[Snyk] Security upgrade mongodb from 4.17.2 to 6.0.0

[reconsumeralization]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/nodes-base/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	823/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6	Server-side Request Forgery (SSRF) SNYK-JS-IP-6240864	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: mongodb

The new version differs by 250 commits.

• e57b738 chore(main): release 6.0.0 [skip-ci] ([Snyk] Security upgrade file-type from 14.7.1 to 16.5.4 n8n-io/n8n#3762)
• e70826a docs: generate docs from latest main [skip-ci] (Simple Sort doesn't work for numbers n8n-io/n8n#3744)
• df1b4f2 docs(NODE-5560): add v6 upgrade guide (n8n-4124-overhaul-gmail-node-trigger n8n-io/n8n#3844)
• 7bef363 feat(NODE-5584)!: adopt bson v6 and mongodb-client-encryption v6 (fix(core & function nodes): Update function nodes to work with binary-data-mode 'filesystem'. n8n-io/n8n#3845)
• 05d2725 fix(NODE-5592): withTransaction return type (Create .dockerignore n8n-io/n8n#3846)
• 91152b9 chore(NODE-5581): pull in bson alpha.1 and mongodb-legacy main (Support pairedItem for pinned data n8n-io/n8n#3843)
• ecb2e20 chore: fix alpha version guard
• ea2d60a refactor(NODE-5514): make FLE logic use async-await (Cursor doesn't work on /executions n8n-io/n8n#3830)
• a17b0af feat(NODE-5484)!: mark MongoError for internal use and remove Node14 cause assignment logic (Format nodes-base package (A-F) n8n-io/n8n#3800)
• 33c86c9 feat(NODE-5566): add ability to provide CRL file via tlsCRLFile (🐛 Fix pagination issue in /executions - N8N-4236 n8n-io/n8n#3834)
• 2323ca8 ci(NODE-5125): fix flaky case 14 prose test (Synchronize default settings n8n-io/n8n#3833)
• a0955bd fix(NODE-5548): ensure that tlsCertificateKeyFile maps to cert and key (Fix node versioning in client n8n-io/n8n#3819)
• bf00e32 docs(no-story): generate api docs for 5.8 release (add check for node ids migration n8n-io/n8n#3832)
• 11682d0 docs(NODE-5532): fix docs for `types` and regenerate 5.7 docs (Updated welcome sticky image and text n8n-io/n8n#3822)
• a7ffdf5 ci(NODE-5446): revert bump dev dependencies (💄 Updating onboarding prompt label n8n-io/n8n#3801) (feat(MySql.credentials): add multipleStatements setting n8n-io/n8n#3829)
• 46e15e7 docs: fix cutoff sentence on CommandStartedEvent (User Management: switch over to decorators to define routes n8n-io/n8n#3827)
• 1c05b38 docs: generate 4.17.0 documentation (Migrations failing on latest Docker image n8n-io/n8n#3826)
• 45f8fb9 chore(NODE-5544): fix duplicate PR highlights (N8N-4126 credentials injection and testing on specific nodes n8n-io/n8n#3816)
• bd031fc feat(NODE-5396): add `mongodb-js/saslprep` as a required dependency (N8N-4269 Postgres Node PairedItem Support n8n-io/n8n#3815)
• fd9a467 chore(NODE-5446): bump dev dependencies (💄 Updating onboarding prompt label n8n-io/n8n#3801)
• 6483276 docs(NODE-5540): Fix MDB University links in GH pages (N8n 4058 spike single sign on n8n-io/n8n#3814)
• 7955610 fix(NODE-4788)!: use implementer Writable methods for GridFSBucketWriteStream (🐞MongoDb: Fix to ensure all items get processed in all operations n8n-io/n8n#3808)
• 2fbb715 docs(NODE-5523): add component support matrix to readme (Add saml integration n8n-io/n8n#3806)
• af47529 docs(NODE-5535): fix link to Transactions quickstart (Format additional files in nodes A-F n8n-io/n8n#3811)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

[height]

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.

[github-actions]

Great PR! Please pay attention to the following items before merging:

Files matching packages/**:

• If fixing bug, added test to cover scenario.
• If addressing forum or Github issue, added link to description.

Files matching packages/nodes-base/package.json:

• Avoided adding dependencies for nodes if not absolutely necessary.

Make sure to check off this list before asking for review.

[sourcery-ai]

PR Type: Enhancement

PR Summary: This pull request addresses a critical security vulnerability by upgrading the MongoDB package from version 4.17.2 to 6.0.0. The upgrade mitigates the risk associated with a Server-side Request Forgery (SSRF) vulnerability identified by Snyk. The change is confined to the packages/nodes-base/package.json file, specifically updating the version of the mongodb dependency.

Decision: Comment

📝 Type: 'Enhancement' - not supported yet.

• Sourcery currently only approves 'Typo fix' PRs.

✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.

No details provided.

✅ Small diff: the diff is small enough to approve with confidence.

No details provided.

General suggestions:

• Ensure comprehensive testing is conducted to verify that the upgrade does not introduce any breaking changes or affect existing functionalities, given the major version jump.
• Review the MongoDB 6.0.0 release notes and migration guide to understand the changes and adjustments that may be necessary for your project.
• Consider the broader impact of this upgrade on the project, especially if there are other dependencies or project components that interact closely with MongoDB.

Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨

Share Sourcery

• X
• Mastodon
• LinkedIn
• Facebook

---

Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.