Version 1.1.4 of the MongoDB Node.js driver builds on version 1.1.3 and differs from it only in package metadata. Both versions share the same core, providing the functionality for connecting to and manipulating MongoDB databases from Node.js. Both depend on bson version 0.1.1, so BSON serialization and deserialization behave identically. Both also declare the same development dependencies: dox for documentation, ejs for templating, step and async for asynchronous control flow, gleak for memory leak detection, github3 for GitHub interaction, markdown for documentation formatting, nodeunit for testing, and uglify-js for JavaScript minification.
The differences are the repository URL and the release date. Version 1.1.3 lists its repository as "http://github.com/mongodb/node-mongodb-native.git", while version 1.1.4 changes this to "git://github.com/mongodb/node-mongodb-native.git", indicating a change in the preferred protocol for accessing the repository. Version 1.1.4 was published on "2012-08-27T18:01:17.341Z"; version 1.1.3 was published on "2012-08-11T22:02:15.886Z".
Developers who fetch the driver's source from the repository URL in an automated way (build scripts, dependency tooling) should note the protocol change, since the old URL and the new one are not interchangeable for every fetch method.
All vulnerabilities related to version 1.1.4 of the package

Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Remediation: upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
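The _bsontype issue above can be mitigated at the application boundary by refusing untrusted input that carries an unrecognised _bsontype before it reaches the serializer. The following is an added example, not code from the bson or mongodb packages; the allowlist of type names is an assumption about js-bson's type tags and should be checked against the bson version in use, and the sample input is constructed.

```javascript
// Allowlist of _bsontype tags this application accepts (assumed to match
// js-bson's own type names; adjust to the installed bson version).
const KNOWN_BSON_TYPES = new Set([
  'ObjectID', 'Long', 'Double', 'Int32', 'Decimal128', 'Binary', 'Code',
  'Timestamp', 'MinKey', 'MaxKey', 'DBRef', 'Symbol', 'BSONRegExp',
]);

// Walk a parsed value (e.g. a JSON request body) and return the location of
// the first object whose _bsontype is missing from the allowlist, or null
// when every tagged object uses a known type.
function findUnknownBsonType(value, path = '$') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnknownBsonType(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (Object.prototype.hasOwnProperty.call(value, '_bsontype')) {
    const tag = value._bsontype;
    if (typeof tag !== 'string' || !KNOWN_BSON_TYPES.has(tag)) {
      return { path, bsontype: tag };
    }
  }
  for (const key of Object.keys(value)) {
    const hit = findUnknownBsonType(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Gate to call before handing untrusted data to the driver: throws instead
// of letting a mistyped object be silently serialized as a plain document.
function assertSerializable(value) {
  const bad = findUnknownBsonType(value);
  if (bad) {
    throw new TypeError(
      `unknown _bsontype ${JSON.stringify(bad.bsontype)} at ${bad.path}`);
  }
  return value;
}

// Constructed sample input, shaped like a request body an attacker controls.
const untrusted = JSON.parse(
  '{"user":"alice","tags":[{"_bsontype":"Evil","x":1}]}');
```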