[Snyk] Upgrade mongodb from 3.5.9 to 6.13.0

[akanchhaS]

Snyk has created this PR to upgrade mongodb from 3.5.9 to 6.13.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 268 versions ahead of your current version.

• The recommended version was released 21 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Remote Memory Exposure SNYK-JS-BL-608877	199	Proof of Concept

Release notes

Package name: mongodb

• 6.13.0 - 2025-01-30
  

  6.13.0 (2025-01-30)

  The MongoDB Node.js team is pleased to announce version 6.13.0 of the mongodb package!

  Release Notes

  MongoDB Standardized Logging 📝

  The driver's standardized logger is now available! The primary goal of our driver's logger is to enable insight into database operations without code changes so enabling and configuring the logger are primarily done through our environment variables.

  TL;DR Show me the logs!

  env MONGODB_LOG_ALL=debug node server.mjs

  Tip

  If you are a CLI app developer (or otherwise take great care of your std outputs): The client options constructor argument takes precedence over environment variables, permitting you to disable or otherwise customize the logger so your app does not automatically respond to the current environment.

  Check out the in-depth logging docs here: https://www.mongodb.com/docs/drivers/node/current/fundamentals/logging/

  🚀 Improved command monitoring performance

  Previously, when command monitoring was enabled, the driver would make deep copies of command and reply objects, which have the potential to be very large documents. These copies have been eliminated, providing a speed and memory efficiency bump to command monitoring.

  Warning

  Since we no longer make deep copies of commands/replies in Command Monitoring Events, directly modifying the command/reply objects on CommandStartedEvents and CommandSucceededEvents may lead to undefined behaviour.

  🧪 Experimental AbortSignal support added to Find and Aggregate! 🚥

  A signal argument can now be passed to the following APIs:

  • collection.find() & collection.findOne()
  • collection.aggregate() & collection.countDocuments()

  In order to support field level encryption properly, also:

  • db.listCollections()
  • db.command()

  When aborted, the signal will interrupt the execution of each of each of these APIs. For the cursor-based APIs, this will be observed when attempting to consume from the cursor via toArray(), next(), for-await, etc.

  There is a known limitation: aborting a signal closes a perfectly healthy connection which can cause unnecessary connection reestablishment so we're releasing this as experimental for evaluation in use cases that can tolerate the shortcoming.

  DNS SRV & TXT look up timeouts are retried

  To mitigate the potentially transient DNS timeout error, the driver now catches and retries the DNS lookups upon resolving a mongodb+srv:// style connection string.

  MongoClient.close now closes any outstanding cursors

  Previously, cursors could somewhat live beyond the client they came from. What this meant was that depending on timing you would learn of the client's (and by proxy, the cursor's) demise via an assertion that the associated session had expired. This only occurred if your cursor needed to use the session, which only happens when it is attempting to run a getMore operation to obtain another batch of documents.

  Practically speaking a cursor that lives beyond a client is an exception waiting to happen, the connection pools are closed, the sessions are ended, last call has been served 🍻, it is only a matter of timing and event firing until the cursor learns of its fate and informs you by throwing an error via whatever API is being used (.toArray(), for-await, .next()).

  To make the expected state of cursors clearer in this scenario the MongoClient will now close any associated cursors upon its close()-ing reducing the risk of leaving behind server-side resources.

  MongoClient.close() can be called concurrently

  In the past, concurrent calls to MongoClient.close() had poorly defined behavior depending on the exact timing of the second (or more) calls to close(). In some cases, this could also throw errors.

  With these changes, MongoClient.close() can be called concurrently safely and always returns the same promise.

  Note

  This is intended as a correctness fix - we don't recommend calling MongoClient.close() concurrently if it can be avoided.

  MONGODB-OIDC now properly reauthenticates in speculative auth scenarios

  When using MONGODB-OIDC authentication, if the initial handshake contained speculative authentication, the driver would not properly reauthenticate when the server would raise 391 errors. This is now fixed.

