[Snyk] Upgrade mongodb from 3.5.9 to 3.7.3

[snyk-bot]

Snyk has created this PR to upgrade mongodb from 3.5.9 to 3.7.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 20 versions ahead of your current version.
• The recommended version was released 9 months ago, on 2021-10-20.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Remote Memory Exposure SNYK-JS-BL-608877	492/1000 Why? Proof of Concept exploit, CVSS 7.7	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: mongodb

• 3.7.3 - 2021-10-20
  

  The MongoDB Node.js team is pleased to announce version 3.7.3 of the mongodb package!

  What's Changed

  • fix(NODE-3515): do proper opTime merging in bulk results by @ durran in #3011

  Full Changelog: v3.7.2...v3.7.3

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node
  • API: https://mongodb.github.io/node-mongodb-native/3.7
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.7/HISTORY.md

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.2 - 2021-10-05
  

  The MongoDB Node.js team is pleased to announce version 3.7.2 of the mongodb package!

  Release Highlights

  This release contains a fix for optional require of dependencies on yarn berry.

  Bug Fixes

  • NODE-3622: bump optional-require for additional yarn berry pnp support (#2989) (ec23d6302)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node
  • API: https://mongodb.github.io/node-mongodb-native/3.7
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.7/HISTORY.md

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.1 - 2021-09-14
  

  The MongoDB Node.js team is pleased to announce version 3.7.1 of the mongodb package!

  Release Highlights

  This release contains an internal improvement that makes our monitor utilize the new hello handshake for monitoring when available.

  Features

  • NODE-3424: use hello for monitoring commands (#2964) (910c564)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node
  • API: https://mongodb.github.io/node-mongodb-native/3.7
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.7/HISTORY.md

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.7.0 - 2021-08-31
  

  The MongoDB Node.js team is pleased to announce version 3.7.0 of the mongodb package!

  Release Highlights

  Versioned API

  Versioned API is a new feature in MongoDB 5.0 that allows user-selectable API versions, subsets of MongoDB server semantics, to be declared on a client. During communication with a server, clients with a declared API version will force the server to behave in a manner compatible with the API version. Declaring an API version on a client can be used to ensure consistent responses from a server, providing long term API stability for an application. The declared API version is applied to all commands run through the client, including those sent through the generic RunCommand helper. Specifying versioned API options in the command document AND declaring an API version on the client is not supported and will lead to undefined behavior.

  Declare an API version on a client

  // Declare API version "1" for the client
  client = new MongoClient(uri, { serverApi: { version: '1' } });

  cursor = client.db('database').collection('coll').find(...);

  Strict mode

  Declaring a strict API version will cause the MongoDB server to reject all commands that are not part of the declared API version. This includes command options and aggregation pipeline stages. For example, the following find call would fail because the tailable option is not part of version 1:

  // Declare API version "1" for the client, with strict on
  client = new MongoClient(uri, { serverApi: { version: '1', strict: true } });

  // Fails with an error
  cursor = client.db('database').collection('coll').find({ ... }, { tailable: true });

  Deprecation Errors

  The deprecationErrors option can be used to enable command failures when using functionality that is deprecated from version 1. Note that at the time of this writing, no deprecations in version 1 exist.

  // Declare API version "1" for the client, with deprecationErrors on
  client = new MongoClient(uri, { serverApi: { version: '1', deprecationErrors: true } });

  // Note: since API version "1" is the initial version, there are no deprecated commands to provide as an example yet.

  Features

  • NODE-3191: backport versioned api (#2850) (93a47fd)

  Bug Fixes

  • NODE-3377: driver should allow arbitrary explain levels (#2961) (96c8ab4)
  • NODE-3463: pass explain error through to callback (#2949) (e5975af)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: https://mongodb.github.io/node-mongodb-native/3.7/api/
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/v3.7.0/HISTORY.md

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.6.12 - 2021-08-30
  

  The MongoDB Node.js team is pleased to announce version 3.6.12 of the mongodb package!

  Bug Fixes

  • NODE-3487: check for nullish aws mechanism property (#2957) (5902b4c)
  • NODE-3528: add support for snappy v7 (#2947) (54f5c2d)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: https://mongodb.github.io/node-mongodb-native/3.6/api/
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/v3.6.12/HISTORY.md

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 3.6.11 - 2021-08-05
  

  The MongoDB Node.js team is pleased to announce version 3.6.11 of the mongodb package!

  Release Highlights

  This patch addresses a few bugs listed below.
  Notably, we fixed an issue with the way we imported one of our optional dependencies that blocked webpack bundling.

  If you are a webpack user you will still get warnings for our optional dependencies (if you don't use them).
  You can hush the warnings by adding this option to your webpack config:

  {
      // ...
      externals: [
          'mongodb-client-encryption',
          'aws4',
          'saslprep',
          'kerberos',
          'snappy',
          'bson-ext',
      ],
      // ...
  }

  It is important to note that this will leave the imports in place and not pull in the code to your bundle. If you later do adopt using these dependencies you'll want to revert the relevant setting.

  Bug Fixes

  • NODE-1843: bulk operations ignoring provided sessions (#2898) (9244b17)
  • NODE-3199: unable to bundle driver due to uncaught require (#2903) (60efe9d)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the mongodb package immediately, and report any issues to the NODE project.

• 3.6.10 - 2021-07-06
• 3.6.9 - 2021-05-26
• 3.6.8 - 2021-05-21
• 3.6.7 - 2021-05-18
• 3.6.6 - 2021-04-06
• 3.6.5 - 2021-03-16
• 3.6.4 - 2021-02-02
• 3.6.3 - 2020-11-06
• 3.6.2 - 2020-09-10
• 3.6.1 - 2020-09-02
• 3.6.0 - 2020-07-30
• 3.6.0-beta.0 - 2020-04-14
• 3.5.11 - 2020-09-10
• 3.5.10 - 2020-07-30
• 3.5.9 - 2020-06-12

from mongodb GitHub release notes

Commit messages

Package name: mongodb

• b42e8b3 chore(release): 3.7.3
• 428e6d3 fix(NODE-3515): do proper opTime merging in bulk results (#3011)
• 564b0d7 test(NODE-3606): legacy and new versions of the CSFLE library (#3002)
• 7c5a7bb chore(release): 3.7.2
• ec23d63 chore(NODE-3622): bump optional-require for additional yarn berry pnp support (#2989)
• 28f721d chore(release): 3.7.1
• 910c564 feat(NODE-3424): use hello for monitoring commands (#2964)
• 44df7d7 chore(release): 3.7.0
• 1a76618 fix: versioned api low node compat fix (#2970)
• 7602f68 docs(NODE-3406): add versioned api examples (#2969)
• a07aa56 test(NODE-3409): support AWS temp credentials in CSFLE tests (#2968)
• eae0e05 chore(NODE-3303): deprecate md5 hash and isConnected (#2960)
• 77ab63e test(NODE-3387): correctly extract findOneX values in unified operations (#2966)
• 96c8ab4 fix(NODE-3377): driver should allow arbitrary explain levels (#2961)
• 4c25984 chore: sync 3.6 changes to 3.7 (#2963)
• e5975af fix(NODE-3463): pass explain error through to callback (#2949)
• 238a4b0 fix(NODE-3290): versioned api validation and tests (#2869)
• 91a2fc9 Merge remote-tracking branch 'origin/3.6' into 3.7
• 6ee945e chore(NODE-3316): add author info and update bug url in package.json (#2887)
• ecc930b test(NODE-3381): command monitoring redaction tests (#2873)
• 1297cd1 chore(release): 3.6.10
• e9196ab refactor(NODE-3324): bump max wire version to 13 (#2875)
• 3ce148d fix(NODE-3397): report more helpful error with unsupported authMechanism in initial handshake (#2876)
• 558182f test(NODE-3307): unified runner does not assert identical keys (#2867)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs