[Snyk] Upgrade mongodb from 3.5.9 to 3.6.10

[snyk-bot]

Snyk has created this PR to upgrade mongodb from 3.5.9 to 3.6.10.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 14 versions ahead of your current version.
• The recommended version was released a month ago, on 2021-07-06.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Remote Memory Exposure SNYK-JS-BL-608877	492/1000 Why? Proof of Concept exploit, CVSS 7.7	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: mongodb

• 3.6.10 - 2021-07-06
  

  The MongoDB Node.js team is pleased to announce version 3.6.10 of the mongodb package!

  Release Highlights

  This patch addresses a few bugs listed below. Notably the bsonRegExp option is now respected by the underlying BSON library, you can use this to decode regular expressions that contain syntax not permitted in native JS RegExp objects. Take a look at this example:

  await collection.insertOne({ a: new BSONRegExp('(?-i)AA_') })
  await collection.findOne({ a: new BSONRegExp('(?-i)AA_') }, { bsonRegExp: true })
  // { _id: ObjectId,  a: BSONRegExp { pattern: '(?-i)AA_', options: '' } }

  Also there was an issue with Cursor.forEach where user defined forEach callbacks that throw errors incorrectly handled catching errors. Take a look at the comments in this example:

  collection.find({}).forEach(doc => {
      if(doc.bad) throw new Error('bad document!');
  }).catch(error => {
      // now this is called! and error is `bad document!`
  })
  // before this fix the `bad document!` error would be thrown synchronously
  // and have to be caught with try catch out here

  Bug Fixes

  • NODE-2035: Exceptions thrown from awaited cursor forEach do not propagate (#2852) (a917dfa)
  • NODE-3150: added bsonRegExp option for v3.6 (#2843) (e4a9a57)
  • NODE-3358: Command monitoring objects hold internal state references (#2858) (750760c)
  • NODE-3380: perform retryable write checks against server (#2861) (621677a)
  • NODE-3397: report more helpful error with unsupported authMechanism in initial handshake (#2876) (3ce148d)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the mongodb package immediately, and report any issues to the NODE project.

• 3.6.9 - 2021-05-26
  

  The MongoDB Node.js team is pleased to announce version 3.6.9 of the driver!

  Release Highlights

  This release fixes a major performance bug in bulk write operations, which was inadvertently introduced by an incomplete code change in the previous release. The bug resulted in redundant array iterations and caused exponential increases in bulk operation completion times. Thank you Jan Schwalbe for bringing this to our attention!

  Bug Fixes

  • NODE-3309: remove redundant iteration of bulk write result (#2815) (fac9610)
  • NODE-3234: fix url parsing for a mongodb+srv url that has commas in the database name (#2789) (58c4e69)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the mongodb package immediately, and report any issues to the NODE project.

• 3.6.8 - 2021-05-21
  

  The MongoDB Node.js team is pleased to announce version 3.6.8 of the mongodb package!

  Release Highlights

  Thanks to the quick adoption of the previous new patch by the mongoose package (Automattic/mongoose#10265) a small bug was identified when connections to mongodb would timeout causing unnecessary clean up operations to run. Thank you @ vkarpov15!

  Bug Fixes

  • NODE-3305: undo flipping of beforeHandshake flag for timeout errors (#2813) (6e3bab3)

  Documentation

  • Reference: https://docs.mongodb.com/drivers/node/current/
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the mongodb package immediately, and report any issues to the NODE project.

• 3.6.7 - 2021-05-18
  

  The MongoDB Node.js team is pleased to announce version 3.6.7 of the driver

  Release Highlights

  This patch addresses a number of bug fixes. Notably, there was an interesting javascript related issue with sorting documents. It only impacts users using numerical keys in their documents.

  > { a: 'asc', [23]: 'asc' }
  { [23]: 'asc', a: 'asc' } // numbers come first

  In javascript, numerical keys are always iterated first when looping over the keys of an object followed by the chronological specification of each string key. This effectively changes the ordering of a sort document sent to mongodb. However our driver does accept sort specification in a variety of ways and one way to avoid this problem is passing an array of tuples:

  [['a', 'asc'], ['23', 'asc']]

  This ensures that mongodb is sent the 'a' key as the first sort key and '23' as the second.

