MongoDB Node.js driver version 2.2.13 differs from its predecessor, 2.2.12, in a single declared change: the mongodb-core dependency moves from version 2.0.14 to 2.1.0. mongodb-core is the package that implements the wire protocol, connection handling and topology logic beneath the public driver API, so a minor-version bump there can change connection and error behaviour even though nothing else in the driver's dependency list moved. Developers upgrading from 2.2.12 should read the mongodb-core 2.1.0 changes rather than assume the bump is cosmetic.
Aside from the mongodb-core bump, the other runtime dependencies, including es6-promise and readable-stream, are unchanged, and the development dependencies used to test and build the driver are identical between the two versions. The release is confined to the driver's internals and adds no new public API, so existing code should need no changes to move to 2.2.13.
Version 2.2.13 was released on December 7th, 2016, eight days after the 2.2.12 release of November 29th, 2016. Users on 2.2.12 can move to 2.2.13 to pick up the newer mongodb-core, but the bump does not address any of the vulnerabilities listed below: both 2.2.12 and 2.2.13 sit inside the affected ranges, and the remediation for those is a later major version of the driver and a patched bson, not this point release.
Known vulnerabilities affecting version 2.2.13 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service: the driver fails to catch the exception raised when a collection name is invalid and the database does not exist, so the error surfaces as an uncaught exception and crashes the Node.js process instead of being reported through the callback or promise. Any code path that lets untrusted input choose a collection name is therefore a remote crash trigger.
Remediation: upgrade to version 3.1.13 or later. For a 2.2.x application this means crossing the 3.x major version, which changed the public API (for example, what MongoClient.connect hands back), so plan it as a migration rather than a dependency bump; until the upgrade lands, validate collection names before they reach the driver and never take them directly from request input.
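The mitigation suggested above, as an added example that is not driver code and not part of the original page: a validator that applies the collection-name rules the MongoDB Node.js driver enforces (non-empty string, no `..`, no `$` except in `$cmd` and `oplog.$main`, no leading or trailing `.`, no null byte), run before the name reaches the driver, plus an allow-list wrapper so untrusted input can only select from names the application already knows. The rule set is this author's reconstruction and should be treated as an assumption to verify against the driver version in use; `resolveCollection`, `ALLOWED_COLLECTIONS` and the `db` argument are hypothetical names for illustration.

```javascript
'use strict';

// Added example, not driver code. Each rule is a predicate plus the reason
// reported when it fails. The rules reconstruct the driver's own collection
// name checks (assumption: verify against the driver version you run).
const NAME_RULES = [
  [n => typeof n === 'string', 'collection name must be a string'],
  [n => n.length > 0, 'collection name must not be empty'],
  [n => !n.includes('..'), 'collection name must not contain ".."'],
  [n => !n.includes('$') || /(^\$cmd)|(oplog\.\$main)/.test(n),
    "collection name must not contain '$'"],
  [n => !/^\.|\.$/.test(n), "collection name must not start or end with '.'"],
  [n => !n.includes('\u0000'), 'collection name must not contain a null byte'],
];

// Returns { ok: true } or { ok: false, reason } without throwing, so callers
// on a driver version that still crashes on bad names can reject early.
function validateCollectionName(name) {
  for (const [check, reason] of NAME_RULES) {
    if (!check(name)) return { ok: false, reason };
  }
  return { ok: true };
}

// Hypothetical allow-list: untrusted input picks one of these names rather
// than supplying an arbitrary string, which removes the crash path entirely.
const ALLOWED_COLLECTIONS = new Set(['users', 'orders', 'audit_log']);

// `db` is anything exposing a `.collection(name)` method (hypothetical shape).
function resolveCollection(db, requested) {
  if (!ALLOWED_COLLECTIONS.has(requested)) {
    throw new Error(`collection ${JSON.stringify(requested)} is not allowed`);
  }
  // Defence in depth: the allow-list already guarantees a valid name, but the
  // validator catches a future allow-list entry that breaks the rules.
  const verdict = validateCollectionName(requested);
  if (!verdict.ok) throw new Error(verdict.reason);
  return db.collection(requested);
}

module.exports = { validateCollectionName, resolveCollection, ALLOWED_COLLECTIONS };
```

Reject-before-call is the point: the advisory is about an exception the driver throws but does not catch, so the fix on the application side is to make sure the driver is never handed a name that would make it throw.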
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson (the bson package) not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. This entry states no affected range; the closely related entry that follows gives bson 1.1.4 as the first fixed version.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, so such an object is serialized as an ordinary document rather than the BSON type the value names; attacker-controlled JSON that carries a _bsontype key can therefore reach the database in a different shape from the one the application intended.
Remediation: upgrade bson to 1.1.4 or later. bson is not a direct dependency of the driver; mongodb 2.2.13 pulls it in through mongodb-core, so check the resolved bson version in your lockfile (npm ls bson) rather than the driver version, and do not accept _bsontype keys from untrusted input at all.
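The input-side defence for both bson entries, as an added example that is not js-bson or driver code and is not part of the original page: walk a parsed JSON value that arrived from an untrusted source and reject it if any object carries a `_bsontype` key, so the only typed BSON values that reach the serializer are the ones the application constructs itself. It assumes that legitimate client input never has a reason to carry `_bsontype` (an application that deliberately accepts Extended JSON would need a different, allow-listed decoder); the sample inputs and the `MAX_DEPTH` limit are constructed for the example.

```javascript
'use strict';

// Added example, not js-bson code. Assumption: deeper nesting than this is
// treated as hostile rather than walked further.
const MAX_DEPTH = 32;

// Recursively collects every object that carries a `_bsontype` key, recording
// a JSONPath-style location so the rejection can be logged precisely.
function findBsonTypeKeys(value, path = '$', depth = 0, found = []) {
  if (depth > MAX_DEPTH) {
    found.push({ path, reason: 'nesting too deep' });
    return found;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      findBsonTypeKeys(value[i], `${path}[${i}]`, depth + 1, found);
    }
    return found;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key === '_bsontype') {
        // The vulnerable serializer silently ignores unknown values here and
        // writes a plain document; we refuse the whole input instead.
        found.push({ path, reason: `unexpected _bsontype=${JSON.stringify(value[key])}` });
      }
      findBsonTypeKeys(value[key], `${path}.${key}`, depth + 1, found);
    }
  }
  return found;
}

// Parse untrusted JSON and throw before it can be handed to the driver if it
// carries any `_bsontype` key; returns the parsed document otherwise.
function parseUntrustedDocument(json) {
  const doc = JSON.parse(json);
  const problems = findBsonTypeKeys(doc);
  if (problems.length > 0) {
    const first = problems[0];
    throw new Error(`rejected document: ${first.reason} at ${first.path}`);
  }
  return doc;
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_OK = '{"name":"alice","tags":["a","b"],"profile":{"age":30}}';
const SAMPLE_BAD = '{"name":"alice","token":{"_bsontype":"NotARealType","value":"x"}}';

module.exports = { MAX_DEPTH, findBsonTypeKeys, parseUntrustedDocument, SAMPLE_OK, SAMPLE_BAD };
```

Rejecting the whole document, rather than stripping the offending key, is deliberate: an input that carries `_bsontype` is either a client bug or an attempt to smuggle a typed value, and neither should be silently repaired into something the application then stores.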