MongoDB Node.js driver 2.2.8 is a small update over 2.2.7. Both are releases of the official MongoDB driver for Node.js. The one dependency change is mongodb-core, bumped from 2.0.9 in 2.2.7 to 2.0.10 in 2.2.8. mongodb-core is the low-level layer that owns connections, topology handling and the wire protocol, so a change there can affect connection stability and query execution even when the driver's own code is untouched.
Every other runtime dependency and the full set of development dependencies are identical between the two versions, so the mongodb-core bump is the entire difference. If you see connectivity or query problems on 2.2.7 that trace to the core layer, moving to 2.2.8 is the smallest step that picks up mongodb-core 2.0.10. Version 2.2.8 was published a few days after 2.2.7. This comparison covers only the dependency change; the driver's release notes are the place to confirm what 2.0.10 actually fixed.
All known vulnerabilities affecting version 2.2.8 of this package
Denial of Service in mongodb
Versions of mongodb before 3.1.13 are vulnerable to Denial of Service. When a collection name is invalid and the target database does not exist, the driver does not catch the resulting exception, so it propagates out of the driver and crashes the application. Any code path that lets a caller choose the collection name is therefore exposed. Version 2.2.8 is in the affected range.
Upgrade to version 3.1.13 or later. Until then, validate collection names before handing them to the driver and treat the call as one that can throw.
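The following is an added example, not code from the mongodb driver: it shows the vulnerable pattern (an untrusted name passed straight to db.collection()) next to a hardened accessor that validates the name first and converts any synchronous throw into an error value. The naming rules mirror MongoDB's documented restrictions (non-empty, no '$', no null byte, no leading or trailing '.', no '..'); the 100-character cap and the fakeDb object are assumptions made so the example runs without a database.

```javascript
// Added example; fakeDb is a constructed stand-in for a driver connection whose
// collection() method throws synchronously on an invalid name, as the real
// driver does. The rules below mirror MongoDB's collection naming restrictions;
// the 100-character cap is an assumed application limit.
function validateCollectionName(name) {
  if (typeof name !== 'string') return 'collection name must be a string';
  if (name.length === 0) return 'collection name cannot be empty';
  if (name.includes('\0')) return 'collection name cannot contain a null character';
  if (name.includes('$')) return "collection name must not contain '$'";
  if (name.startsWith('.') || name.endsWith('.')) return "collection name must not start or end with '.'";
  if (name.includes('..')) return "collection name must not contain '..'";
  if (name.length > 100) return 'collection name is too long'; // assumed cap
  return null; // valid
}

// Constructed stand-in for the driver: throws synchronously on a bad name.
const fakeDb = {
  collection(name) {
    const err = validateCollectionName(name);
    if (err) throw new Error(err);
    return { name };
  },
};

// Vulnerable pattern: the caller-chosen name goes straight to the driver.
// In a callback-style handler nothing catches the synchronous throw, and
// the process dies with an uncaught exception.
function lookupNaively(db, name) {
  return db.collection(name);
}

// Hardened accessor: validate first, then still guard the call, and return a
// result object instead of letting an exception escape the request handler.
function getCollectionSafely(db, name) {
  const err = validateCollectionName(name);
  if (err) return { ok: false, error: err };
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

module.exports = { validateCollectionName, fakeDb, lookupNaively, getCollectionSafely };
```

The try/catch is kept even though the validator runs first: it covers driver-side checks the validator does not know about, and it turns a process-killing exception into a 4xx-style error the handler can return to the caller.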
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (js-bson) in versions 0.5.0 through 1.0.x before 1.0.5 is vulnerable to Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when Decimal128.fromString() is called to parse a long, attacker-controlled string: the regular expression used by the parser backtracks, so matching time grows far faster than input length and the synchronous match stalls the Node.js event loop for the whole process.
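As an added example (not js-bson's own code), here is the kind of gate an application can put in front of Decimal128.fromString() when the string comes from an untrusted source: a hard length cap plus a hand-written linear-time scanner for the decimal grammar, so no backtracking regex ever sees the raw input. The 64-character cap is an assumption (a Decimal128 holds at most 34 significant digits, a sign, a point and a short exponent, so it is generous); guardedFromString takes the real parser as a parameter so the example runs without the bson package.

```javascript
// Added example, not js-bson's code. MAX_DECIMAL128_STRING_LEN is an assumed
// application limit, chosen to be well above any legitimate Decimal128 literal.
const MAX_DECIMAL128_STRING_LEN = 64;

// Linear-time check of the Decimal128 string grammar:
//   [sign] digits[.digits] [ (e|E) [sign] digits ]   or   [sign] Inf | Infinity | NaN
// Every character is visited at most once, so a hostile input costs O(n) and
// n is already bounded by the length cap.
function isWellFormedDecimal128(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_DECIMAL128_STRING_LEN) {
    return false;
  }
  let i = 0;
  if (s[i] === '+' || s[i] === '-') i++;
  const rest = s.slice(i).toLowerCase();
  if (rest === 'inf' || rest === 'infinity' || rest === 'nan') return true;

  let digits = 0;
  let sawPoint = false;
  while (i < s.length) {
    const c = s[i];
    if (c >= '0' && c <= '9') { digits++; i++; }
    else if (c === '.' && !sawPoint) { sawPoint = true; i++; }
    else break;
  }
  if (digits === 0) return false;        // "." or "+" alone
  if (i === s.length) return true;       // plain decimal, no exponent

  if (s[i] !== 'e' && s[i] !== 'E') return false;
  i++;
  if (s[i] === '+' || s[i] === '-') i++;
  let expDigits = 0;
  while (i < s.length && s[i] >= '0' && s[i] <= '9') { expDigits++; i++; }
  return expDigits > 0 && i === s.length; // exponent must have digits and end the string
}

// Wrap the real parser (e.g. Decimal128.fromString from the bson package) so
// that malformed or over-long input is rejected before the parser runs.
function guardedFromString(fromString, s) {
  if (!isWellFormedDecimal128(s)) {
    throw new RangeError('rejected malformed or over-long Decimal128 string');
  }
  return fromString(s);
}

module.exports = { MAX_DECIMAL128_STRING_LEN, isWellFormedDecimal128, guardedFromString };
```

The length cap alone already defeats the attack described above, because a backtracking regex needs a long input to become expensive; the scanner is the belt to that pair of braces and also gives the application a clear error instead of relying on the parser's own rejection message.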
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input can cause js-bson to serialize BSON incorrectly, so the document that is stored or sent is not the one the application intended. This can lead to unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The serializer ignores an unknown value in an object's _bsontype field, so the object is written as a plain embedded document rather than as the intended BSON type. An attacker who can place a _bsontype key into data the application serializes can therefore influence how that data is encoded. Upgrade to 1.1.4 or later, and do not let untrusted JSON reach the serializer with _bsontype keys in it.
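Both js-bson advisories above come down to the same exposure: JSON from an untrusted caller is handed to the serializer as-is, and a key the caller should never control (_bsontype) changes how the document is encoded. The following added example (not bson's or the driver's code) shows an application-side gate that parses the body with a size cap, rejects non-object top levels, walks the tree with a depth limit, and refuses any document that carries a _bsontype key at any level, reporting the path so the rejection is auditable. The two sample bodies are constructed for the example; the 1 MiB and depth-32 limits are assumed application settings.

```javascript
// Added example, not js-bson's code. Reject untrusted JSON that tries to pick
// its own BSON type via _bsontype before it reaches insertOne()/updateOne().
const FORBIDDEN_KEYS = new Set(['_bsontype']);
const MAX_DOC_BYTES = 1 << 20; // assumed application limit
const MAX_DOC_DEPTH = 32;      // assumed application limit

// Depth-first walk over parsed JSON. Returns the JSONPath-style location of the
// first forbidden key (or of nesting past the depth cap), or null if clean.
function findForbiddenKey(value, path = '$', depth = 0) {
  if (depth > MAX_DOC_DEPTH) return `${path} (nesting deeper than ${MAX_DOC_DEPTH})`;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`, depth + 1);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
      const hit = findForbiddenKey(value[key], `${path}.${key}`, depth + 1);
      if (hit) return hit;
    }
  }
  return null; // scalars carry no keys
}

// Parse an untrusted request body into a document that is safe to serialize.
function parseUntrustedDocument(jsonText, { maxBytes = MAX_DOC_BYTES } = {}) {
  if (typeof jsonText !== 'string' || Buffer.byteLength(jsonText, 'utf8') > maxBytes) {
    return { ok: false, error: 'document too large' };
  }
  let doc;
  try {
    doc = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, error: 'top level must be an object' };
  }
  const hit = findForbiddenKey(doc);
  if (hit) return { ok: false, error: `forbidden key at ${hit}` };
  return { ok: true, doc };
}

// Constructed sample bodies, as an attacker or a normal client might POST them.
const SAMPLE_MALICIOUS =
  '{"name":"alice","profile":{"_bsontype":"Binary","sub_type":0,"buffer":"AAAA"}}';
const SAMPLE_BENIGN =
  '{"name":"alice","tags":["a","b"],"settings":{"theme":"dark"}}';

module.exports = { findForbiddenKey, parseUntrustedDocument, SAMPLE_MALICIOUS, SAMPLE_BENIGN };
```

Rejecting rather than stripping the key is deliberate: a document that arrives with _bsontype in it is already evidence of probing, and silently deleting the key would hide that from logs. The same walk is the natural place to add any other keys the application treats as reserved.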