MongoDB Node.js driver version 2.2.23, released on February 13, 2017, represents a subtle but significant update compared to its predecessor, version 2.2.22, released on January 24, 2017. While both versions share the same core dependencies like es6-promise, readable-stream, and a nearly identical set of development dependencies used for testing and tooling, the key difference lies within the mongodb-core dependency. Version 2.2.23 utilizes mongodb-core version 2.1.8, whereas version 2.2.22 relies on version 2.1.7.
This seemingly minor change in the mongodb-core dependency likely encompasses bug fixes, performance enhancements, or internal improvements within the core MongoDB driver logic. For developers, this means version 2.2.23 potentially offers a more stable and efficient interaction with MongoDB databases. The mongodb-core handles the low-level communication and protocol implementation; therefore, upgrades often address crucial aspects of data handling, connection management, and overall driver reliability.
Although the high-level API exposed to developers may remain largely consistent between these two versions, adopting version 2.2.23 is recommended. Staying up to date with the latest patch versions ensures access to the most current bug fixes and performance optimizations embedded within the mongodb-core component, leading to a smoother and more robust MongoDB integration in Node.js applications. Always consult the mongodb-core changelog for specific details regarding the changes introduced in version 2.1.8 to fully understand the implications of this update.
All the vulnerabilities related to the version 2.2.23 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
