The npm package mongodb saw a significant update with the release of version 2.2.0, following the previous stable version 2.1.21. Both versions serve as the official Node.js driver for MongoDB, providing the essential tools developers use to interact with MongoDB databases. The core difference lies in the updated dependencies. While both rely on es6-promise and readable-stream, version 2.2.0 depends on mongodb-core version 2.0.3, a notable jump from the 1.3.21 used in 2.1.21. This change in mongodb-core likely brings performance improvements, bug fixes, and potentially new features within the core MongoDB driver logic, which is a critical consideration for developers focused on optimal database interactions.
The development dependencies remain largely consistent across both versions, indicating a stable development and testing environment. Tools like co, nyc, bson, and others are used for testing, linting, and benchmarking, ensuring code quality and performance. The devDependencies list the libraries used to test the package and do not affect its production functionality. The fact that bson was updated from 0.4.20 to ^0.5.0 could indicate substantial differences, such as JSON serialization upgrades, which may affect developers working with complex data structures in MongoDB. If you are using the mongodb package, it is important to check for breaking changes in the mongodb-core and bson libraries.
All vulnerabilities related to version 2.2.0 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
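Until the upgrade lands, the practical mitigation is to keep untrusted collection names away from the driver and to make sure a rejected name becomes an error value rather than an uncaught exception. The following is an added example, not code from the mongodb driver: isValidCollectionName() enforces the documented MongoDB naming restrictions as the application's own policy (the exact list is an assumption), and getCollection() wraps any object exposing a collection(name) method, the driver's Db or a test stub, so that a throw is caught instead of crashing the process.

```javascript
'use strict';

// Reject names the server or driver would refuse. The rule list is this
// example's own policy; adjust it to what your deployment allows.
function isValidCollectionName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  if (name.includes('\0')) return false;              // null byte
  if (name.includes('$')) return false;               // reserved character
  if (name.startsWith('.') || name.endsWith('.')) return false;
  if (name.includes('..')) return false;              // empty namespace part
  if (name.startsWith('system.')) return false;       // reserved prefix
  return true;
}

// Never throws. Returns { ok: true, collection } or { ok: false, error }.
// `db` is any object with a collection(name) method; callers should map
// ok === false to a client error instead of letting it propagate.
function getCollection(db, name) {
  if (!isValidCollectionName(name)) {
    return { ok: false, error: 'invalid collection name' };
  }
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (err) {
    // An affected driver version throws here when the name is rejected and
    // the database does not exist; catching it keeps the process alive.
    const message = err && err.message ? err.message : String(err);
    return { ok: false, error: message };
  }
}
```

In an HTTP handler, return a 400 on ok === false so that an invalid name from a request never surfaces as an uncaught exception.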
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson), versions 0.5.0 to 1.0.x before 1.0.5, is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.