MongoDB Node.js driver version 3.6.0 introduces subtle yet potentially impactful changes compared to its predecessor, version 3.5.11. While both versions share a common core, providing the official interface for Node.js applications to interact with MongoDB databases, a closer examination reveals key differences that developers should be aware of.
Both share the same dependencies, differing only in patch-level ranges: the "bl" dependency range changed from "^2.2.1" to "^2.2.0".
Version 3.5.11 ships 148 files, whereas 3.6.0 ships 147.
The distribution size reported by the registry also differs: the older version reports "unpackedSize":1455229 and the newer one "unpackedSize":1486527.
Version 3.6.0 reports "releaseDate":"2020-07-30T18:13:37.114Z", while the older version reports "releaseDate":"2020-09-10T18:38:09.143Z".
These differences, though seemingly minor, might reflect internal code refactoring, dependency updates, or bug fixes that could affect application behavior. Developers upgrading from 3.5.11 to 3.6.0 should thoroughly test their applications to ensure compatibility and identify any unforeseen issues arising from these subtle changes. Regularly consulting the official MongoDB Node.js driver release notes and changelogs is crucial for staying informed about specific enhancements, bug fixes, and potential breaking changes introduced in each version.
Vulnerabilities affecting version 3.6.0 of the package:
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).