MongoDB Node.js driver version 2.2.14 is a minor update over version 2.2.13, focusing primarily on internal dependency adjustments. Both versions serve as the official MongoDB driver for Node.js, enabling seamless interaction with MongoDB databases. Developers will find the core functionality and API largely consistent between the two.
A key difference lies in the mongodb-core dependency. Version 2.2.14 utilizes mongodb-core version 2.1.1, whereas version 2.2.13 relies on version 2.1.0. This update in the core driver likely includes bug fixes, performance improvements, and potentially new features at a lower level, though these changes might not be immediately apparent in the high-level MongoDB driver API. Other dependencies, such as es6-promise and readable-stream, remain at the same versions in both releases.
For developers, the upgrade from 2.2.13 to 2.2.14 should be relatively straightforward, assuming no direct reliance on undocumented or internal behaviors of the mongodb-core driver. The update promises potential stability and performance enhancements inherited from the core driver improvements. The release dates indicate that version 2.2.14 was released shortly after 2.2.13, suggesting a quick follow-up release potentially addressing urgent issues or incorporating late-breaking improvements. As always, thoroughly testing the upgraded driver in a non-production environment is recommended to ensure compatibility and identify unforeseen issues before deploying to production.
All the vulnerabilities related to the version 2.2.14 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