  Features

  • NODE-5672: support standardized logging (#4387) (d1b2453)
  • NODE-6258: add signal support to find and aggregate (#4364) (73def18)
  • NODE-6451: retry SRV and TXT lookup for DNS timeout errors (#4375) (fd902d3)
  • NODE-6633: MongoClient.close closes active cursors (#4372) (654069f)

  Bug Fixes

  • NODE-5225: concurrent MongoClient.close() calls each attempt to close the client (#4376) (9419af7)
  • NODE-6340: OIDC reauth uses caches speculative auth result (#4379) (8b2b7fd)

  Performance Improvements

  • NODE-6452: Optimize CommandStartedEvent and CommandSucceededEvent constructors (#4371) (41b066b)
  • NODE-6616: shortcircuit logging ejson.stringify (#4377) (c1bcf0d)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.13.0-dev.20250220.sha.0789dff0 - 2025-02-20
• 6.13.0-dev.20250215.sha.94122fb8 - 2025-02-15
• 6.13.0-dev.20250214.sha.d18108c5 - 2025-02-14
• 6.13.0-dev.20250213.sha.ba422064 - 2025-02-13
• 6.13.0-dev.20250212.sha.5f4500b8 - 2025-02-12
• 6.13.0-dev.20250211.sha.7bfce01e - 2025-02-11
• 6.13.0-dev.20250208.sha.a79a13d3 - 2025-02-08
• 6.13.0-dev.20250207.sha.057693e1 - 2025-02-07
• 6.13.0-dev.20250206.sha.1d0b2b44 - 2025-02-06
• 6.13.0-dev.20250205.sha.3a4edd51 - 2025-02-05
• 6.13.0-dev.20250204.sha.5d99661a - 2025-02-04
• 6.13.0-dev.20250201.sha.35c703e3 - 2025-02-01
• 6.13.0-dev.20250131.sha.e7898a4d - 2025-01-31
• 6.12.0 - 2024-12-10
  

  6.12.0 (2024-12-10)

  The MongoDB Node.js team is pleased to announce version 6.12.0 of the mongodb package!

  Release Notes

  zstd@2.0 is now supported for zstd compression

  The new @ mongodb-js/zstd@2.0 release can now be used with the driver for zstd compression.

  Populate ServerDescription.error field when primary marked stale

  We now attach an error to the newly created ServerDescription object when marking a primary as stale. This helps with debugging SDAM issues when monitoring SDAM events.

  BSON upgraded to v6.10.1

  See: https://github.com/mongodb/js-bson/releases/tag/v6.10.1

  Socket read stream set to object mode

  Socket data was being read with a stream set to buffer mode when it should be set to object mode to prevent inaccurate data chunking, which may have caused message parsing errors in rare cases.

  SOCKS5: MongoNetworkError wrap fix

  If the driver encounters an error while connecting to a socks5 proxy, the driver wraps the socks5 error in a MongoNetworkError. In some circumstances, this resulted in the driver wrapping MongoNetworkErrors inside MongoNetworkErrors.

  The driver no longer double wraps errors in MongoNetworkErrors.

  Features

  • NODE-6593: add support for zstd@2.x (#4346) (ea8a33f)
  • NODE-6605: add error message when invalidating primary (#4340) (37613f1)

  Bug Fixes

  • NODE-6583: upgrade to BSON v6.10.1 to remove internal unbounded type cache (#4338) (249c279)
  • NODE-6600: set object mode correctly for message chunking in SizedMessageTransform (#4345) (5558573)
  • NODE-6602: only wrap errors from SOCKS in network errors (#4347) (ed83f36)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.12.0-dev.20250130.sha.6b15f201 - 2025-01-30
• 6.12.0-dev.20250129.sha.907aac19 - 2025-01-29
• 6.12.0-dev.20250128.sha.654069fc - 2025-01-28
• 6.12.0-dev.20250125.sha.c1bcf0de - 2025-01-25
• 6.12.0-dev.20250124.sha.70d476aa - 2025-01-24
• 6.12.0-dev.20250118.sha.41b066b2 - 2025-01-18
• 6.12.0-dev.20250115.sha.e2aa15c2 - 2025-01-15
• 6.12.0-dev.20250111.sha.13ca4405 - 2025-01-11
• 6.12.0-dev.20250109.sha.3216d330 - 2025-01-09
• 6.12.0-dev.20241221.sha.c392465a - 2024-12-21
• 6.12.0-dev.20241220.sha.80c4d74a - 2024-12-20
• 6.12.0-dev.20241218.sha.e972bb8f - 2024-12-18
• 6.12.0-dev.20241212.sha.f6d7868f - 2024-12-12
• 6.12.0-dev.20241211.sha.2f9ad4d4 - 2024-12-11
• 6.11.0 - 2024-11-22
  

  6.11.0 (2024-11-22)

  The MongoDB Node.js team is pleased to announce version 6.11.0 of the mongodb package!

