MongoDB Node.js driver version 2.2.2 is a minor update over the preceding stable release, version 2.2.1. Both versions are the official MongoDB driver for Node.js, providing the interface through which Node.js applications talk to MongoDB databases. Key dependencies such as es6-promise and readable-stream are unchanged, so core functionality and compatibility carry over. The one notable difference is the mongodb-core dependency: version 2.2.2 uses mongodb-core 2.0.5, while 2.2.1 uses 2.0.4. This change in the core driver component most likely carries bug fixes or performance improvements, improving the stability and efficiency of database operations.
Developers considering an upgrade should check whether the changes in mongodb-core 2.0.5 address any specific issues they have hit with 2.2.1. The devDependencies, which are used for development and testing, are identical, suggesting that the testing and build processes did not change significantly between the two versions. The short interval between the two release dates further suggests a focused effort on refining existing functionality rather than introducing major new features. Upgrading is therefore recommended for users who want the most stable and current release, particularly if they have encountered issues fixed in mongodb-core 2.0.5; otherwise the impact is likely to be minimal.
All vulnerabilities related to version 2.2.2 of the package:
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
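The advisory above describes an uncaught exception when an invalid collection name reaches the driver. Beyond upgrading, an application can reject malformed names before they reach the driver and convert anything the driver still throws into an ordinary error value rather than a process crash. The following is an added example written for this page; it is not code from the mongodb driver or from the advisory. The naming rules it enforces (non-empty string, no null byte, no `$`, no `system.` prefix, a length cap of 120) are assumptions taken from MongoDB's general naming restrictions, and `fakeDb` is a constructed stand-in for a driver `Db` object.

```javascript
// Added example (not from the original page or the mongodb driver).
// Validate a collection name before handing it to the driver, so that an
// untrusted or malformed name is rejected up front instead of surfacing as
// an uncaught exception deep inside the driver.

// Assumption: a conservative cap on collection-name length.
const MAX_NAME_LENGTH = 120;

// Returns { ok: true, reason: null } for an acceptable name, otherwise
// { ok: false, reason: '...' } describing which rule was violated.
function validateCollectionName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, reason: 'name must be a non-empty string' };
  }
  if (name.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: `name longer than ${MAX_NAME_LENGTH} characters` };
  }
  if (name.includes('\0')) {
    return { ok: false, reason: 'name contains a null byte' };
  }
  if (name.includes('$')) {
    return { ok: false, reason: 'name contains "$"' };
  }
  if (name.startsWith('system.')) {
    return { ok: false, reason: 'names beginning with "system." are reserved' };
  }
  return { ok: true, reason: null };
}

// Wraps db.collection(name): validates first, then catches any synchronous
// exception the driver raises and returns it as a value, so a bad name can
// never escape as an unhandled exception. Returns { collection, error }.
function guardedCollection(db, name) {
  const check = validateCollectionName(name);
  if (!check.ok) {
    return { collection: null, error: `rejected collection name: ${check.reason}` };
  }
  try {
    return { collection: db.collection(name), error: null };
  } catch (err) {
    return { collection: null, error: `driver error for "${name}": ${err.message}` };
  }
}

// Constructed stand-in for a driver Db object: it throws on a name containing
// "$", mimicking a driver that rejects invalid names with an exception.
const fakeDb = {
  collection(name) {
    if (name.includes('$')) {
      throw new Error('collection names must not contain "$"');
    }
    return { collectionName: name };
  },
};

// Usage: validation stops the bad names before the driver sees them.
const good = guardedCollection(fakeDb, 'users');
const bad = guardedCollection(fakeDb, 'audit$log');
const empty = guardedCollection(fakeDb, '');
console.log(good.collection && good.collection.collectionName, good.error);
console.log(bad.collection, bad.error);
console.log(empty.collection, empty.error);

module.exports = { validateCollectionName, guardedCollection, fakeDb, MAX_NAME_LENGTH };
```

The validator runs before the driver call so that the most common bad inputs never produce an exception at all; the try/catch around `db.collection` is the second layer, covering any rule the driver enforces that the validator does not know about.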
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.