MongoDB Node.js driver version 2.2.4 is a minor point release following version 2.2.3. Both versions serve as the official MongoDB driver for Node.js, providing the interface applications use to interact with MongoDB databases. A key difference between the two versions is the release date – version 2.2.4 was published just minutes after 2.2.3, suggesting that the changes were important enough to warrant an immediate new release.
Both versions share identical dependencies: es6-promise, mongodb-core, and readable-stream, ensuring consistent core functionality. Similarly, the devDependencies, including tools such as co, nyc, bson, gleak, jsdoc, and a suite of testing and utility libraries, remain the same. This indicates that the development and testing environment and processes have not been altered between the two releases.
The identical dependencies and devDependencies suggest that the changes in 2.2.4 are likely bug fixes, performance improvements, or very minor feature tweaks within either the driver itself or its core dependencies. While the differences are subtle, developers should consider upgrading to 2.2.4 from 2.2.3 to benefit from any potential refinements, especially concerning stability or performance. For existing applications, this upgrade is likely non-breaking. New projects should always use the latest stable version.
All the vulnerabilities related to version 2.2.4 of the package:

Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.

js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.

Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure.

Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.