[Snyk] Upgrade mongodb from 3.6.0 to 3.6.3 #81


Merged
merged 1 commit into from
Mar 4, 2021

Conversation

BretFisher
Owner

Snyk has created this PR to upgrade mongodb from 3.6.0 to 3.6.3.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 3 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2020-11-06.

The recommended version fixes:

  • Issue: Remote Memory Exposure (SNYK-JS-BL-608877)
  • Priority Score (*): 385/1000 (Why? CVSS 7.7)
  • Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: mongodb
  • 3.6.3 - 2020-11-06

    The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver

    Release Highlights

    MongoError: not master when running createIndex

    A regression introduced in v3.6.2 meant that createIndex operations would not be executed with a fixed
    primary read preference. This resulted in the driver selecting any server for the operation, which would
    fail if a non-primary was selected.

    Performance issues on AWS Lambda

    The driver periodically monitors members of the replicaset for changes in the topology, but ensures that
    the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a
    stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result
    was that periodically operations would think there were no available servers, and the driver would force
    a wait of heartbeatFrequencyMS (10s by default) before reaching out to servers again for a new
    monitoring check. The internal async interval timer has been improved to account for these environments

    GSSAPI AuthProvider reuses single kerberos client

    A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all
    authentication attempts. This would result in incomplete authentication flows, and occasionally even
    a crash in the kerberos module. The driver has been reverted to creating a kerberos client per
    authentication attempt.

    Performance regression due to use of setImmediate

    A change introduced in v3.6.1 switched all our usage of process.nextTick in the connection pool with
    setImmediate per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop
    was experiencing pressure, so the change was reverted for this release pending further investigation.

    Community Contributions

    • @jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
    • @through-a-haze submitted a fix for incorrect construction of an X509 authentication message
    • @andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2172] - Change stream breaks on disconnection when there's something piped into it.
    • [NODE-2784] - MongoError: Not Master when running createIndex in 3.6.0
    • [NODE-2807] - MongoClient.readPreference always returns primary
    • [NODE-2827] - Connecting to single mongos makes driver think it is connected to a standalone
    • [NODE-2829] - MongoDB Driver 3.6+ Performance issues on AWS Lambda
    • [NODE-2835] - Remove default timeout for read operations
    • [NODE-2859] - GSSAPI AuthProvider causing crashes in Compass
    • [NODE-2861] - Performance Regression for usage of mongodb connections (queries, inserts, ...)
    • [NODE-2865] - Connections can be leaked if wait queue members are cancelled
    • [NODE-2869] - Invalid assignment of X509 username makes authentication impossible

    Improvement

    • [NODE-2834] - Remove deprecation of AggregationCursor#geoNear
    • [NODE-2867] - Use peerDependenciesMeta field to mark peer optional dependencies
  • 3.6.2 - 2020-09-10

    The MongoDB Node.js team is pleased to announce version 3.6.2 of the driver

    Release Highlights

    Updated bl dependency due to CVE-2020-8244

    See this link for more details: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

    Connection pool wait queue processing is too greedy

    The logic for processing the wait queue in our connection pool ran the risk of
    starving the event loop. Calls to process the wait queue are now wrapped in a
    setImmediate to prevent starvation

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2798] - Update version of dependency "bl" due to vulnerability
    • [NODE-2803] - Connection pool wait queue processing is too greedy
  • 3.6.1 - 2020-09-02

    The MongoDB Node.js team is pleased to announce version 3.6.1 of the driver

    Release Highlights

    Kerberos

    A bug in introducing the new CMAP Connection prevented some users from properly authenticating with the kerberos module.

    Index options are not respected with createIndex

    The logic for building the createIndex command was changed in v3.6.0 to use an allowlist rather than a blocklist, but omitted a number of index types in that list. This release reintroduces all supported index types to the allowlist.

    Remove strict mode for createCollection

    Since v3.6.0 createCollection will no longer return a cached Collection instance if a collection already exists in the database; rather it will return a server error stating that the collection already exists. This is the same behavior provided by the strict option for createCollection, so that option has been removed from documentation.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2731] - CMAP Connection type does not provide host/port properties
    • [NODE-2755] - "language_override" option support for text index is broken

    Improvement

    • [NODE-2730] - Move MongoAuthProcess into the driver source tree
    • [NODE-2746] - Strict mode for `createCollection` should be removed
  • 3.6.0 - 2020-07-30

    The MongoDB Node.js team is pleased to announce version 3.6.0 of the driver

    NOTE: This version begins our official support for MongoDB 4.4

    Release Highlights

    Streaming topology changes

    MongoDB drivers maintain a local view of the topology they are connected to, and ensure the accuracy of that view by polling connected nodes on average every ~10s. In MongoDB 4.4, drivers are now able to receive push notifications about topology updates, effectively reducing the time for client recovery in failover scenarios to the time it takes for the server to make the election and report the outcome.

    This feature is enabled by default when connecting to MongoDB 4.4, no changes are needed for user code.

    Authentication

    MONGODB-AWS authentication mechanism

    The MONGODB-AWS authentication mechanism uses your Amazon Web Services Identity and Access Management (AWS IAM) credentials to authenticate users on MongoDB 4.4+. Please read more about this new authentication mechanism in our documentation.

    Performance improvements

    There were two projects to transparently improve performance of authentication in MongoDB 4.4:

    • A driver can now include the first saslStart command in its initial handshake with the server. This so-called "speculative authentication" allows us to reduce one roundtrip to the server for authenticating a connection. This feature is only supported for the X.509, SCRAM-SHA-1 and SCRAM-SHA-256 (default) authentication mechanisms.

    • The SCRAM conversation between driver and server can now skip one of its empty exchanges, which also serves to reduce the roundtrips during a SCRAM authentication.

    OCSP stapling testing

    OCSP stapling greatly improves performance when using LetsEncrypt certificates, removing the need for an external request to LetsEncrypt servers for each authentication attempt. No additional changes were required to support OCSP stapling in the driver, but extensive testing was added to verify that the feature works as expected.

    Changes in behavior of Db.prototype.createCollection

    The createCollection helper used to internally run a listCollections command in order to see if a collection already existed before running the command. If it determined a collection with the same name existed, it would skip running the command and return an instance of Collection. This behavior was changed in v3.6.0 to avoid potentially serious bugs, specifically that the driver was not considering options passed into createCollection as part of the collection equality check. Imagine the following scenario:

    // Scenario from the release notes: 'bar' is implicitly created by the insert,
    // so before v3.6.0 the later createCollection call (and its validator) was
    // silently skipped. Wrapped in an async function so the awaits are valid in
    // CommonJS; insertOne replaces the deprecated insert helper.
    const { MongoClient } = require('mongodb');

    async function main() {
      const client = new MongoClient('...');
      await client.connect();

      await client.db('foo').collection('bar').insertOne({ importantField: 'llamas' });
      await client.db('foo').createCollection('bar', {
        validator: { $jsonSchema: {
          bsonType: 'object',
          required: ['importantField'],
          properties: { name: { bsonType: 'boolean' } }
        } }  // closes $jsonSchema and validator (the original snippet was missing one brace)
      });

      await client.close();
    }

    The createCollection call which defines a JSON schema validator would be completely bypassed because of the existence of bar, which was implicitly created in the first command. Our policy is to strictly adhere to semver, but in rare cases like this where we feel there is potential for a data corrupting bug, we make breaking behavioral changes to protect the user.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Epic

    New Feature

    • [NODE-2434] - Reduce Client Time To Recovery On Topology Changes
    • [NODE-2288] - MONGODB-AWS Support
    • [NODE-2289] - Support for allowDiskUse on find operations
    • [NODE-2290] - Allow passing hint to findAndModify update and replace operations
    • [NODE-2291] - Improve testing around default writeConcern
    • [NODE-2295] - Collection and index creation in multi-doc txns
    • [NODE-2427] - OCSP Support
    • [NODE-2487] - Support speculative authentication attempts in isMaster
    • [NODE-2301] - Support shorter SCRAM conversation
    • [NODE-2269] - Add support for validate command "background" option

    Improvement

    • [NODE-2175] - Avoid using readConcern snapshot in sharded transaction tests
    • [NODE-2176] - Resync bson-corpus array.json to fix duplicate test names
    • [NODE-2393] - Change uri_options/auth-options spec test to enable conditional tests
    • [NODE-2394] - Verify max set version and max election id on topologies in SDAM spec tests
    • [NODE-2422] - Validate that mongocryptd is not spawned if bypassAutoEncryption=true
    • [NODE-2430] - Raise error if hint specified for unacknowledged update using OP_MSG or OP_UPDATE
    • [NODE-2431] - Reduce floating point precision required of extended json implementations
    • [NODE-2432] - Clarify behavior when "me" field doesn't match any values in "hosts" array
    • [NODE-2477] - Allow hinting the delete command
    • [NODE-2504] - Add SDAM test for incompatible server becoming compatible
    • [NODE-2506] - Ensure that the WriteConcernError "errInfo" object is propagated
    • [NODE-2538] - Add RetryableWriteError error labels to retryable transaction tests
    • [NODE-2546] - Deprecate geoHaystack and geoSearch
    • [NODE-2559] - Reduce race conditions in SDAM error handling
    • [NODE-2560] - Make 'reIndex' a standalone-only command
    • [NODE-2564] - Clarify how a driver must handle wrong set name in single topology
    • [NODE-2569] - 'CommitQuorum' option support for 'createIndexes’ command on MongoDB 4.4
    • [NODE-2576] - Raise error when hint option is provided on unacknowledged writes against any server version
    • [NODE-2592] - Update documentation for Text Search
    • [NODE-2594] - Do not add the RetryableWriteError label to errors that occur during a write within a transaction (excepting commitTransaction and abortTransaction)
    • [NODE-2622] - allowDiskUse option for find should be documented as only being supported in 4.4+
    • [NODE-2627] - Reduce default keepalive time to align with Azure defaults
    • [NODE-2659] - Drivers should retry replSetStepDown after "Unable to acquire X lock" error
    • [NODE-2661] - Define behavior of connectTimeoutMS=0 with streaming protocol
    • [NODE-2675] - Test that ElectionInProgress is not resumed
    • [NODE-2682] - Treat CursorNotFound as a resumable change stream error
    • [NODE-2150] - Bump wire protocol version for 4.4
    • [NODE-2379] - Expand use of error labels for RetryableWrites
    • [NODE-2423] - Deprecate oplogReplay find command option from CRUD spec
    • [NODE-2426] - Make ExceededTimeLimit retryable writes error
    • [NODE-2429] - GridFS index checking should support indexes created in the shell
    • [NODE-2433] - Lift restriction on authSource without credentials
    • [NODE-2452] - Unify behavior around configuration for replica set discovery
    • [NODE-2510] - Driver support for server Hedged Reads
    • [NODE-2516] - Update comment in Transactions withTxn examples for the manual.
    • [NODE-2557] - Remove replicaset from tests that perform reIndex command

    Bug

    • [NODE-2416] - Confusing documentation for collection.aggregate collation option
    • [NODE-2502] - replaceOne example in test/examples/update_documents.js incorrect
    • [NODE-2537] - createCollection helper should not run listIndexes outside of strict mode
    • [NODE-2567] - Fix qs dependency for older node
    • [NODE-2616] - SDAM test typo "compatible"
    • [NODE-2623] - Gridfs doesn't allow to catch exception with length that exceeds file size
    • [NODE-2660] - Throw an error if bulk update documents don't contain update operator expressions
    • [NODE-2711] - Monitoring should not be immediately scheduled on streaming failure
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • 86ae813 chore(release): 3.6.3
  • 308f840 chore: ensure aws4 is present for mongodb-aws tests
  • 9110a45 fix: correctly assign username to X509 auth command (#2587)
  • c9f9d5e fix: revert use of setImmediate to process.nextTick (#2611)
  • 89b77ed fix: Change socket timeout default to 0 (#2572)
  • 033b6e7 fix: move kerberos client setup from prepare to auth (#2608)
  • f0cee7a test: restrict geoSearch tests to mongodb <= 4.4 (#2612)
  • 186090e fix: add peerDependenciesMeta to mark optional deps (#2606)
  • cafaa1b fix: connection leak if wait queue member cancelled
  • 79df553 test: removes destructuring, spread, rest syntax and adds lint rules
  • a6e7caf fix: correctly re-establishes pipe destinations
  • f8fd310 fix: adds topology discovery for sharded cluster
  • efd906a test: add directConnection spec tests
  • 6acced0 fix: use options for readPreference in client
  • 4955a52 fix: remove geoNear deprecation
  • 967de13 fix: user roles take single string & DDL readPreference tests
  • 0e5c45a fix: Fix test filters and revert mocha version (#2558)
  • b70baf4 test: Update connection-monitoring-and-pooling specs (#2555)
  • 6c63471 style: Sync tooling configuration from 4.0 branch (#2553)
  • e0e11bb fix: permit waking async interval with unreliable clock
  • 6113b24 chore(release): 3.6.2
  • ddcd03d fix: sets primary read preference for writes
  • 4e03dfa fix: allow event loop to process during wait queue processing (#2537)
  • 2a6faa6 chore: update bl due to CVE


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
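The createCollection behavior change in the 3.6.0 notes above means a pre-existing, implicitly created collection now surfaces a server error instead of silently dropping the validator. The following is an added example (not code from the mongodb driver, Snyk or this PR) of handling that error so the schema is actually enforced: it assumes the driver's Promise-returning `db.createCollection` and `db.command`, and the server's NamespaceExists error code 48; `makeFakeDb` is a constructed in-memory stand-in so the logic runs without a server.

```javascript
const NAMESPACE_EXISTS = 48; // MongoDB server error code "NamespaceExists"

// Idempotently ensure `name` exists with a JSON-schema validator attached.
// Under driver >= 3.6.0 createCollection throws when the namespace already
// exists, so the validator is applied with collMod instead of being bypassed.
async function ensureValidatedCollection(db, name, jsonSchema) {
  const validator = { $jsonSchema: jsonSchema };
  try {
    await db.createCollection(name, { validator, validationLevel: 'strict' });
    return { created: true, validatorApplied: true };
  } catch (err) {
    if (err.code !== NAMESPACE_EXISTS) throw err; // unrelated failure: surface it
  }
  // Collection pre-existed (e.g. implicitly created by an insert): attach the
  // validator so documents are checked from now on.
  await db.command({ collMod: name, validator, validationLevel: 'strict' });
  return { created: false, validatorApplied: true };
}

// Constructed stand-in for a Db handle (assumption: same method names and
// error shape as the real driver). Tracks collections and their options.
function makeFakeDb(existing = []) {
  const collections = new Map(existing.map((n) => [n, {}]));
  return {
    collections,
    async createCollection(name, options) {
      if (collections.has(name)) {
        const e = new Error(`Collection already exists. NS: test.${name}`);
        e.code = NAMESPACE_EXISTS;
        throw e;
      }
      collections.set(name, { ...options });
    },
    async command(cmd) {
      if (!cmd.collMod) throw new Error('fake db: unsupported command');
      Object.assign(collections.get(cmd.collMod), {
        validator: cmd.validator,
        validationLevel: cmd.validationLevel,
      });
      return { ok: 1 };
    },
  };
}

// Constructed schema mirroring the release-note scenario.
const schema = { bsonType: 'object', required: ['importantField'] };
```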

@BretFisher BretFisher merged commit 667a81f into master Mar 4, 2021
@BretFisher BretFisher deleted the snyk-upgrade-b1b206119b2bc07c56e25e771c59813a branch March 4, 2021 22:24