danielmason89

Snyk has created this PR to upgrade mongodb from 6.16.0 to 6.17.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 16 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

Issue: Regular Expression Denial of Service (ReDoS), SNYK-JS-BRACEEXPANSION-9789073 (low severity)
Score: 436
Exploit Maturity: Proof of Concept

Release notes
Package name: mongodb
  • 6.17.0 - 2025-06-03

    6.17.0 (2025-06-03)

    The MongoDB Node.js team is pleased to announce version 6.17.0 of the mongodb package!

    Release Notes

    Support for MongoDB 4.0 is removed

    Warning

    When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.

    OIDC machine workflows now retry on token expired errors during initial authentication

    This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were "azure", "gcp", and "k8s".

    keepAliveInitialDelay may now be configured at the MongoClient level

    When not present, it will default to 120 seconds. The option value must be specified in milliseconds.

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });

    updateOne and replaceOne now support a sort option

    The updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:

    const sort = { fieldName: -1 };

    collection.updateOne({}, {}, { sort });
    collection.replaceOne({}, {}, { sort });

    collection.bulkWrite([
      { updateOne: { filter: {}, update: {}, sort } },
      { replaceOne: { filter: {}, replacement: {}, sort } },
    ]);

    client.bulkWrite([
      { name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
      { name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
    ]);

    MongoClient close shuts outstanding in-use connections

    The MongoClient.close() method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.

    Support Added for Configuring the DEK cache expiration time.

    Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0

    For ClientEncryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
    const client = new MongoClient(process.env.MONGODB_URI);
    const clientEncryption = new ClientEncryption(client, { keyExpirationMS: 100000, kmsProviders: ... });

    For auto encryption:

    import { MongoClient, ClientEncryption } from 'mongodb';
    const client = new MongoClient(process.env.MONGODB_URI, {
      autoEncryption: {
        keyExpirationMS: 100000,
        kmsProviders: ...
      }
    });

    Update operations will now throw if ignoreUndefined is true and all operations are undefined.

    When using any of the following operations they will now throw if all atomic operations in the update are undefined and the ignoreUndefined option is true. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient(process.env.MONGODB_URI);

    client.bulkWrite(
      [
        {
          name: 'updateMany',
          namespace: 'foo.bar',
          filter: { age: { $lte: 5 } },
          update: { $set: undefined, $unset: undefined }
        }
      ],
      { ignoreUndefined: true }
    );

    const collection = client.db('test').collection('test');

    collection.bulkWrite(
      [
        {
          updateMany: {
            filter: { age: { $lte: 5 } },
            update: { $set: undefined, $unset: undefined }
          }
        }
      ],
      { ignoreUndefined: true }
    );

    collection.findOneAndUpdate(
      { a: 1 },
      { $set: undefined, $unset: undefined },
      { ignoreUndefined: true }
    );

    collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

    Socket errors are always treated as network errors

    Network errors perform an important role in the driver, impacting topology monitoring processes and retryability. A bug in the driver's socket implementation meant that server disconnects occurring while no operation was in progress on the socket resulted in errors that were not considered network errors.

    Socket errors are now unconditionally treated as network errors.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 6.17.0-dev.20250722.sha.6e240d41 - 2025-07-22
  • 6.17.0-dev.20250719.sha.3faf0c96 - 2025-07-19
  • 6.17.0-dev.20250715.sha.ec82ae97 - 2025-07-15
  • 6.17.0-dev.20250711.sha.b9636ee3 - 2025-07-11
  • 6.17.0-dev.20250710.sha.a09212a4 - 2025-07-10
  • 6.17.0-dev.20250708.sha.bff57ed8 - 2025-07-08
  • 6.17.0-dev.20250706.sha.57617039 - 2025-07-06
  • 6.17.0-dev.20250702.sha.52ed3d12 - 2025-07-02
  • 6.17.0-dev.20250627.sha.da46aeaf - 2025-06-27
  • 6.17.0-dev.20250625.sha.4c1fa54e - 2025-06-25
  • 6.17.0-dev.20250624.sha.83534ff3 - 2025-06-24
  • 6.17.0-dev.20250612.sha.8ab5d19b - 2025-06-12
  • 6.17.0-dev.20250611.sha.d7426ce5 - 2025-06-11
  • 6.17.0-dev.20250605.sha.57ef31be - 2025-06-05
  • 6.17.0-dev.20250604.sha.441186ae - 2025-06-04
  • 6.16.0 - 2025-04-21

    6.16.0 (2025-04-21)

    The MongoDB Node.js team is pleased to announce version 6.16.0 of the mongodb package!

    Release Notes

    distinct commands now support an index hint

    The Collection.distinct() method now supports an optional hint, which can be used to tell the server which index to use for the command:

    // providing an index description
    await collection.distinct('my-key', {
      hint: { 'my-key': 1 }
    });

    // providing an index name
    await collection.distinct('my-key', {
      hint: 'my-key'
    });

    This requires server 7.1+.

    Driver support for servers <=4.0 deprecated

    Warning

    Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.

    Fix processing of multiple messages within one network data chunk

    During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to a backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.

    Now, all messages in the current buffer are returned to the driver leading to faster processing times.

    Huge thank you to @andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!

    FindCursor.rewind() throws documents?.clear() is not a function errors in certain scenarios

    In certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/danielmason89/project/a5d1e7ce-fd9c-433a-84e2-1d1c310d8b02?utm_source=github&utm_medium=referral&page=upgrade-pr
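
A preflight check for the ignoreUndefined scenario described in the 6.17.0 release notes, as an added example that is not part of the Snyk PR or the MongoDB driver. `guardUpdate`, `hasDefinedOperator`, `buildProfileUpdate` and `tryGuard` are hypothetical names, and the request fields are constructed.

```javascript
// Added example; these helpers are hypothetical and are not driver APIs.

// True when at least one top-level atomic operator ($set, $unset, ...) has a defined value.
function hasDefinedOperator(update) {
  return Object.entries(update).some(
    ([key, value]) => key.startsWith('$') && value !== undefined
  );
}

// Reject the scenario from the release note before the update reaches the driver.
function guardUpdate(update, options = {}) {
  if (Array.isArray(update)) return update; // pipeline updates are out of scope for this sketch
  if (update === null || typeof update !== 'object') {
    throw new TypeError('update must be an object or a pipeline array');
  }
  if (options.ignoreUndefined === true && !hasDefinedOperator(update)) {
    throw new Error('update rejected: all atomic operators are undefined and ignoreUndefined is true');
  }
  return update;
}

// Constructed handler logic: operators are built from optional input fields,
// one way an all-undefined update can arise.
function buildProfileUpdate(body) {
  return {
    $set: body.displayName !== undefined ? { displayName: body.displayName } : undefined,
    $unset: body.clearAvatar === true ? { avatar: '' } : undefined
  };
}

// Returns 'accepted' or 'rejected' for a request body, with ignoreUndefined enabled.
function tryGuard(body) {
  try {
    guardUpdate(buildProfileUpdate(body), { ignoreUndefined: true });
    return 'accepted';
  } catch (err) {
    return err.message.startsWith('update rejected') ? 'rejected' : 'error';
  }
}
```

The `options` passed to the guard must carry the effective `ignoreUndefined` value, which can also be inherited from the client, database or collection.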
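
The 6.16.0 note on multiple messages within one network data chunk, illustrated as an added example that is not the driver's socket code. `Framer`, `makeMessage` and `compare` are hypothetical names, the `drainAll: false` mode only models the failure pattern the note describes, and the length cap is an assumption of this sketch.

```javascript
// Added example; not the driver's implementation.
// Every MongoDB wire message starts with a little-endian int32 giving its total length.
const HEADER_BYTES = 16;            // standard message header size
const MAX_MESSAGE_BYTES = 48000000; // assumed upper bound for this sketch

class Framer {
  constructor({ drainAll }) {
    this.drainAll = drainAll;       // false models the one-message-per-chunk failure mode
    this.buffer = Buffer.alloc(0);
  }

  // Append a network chunk and return the complete messages handed to the caller.
  push(chunk) {
    this.buffer = Buffer.concat([this.buffer, chunk]);
    const messages = [];
    while (this.buffer.length >= 4) {
      const length = this.buffer.readInt32LE(0);
      if (length < HEADER_BYTES || length > MAX_MESSAGE_BYTES) {
        throw new RangeError(`invalid message length ${length}`);
      }
      if (this.buffer.length < length) break; // partial message: wait for more bytes
      messages.push(this.buffer.subarray(0, length));
      this.buffer = this.buffer.subarray(length);
      if (!this.drainAll) break;              // backlog stays buffered until the next chunk
    }
    return messages;
  }
}

// Constructed input: a zero-filled message with a valid length field.
function makeMessage(payloadBytes) {
  const message = Buffer.alloc(HEADER_BYTES + payloadBytes);
  message.writeInt32LE(message.length, 0);
  return message;
}

// Three messages arrive in one chunk, as during a burst of topology updates.
function compare() {
  const chunk = Buffer.concat([makeMessage(8), makeMessage(0), makeMessage(32)]);
  const stalled = new Framer({ drainAll: false });
  const drained = new Framer({ drainAll: true });
  return {
    stalledDelivered: stalled.push(chunk).length,
    stalledBacklogBytes: stalled.buffer.length,
    drainedDelivered: drained.push(chunk).length,
    drainedBacklogBytes: drained.buffer.length
  };
}
```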