Version 2.0.34 of the MongoDB Node.js driver represents a minor update over the preceding stable release, version 2.0.33. The core functionality remains consistent, providing a "MongoDB legacy driver emulation layer on top of mongodb-core" which allows developers to interact with MongoDB databases using a familiar API. However, several key differences warrant attention for developers considering an upgrade.
The primary change lies in the updated dependency on mongodb-core, which moves from version 1.1.32 to 1.2.0. The core driver release likely carries bug fixes, performance enhancements, and possibly new features related to MongoDB server interactions; developers who use the mongodb-core API directly should check its changelog for specifics. Other dependencies, such as readable-stream, are unchanged.
The devDependencies also change. The bson dependency moves from "~0.3" to "~0.4", which may bring improvements in BSON serialization and deserialization. mongodb-version-manager moves from "^0.5.0" to "^0.7.1", which may improve how MongoDB server versions are installed and run in the test environment, with potential stability gains during development.
Both versions maintain the same license (Apache-2.0), repository, and author information. Developers should also note the release dates: version 2.0.34 was released on June 17, 2015, while version 2.0.33 was released on May 19, 2015. Given these changes, upgrading to version 2.0.34 is generally recommended for its likely improvements in core functionality and underlying dependencies, but developers are advised to thoroughly test their applications to ensure compatibility with the updated mongodb-core and bson packages.
All vulnerabilities affecting version 2.0.34 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
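The practical defence against the crash described above, beyond upgrading, is to never pass an unvalidated collection name to the driver and to make sure a throw from db.collection() becomes an error value rather than an uncaught exception. The following is an added example, not code from the mongodb driver or this page; the naming rules it enforces are drawn from MongoDB's documented collection-name restrictions and are assumed, not copied from the driver's own checks, and the 120-byte namespace limit is the historic value and is likewise an assumption.

```javascript
// Added example (not from the mongodb driver): validate a collection name
// before handing it to the driver, and turn a synchronous throw from
// db.collection() into an error result instead of a process crash.
// Rules below follow MongoDB's documented naming restrictions (assumed,
// not taken from the driver's source).

const NAMESPACE_MAX_BYTES = 120; // historic "db.collection" limit (assumed)

// Returns null when the name is acceptable, otherwise a reason string.
function validateCollectionName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return 'collection name must be a non-empty string';
  }
  if (name.includes('\0')) return 'collection name must not contain a null byte';
  if (name.includes('$')) return 'collection name must not contain "$"';
  if (name.startsWith('.') || name.endsWith('.')) {
    return 'collection name must not start or end with "."';
  }
  if (name.includes('..')) return 'collection name must not contain ".."';
  if (name.startsWith('system.')) return 'the "system." prefix is reserved';
  return null;
}

// db is any object exposing collection(name): the real driver's Db object
// fits, and the stand-in used for testing below throws on demand.
// Always returns { ok, collection | error }; never throws.
function safeCollection(db, dbName, name) {
  const problem = validateCollectionName(name);
  if (problem) return { ok: false, error: problem };
  if (Buffer.byteLength(`${dbName}.${name}`, 'utf8') > NAMESPACE_MAX_BYTES) {
    return { ok: false, error: 'namespace too long' };
  }
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (err) {
    // Older drivers could throw here; contain it so the service stays up.
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for a driver Db so the example runs offline.
const fakeDb = {
  collection(n) {
    if (n === 'boom') throw new Error('invalid collection');
    return { name: n };
  },
};

console.log(safeCollection(fakeDb, 'app', 'users'));    // ok: true
console.log(safeCollection(fakeDb, 'app', 'system.x')); // ok: false, reserved prefix
console.log(safeCollection(fakeDb, 'app', 'boom'));     // ok: false, caught throw
```

Wrapping the call site this way also gives a single place to log rejected names, which is the signal a defender would want when user-controlled input reaches collection selection at all.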
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
DLL Injection in kerberos
Versions of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to place a file with the same name in a folder that precedes the intended file in the DLL search path, and thereby execute arbitrary code on the machine.
Upgrade to version 1.0.0 or later.