MongoDB Node.js driver version 2.2.33 introduces subtle but important updates compared to version 2.2.32. Both versions serve as the official interface for Node.js applications to interact with MongoDB databases, providing essential functionality for data manipulation and management. Key dependencies such as es6-promise and readable-stream remain consistent across both versions, ensuring continued compatibility and stability.
The primary difference lies in the updated mongodb-core dependency. Version 2.2.33 utilizes mongodb-core version 2.1.17, while version 2.2.32 relies on version 2.1.16. This update in mongodb-core likely incorporates bug fixes, performance enhancements, and potentially new features at the core driver level. Developers should consult the mongodb-core changelog for detailed information on the specific changes introduced in version 2.1.17.
Version 2.2.33 is the later build and incorporates the mongodb-core update, although the release date listed for version 2.2.33 (2017-10-12) is the same as the one listed for version 2.2.32 (2017-10-12). Of the two, version 2.2.33 is the more up-to-date choice, and those already using 2.2.32 are advised to upgrade to 2.2.33 to pick up the improvements and fixes in the updated core dependency. Both versions have the same development dependencies, license, repository details, and authorship, which indicates an update focused on the core driver component. Version 2.2.33 is still affected by the vulnerabilities listed below.
Vulnerabilities affecting version 2.2.33 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
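One application-side guard for the _bsontype issue described above, to complement moving to bson 1.1.4 or later: reject untrusted JSON that sets `_bsontype` anywhere before it reaches the driver. This is an added example, not code from the original page or from the driver; the function names and sample request bodies are assumptions made for illustration.

```javascript
// Added example (not driver code). Walks parsed, untrusted JSON and reports
// the first place a `_bsontype` key appears, so the caller can refuse it.
// Function names are hypothetical.
function findBsonTypeKey(value, path = '$', seen = new Set()) {
  if (value === null || typeof value !== 'object') return null;
  if (seen.has(value)) return null; // already visited (also stops cycles)
  seen.add(value);
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findBsonTypeKey(value[i], `${path}[${i}]`, seen);
      if (hit) return hit;
    }
    return null;
  }
  for (const key of Object.keys(value)) {
    if (key === '_bsontype') return `${path}.${key}`;
    const hit = findBsonTypeKey(value[key], `${path}.${key}`, seen);
    if (hit) return hit;
  }
  return null;
}

// Parse a request body and throw if any nested object claims a BSON type.
// Legitimate BSON values should be built server-side, never taken from input.
function parseUntrustedDocument(jsonText) {
  const doc = JSON.parse(jsonText);
  const hit = findBsonTypeKey(doc);
  if (hit) {
    throw new TypeError(`untrusted input sets _bsontype at ${hit}`);
  }
  return doc;
}

// Constructed sample request bodies (not taken from any real traffic).
const SAMPLES = [
  '{"name":"alice","tags":["a","b"]}',
  '{"filter":{"_id":{"_bsontype":"ObjectID","id":"constructed"}}}',
];
for (const body of SAMPLES) {
  try {
    parseUntrustedDocument(body);
    console.log('accepted:', body);
  } catch (err) {
    console.log('rejected:', err.message);
  }
}
```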