  Bug Fixes

  • NODE-3159: removing incorrect apm docs (#2793) (971259a)
  • NODE-3173: Preserve sort key order for numeric string keys (#2790) (730f43a)
  • NODE-3176: handle errors from MessageStream (#2774) (f1afcc4)
  • NODE-3192: check clusterTime is defined before access (#2806) (6ceace6)
  • NODE-3252: state transistion from DISCONNECTED (#2807) (5d8f649)
  • NODE-3219: topology no longer causes close event (#2791) (16e7064)
  • invalid case on writeconcern makes skip check fail (#2773) (b1363c2)

  Documentation

  • Reference: http://mongodb.github.io/node-mongodb-native/3.6
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

• 3.6.6 - 2021-04-06
  

  The MongoDB Node.js team is pleased to announce version 3.6.6 of the driver

  Release Highlights

  This patch addresses a number of bugs listed below.
  Most notably, for client side encryption users upgrading to this version of the driver along with the new version of [email protected] will alleviate the potential deadlock case if your connection pool was fully utilized. There will now be an internal MongoClient that will be used for metadata look ups (e.g, listCollections) when the pool size is under certain constraints. The events generated from this client are forwarded to the client instance you initialize so it is possible to monitor all events.

  Bug

  • [NODE-2995] - Sharing a MongoClient for metadata lookup can lead to deadlock in drivers using automatic encryption
  • [NODE-3050] - Infinite loop on Windows due to a bug in require_optional package
  • [NODE-3120] - TypeError: Cannot read property 'roundTripTime' of undefined
  • [NODE-3122] - Pipelining an upload stream of GridFSBucket never finishes on Node v14
  • [NODE-3129] - Collection () .. .setReadPreference() not routing query to secondaries
  • [NODE-3133] - autoEncryption produces serverHeartbeatFailed - with MongoError typemismatch

  Improvement

  • [NODE-3070] - Define error handling behavior of writeErrors and writeConcernError on Mongos

  Documentation

  • Reference: http://mongodb.github.io/node-mongodb-native/3.6
  • API: http://mongodb.github.io/node-mongodb-native/3.6/api
  • Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

• 3.6.5 - 2021-03-16
• 3.6.4 - 2021-02-02
• 3.6.3 - 2020-11-06
• 3.6.2 - 2020-09-10
• 3.6.1 - 2020-09-02
• 3.6.0 - 2020-07-30
• 3.6.0-beta.0 - 2020-04-14
• 3.5.11 - 2020-09-10
• 3.5.10 - 2020-07-30
• 3.5.9 - 2020-06-12

from mongodb GitHub release notes

Commit messages

Package name: mongodb

• 1297cd1 chore(release): 3.6.10
• e9196ab refactor(NODE-3324): bump max wire version to 13 (#2875)
• 3ce148d fix(NODE-3397): report more helpful error with unsupported authMechanism in initial handshake (#2876)
• 558182f test(NODE-3307): unified runner does not assert identical keys (#2867)
• 621677a fix(NODE-3380): perform retryable write checks against server (#2861)
• e4a9a57 fix(NODE-3150): added bsonRegExp option for v3.6 (#2843)
• 750760c fix(NODE-3358): Command monitoring objects hold internal state references (#2858)
• a917dfa fix(NODE-2035): Exceptions thrown from awaited cursor forEach do not propagate (#2852)
• b98f206 refactor(NODE-3356): Update command monitoring logging (#2853)
• 68b4665 test(NODE-2856): ensure defaultTransactionOptions get used from session (#2845)
• 8c8b4c3 fix(NODE-3356): update redaction logic for command monitoring events (#2847)
• 2c5d440 test(NODE-3357): extend timeout for atlas connectivity (#2846)
• fd97808 test(NODE-3288): sync command-monitoring spec tests to 3.6 (#2838)
• bf8b21b docs: change links to use https (#2836)
• f42ac4c refactor(NODE-2752): deprecate strict option for Db.collection (#2819)
• 394832a chore(release): 3.6.9
• fac9610 fix(NODE-3309): remove redundant iteration of bulk write result (#2815)
• 58c4e69 fix: fix url parsing for a mongodb+srv url that has commas in the database name (#2789)
• 6c8cc84 chore(release): 3.6.8
• 6e3bab3 fix(cmap): undo flipping of `beforeHandshake` flag for timeout errors (#2813)
• 4fd03e8 chore(release): 3.6.7
• 6ceace6 fix(NODE-3192): check clusterTime is defined before access (#2806)
• 1967515 test(NODE-3187): port unified test runner (#2783)
• 5d8f649 fix(NODE-3252): state transistion from DISCONNECTED (#2807)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs