[Snyk] Upgrade mongodb from 6.13.0 to 6.13.1 #16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.13.1. See this package in npm: mongodb See this project in Snyk: https://app.snyk.io/org/maxh33/project/a49c099a-4aa5-43f3-8e2d-d0918761f239?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.13.1.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 7 versions ahead of your current version.
The recommended version was released a month ago.
Release notes
Package name: mongodb
-
6.13.1 - 2025-02-20
- NODE-6407: use conversationId returned from server in saslContinue (#4368) (fbefa6b)
- NODE-6613: Update error messages when primaries go stale (#4397) (6528c8d)
- NODE-6690: Remove extraneous Document in replaceOne return type (#4383) (6c81d4e)
- NODE-6763: pass WriteConcernOptions instead on WriteConcernSettings (#4421) (26f15d7)
- NODE-6777: update BSON to 6.10.3 (#4428) (db5b9e0)
- Reference
- API
- Changelog
-
6.13.1-dev.20250228.sha.488c4071 - 2025-02-28
-
6.13.1-dev.20250227.sha.196e08e9 - 2025-02-27
-
6.13.1-dev.20250226.sha.7800067a - 2025-02-26
-
6.13.1-dev.20250225.sha.1a6dc9b8 - 2025-02-25
-
6.13.1-dev.20250222.sha.421ddeb3 - 2025-02-22
-
6.13.1-dev.20250221.sha.21f2cb91 - 2025-02-21
-
6.13.0 - 2025-01-30
- NODE-5672: support standardized logging (#4387) (d1b2453)
- NODE-6258: add signal support to find and aggregate (#4364) (73def18)
- NODE-6451: retry SRV and TXT lookup for DNS timeout errors (#4375) (fd902d3)
- NODE-6633: MongoClient.close closes active cursors (#4372) (654069f)
- NODE-5225: concurrent MongoClient.close() calls each attempt to close the client (#4376) (9419af7)
- NODE-6340: OIDC reauth uses caches speculative auth result (#4379) (8b2b7fd)
- NODE-6452: Optimize CommandStartedEvent and CommandSucceededEvent constructors (#4371) (41b066b)
- NODE-6616: shortcircuit logging ejson.stringify (#4377) (c1bcf0d)
- Reference
- API
- Changelog
from mongodb GitHub release notes6.13.1 (2025-02-20)
The MongoDB Node.js team is pleased to announce version 6.13.1 of the
mongodbpackage!Release Notes
Remove extraneous
Promise<Document>inCollection.replaceOnereturn typeThe return type signature of the
replaceOnemethod no longer includes the generalPromise<Document>type. Thanks to @ arturmuller, thereplaceOnetype signature is now more accurate! 🎉Fix writeConcern omitted when timeoutMS is provided
When
timeoutMSand a write concern were provided, thewriteConcernwas incorrectly omitted from the final command executed by the driver.Thanks @ stepanho for contributing the fix!
Update BSON version requirement to 6.10.3
This pulls in fixes made in
bsonversions 6.10.3 and 6.10.2 into the driver.BSON 6.10.2 fixed an issue in
calculateObjectSizeignoring the size contributed byBigIntvalues to a BSON document. This impacted batch splitting logic inbulkWriteoperations: if the actual BSON was over the size returned bycalculateObjectSizethe server would return an error.Warning
BSON 6.10.3 addresses a potential data corruption risk with the use of
useBigInt64flag introduced in BSON 6.4.0, where negativeLongvalues would be deserialized intoBigIntas unsigned integers when theuseBigInt64flag was enabled. (Thanks to @ rkistner for reporting this issue!)Bug Fixes
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.6.13.0 (2025-01-30)
The MongoDB Node.js team is pleased to announce version 6.13.0 of the
mongodbpackage!Release Notes
MongoDB Standardized Logging 📝
The driver's standardized logger is now available! The primary goal of our driver's logger is to enable insight into database operations without code changes so enabling and configuring the logger are primarily done through our environment variables.
TL;DR Show me the logs!
Tip
If you are a CLI app developer (or otherwise take great care of your std outputs): The client options constructor argument takes precedence over environment variables, permitting you to disable or otherwise customize the logger so your app does not automatically respond to the current environment.
Check out the in-depth logging docs here: https://www.mongodb.com/docs/drivers/node/current/fundamentals/logging/
🚀 Improved command monitoring performance
Previously, when command monitoring was enabled, the driver would make deep copies of command and reply objects, which have the potential to be very large documents. These copies have been eliminated, providing a speed and memory efficiency bump to command monitoring.
Warning
Since we no longer make deep copies of commands/replies in Command Monitoring Events, directly modifying the command/reply objects on
CommandStartedEvents andCommandSucceededEvents may lead to undefined behaviour.🧪 Experimental AbortSignal support added to Find and Aggregate! 🚥
A
signalargument can now be passed to the following APIs:collection.find()&collection.findOne()collection.aggregate()&collection.countDocuments()In order to support field level encryption properly, also:
db.listCollections()db.command()When aborted, the signal will interrupt the execution of each of each of these APIs. For the cursor-based APIs, this will be observed when attempting to consume from the cursor via toArray(), next(), for-await, etc.
There is a known limitation: aborting a signal closes a perfectly healthy connection which can cause unnecessary connection reestablishment so we're releasing this as experimental for evaluation in use cases that can tolerate the shortcoming.
DNS SRV & TXT look up timeouts are retried
To mitigate the potentially transient DNS timeout error, the driver now catches and retries the DNS lookups upon resolving a
mongodb+srv://style connection string.MongoClient.close now closes any outstanding cursors
Previously, cursors could somewhat live beyond the client they came from. What this meant was that depending on timing you would learn of the client's (and by proxy, the cursor's) demise via an assertion that the associated session had expired. This only occurred if your cursor needed to use the session, which only happens when it is attempting to run a
getMoreoperation to obtain another batch of documents.Practically speaking a cursor that lives beyond a client is an exception waiting to happen, the connection pools are closed, the sessions are ended, last call has been served 🍻, it is only a matter of timing and event firing until the cursor learns of its fate and informs you by throwing an error via whatever API is being used (
.toArray(),for-await,.next()).To make the expected state of cursors clearer in this scenario the
MongoClientwill now close any associated cursors upon itsclose()-ing reducing the risk of leaving behind server-side resources.MongoClient.close() can be called concurrently
In the past, concurrent calls to
MongoClient.close()had poorly defined behavior depending on the exact timing of the second (or more) calls to close(). In some cases, this could also throw errors.With these changes, MongoClient.close() can be called concurrently safely and always returns the same promise.
Note
This is intended as a correctness fix - we don't recommend calling MongoClient.close() concurrently if it can be avoided.
MONGODB-OIDC now properly reauthenticates in speculative auth scenarios
When using MONGODB-OIDC authentication, if the initial handshake contained speculative authentication, the driver would not properly reauthenticate when the server would raise 391 errors. This is now fixed.
Features
Bug Fixes
Performance Improvements
Documentation
We invite you to try the
mongodblibrary immediately, and report any issues to the NODE project.Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: