Judged by its package metadata, MongoDB Node.js driver version 4.6.0 is an incremental release over its predecessor, version 4.5.0: the visible runtime change is a dependency update rather than an API change. The "bson" dependency moves from version 4.6.2 to 4.6.3, which may carry bug fixes or minor additions in the BSON serialization/deserialization layer the driver uses for every document it sends and receives. The core functionality is unchanged, so existing applications should upgrade without code changes.
Both versions carry the same rich set of development dependencies, reflecting an active focus on code quality and testing: linting (eslint), formatting (prettier), testing (mocha, chai, sinon) and TypeScript tooling, supporting a modern development workflow. The versions of these development dependencies are mostly unchanged between the two releases.
Both versions declare the same optional dependency (saslprep, which the driver uses to normalize passwords for SCRAM-SHA-256 authentication; install it if you rely on that mechanism), the same license (Apache-2.0) and the same authors, signifying a stable development philosophy. The file count is identical while the unpacked size is slightly larger, so the growth comes from changes to existing files rather than new ones. This incremental update pattern gives developers confidence that they can pick up the latest improvements without a major code overhaul. Upgrading from 4.5.0 to 4.6.0 should be straightforward and is recommended for developers who want the most current release, which may bring security fixes and performance improvements.
Vulnerabilities known to affect version 4.6.0 of the package
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 (which includes the 4.6.0 release compared here) and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
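The exposure above only matters when an application opts into command monitoring and then writes the raw events somewhere persistent. In the Node.js driver the feature is enabled with `monitorCommands: true` on the `MongoClient` options and consumed via `client.on('commandStarted', ...)` (and `commandSucceeded` / `commandFailed`). The block below is an added example, not code from this page or from the MongoDB driver: an application-side listener wrapper that redacts the bodies of authentication-related commands before they reach a log, so that even a driver version from the affected range cannot leak SASL payloads through your logging. The function names (`isSensitiveCommand`, `redactCommandEvent`, `safeCommandLogger`) are this example's own, the list of sensitive command names follows the driver command-monitoring specification, and the event objects are constructed by hand to mirror the shape of the driver's `CommandStartedEvent` and `CommandSucceededEvent`; no driver import is needed to run it.

```javascript
// Added example, not code from the page or from the MongoDB driver: a
// command-monitoring listener that redacts authentication-related commands
// before they reach a log. With the Node.js driver the listener is attached
// like this (opt-in; command monitoring is off by default):
//   const client = new MongoClient(uri, { monitorCommands: true });
//   client.on('commandStarted', safeCommandLogger((e) => console.log(JSON.stringify(e))));
// Nothing below needs the driver: the events are constructed by hand.

// Commands whose request/reply bodies carry credentials or SASL material.
// The list follows the driver command-monitoring specification's
// "security-sensitive" commands (compared case-insensitively).
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslstart', 'saslcontinue', 'getnonce',
  'createuser', 'updateuser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

// hello/isMaster is only sensitive when it piggybacks speculative authentication.
function isSensitiveCommand(event) {
  const name = String(event.commandName || '').toLowerCase();
  if (SENSITIVE_COMMANDS.has(name)) return true;
  return (name === 'hello' || name === 'ismaster') &&
    event.command != null &&
    Object.prototype.hasOwnProperty.call(event.command, 'speculativeAuthenticate');
}

// Build a copy of the event that is safe to log: connection metadata is kept,
// the command body (and the reply, for commandSucceeded events) is replaced by
// a marker when the command is sensitive. The original event is never mutated.
function redactCommandEvent(event) {
  const sensitive = isSensitiveCommand(event);
  const safe = {
    commandName: event.commandName,
    databaseName: event.databaseName,
    requestId: event.requestId,
    connectionId: event.connectionId,
    command: sensitive ? '<redacted>' : event.command,
  };
  if ('reply' in event) safe.reply = sensitive ? '<redacted>' : event.reply;
  return safe;
}

// Wrap any sink (console.log, a logger method, an array push) so that every
// event passes through redactCommandEvent before the sink sees it.
function safeCommandLogger(sink) {
  return (event) => sink(redactCommandEvent(event));
}

// Demonstration on constructed events. The SCRAM payload strings are made up;
// a real saslStart payload would contain the client-first/server-first messages.
function demo() {
  const logged = [];
  const listener = safeCommandLogger((e) => logged.push(e));

  // commandStarted for the first SASL step: must not reach the log intact.
  listener({
    commandName: 'saslStart',
    databaseName: 'admin',
    requestId: 1,
    connectionId: 'localhost:27017',
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'constructed-client-first-message' },
  });
  // commandSucceeded for the same request: the reply carries server SASL data.
  listener({
    commandName: 'saslStart',
    databaseName: 'admin',
    requestId: 1,
    connectionId: 'localhost:27017',
    reply: { conversationId: 1, done: false, payload: 'constructed-server-first-message', ok: 1 },
  });
  // An ordinary query is passed through unchanged.
  listener({
    commandName: 'find',
    databaseName: 'app',
    requestId: 2,
    connectionId: 'localhost:27017',
    command: { find: 'users', filter: { active: true } },
  });
  return logged;
}

console.log(JSON.stringify(demo(), null, 2));
```

The wrapper is a defence in depth, not a substitute for the fix: the affected Node.js releases are corrected in 4.17.0 and later, so check the version actually installed with `npm ls mongodb` and upgrade. Keep the redaction in place regardless, because a listener that logs raw `command` and `reply` bodies will also capture any credentials an application passes in its own commands (for example `createUser`), which no driver fix can know about.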