MongoDB Node.js driver version 1.3.4 represents a minor update over the prior stable release, version 1.3.3, offering incremental improvements to this widely used library for interacting with MongoDB databases from Node.js applications. Both versions share a common foundation, utilizing 'bson' for efficient binary JSON serialization and offering optional 'kerberos' authentication support, crucial for secure deployments. The core dependencies and development tools, including 'dox' for documentation generation, 'ejs' for templating, and 'nodeunit' for testing, remain consistent, ensuring a familiar development workflow for those already using the driver.
However, the key distinction lies in the timing of the releases. Version 1.3.4 was published on May 14, 2013, a few days after version 1.3.3 released on May 9, 2013. While the provided data doesn't explicitly outline the specific bug fixes or feature enhancements introduced in 1.3.4, this short cycle suggests that the update likely addresses critical bug fixes discovered shortly after the release of 1.3.3. Developers currently using Node.js and MongoDB should prioritize upgrading from 1.3.3 to 1.3.4, especially those who value stability and quick bug fixes to avoid potential compatibility issues. Users already employing mongodb should verify their dependence on optional dependencies.
All the vulnerabilities related to the version 1.3.4 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
