MongoDB Node.js driver versions 4.9.1 and 4.9.0 present subtle but noteworthy differences for developers leveraging the library for database interactions. Both versions share a common core, including dependencies like bson, socks, denque, saslprep, and mongodb-connection-string-url, ensuring continued compatibility with existing MongoDB deployments. The primary distinctions lie in the development dependencies, reflecting updates to tooling and testing environments.
Version 4.9.1 brings upgrades to several development dependencies, such as tsd (increased from 0.21.0 to 0.22.0), eslint (increased from 8.17.0 to 8.22.0), ts-node (increased from 10.8.1 to 10.9.1), @types/chai (increased from 4.3.1 to 4.3.3), @types/node (increased from 17.0.42 to 18.7.13), @types/semver (increased from 7.3.9 to 7.3.12), @microsoft/api-extractor (increased from 7.25.0 to 7.29.5), @typescript-eslint/parser (increased from 5.28.0 to 5.35.1), @typescript-eslint/eslint-plugin (increased from 5.28.0 to 5.35.1) and prettier (increased from 2.7.0 to 2.7.1). These updates likely incorporate bug fixes, performance enhancements, and new features within the respective development tools. Furthermore, the releaseDate field shows a more recent build date for version 4.9.1, suggesting refinements or patches addressing issues identified after the release of 4.9.0. The unpacked size is slightly larger.
For developers, these incremental updates primarily impact the development workflow. Upgrading to 4.9.1 ensures access to the latest linting rules, type definitions, and build tools, potentially leading to improved code quality and maintainability. However, the core functionality and API of the MongoDB driver remain largely consistent between the two versions, minimizing the risk of breaking changes during upgrades.
Vulnerabilities affecting version 4.9.1 of the package
MongoDB Driver may publish events containing authentication-related data
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).