MongoDB Node.js driver version 2.1.20 offers a minor update over its predecessor, version 2.1.19, refining the official MongoDB experience for Node.js developers. Both versions share the same core dependencies like es6-promise and readable-stream, ensuring consistent asynchronous operations and stream handling. Crucially, the mongodb-core dependency sees an update from version 1.3.19 to 1.3.20, which likely incorporates bug fixes and performance improvements within the underlying MongoDB driver core. Developers should assess the changelog of mongodb-core 1.3.20 for specific details on the enhancements.
The development dependencies, encompassing tools for testing, documentation, and benchmarking, remain identical between the two versions. This suggests that the development workflow and testing methodologies haven't significantly changed between these releases. The consistent suite of tools, from nyc for code coverage to jsdoc for documentation generation, provides a stable development environment. The presence of tools like mongodb-version-manager and mongodb-topology-manager highlights the driver's sophisticated testing infrastructure ensuring compatibility across various MongoDB server versions and deployment topologies.
For developers choosing between these versions, examining the mongodb-core 1.3.20 changelog is crucial. If the update addresses specific issues impacting their applications, migrating to 2.1.20 is recommended. Otherwise, both versions provide a reliable MongoDB interface, backed by a comprehensive suite of development and testing tools. Version 2.1.20 was released on May 25, 2016, a week after 2.1.19, released May 17, 2016.
All the vulnerabilities related to the version 2.1.20 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
