The MongoDB Node.js driver experienced a major version bump from 2.2.36 to 3.0.0, signaling significant changes for developers. While both versions share the same fundamental purpose—providing an interface to interact with MongoDB databases—their internal structure and dependency landscape differ considerably.
Version 3.0.0 shifts its core dependency to mongodb-core version 3.0.0, suggesting a likely overhaul in the underlying connection management and protocol handling compared to version 2.2.36, which relies on mongodb-core 2.1.20. The older version also depends directly on es6-promise and readable-stream; these direct dependencies were removed in later versions and are probably pulled in through mongodb-core instead.
From a developer perspective, the upgrade involves reconsidering compatibility with older Node.js versions and potentially adapting code to accommodate changes in the API exposed by mongodb-core. Both versions are licensed under Apache-2.0, ensuring freedom for commercial and non-commercial use. Reviewing the changelog and migration guides becomes crucial when moving to version 3.0.0, as the updated core may introduce breaking changes. The newer version also has newer development dependencies, such as eslint-plugin-prettier, which enforces code style consistency. The release dates also indicate that version 2.2.36 was published after 3.0.0, which suggests that there will probably be some compatibility issues.
All vulnerabilities related to version 3.0.0 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
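As an added example (not code from the mongodb driver or js-bson), the following Node.js checks gate untrusted input before it reaches the driver, covering both the Denial of Service advisory and the bson advisories above. The collection-name rules are assumed to mirror MongoDB's documented naming restrictions rather than being copied from the driver; any `_bsontype` key in JSON-decoded input is rejected outright because JSON.parse can never produce a genuine BSON wrapper object.

```javascript
// Added example, not code from the mongodb driver or js-bson: two gates for
// untrusted input, one per advisory above. Assumption: the name rules mirror
// MongoDB's documented collection-name restrictions (non-empty, no "$", no NUL,
// no leading/trailing/double ".", no reserved "system." prefix); they are not
// copied from the driver.
// Validate the name ourselves, synchronously, so a bad name is a catchable
// TypeError rather than an exception the driver may raise where nothing
// catches it (cf. the Denial of Service advisory).
function validateCollectionName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('collection name must be a non-empty string');
  }
  if (name.includes('\0')) throw new TypeError('collection name contains NUL');
  if (name.includes('$')) throw new TypeError('collection name contains "$"');
  if (name.startsWith('.') || name.endsWith('.') || name.includes('..')) {
    throw new TypeError('collection name has a leading, trailing or double "."');
  }
  if (name.startsWith('system.')) throw new TypeError('"system." names are reserved');
  return name;
}

// JSON.parse can never yield a genuine BSON wrapper object, so a "_bsontype"
// key anywhere in decoded untrusted input exists only to steer how js-bson
// serializes that object (cf. the bson advisories); refuse it outright.
function rejectBsonTypeKeys(value, path = '$') {
  if (Array.isArray(value)) {
    value.forEach((item, i) => rejectBsonTypeKeys(item, `${path}[${i}]`));
  } else if (value !== null && typeof value === 'object') {
    if (Object.prototype.hasOwnProperty.call(value, '_bsontype')) {
      throw new TypeError(`unexpected _bsontype key at ${path}`);
    }
    for (const [k, v] of Object.entries(value)) rejectBsonTypeKeys(v, `${path}.${k}`);
  }
  return value;
}

// Boolean form for callers that want a decision instead of an exception.
function isSafeInput(collectionName, doc) {
  try {
    validateCollectionName(collectionName);
    rejectBsonTypeKeys(doc);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Constructed sample, as a request body looks after JSON.parse: tags[1] smuggles a key.
const sampleDoc = JSON.parse('{"user":"alice","tags":["a",{"_bsontype":"Bogus","n":1}]}');
console.log(isSafeInput('users', sampleDoc)); // false
```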