The npm package mongodb received a patch-level version update from 3.0.9 to 3.0.10 in early June 2018. Both versions are the official Node.js driver for MongoDB, giving developers the tools to interact with MongoDB databases. The core functionality is the same in both versions, which is reflected in the identical description, license, repository, and author information.
The key difference lies within their dependencies. Version 3.0.10 updates its dependency on mongodb-core to version 3.0.9, while version 3.0.9 relies on mongodb-core version 3.0.8. This subtle change in the underlying core driver typically includes bug fixes, performance improvements, and potentially new features implemented at a lower level.
For developers using the mongodb package, upgrading to version 3.0.10 is generally recommended in order to pick up the fixes and improvements incorporated in mongodb-core. The "devDependencies" (dependencies used only for development: testing, linting, and building) are identical between the two releases and therefore have no impact on end users of the package.
While both versions are very similar, the dependency bump to mongodb-core suggests that version 3.0.10 offers a refined and potentially more stable experience for Node.js developers working with MongoDB. The small increase in "unpackedSize" from 856003 to 856264 is consistent with a change of this scope. Always refer to the mongodb-core changelog for precise details on what changed in the newer core version.
All known vulnerabilities affecting version 3.0.10 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the database does not exist, crashing the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.