MongoDB Node.js driver version 4.8.0 introduces subtle but important updates compared to its predecessor, version 4.7.0. The core dependencies have been bumped, with bson moving from ^4.6.3 to ^4.6.5, potentially incorporating performance improvements or bug fixes within the BSON serialization/deserialization layer. Developers should review the bson changelog for specific details.
The development dependencies also see notable upgrades: eslint moves from ^8.12.0 to ^8.17.0, @microsoft/api-extractor from 7.24.1 to 7.25.0, and @typescript-eslint/parser together with @typescript-eslint/eslint-plugin from ^5.26.0 to ^5.28.0. TypeScript goes from 4.7.2 to 4.7.3, and yargs from 17.4.0 to 17.5.1. These updates point to improved code-quality checks, API documentation generation, and TypeScript support, which benefits contributors and users who rely on type safety.
The increase in unpacked size (2616313 to 2625068) and file count (300 to 312) may indicate added features, tests, or documentation. Developers incorporating MongoDB into their Node.js applications should review these changes, especially if they pin dependency versions strictly or rely on specific behaviors influenced by these updated dependencies. The later release date also means this version may include security patches or fixes for newly discovered issues. Overall, 4.8.0 offers a refined development experience and potentially enhanced core functionality.
All vulnerabilities affecting version 4.8.0 of the package
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
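The version covered on this page, 4.8.0, falls inside the affected "4.0 prior to 4.17.0" range above, so an application that turns on command monitoring there must not forward raw events to its logs. The following is an added example, not code from the MongoDB driver or from this page, of the mitigation the advisory implies: a wrapper around an application's commandStarted listener that redacts authentication-related commands before they reach a log sink. The event shape (requestId, databaseName, commandName, command) mirrors the driver's command-monitoring events; the command names in the sensitive set and the speculativeAuthenticate field of the hello command are real MongoDB wire-protocol names; the sample events are constructed for illustration, and the driver wiring shown in the comment is not executed.

```javascript
// Added example: redact authentication-related command payloads before a
// command listener writes them to a log. Not part of the MongoDB driver.

const REDACTED = '<redacted>';

// Wire-protocol commands whose bodies carry credentials or SASL exchange
// payloads. Logging any of these in full is the exposure the advisory warns of.
const SENSITIVE_COMMANDS = new Set([
  'authenticate', 'saslStart', 'saslContinue', 'getnonce',
  'createUser', 'updateUser', 'copydbgetnonce', 'copydbsaslstart', 'copydb',
]);

function isSensitiveCommand(commandName) {
  return SENSITIVE_COMMANDS.has(commandName);
}

// Return a copy of the event that is safe to log. For a sensitive command only
// the command name survives, so the log still records *that* it ran. A hello
// command may carry a speculativeAuthenticate subdocument (first SASL message);
// that field alone is redacted and the rest of the handshake is kept.
function sanitizeCommandEvent(event) {
  if (isSensitiveCommand(event.commandName)) {
    return { ...event, command: { [event.commandName]: REDACTED } };
  }
  const command = { ...event.command };
  if (command.speculativeAuthenticate !== undefined) {
    command.speculativeAuthenticate = REDACTED;
  }
  return { ...event, command };
}

// Wrap an application log sink so it never receives raw authentication
// payloads, whatever the driver version emits.
function makeSafeCommandLogger(sink) {
  return function onCommandStarted(event) {
    const safe = sanitizeCommandEvent(event);
    sink(JSON.stringify(safe));
    return safe;
  };
}

// Constructed sample events shaped like the driver's commandStarted events.
const SAMPLE_EVENTS = [
  { requestId: 1, databaseName: 'admin', commandName: 'saslStart',
    command: { saslStart: 1, mechanism: 'SCRAM-SHA-256', payload: 'constructed-base64-payload' } },
  { requestId: 2, databaseName: 'admin', commandName: 'hello',
    command: { hello: 1, speculativeAuthenticate: { saslStart: 1, payload: 'constructed-payload' } } },
  { requestId: 3, databaseName: 'app', commandName: 'find',
    command: { find: 'orders', filter: { status: 'open' } } },
];

// Run the constructed events through the safe logger and return the log lines.
function demo() {
  const lines = [];
  const onCommandStarted = makeSafeCommandLogger((line) => lines.push(line));
  SAMPLE_EVENTS.forEach(onCommandStarted);
  return lines;
}

// With a real client the listener attaches like this (not executed here):
//   const client = new MongoClient(uri, { monitorCommands: true });
//   client.on('commandStarted', makeSafeCommandLogger((line) => logger.info(line)));

if (typeof require !== 'undefined' && require.main === module) {
  demo().forEach((line) => console.log(line));
}
```

The filter is deliberately keyed on the command name rather than on the field names inside the payload, because the credential-bearing fields differ between SCRAM, X.509 and legacy mechanisms while the set of commands that carry them is small and stable; the speculativeAuthenticate case is the one place a non-authentication command smuggles a SASL message, so it is handled separately.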