The MongoDB Node.js driver has a new stable version, 4.12.0, released on November 16, 2022, succeeding version 4.11.0 (released on October 19, 2022). Both versions keep the description "The official MongoDB driver for Node.js" and share the same Apache-2.0 license. Key dependencies such as bson, socks, saslprep, @aws-sdk/credential-providers, and mongodb-connection-string-url are unchanged between the two.
A notable, developer-relevant change is the removal of the denque dependency in version 4.12.0. The development dependencies used for testing, linting, and building are nearly identical across both versions, so the absence of denque in the newer release suggests a refactoring or optimization of the driver's internal data structures, potentially improving performance or reducing bundle size. Developers upgrading should treat this as a possible source of subtle behavior changes, although the public API is expected to remain largely compatible.
Furthermore, version 4.12.0 exhibits a slight increase in unpackedSize (2683931 bytes compared to 2662864 bytes in 4.11.0), indicating code additions or refinements within the driver. While the fileCount remains the same at 309, this size difference, coupled with the dependency change, highlights internal modifications that may offer performance enhancements or bug fixes beneficial for developers using the MongoDB driver in their Node.js applications. Developers should review the changelog for detailed information on the specific improvements and bug fixes introduced in version 4.12.0.
All vulnerabilities related to version 4.12.0 of the package
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
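A defensive pattern for the issue described above, as an added example that is not part of this page or of the driver project: an application-side command listener that redacts the payload of authentication-related commands before anything reaches a log sink, so enabling command monitoring does not leak credentials. The `commandStarted` event shape (`commandName`, `command`, `databaseName`, `requestId`) and the `monitorCommands` client option are the driver's; the redaction list, the `speculativeAuthenticate` rule, and the sample events are constructed assumptions.

```javascript
// Added example, not from the page or the MongoDB driver: redact credentials
// from command-monitoring events before they are logged.

// Commands whose bodies carry credentials or SASL material (assumed list).
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslStart', 'saslContinue', 'getnonce',
  'createUser', 'updateUser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

// hello/isMaster may also carry credentials when speculative auth is used.
function isSensitive(event) {
  const name = event.commandName;
  if (SENSITIVE_COMMANDS.has(name)) return true;
  const lower = name.toLowerCase();
  return (lower === 'hello' || lower === 'ismaster') &&
    !!event.command && 'speculativeAuthenticate' in event.command;
}

// Returns a copy that is safe to log: sensitive commands keep only their name,
// everything else passes through unchanged.
function redactCommandEvent(event) {
  return {
    requestId: event.requestId,
    databaseName: event.databaseName,
    commandName: event.commandName,
    command: isSensitive(event)
      ? { [event.commandName]: '<redacted>' }
      : event.command,
  };
}

// Listener factory. Wire it up with:
//   const client = new MongoClient(uri, { monitorCommands: true });
//   client.on('commandStarted', makeSafeListener((line) => logger.info(line)));
function makeSafeListener(sink) {
  return (event) => sink(JSON.stringify(redactCommandEvent(event)));
}

// Constructed sample events shaped like the driver's commandStarted events:
// a SCRAM handshake step (sensitive) and an ordinary query (not sensitive).
const SAMPLE_EVENTS = [
  { requestId: 1, databaseName: 'admin', commandName: 'saslStart',
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'n,,n=app,r=CLIENTNONCE' } },
  { requestId: 2, databaseName: 'shop', commandName: 'find',
    command: { find: 'orders', filter: { status: 'open' } } },
];
```

Run the listener over `SAMPLE_EVENTS` to see that the `saslStart` payload is dropped while the `find` command is logged intact.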