  Release Notes

  Client Side Operations Timeout (CSOT)

  We've been working hard to try to simplify how setting timeouts works in the driver and are excited to finally put Client Side Operation Timeouts (CSOT) in your hands! We're looking forward to hearing your feedback on this new feature during its trial period in the driver, so feel free to file Improvements, Questions or Bug reports on our Jira Project or leave comments on this community forum thread: Node.js Driver 6.11 Forum Discussion!

  CSOT is the common drivers solution for timing out the execution of an operation at the different stages of an operation's lifetime. At its simplest, CSOT allows you to specify one option,timeoutMS that determines when the driver will interrupt an operation and return a timeout error.

  For example, when executing a potentially long-running query, you would specify timeoutMS as follows:

  await collection.find({}, {timeoutMS: 600_000}).toArray(); // Ensures that the find will throw a timeout error if all documents are not retrieved within 10 minutes
  // Potential Stack trace if this were to time out:
  // Uncaught MongoOperationTimeoutError: Timed out during socket read (600000ms)
  //    at Connection.readMany (mongodb/lib/cmap/connection.js:427:31)
  //    at async Connection.sendWire (mongodb/lib/cmap/connection.js:246:30)
  //    at async Connection.sendCommand (mongodb/lib/cmap/connection.js:281:24)
  //    at async Connection.command (mongodb/lib/cmap/connection.js:323:26)
  //    at async Server.command (mongodb/lib/sdam/server.js:170:29)
  //    at async GetMoreOperation.execute (mongodb/lib/operations/get_more.js:58:16)
  //    at async tryOperation (mongodb/lib/operations/execute_operation.js:203:20)
  //    at async executeOperation (mongodb/lib/operations/execute_operation.js:73:16)
  //    at async FindCursor.getMore (mongodb/lib/cursor/abstract_cursor.js:590:16)

  Warning

  This feature is experimental and subject to change at any time. We do not recommend using this feature in production applications until it is stable.

  What's new?

  timeoutMS

  The main new option introduced with CSOT is the timeoutMS option. This option can be applied directly as a client option, as well as at the database, collection, session, transaction and operation layers, following the same inheritance behaviours as other driver options.

  When the timeoutMS option is specified, it will always take precedence over the following options:

  • socketTimeoutMS
  • waitQueueTimeoutMS
  • wTimeoutMS
  • maxTimeMS
  • maxCommitTimeMS

  Note, however that timeoutMS DOES NOT unconditionally override the serverSelectionTimeoutMS option.

  When timeoutMS is specified, the duration of time allotted to the server selection and connection checkout portions of command execution is defined by min(serverSelectionTimeoutMS, timeoutMS) if both are >0. A zero value for either timeout value represents an infinite timeout. A finite timeout will always be used unless both timeouts are specified as 0. Note also that the driver has a default value for serverSelectionTimeoutMS of 30000.

  After server selection and connection checkout are complete, the time remaining bounds the execution of the remainder of the operation.

  Note

  Specifying timeoutMS is not a hard guarantee that an operation will take exactly the duration specified. In the circumstances identified below, the driver's internal cleanup logic can result in an operation exceeding the duration specified by timeoutMS.

  • AbstractCursor.toArray() - can take up to 2 * timeoutMS in 'cursorLifetimeMode' and (n+1) * timeoutMS when returning n batches in 'iteration' mode
  • AbstractCursor.[Symbol.asyncIterator]() - can take up to 2 * timeoutMS in 'cursorLifetimeMode' and (n+1)*timeoutMS when returning n batches in 'iteration' mode
  • MongoClient.bulkWrite() - can take up to 2 * timeoutMS in error scenarios when the driver must clean up cursors used internally.
  • CSFLE/QE - can take up to 2 * timeoutMS in rare error scenarios when the driver must clean up cursors used internally when fetching keys from the keyvault or listing collections.

  In the AbstractCursor.toArray case and the AbstractCursor.[Symbol.asyncIterator] case, this occurs as these methods close the cursor when they finish returning their documents. As detailed in the following section, this results in a refreshing of the timeout before sending the killCursors command to close the cursor on the server.
  The MongoClient.bulkWrite and autoencryption implementations use cursors under the hood and so inherit this issue.

