MongoDB Node.js Driver version 2.1.13 is a minor update to version 2.1.12; both are official drivers for connecting Node.js applications to MongoDB databases. Core functionality is unchanged. The key difference is an updated dependency, mongodb-core: version 2.1.13 uses mongodb-core 1.3.12, whereas 2.1.12 relies on mongodb-core 1.3.11. This small change in the core dependency likely brings bug fixes, performance improvements, or internal updates within the underlying MongoDB driver implementation.
For developers considering an upgrade, version 2.1.13 offers the potential benefits of these core improvements, which may make interaction with MongoDB databases more stable and efficient. The absence of other changes suggests that the update is relatively minor and should not introduce major breaking changes or require significant code modifications, so developers can likely update with confidence, particularly in scenarios that benefit from the underlying mongodb-core enhancements. Both versions provide tools for querying, updating, and managing MongoDB data, are licensed under Apache-2.0, and are maintained as part of the node-mongodb-native project. Upgrading to version 2.1.13 is a low-risk way to pick up the latest refinements within the MongoDB driver ecosystem.
All vulnerabilities related to version 2.1.13 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.