MongoDB's Node.js driver saw a significant update with the release of version 1.0.0, a step forward from the previous stable version, 0.9.9. The most immediate change for developers is the introduction of a direct dependency on the bson (Binary JSON) library, specifically version 0.0.4. This signals a tighter integration with, and potentially improved handling of, BSON data, a key aspect of interacting with MongoDB databases. Version 0.9.9 declared no dependencies at all.
The development dependencies also reflect a shift. Version 1.0.0 adds step, gleak, and github3 as development dependencies and upgrades the dox and nodeunit versions. These tools are likely used internally for managing asynchronous control flow (step), detecting memory leaks (gleak), interacting with the GitHub API for development-related tasks (github3), generating documentation (dox), and running unit tests (nodeunit), suggesting a more robust and mature development process around the driver.
Another notable change is the repository URL, which switches from git://github.com/christkv/node-mongodb-native.git in 0.9.9 to git://github.com/mongodb/node-mongodb-native.git in 1.0.0. This indicates a formal transfer of the repository to the official MongoDB organization, reinforcing the driver's status and official support. The release dates also show a few months of development between the two versions. For developers, these changes signal a more actively developed and maintained library.
All vulnerabilities affecting version 1.0.0 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
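Independently of the driver upgrade, an application can refuse invalid collection names before they ever reach the driver, so a bad name never turns into an uncaught exception on the request path. The following is an added example, not code from the page or from the driver; the name rules follow MongoDB's documented restrictions (non-empty string, no '$', no null character, no 'system.' prefix), and the length bound is an assumed conservative limit rather than a value from the advisory.

```javascript
// Maximum collection name length accepted by this validator.
// ASSUMPTION: a conservative application-side bound, not a driver constant.
const MAX_COLLECTION_NAME_LENGTH = 100;

// Validate a collection name against MongoDB's documented naming rules.
// Returns { ok, reason } so callers can log *why* a name was rejected.
function checkCollectionName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  if (name.length === 0) return { ok: false, reason: 'empty name' };
  if (name.includes('\0')) return { ok: false, reason: 'contains null character' };
  if (name.includes('$')) return { ok: false, reason: "contains '$'" };
  if (name.startsWith('system.')) return { ok: false, reason: "reserved 'system.' prefix" };
  if (name.length > MAX_COLLECTION_NAME_LENGTH) return { ok: false, reason: 'name too long' };
  return { ok: true, reason: null };
}

// Obtain a collection handle only for names that pass validation, and convert
// any synchronous driver error into an ordinary Error the caller can handle.
// `db` is any object exposing db.collection(name), e.g. a connected driver Db.
function getCollectionSafely(db, name) {
  const check = checkCollectionName(name);
  if (!check.ok) {
    throw new Error(`rejected collection name: ${check.reason}`);
  }
  try {
    return db.collection(name);
  } catch (err) {
    // Surface the driver's complaint without letting it escape unwrapped.
    throw new Error(`driver rejected collection name: ${err.message}`);
  }
}

// Constructed stand-in for a driver Db so the example runs offline.
const demoDb = { collection: (n) => ({ collectionName: n }) };
for (const candidate of ['users', '', 'audit$log', 'system.users', 'x\0y']) {
  try {
    console.log('accepted', getCollectionSafely(demoDb, candidate).collectionName);
  } catch (err) {
    console.log('rejected', JSON.stringify(candidate), err.message);
  }
}
```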
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not serializing BSON correctly. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, so in some cases the object is serialized as a plain document rather than as the intended BSON type.