  Cursors, timeoutMS and timeoutMode

  Cursors require special handling with the new timout paradigm introduced here. Cursors can be configured to interact with CSOT in two ways.
  The first, 'cursorLifetime' mode, uses the timeoutMS to bound the entire lifetime of a cursor and is the default timeout mode for non-tailable cursors (find, aggregate*, listCollections, etc.). This means that the initialization of the cursor and all subsequent getMore calls MUST finish within timeoutMS or a timeout error will be thrown. Note, however that the closing of a cursor, either as part of a toArray() call or manually via the close() method resets the timeout before sending a killCursors operation to the server.

  e.g.

  // This will ensure that the initialization of the cursor and retrieval of all docments will occur within 1000ms, throwing an error if it exceeds this time limit
  const docs = await collection.find({}, {timeoutMS: 1000}).toArray();

  The second, 'iteration' mode, uses timeoutMS to bound each next/hasNext/tryNext call, refreshing the timeout after each call completes. This is the default mode for all tailable cursors (tailable find cursors on capped collections, change streams, etc.). e.g.

  // Each turn of the async iterator will take up to 1000ms before it throws
  for await (const doc of cappedCollection.find({}, {tailable: true, timeoutMS: 1000})) {
      // process document
  }

  Note that timeoutMode is also configurable on a per-cursor basis.

  GridFS and timeoutMS

  GridFS streams interact with timeoutMS in a similar manner to cursors in 'cursorLifeTime' mode in that timeoutMS bounds the entire lifetime of the stream.
  In addition, GridFSBucket.find, GridFSBucket.rename and GridFSBucket.drop all support the timeoutMS option and behave in the same way as other operations.

  Sessions, Transactions, timeoutMS and defaultTimeoutMS

  ClientSessions have a new option: defaultTimeoutMS, which specifies the timeoutMS value to use for:

  • commitTransaction
  • abortTransaction
  • withTransaction
  • endSession

  Note

  If defaultTimeoutMS is not specified, then it will inherit the timeoutMS of the parent MongoClient.

  When using ClientSession.withTransaction, the timeoutMS can be configured either in the options on the withTransaction call or inherited from the session's defaultTimeoutMS. This timeoutMS will apply to the entirety of the withTransaction callback provided that the session is correctly passed into each database operation. If the session is not passed into the operation, it will not respect the configured timeout. Also be aware that trying to override the timeoutMS at the operation level for operations making use of the explicit session inside the withTransaction callback will result in an error being thrown.

  const session = client.startSession({defaultTimeoutMS: 1000});
  const coll = client.db('db').collection('coll');
  // ❌ Incorrect; will throw an error
  await session.withTransaction(async function(session) {
  await coll.insertOne({x:1}, { session, timeoutMS: 600 });
  })

  // ❌ Incorrect; will not respect timeoutMS configured on session
  await session.withTransaction(async function(session) {
  await coll.insertOne({x:1}, {});
  })

  ClientEncryption and timeoutMS

  The ClientEncryption class now supports the timeoutMS option. If timeoutMS is provided when constructing a ClientEncryption instance, it will be used to govern the lifetime of all operations performed on instance, otherwise, it will inherit from the timeoutMS set on the MongoClient provided to the ClientEncryption constructor.
  If timeoutMS is set on both the client and provided to ClientEncryption directly, the option provided to ClientEncryption takes precedence.

  const encryption = new ClientEncryption(new MongoClient('localhost:27027'), { timeoutMS: 1_000 });
  await encryption.createDataKey('local'); // will not take longer than 1_000ms

  const encryption = new ClientEncryption(new MongoClient('localhost:27027', { timeoutMS: 1_000 }));
  await encryption.createDataKey('local'); // will not take longer than 1_000ms

  const encryption = new ClientEncryption(new MongoClient('localhost:27027', { timeoutMS: 5_000 }), { timeoutMS: 1_000 });
  await encryption.createDataKey('local'); // will not take longer than 1_000ms

  Limitations

  At the time of writing, when using the driver's autoconnect feature alongside CSOT, the time taken for the command doing the autonnection will not be bound by the configured timeoutMS. We made this design choice because the client's connection logic handles a number of potentially long-running I/O and other setup operations including reading certificate files, DNS lookups, instantiating server monitors, and launching external processes for client encryption.
  We recommend manually connecting the MongoClient if intending to make use of CSOT, or otherwise ensuring that the driver is already connected when running commands that make use of timeoutMS.

  const client = new MongoClient(uri, { timeoutMS: 1000 });
  // ❌ No guarantee to finish in specified time
  await client.db('db').collection('coll').insertOne({x:1});

  // ✔️ Will have expected behaviour
  await client.connect();
  await client.db('db').collection('coll').insertOne({x:1});

  Explain helpers support timeoutMS

  Explain helpers support timeoutMS:

  await collection.deleteMany({}, { timeoutMS: 1_000, explain: true });
  await collection.find().explain(
    { verbosity: 'queryPlanner' },
    { timeoutMS: 1_000 }
  )

  Note

  Providing a maxTimeMS value with a timeoutMS value will throw errors.

