The npm package mongodb was bumped from 2.2.8 to 2.2.9 in late August 2016. Both versions are the official Node.js driver for connecting to and interacting with MongoDB databases. Examining the package metadata reveals subtle but significant differences that developers should be aware of.
The core functionality remains consistent, with both versions listing the same dependencies for es6-promise (3.2.1) and readable-stream (2.1.5), ensuring compatibility with asynchronous operations and stream handling. The key change lies in the dependency on mongodb-core, which updates from version 2.0.10 to 2.0.11. This suggests underlying improvements or bug fixes within the core MongoDB driver logic itself. Developers upgrading should investigate the mongodb-core changelog for specific details on these changes, as they could impact performance, stability, or feature support, especially around edge cases and specific MongoDB server versions.
The devDependencies, used for development and testing, remain identical between the two versions. This indicates that the tooling and testing strategy were consistent during this update. The release dates show a roughly one-week gap between the two versions, hinting at a focused effort to address a specific issue identified in version 2.2.8. This quick turnaround reinforces the importance of staying updated with the latest patches for stability and reliability when using the MongoDB driver in production environments.
All vulnerabilities affecting version 2.2.9 of the package:

Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
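The advisory above describes an uncaught exception on an invalid collection name. Until the driver is upgraded, one defensive measure is to validate untrusted collection names before they reach the driver and to turn any driver exception into an ordinary error result. The following is an added example, not code from the mongodb package; the validation rules follow MongoDB's documented naming restrictions, the namespace length cap is a conservative assumption, and the function names and the stub `fakeDb` are this example's own.

```javascript
// Assumption: a conservative cap on the "db.collection" namespace length.
const MAX_NAMESPACE_LENGTH = 120;

// Returns null for an acceptable name, otherwise a short reason for rejection.
// Rules: non-empty string, no null byte, no "$", no reserved "system." prefix,
// and a bounded full namespace length.
function collectionNameProblem(dbName, name) {
  if (typeof name !== 'string' || name.length === 0) return 'empty or non-string name';
  if (name.includes('\0')) return 'contains a null byte';
  if (name.includes('$')) return 'contains "$"';
  if (name.startsWith('system.')) return 'reserved "system." prefix';
  if (`${dbName}.${name}`.length > MAX_NAMESPACE_LENGTH) return 'namespace too long';
  return null;
}

function isSafeCollectionName(dbName, name) {
  return collectionNameProblem(dbName, name) === null;
}

// Obtain a collection handle without letting a bad name escape as an uncaught
// exception: rejected names and driver errors both come back as { ok: false }.
function getCollectionSafely(db, name) {
  const problem = collectionNameProblem(db.databaseName, name);
  if (problem !== null) {
    return { ok: false, error: `rejected collection name: ${problem}` };
  }
  try {
    return { ok: true, collection: db.collection(name) };
  } catch (err) {
    return { ok: false, error: `driver error: ${err.message}` };
  }
}

// Constructed stand-in for a driver Db object so the example runs offline.
// It throws on a "$" in the name to imitate a driver that rejects bad names.
const fakeDb = {
  databaseName: 'app',
  collection(name) {
    if (name.includes('$')) throw new Error(`invalid collection name: ${name}`);
    return { name };
  },
};
```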
js-bson vulnerable to ReDoS
The MongoDB bson JavaScript module (also known as js-bson), versions 0.5.0 to 1.0.x before 1.0.5, is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.