MongoDB Node.js driver version 2.2.30 is a minor update over the previous stable version 2.2.29. Both versions keep the same core dependencies, such as es6-promise and readable-stream, so handling of asynchronous operations and stream processing is unchanged. The main difference is the updated mongodb-core dependency, which moves from version 2.1.13 to 2.1.14. A patch-level bump of this kind typically carries bug fixes, performance improvements, or internal changes within the core driver rather than new features. Developers using the MongoDB Node.js driver should consider upgrading to version 2.2.30 to pick up these refinements. Both versions expose the same feature set for working with MongoDB, including query capabilities, schema validation, and aggregation pipelines. Because the two versions also share the same development dependencies, such as bson, bluebird, and the testing tools, upgrading should cause minimal disruption for most applications, and it is worth evaluating so that the latest bug fixes are incorporated. The unchanged API lets developers stay focused on application logic and data models rather than on adapting to changes in the driver itself.
All vulnerabilities related to version 2.2.30 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not serializing BSON correctly. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, leading to cases where an object is serialized as a plain document rather than as the intended BSON type.