MongoDB Node.js driver version 3.0.8 is a minor iteration over the preceding 3.0.7, centered on improvements within the mongodb-core dependency, which is also updated to version 3.0.8. Both versions keep the same development dependencies, including the linting, testing, and documentation tools eslint, chai, sinon, and jsdoc. Developers using either version get a robust, well-tested driver compatible with MongoDB databases.
The key consideration when choosing between these versions is the nature of the fixes or enhancements incorporated into mongodb-core 3.0.8. Runtime dependencies such as co, bson, bluebird, prettier and semver were kept at the same versions. Reviewing the changelog for mongodb-core is therefore the way to understand the specific reasons for the upgrade. If the newer core addresses critical bugs or performance bottlenecks relevant to the application, upgrading to 3.0.8 is advisable; otherwise, staying on 3.0.7 may suffice.
The dist sections show differences in file count and unpacked size: mongodb 3.0.8 has a fileCount of 39 and an unpackedSize of 733469 bytes, compared to 40 files and 856449 bytes in version 3.0.7.
Both versions are licensed under Apache-2.0, ensuring open-source usability. The release dates are spaced apart as well, with version 3.0.7 released about 3 weeks before version 3.0.8.
Vulnerabilities affecting version 3.0.8 of the package
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to catch the exception raised when a collection name is invalid and the database does not exist, which crashes the application.
Upgrade to version 3.1.13 or later.
Deserialization of Untrusted Data in bson
Incorrect parsing of certain JSON input may result in js-bson not serializing BSON correctly. This may cause unexpected application behaviour, including data disclosure.
Deserialization of Untrusted Data in bson
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
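Both advisories above are triggered by untrusted input reaching the driver unchecked: a collection name the server rejects, and a document carrying a `_bsontype` marker that old js-bson did not recognise. The following is an added example, not code from the mongodb or bson projects, of screening such input at the application boundary before any driver call is made. The collection naming rules (non-empty, no `$`, no null byte, no `system.` prefix, bounded namespace length) and the `KNOWN_BSON_TYPES` allow-list of bson 1.x type names are assumptions based on MongoDB and js-bson documentation; `screenRequest` and the sample requests are constructed for the example.

```javascript
'use strict';

// Added example (not from the mongodb or bson projects): screen untrusted input
// before it reaches the driver.
//  1. validateCollectionName(): reject names the server would refuse, so the
//     driver never raises the uncaught exception described in the DoS advisory.
//  2. findUnknownBsonTypes(): walk a document and report any `_bsontype` marker
//     outside an allow-list, since bson before 1.1.4 silently serialized such
//     objects as plain documents instead of the intended BSON type.
// Naming rules, namespace limit and the allow-list are assumptions drawn from
// MongoDB / js-bson documentation, not from the advisory text itself.

const MAX_NAMESPACE_BYTES = 120; // assumed "<db>.<collection>" limit of older server versions

function validateCollectionName(dbName, collName) {
  const problems = [];
  if (typeof collName !== 'string' || collName.length === 0) {
    problems.push('collection name must be a non-empty string');
    return problems;
  }
  if (collName.includes('$')) problems.push('collection name must not contain "$"');
  if (collName.includes('\0')) problems.push('collection name must not contain a null byte');
  if (collName.startsWith('system.')) problems.push('"system." prefix is reserved');
  const ns = `${dbName}.${collName}`;
  if (Buffer.byteLength(ns, 'utf8') > MAX_NAMESPACE_BYTES) {
    problems.push(`namespace longer than ${MAX_NAMESPACE_BYTES} bytes`);
  }
  return problems;
}

// Assumed allow-list: the _bsontype names used by bson 1.x for its wrapper types.
const KNOWN_BSON_TYPES = new Set([
  'ObjectID', 'Long', 'Double', 'Int32', 'Decimal128', 'Binary', 'Timestamp',
  'Code', 'MinKey', 'MaxKey', 'Symbol', 'DBRef', 'BSONRegExp',
]);

// Recursively collect every object whose _bsontype is not on the allow-list,
// returning the JSON-path of each offending object so it can be logged.
function findUnknownBsonTypes(doc, path = '$', out = []) {
  if (doc === null || typeof doc !== 'object') return out;
  if (Object.prototype.hasOwnProperty.call(doc, '_bsontype') &&
      !KNOWN_BSON_TYPES.has(doc._bsontype)) {
    out.push({ path, type: String(doc._bsontype) });
  }
  for (const key of Object.keys(doc)) {
    if (key === '_bsontype') continue;
    findUnknownBsonTypes(doc[key], `${path}.${key}`, out);
  }
  return out;
}

// Combined gate an application would run before calling the driver.
function screenRequest(req) {
  const nameProblems = validateCollectionName(req.db, req.collection);
  const typeProblems = findUnknownBsonTypes(req.document);
  return {
    ok: nameProblems.length === 0 && typeProblems.length === 0,
    nameProblems,
    typeProblems,
  };
}

// Constructed sample requests, shaped like what an API client might send.
const SAMPLE_REQUESTS = [
  { db: 'app', collection: 'orders', document: { total: 12.5 } },
  { db: 'app', collection: 'orders$', document: {} },
  { db: 'app', collection: 'orders',
    document: { nested: { _bsontype: 'NotAType', payload: 'x' } } },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(screenRequest(r)));
}
```

Requests that fail the gate should be rejected with a client error and logged; only requests that pass are handed to the driver, which keeps a malformed name or an unexpected `_bsontype` from ever being serialized. Upgrading the driver and bson to the fixed versions remains the actual remediation; the gate is defence in depth.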