MongoDB Node.js driver version 3.0.1 represents a minor patch release following the 3.0.0 stable version, both maintained by Christian Kvalheim. Both versions serve as the official MongoDB driver for Node.js, enabling seamless interaction with MongoDB databases. Crucially, the primary difference lies in the core dependency: mongodb-core. Version 3.0.1 relies on mongodb-core version 3.0.1, whereas 3.0.0 depends on mongodb-core version 3.0.0.
This seemingly small change often signifies bug fixes, performance enhancements, or stability improvements within the core driver logic, which matter to developers relying on the MongoDB driver in production environments. Both versions share identical development dependencies, including tools for testing (chai, istanbul, mongodb-test-runner), linting (eslint, eslint-plugin-prettier), code formatting (prettier), benchmarking (betterbenchmarks), and documentation (jsdoc). These tools are instrumental in maintaining code quality and driver reliability, which helps ensure consistent behaviour for developers using the mongodb package in both versions. Developers choosing between the two should opt for version 3.0.1 to benefit from the latest refinements and fixes incorporated within the mongodb-core dependency. The release date difference is also worth noting: version 3.0.1 was released later on the same day, suggesting a quick follow-up to version 3.0.0.
All vulnerabilities related to version 3.0.1 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
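As a defence-in-depth check for the `_bsontype` issue described above, the following added example (not code from the advisory, the bson package or the driver) rejects client-supplied JSON that carries a `_bsontype` key before it reaches the driver. It assumes request bodies are plain JSON that never legitimately contain that key; the function names and sample bodies are hypothetical.

```javascript
// Added example: refuse untrusted JSON in which any nested object claims a BSON type.
// Assumption: legitimate client input is plain JSON and never contains `_bsontype`.

// Constructed request bodies for illustration only.
const SAMPLE_OK = '{"name":"alice","tags":["a","b"],"profile":{"age":30}}';
const SAMPLE_BAD = '{"name":"alice","_id":{"_bsontype":"Unknown","id":"x"}}';

// Walks the parsed value iteratively (no recursion, so deeply nested input
// cannot exhaust the call stack) and returns the path of a `_bsontype` key,
// or null when none is present.
function findBsonTypeKey(root) {
  const stack = [[root, '$']];
  while (stack.length > 0) {
    const [value, path] = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    // Object.keys covers both plain objects and array indices.
    for (const key of Object.keys(value)) {
      if (key === '_bsontype') return `${path}.${key}`;
      stack.push([value[key], `${path}.${key}`]);
    }
  }
  return null;
}

// Parses a raw JSON body and throws before the document can be handed to
// a query or insert if a `_bsontype` key appears anywhere inside it.
function parseUntrustedJson(raw) {
  const doc = JSON.parse(raw);
  const hit = findBsonTypeKey(doc);
  if (hit !== null) {
    throw new TypeError(`rejected input: client-supplied _bsontype at ${hit}`);
  }
  return doc;
}
```

Call `parseUntrustedJson` at the request boundary, and construct BSON types such as ObjectID server-side from validated strings rather than accepting them as objects from the client.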