MongoDB Node.js driver version 2.1.9 is a patch-level update over the prior stable release, 2.1.8, focused on internal dependency adjustments and bug fixes; the driver's public functionality is unchanged between the two. The "description", "license", "repository", and "author" fields are identical. The key difference is in the "dependencies" section, specifically the "mongodb-core" dependency: version 2.1.9 requires "mongodb-core": "1.3.7", while version 2.1.8 requires "mongodb-core": "1.3.5". The update therefore picks up whatever bug fixes, performance improvements, or new features landed in the underlying driver core between those two releases; developers should consult the mongodb-core changelog for the details.
Both versions declare the same set of "devDependencies", so the tooling used for development, testing, and building the package did not change in this release, and the development workflow and test procedure can be assumed to be the same. The releaseDate of version 2.1.9 is "2016-03-16T10:00:34.030Z" and that of version 2.1.8 is "2016-03-14T12:17:28.350Z". The tarball download links differ, reflecting the distinct build of each version. Given the patch-level version increment, developers can expect a straightforward upgrade from 2.1.8 to 2.1.9, with minimal to no breaking changes anticipated. The primary reason to update is to benefit from the fixes incorporated into the "mongodb-core" dependency.
All vulnerabilities reported against version 2.1.9 of the package, including those in the bson library it pulls in through mongodb-core
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to catch the exception thrown when a collection name is invalid and the database does not exist, so a single request carrying a malformed collection name can crash the application. Version 2.1.9 is affected.
Upgrade to version 3.1.13 or later. From 2.1.9 this is a jump across a major version boundary (2.x to 3.x), so the 3.0 driver migration notes should be reviewed alongside the upgrade.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. The entry as listed gives no affected or fixed version range, so the bson version resolved under mongodb-core 1.3.7 should be checked against the bson changelog rather than assumed safe.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, so an object carrying an unrecognized type marker is serialized as an ordinary document rather than the intended BSON type. Because _bsontype is an ordinary key in JSON, caller-controlled input can carry it; the fix is to upgrade bson to 1.1.4 or later, and until then to keep _bsontype out of any JSON that reaches the driver.
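As an added illustration (not code from the mongodb driver, mongodb-core or bson projects), the following Node.js snippet shows the two input-side checks a practitioner would put in front of an older 2.x driver while an upgrade is pending: rejecting collection names the server would refuse, so the driver never reaches the uncaught-exception path described under the Denial of Service entry, and stripping `_bsontype` keys (together with `$`-prefixed and `__proto__` keys, which goes beyond the bson advisory) out of caller-supplied JSON so untrusted input cannot pose as a BSON type. The naming rules, the 120-byte namespace limit, and the in-memory `fakeCollectionFactory` are assumptions made for this example; `safeInsertOne` accepts any object exposing a driver-like `insertOne`.

```javascript
'use strict';

// Conservative naming rules, assumed for this example from MongoDB's
// documented naming restrictions: a collection name must be non-empty,
// contain no '$' or NUL byte, and not start with "system."; a database name
// must be non-empty and contain none of / \ . " $ space or NUL; and the
// "db.collection" namespace is capped at 120 bytes, the limit on older
// servers and therefore the safe choice.
const NAMESPACE_MAX_BYTES = 120;
const BAD_DB_CHARS = /[\/\\. "$\0]/;

function isSafeCollectionName(dbName, collName) {
  if (typeof dbName !== 'string' || dbName.length === 0 || BAD_DB_CHARS.test(dbName)) {
    return false;
  }
  if (typeof collName !== 'string' || collName.length === 0) return false;
  if (collName.includes('$') || collName.includes('\0')) return false;
  if (collName.startsWith('system.')) return false;
  const nsBytes = new TextEncoder().encode(`${dbName}.${collName}`).length;
  return nsBytes <= NAMESPACE_MAX_BYTES;
}

// Recursively drop keys that would let JSON.parse output masquerade as a BSON
// type ('_bsontype'), act as a query operator ('$'-prefixed), or rewrite the
// prototype of the copy ('__proto__'). Intended for plain parsed JSON only:
// Date/Buffer instances are not expected in untrusted input and are not preserved.
function stripBsonTypeMarkers(value) {
  if (Array.isArray(value)) return value.map(stripBsonTypeMarkers);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (k === '_bsontype' || k === '__proto__' || k.startsWith('$')) continue;
    out[k] = stripBsonTypeMarkers(v);
  }
  return out;
}

// Insert wrapper: validates the namespace and sanitizes the document before
// the driver sees either, and turns a thrown driver error into a structured
// failure instead of an uncaught exception that would take the process down.
async function safeInsertOne(collectionFactory, dbName, collName, untrustedDoc) {
  if (!isSafeCollectionName(dbName, collName)) {
    return { ok: false, reason: 'invalid collection name' };
  }
  const doc = stripBsonTypeMarkers(untrustedDoc);
  try {
    const result = await collectionFactory(dbName, collName).insertOne(doc);
    return { ok: true, result };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed in-memory stand-in for a driver collection so the example runs
// offline; a real deployment would pass (db, name) => client.db(db).collection(name).
function fakeCollectionFactory(store) {
  return (dbName, collName) => ({
    async insertOne(doc) {
      const key = `${dbName}.${collName}`;
      if (!store.has(key)) store.set(key, []);
      store.get(key).push(doc);
      return { insertedCount: 1 };
    },
  });
}
```

Call `safeInsertOne(fakeCollectionFactory(new Map()), 'app', 'users', JSON.parse(body))` with any request body; names such as `bad$name` or `system.users` are refused before the driver is touched, and a body like `{"_bsontype":"Code","name":"alice"}` is stored as `{"name":"alice"}`. These checks narrow the exposure of an unpatched driver; they do not replace upgrading mongodb to 3.1.13 or later and bson to 1.1.4 or later.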