Version 2.1.3 of the mongodb driver package introduces subtle but important updates compared to the preceding stable version 2.1.2. Both versions act as a legacy driver emulation layer built on top of mongodb-core, offering developers the familiar legacy interface while delegating the actual protocol work to the core driver. Developers relying on the legacy driver interface will find continuity between these versions.
The key difference lies in the dependencies. Version 2.1.3 upgrades the mongodb-core dependency from version 1.2.30 to 1.2.31. While seemingly minor, this bump likely brings bug fixes, performance enhancements and potentially new features from the core driver, all of which reach mongodb users indirectly. The other dependencies, es6-promise and readable-stream, are unchanged.
For developers, this means that upgrading to 2.1.3 is generally recommended in order to pick up the latest improvements and bug fixes in the core MongoDB driver, without requiring extensive code changes thanks to the stable emulation layer. As always, developers should review the changelog for mongodb-core version 1.2.31 to understand the specific changes included and assess their potential impact on their applications. Both versions share the same development dependencies, such as co, bson and bluebird, underlining their compatibility.
All vulnerabilities related to version 2.1.3 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
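As an added defensive example (not code from the page, the mongodb package or mongodb-core), the guard below validates a collection name before it reaches the driver and turns any exception thrown by the driver into a returned result, so an invalid name cannot take the process down; the naming rules are an assumption modelled on MongoDB's documented collection naming restrictions, and `stubDb` is a constructed stand-in for a real `Db` object.

```javascript
// Validate a (possibly user-controlled) collection name before handing it to
// the driver. Returns null when the name is acceptable, otherwise a reason.
// Rules are an assumption based on MongoDB's naming restrictions, not copied
// from the driver's own checkCollectionName implementation.
function validateCollectionName(name) {
  if (typeof name !== 'string') return 'collection name must be a string';
  if (name.length === 0) return 'collection name cannot be empty';
  if (name.includes('\u0000')) return 'collection name cannot contain a null character';
  if (name.includes('..')) return "collection name cannot contain '..'";
  if (name.startsWith('.') || name.endsWith('.')) return "collection name cannot start or end with '.'";
  if (name.includes('$')) return "collection name cannot contain '$'";
  if (name.startsWith('system.')) return "collection name cannot use the reserved 'system.' prefix";
  return null;
}

// Wrap db.collection() so that neither a rejected name nor an exception thrown
// by the driver escapes as an uncaught error. The caller gets { ok, ... } and
// decides what to do; the process keeps running. For asynchronous driver calls
// the same try/catch applies around an awaited call.
function openCollectionSafely(db, name) {
  const problem = validateCollectionName(name);
  if (problem) return { ok: false, error: problem };
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (err) {
    // A driver error that the pre-check did not anticipate is still contained.
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for a Db object: it throws on names containing
// whitespace, a rule the validator above deliberately does not cover, so the
// catch path is exercised. No real database connection is needed.
const stubDb = {
  collection(name) {
    if (/\s/.test(name)) throw new Error('Invalid collection name: ' + name);
    return { name };
  },
};

// Usage: every input produces a result object, and none of the calls throw.
function demo() {
  const results = {};
  for (const n of ['users', 'has space', 'a$b', '', '.hidden', 'system.users']) {
    results[n] = openCollectionSafely(stubDb, n);
  }
  return results;
}
```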
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.