The MongoDB Node.js driver received a minor version bump from 3.6.3 to 3.6.4, offering subtle improvements and refinements for developers using the popular NoSQL database with Node.js. Both versions keep identical core dependencies such as bl, bson, denque, saslprep, safe-buffer, and require_optional, ensuring a consistent foundation for database interactions. The optional dependency, saslprep, also remains unchanged.
The most notable difference lies within the development dependencies. Version 3.6.4 upgrades the standard-version tool from version 4.4.0 to 8.0.2. This update likely brings enhanced semantic versioning capabilities during the driver's release process and potentially streamlines changelog generation. While seemingly minor, this change can lead to more accurate and informative release notes for developers relying on the library. Additionally, the file count increased from 147 to 148 and the unpacked size increased from 1481512 to 1506010, which indicates some added content, most likely related to the updated build process for standard-version.
For developers, the core functionality and API remain largely consistent between the two versions. The upgrade to 3.6.4 presents a low-risk update, primarily impacting the development workflow of the MongoDB driver itself rather than introducing breaking changes to user applications. Whether to upgrade can follow a user's usual update process, since the release adds few notable features.
All the vulnerabilities related to version 3.6.4 of the package
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
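Version 3.6.4 sits inside the affected Node.js 3.6 range (prior to 3.6.10), so upgrading is the fix. The following added example (not code from the driver or from the advisory) shows a command listener that logs only metadata for authentication-related events instead of writing their bodies to a log file. The command-name list, the `sink` function and the sample events are assumptions of this example; the event names and fields follow the driver's command-monitoring events.

```javascript
// Added example, not code from the MongoDB driver.
// ASSUMPTION: these lowercase names are the authentication-related commands to
// suppress; the advisory does not enumerate them.
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);
// Handshakes are sensitive only when they carry speculative authentication data.
const HANDSHAKE_COMMANDS = new Set(['hello', 'ismaster']);

function isSensitive(event) {
  const name = String(event.commandName || '').toLowerCase();
  if (name === '' || SENSITIVE_COMMANDS.has(name)) return true; // unnamed: fail closed
  if (!HANDSHAKE_COMMANDS.has(name)) return false;
  return [event.command, event.reply].some(
    (body) => body != null && typeof body === 'object' && 'speculativeAuthenticate' in body
  );
}

// Build the object that is safe to log: metadata always, bodies only when allowed.
function toLogRecord(event) {
  const record = {
    commandName: event.commandName,
    requestId: event.requestId,
    durationMs: event.duration, // undefined on commandStarted, dropped by JSON.stringify
  };
  if (isSensitive(event)) return { ...record, redacted: true };
  if (event.command) record.command = event.command;
  if (event.reply) record.reply = event.reply;
  if (event.failure) record.failure = String(event.failure.message || event.failure);
  return record;
}

// `client` is any emitter of the driver's command-monitoring events; `sink` is a
// hypothetical function that writes one log line (for example console.log).
function attachSafeCommandLogging(client, sink) {
  for (const type of ['commandStarted', 'commandSucceeded', 'commandFailed']) {
    client.on(type, (event) => sink(JSON.stringify({ type, ...toLogRecord(event) })));
  }
}

// Constructed sample events (not captured from a real deployment).
const SAMPLE_EVENTS = [
  { commandName: 'saslStart', requestId: 1,
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'CONSTRUCTED-PAYLOAD' } },
  { commandName: 'find', requestId: 2, command: { find: 'orders', filter: { status: 'open' } } },
];
```

Keeping the redaction in the listener means a log line for a sensitive command never holds the command, reply or failure body, whichever driver version produced the event.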