MongoDB Node.js driver version 2.2.7 introduces several updates compared to its predecessor, version 2.2.6. The most notable changes are in its dependencies: es6-promise is upgraded from 3.0.2 to 3.2.1, mongodb-core from 2.0.8 to 2.0.9, and readable-stream from 1.0.31 to 2.1.5. These updates likely include bug fixes, performance improvements, and possibly new functionality in these core dependencies, indirectly benefiting users of the MongoDB driver.

Among the development dependencies, key upgrades include nyc (coverage tool) from ^5.5.0 to ^8.1.0, jsdoc (documentation generator) from 3.3.0-beta3 to 3.4.0, rimraf (file deletion tool) from 2.2.6 to 2.5.4, semver (semantic versioning) from 5.1.0 to 5.3.0, bluebird (promise library) from 2.9.27 to 3.4.1, mongodb-extended-json from 1.3.0 to 1.7.0, and mongodb-version-manager from ^0.8.10 to ^1.0.6. These upgrades suggest development environment enhancements, better testing capabilities, and more robust tooling for the driver's development team.

User-facing changes may exist within the updated core dependencies, offering improved promise handling, stream management, and core MongoDB interaction. Developers should review the changelogs for es6-promise, mongodb-core, and readable-stream to understand the specific impact of these dependency upgrades on their applications. Version 2.2.7 was released on 2016-08-19, shortly after 2.2.6 (2016-08-16), which suggests it carries bug fixes made after the 2.2.6 release.
All known vulnerabilities affecting version 2.2.7 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.