Time To Recovery On Topology Changes
    • [NODE-2288] - MONGODB-AWS Support
    • [NODE-2289] - Support for allowDiskUse on find operations
    • [NODE-2290] - Allow passing hint to findAndModify update and replace operations
    • [NODE-2291] - Improve testing around default writeConcern
    • [NODE-2295] - Collection and index creation in multi-doc txns
    • [NODE-2427] - OCSP Support
    • [NODE-2487] - Support speculative authentication attempts in isMaster
    • [NODE-2301] - Support shorter SCRAM conversation
    • [NODE-2269] - Add support for validate command "background" option

    Improvement

    • [NODE-2175] - Avoid using readConcern snapshot in sharded transaction tests
    • [NODE-2176] - Resync bson-corpus array.json to fix duplicate test names
    • [NODE-2393] - Change uri_options/auth-options spec test to enable conditional tests
    • [NODE-2394] - Verify max set version and max election id on topologies in SDAM spec tests
    • [NODE-2422] - Validate that mongocryptd is not spawned if bypassAutoEncryption=true
    • [NODE-2430] - Raise error if hint specified for unacknowledged update using OP_MSG or OP_UPDATE
    • [NODE-2431] - Reduce floating point precision required of extended json implementations
    • [NODE-2432] - Clarify behavior when "me" field doesn't match any values in "hosts" array
    • [NODE-2477] - Allow hinting the delete command
    • [NODE-2504] - Add SDAM test for incompatible server becoming compatible
    • [NODE-2506] - Ensure that the WriteConcernError "errInfo" object is propagated
    • [NODE-2538] - Add RetryableWriteError error labels to retryable transaction tests
    • [NODE-2546] - Deprecate geoHaystack and geoSearch
    • [NODE-2559] - Reduce race conditions in SDAM error handling
    • [NODE-2560] - Make 'reIndex' a standalone-only command
    • [NODE-2564] - Clarify how a driver must handle wrong set name in single topology
    • [NODE-2569] - 'CommitQuorum' option support for 'createIndexes' command on MongoDB 4.4
    • [NODE-2576] - Raise error when hint option is provided on unacknowledged writes against any server version
    • [NODE-2592] - Update documentation for Text Search
    • [NODE-2594] - Do not add the RetryableWriteError label to errors that occur during a write within a transaction (excepting commitTransaction and abortTransaction)
    • [NODE-2622] - allowDiskUse option for find should be documented as only being supported in 4.4+
    • [NODE-2627] - Reduce default keepalive time to align with Azure defaults
    • [NODE-2659] - Drivers should retry replSetStepDown after "Unable to acquire X lock" error
    • [NODE-2661] - Define behavior of connectTimeoutMS=0 with streaming protocol
    • [NODE-2675] - Test that ElectionInProgress is not resumed
    • [NODE-2682] - Treat CursorNotFound as a resumable change stream error
    • [NODE-2150] - Bump wire protocol version for 4.4
    • [NODE-2379] - Expand use of error labels for RetryableWrites
    • [NODE-2423] - Deprecate oplogReplay find command option from CRUD spec
    • [NODE-2426] - Make ExceededTimeLimit retryable writes error
    • [NODE-2429] - GridFS index checking should support indexes created in the shell
    • [NODE-2433] - Lift restriction on authSource without credentials
    • [NODE-2452] - Unify behavior around configuration for replica set discovery
    • [NODE-2510] - Driver support for server Hedged Reads
    • [NODE-2516] - Update comment in Transactions withTxn examples for the manual.
    • [NODE-2557] - Remove replicaset from tests that perform reIndex command

    Bug

    • [NODE-2416] - Confusing documentation for collection.aggregate collation option
    • [NODE-2502] - replaceOne example in test/examples/update_documents.js incorrect
    • [NODE-2537] - createCollection helper should not run listIndexes outside of strict mode
    • [NODE-2567] - Fix qs dependency for older node
    • [NODE-2616] - SDAM test typo "compatible"
    • [NODE-2623] - Gridfs doesn't allow to catch exception with length that exceeds file size
    • [NODE-2660] - Throw an error if bulk update documents don't contain update operator expressions
    • [NODE-2711] - Monitoring should not be immediately scheduled on streaming failure
  • 3.6.0-beta.0 - 2020-04-14
    No content.
  • 3.5.11 - 2020-09-10
  • 3.5.10 - 2020-07-30

    The MongoDB Node.js team is pleased to announce version 3.5.10 of the driver

    NOTE: This will be the final release in the 3.5.x branch, please consider upgrading to 3.6.0

    Release Highlights

    TypeError: Cannot read property 'documents' of null

    @adrian-gierakowski helped us identify a bug with our ChangeStreamCursor, specifically when the cursor
    was complete it would not return a valid document but instead a null value.

    Command helper not respecting server selection specification rules

    The server selection specification indicates that the "runCommand" helper should act
    as a read operation for the purposes of server selection, and that it should use a default read
    preference of "primary" which can only be overridden by the helper itself. The driver had a bug
    where it would inherit the read preference from its "parent" type (Collection, Db, MongoClient)
    which is at odds with the specified behavior.

    mongodb+srv invalid IPv6 support

    Due to a bug in how we referred to ipv6 addresses internal to the driver, if a mongodb+srv
    connection string was provided with an ipv6 address the driver would never be able to connect
    and would result in the following error: RangeError: Maximum call stack size exceeded.

    maxStalenessSeconds not accepted when provided via options

    There was a bug in our connection string and MongoClient options parsing where a value provided
    for maxStalenessSeconds would not end up being reflected in the ReadPreference used internal
    to the driver.

    Sessions are prohibited with unacknowledged writes

    MongoDB can provide no guarantees around unacknowledged writes when used within a session. The
    driver will now silently remove the lsid field from all writes issued with { w: 0 }, and
    will return an error in these situations in the upcoming 4.0 major release.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.5/
    API: http://mongodb.github.io/node-mongodb-native/3.5/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2626] - initialising change stream results in: TypeError: Cannot read property 'documents' of null
    • [NODE-2649] - Driver 3.5.x with useUnifiedTopology sends admin commands to secondary
    • [NODE-2671] - ipv6 is not supported when using dns service discovering
    • [NODE-2678] - ReadPreference.fromOptions doesn't pull "maxStalenessSeconds" from options

    Improvement

    • [NODE-1341] - Prohibit using unacknowledged writes with explicit sessions
  • 3.5.9 - 2020-06-12

    The MongoDB Node.js team is pleased to announce version 3.5.9 of the driver

    Release Highlights

    Use duration of handshake if no previous roundTripTime exists

    The default roundTripTime of a ServerDescription is -1, which means if that value is used we can potentially calculate a negative roundTripTime. Instead, if no previous roundTripTime exists, we use the duration of the initial handshake.

    the options [maxIdleTimeMS] is not supported

    A number of new options were added when the CMAP compliant connection pool was introduced in 3.5.x. Unfortunately, these options were not documented properly. Now they are mentioned in the MongoClient documentation, with a notice that they are only supported with the unified topology.

    TypeError: Reduce of empty array with no initial value

    A fix in 3.5.8 which ensured proper filtering of servers during server selection exposed an issue in max staleness calculations when the topology type is ReplicaSetNoPrimary and no servers are currently known. In order to estimate an upper bound of max staleness when there is no primary, the most stale known server is known to compare the others to - if there are no known servers, you can't reduce the array!

    Server monitoring is prevented under heavy request load

    In certain very high load fail-over scenarios the driver is unable to reschedule a monitoring check in order to update its view of the topology for retryability. This would result in a high number of failed operations, as they were unable to determine a new viable server.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.5/
    API: http://mongodb.github.io/node-mongodb-native/3.5/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.5/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2637] - connection pool options support for MongoClient
    • [NODE-2641] - maxStalenessReducer fails on empty set of servers
    • [NODE-2643] - Server monitoring is prevented under heavy request load
    • [NODE-2652] - Use duration of initial handshake if no roundTripTime value exists for server

    Improvement

    • [NODE-2651] - Use consistent means of measuring time
  • 3.5.8 - 2020-05-28
  • 3.5.7 - 2020-04-29

    The MongoDB Node.js team is pleased to announce version 3.5.7 of the driver

    Release Highlights

    Warning: Accessing non-existent property 'count' of module exports inside circular dependency

    Work earlier this year left some dead code in our operations code, resulting in this warning message reported by multiple users. While we still have a few cycles in our codebase yet, this will quiet Node.js 14's circular dependency warnings.

    Sessions are only acquired when operations are executed

    Drivers use an implicit session for all operations where an explicit session is not provided. A subtle bug was introduced when session support was implemented where implicit sessions were created and assigned to operations even if they were about to sit in a queue waiting for execution. This results in the driver creating many sessions rather than reusing pooled ones. The fix is to ensure a session is only checked out of the pool when the operation is about to be written to a server.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2536] - Circular dependency in Node.js 14 nightly
    • [NODE-2552] - Server session creation grows unbounded with every operation call

    Improvement

    • [NODE-2534] - Document options supported by the unified topology
    • [NODE-2560] - Make 'reIndex' a standalone-only command
  • 3.5.6 - 2020-04-14
  • 3.5.5 - 2020-03-11
  • 3.5.4 - 2020-02-25
  • 3.5.3 - 2020-02-12

    The MongoDB Node.js team is pleased to announce version 3.5.3 of the driver

    Release Highlights

    This patch release fixes one issue with command error handling during network errors, and one minor issue with multiple incoming wire messages not being properly processed.

    Release Notes

    Bug

    • [NODE-2435] - Unified topology does not transition server to Unknown on non-timeout operation error
    • [NODE-2437] - Multiple incoming message packets are not processed correctly

    Improvement

    • [NODE-2438] - Add exhaust command support to transport layer
    • [NODE-2449] - Simplify server error handling in unified topology
  • 3.5.2 - 2020-01-20
  • 3.5.1 - 2020-01-17
  • 3.5.0 - 2020-01-14
  • 3.4.1 - 2019-12-19
  • 3.4.0 - 2019-12-10
  • 3.3.5 - 2019-11-26
  • 3.3.4 - 2019-11-11
  • 3.3.4-rc0 - 2019-11-06
  • 3.3.3 - 2019-10-16
  • 3.3.2 - 2019-08-28
  • 3.3.1 - 2019-08-23
  • 3.3.0 - 2019-08-13
  • 3.3.0-beta2 - 2019-07-18
  • 3.3.0-beta1 - 2019-06-18
  • 3.2.7 - 2019-06-04
  • 3.2.6 - 2019-05-24
  • 3.2.5 - 2019-05-17
  • 3.2.4 - 2019-05-08
  • 3.2.3 - 2019-04-05
  • 3.2.2 - 2019-03-22
  • 3.2.1 - 2019-03-21
  • 3.2.0-beta2 - 2019-03-10
  • 3.2.0-beta1 - 2019-02-27
  • 3.1.13 - 2019-01-23
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • d84d14b chore(release): 3.6.0
  • a053f4e fix: silently ignore session with unacknowledged write
  • dfe7afa fix: ReadPreference maxStalenessSeconds from options
  • d728a13 fix: remove destructuring assignments for legacy node support
  • 4666646 chore: adds test for SRV + directConnection
  • 5d7c556 test: avoid unable to acquire lock errors on primary stepdown
  • 5bd16e2 chore: sync connectTimeoutMS SDAM spec test
  • 603d445 docs: add banner with link to new reference documentation
  • 19ec62f fix: IPv6 is not supported when using dns service discovery
  • 31ae3c9 fix: assert update/replace atomic requirements in bulk operations
  • 188c23e fix: don't immediately schedule monitoring after streaming failure
  • a256485 chore: update `sdam_viz` to include a write workload
  • 9f0b7ab fix(ChangeStream): make CursorNotFound error resumable
  • c1c69fc test: use sinon mock timers for deterministic timer testing
  • bb04441 chore: sync retryable reads tests for `listIndex` changes
  • e40b18e test: adds SPEC-1511 to lift restriction on authSource option
  • c394284 fix: db.command to not inherit options from parent
  • 8db18cc refactor: add `mongodb+srv` tests to atlas connectivity tests
  • b5976d5 chore: improve text representation of types during sdam logging
  • 14179a2 fix(ChangeStream): handle null changes
  • 66c76c3 fix(create_indexes): add missing `bucketSize` option to list of valid options
  • c71a4df fix(GridFS): emit error on bad options
  • 3adba87 test: two uncaught change stream test methods which leak sessions
  • 5d82eb6 refactor: use common methods for duration calculations


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
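
The createCollection change in the 3.6.0 release notes above affects any setup code that relies on that call to install a schema validator. The following is an added example, not code from the driver, the release notes or this repository: it checks that the validator is really in place after createCollection, whether the driver silently returned an existing collection (pre-3.6.0) or the call failed because the collection exists. The names ensureValidator, canon and makeStubDb are hypothetical, the stub is a constructed in-memory stand-in for a Db handle so the example runs offline, and 48 is assumed to be the server's NamespaceExists error code.

```javascript
const NAMESPACE_EXISTS = 48; // assumed server error code: collection already exists

// Canonical JSON so that key order does not affect the validator comparison.
function canon(v) {
  if (Array.isArray(v)) return '[' + v.map(canon).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canon(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Returns 'applied' if the validator is in place after createCollection,
// or 'repaired' if it had to be installed with collMod.
async function ensureValidator(db, name, validator) {
  try {
    await db.createCollection(name, { validator });
  } catch (err) {
    if (err.code !== NAMESPACE_EXISTS) throw err; // unrelated failure
  }
  // Do not trust a successful return: read back what the server has stored.
  const [info] = await db.listCollections({ name }).toArray();
  const current = info && info.options ? info.options.validator : undefined;
  if (canon(current) === canon(validator)) return 'applied';
  await db.command({ collMod: name, validator });
  return 'repaired';
}

// Constructed stub modelling only the calls used above.
// legacyDriver=true: createCollection on an existing name returns silently.
// legacyDriver=false: it rejects with the NamespaceExists code.
function makeStubDb(legacyDriver) {
  const colls = new Map(); // collection name -> stored options
  return {
    implicitCreate(name) { colls.set(name, {}); }, // models the first insert
    async createCollection(name, options) {
      if (colls.has(name)) {
        if (legacyDriver) return {};
        throw Object.assign(new Error('Collection already exists'),
          { code: NAMESPACE_EXISTS });
      }
      colls.set(name, options || {});
      return {};
    },
    listCollections(filter) {
      const rows = colls.has(filter.name)
        ? [{ name: filter.name, options: colls.get(filter.name) }] : [];
      return { toArray: async () => rows };
    },
    async command(cmd) {
      const prev = colls.get(cmd.collMod);
      colls.set(cmd.collMod, Object.assign({}, prev, { validator: cmd.validator }));
      return { ok: 1 };
    }
  };
}
```

collMod changes validation for subsequent writes only; documents already in the collection are not re-checked against the new validator.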
