MongoDB Node.js driver version 2.2.22 arrived on January 24th, 2017, building on version 2.2.21, released eleven days earlier on January 13th, 2017. Both versions share the same core dependencies, including es6-promise (version 3.2.1) and readable-stream (version 2.1.5). The one difference lies in the mongodb-core dependency: version 2.2.22 uses mongodb-core 2.1.7 while 2.2.21 relies on 2.1.6. The changes between the two releases therefore live in the MongoDB core driver itself.
For developers, this is an incremental update whose stability and any performance improvements come from the updated core driver. The extensive list of devDependencies, containing tools for development, testing, and benchmarking such as co, nyc, eslint, and betterbenchmarks, is identical in both versions, so the mongodb-core update is the part to examine. It likely addresses specific issues or improves the interaction with MongoDB servers; consult the mongodb-core changelog for details of the fixes.
The package remains under the Apache-2.0 license and is available via npm. Developers are encouraged to upgrade to 2.2.22 for the newer core driver and its refinements, keeping the integration with MongoDB databases stable and robust. Keep an eye on the official MongoDB documentation for complete upgrade guides.
Vulnerabilities affecting version 2.2.22 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to catch the exception raised when a collection name is invalid and the database does not exist, so the application crashes.
Upgrade to version 3.1.13 or later.
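As an added example for the Denial of Service entry above (not code from the advisory or from the driver), the guard below validates a collection name before it reaches the driver and contains any exception the driver still throws, so one bad name surfaces as a handled error instead of crashing the process. The `isValidCollectionName` and `getCollectionSafely` helpers, the `db` shape they expect, and the naming checks (taken from MongoDB's documented restrictions rather than from the driver) are assumptions for illustration.

```javascript
// Added example (not the driver's or the advisory's code): reject unsafe
// collection names before they reach the driver, and contain any exception
// the driver still throws, so one bad name cannot take the process down.

// Assumption: these checks mirror MongoDB's documented naming restrictions
// (no empty name, no '$', no null byte, no 'system.' prefix, no empty
// dotted segment) plus the namespace length cap; they are not driver code.
function isValidCollectionName(name, dbName = "app", maxNamespaceBytes = 120) {
  if (typeof name !== "string" || name.length === 0) return false;
  if (name.includes("$")) return false;                 // '$' is reserved
  if (name.includes("\0")) return false;                // no null bytes
  if (name.startsWith("system.")) return false;         // reserved prefix
  if (/^\.|\.$|\.\./.test(name)) return false;          // empty dotted segment
  // "<db>.<collection>" byte length; 120 is the conservative pre-4.4 limit
  // (assumption: raise to 255 for servers at 4.4 or newer).
  const ns = `${dbName}.${name}`;
  return Buffer.byteLength(ns, "utf8") <= maxNamespaceBytes;
}

// Returns a result object instead of throwing, so callers handle failures
// explicitly. `db` is assumed to expose collection(name) like the driver's Db.
function getCollectionSafely(db, name) {
  if (!isValidCollectionName(name)) {
    return { ok: false, error: `invalid collection name: ${JSON.stringify(name)}` };
  }
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (err) {
    // The driver threw anyway (the uncaught case the advisory describes):
    // surface it as a handled error rather than an unhandled exception.
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for a Db: throws for unknown names so the catch path
// above can be exercised offline. Not how the real driver behaves.
function makeFakeDb(knownCollections) {
  return {
    collection(name) {
      if (!knownCollections.includes(name)) throw new Error(`namespace ${name} not found`);
      return { name };
    },
  };
}

const db = makeFakeDb(["users", "orders"]);
console.log(getCollectionSafely(db, "users"));    // { ok: true, collection: { name: 'users' } }
console.log(getCollectionSafely(db, "bad$name")); // { ok: false, error: 'invalid collection name: "bad$name"' }
```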
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.