  MONGODB-OIDC Authentication now supports Kubernetes Environments.

  For k8s environments running in Amazon's EKS (Elastic Kubernetes Service), Google's GKE (Google Kubernetes Engine), or Azure's AKS (Azure Kubernetes Service) simply provide an ENVIRONMENT auth mechanism property in the URI or MongoClient options of "k8s".

  Example:

  const client = new MongoClient('mongodb://host:port/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s');

  BSON Binary Vector Support!

  Checkout BSON's release notes for more information: https://github.com/mongodb/js-bson/releases/tag/v6.10.0

  ConnectionClosedEvents always follow PoolClearedEvents

  When Connection Monitoring and Pooling events are listened for, ConnectionClosedEvents are now always emitted after PoolClearEvents.

  Features

  • NODE-5682: set maxTimeMS on commands and preempt I/O (#4174) (e4e6a5e)
  • NODE-5844: add iscryptd to ServerDescription (#4239) (c39d443)
  • NODE-6069: OIDC k8s machine workflow (#4270) (82c931c)
  • NODE-6090: Implement CSOT logic for connection checkout and server selection (bd8a9f4)
  • NODE-6231: Add CSOT behaviour for retryable reads and writes (#4186) (2ffd5eb)
  • NODE-6274: add CSOT support to bulkWrite (#4250) (c5a9ae5)
  • NODE-6275: Add CSOT support to GridFS (#4246) (3cb8187)
  • NODE-6304: add CSOT support for non-tailable cursors (#4195) (131f6ed)
  • NODE-6305: Add CSOT support to tailable cursors (#4218) (2398fc6)
  • NODE-6312: add error transformation for server timeouts (#4192) (c2c0cb9)
  • NODE-6313: add CSOT support to sessions and transactions (#4199) (5f1102f)
  • NODE-6387: Add CSOT support to change streams (#4256) (4588ff2)
  • NODE-6389: add support for timeoutMS in StateMachine.execute() (#4243) (c55f965)
  • NODE-6390: Add timeoutMS support to auto encryption (#4265) (55e08e7)
  • NODE-6391: Add timeoutMS support to explicit encryption (#4269) (f745b99)
  • NODE-6392: add timeoutMS support to ClientEncryption helpers part 1 (#4281) (e86f11e)
  • NODE-6403: add CSOT support to client bulk write (#4261) (365d63b)
  • NODE-6421: add support for timeoutMS to explain helpers (#4268) (5b2629b)
  • NODE-6446: deprecate legacy timeout options (#4279) (c28608b)
  • NODE-6551: update bson to 6.10.0 (#4329) (adb15fe)

  Bug Fixes

  • NODE-6374: MongoOperationTimeoutError inherits MongoRuntimeError (#4237) (9fb896a)
  • NODE-6412: read stale response from previously timed out connection (#4273) (fd8f3bd)
  • NODE-6454: use timeoutcontext for state machine execute() cursor options (#4291) (5dd8ee5)
  • NODE-6469: pool is cleared before connection checkin on error (#4296) (06a2e2c)
  • NODE-6523: deleteMany in gridfs passes timeoutMS to predicate, not options (#4319) (1965ed5)

  Performance Improvements

  • NODE-6525: remove setPrototype and defineProperty from hot path (#4321) (48ed47e)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.11.0-dev.20241210.sha.37613f1a - 2024-12-10
• 6.11.0-dev.20241207.sha.ea8a33f1 - 2024-12-07
• 6.11.0-dev.20241206.sha.ed2bdbe5 - 2024-12-06
• 6.11.0-dev.20241205.sha.55585731 - 2024-12-05
• 6.11.0-dev.20241204.sha.260e052e - 2024-12-04
• 6.11.0-dev.20241128.sha.4842cd8a - 2024-11-28
• 6.11.0-dev.20241123.sha.32f7ac63 - 2024-11-23
• 6.10.0 - 2024-10-21
  

  6.10.0 (2024-10-21)

  The MongoDB Node.js team is pleased to announce version 6.10.0 of the mongodb package!

  Release Notes

[akanchhaS]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)