[Snyk] Upgrade mongodb from 6.16.0 to 6.18.0

[danielmason89]

Snyk has created this PR to upgrade mongodb from 6.16.0 to 6.18.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 28 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Handling of Unexpected Data Type SNYK-JS-ONHEADERS-10773729	436	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	436	Proof of Concept

Release notes

Package name: mongodb

• 6.18.0 - 2025-07-22
  

  6.18.0 (2025-07-22)

  The MongoDB Node.js team is pleased to announce version 6.18.0 of the mongodb package!

  Release Notes

  New appendMetadata API allows clients to add handshake metadata post construction

  Driver information such as name, version, and platform are allowed:

  import { MongoClient } from 'mongodb';

  const client = new MongoClient(process.env.MONGODB_URI);
  client.appendMetadata({ name: 'my library', version: '1.0', platform: 'NodeJS' });

  Cursors lazily instantiate sessions

  In previous versions, sessions were eagerly allocated whenever a cursor was created, regardless of whether or not a cursor was actually iterated (and the session was actually needed). Some driver APIs (FindCursor.count(), AggregationCursor.explain() and FindCursor.explain()) don't actually iterate the cursor they are executed on. This can lead to client sessions being created and never being cleaned up.

  With this update, sessions are not allocated until the cursor is iterated.

  Idle connections are now pruned during periods of no activity even when minPoolSize=0

  A MongoClient configured with a maxIdleTimeMS and minPoolSize of 0 is advantageous for workloads that have sustained periods of little or no activity because it allows the connection pool to close connections that are unused during these periods of inactivity. However, due to a bug in the ConnectionPool implementation, idle / perished connections were not cleaned up unless minPoolSize was non-zero.

  With the changes in this PR, the ConnectionPool now always cleans up idle connections, regardless of minPoolSize.

  ChangeStream event interfaces include a wallTime property

  This property is available on all types with the exception of reshard collection and refine collection shard key events. Thanks to @ qhello for bringing this bug to our attention!

  CommandSucceededEvent and CommandFailedEvent events now have a databaseName property

  CommandSucceededEvent and CommandFailedEvent now include the name of the database against which the command was executed.

  Deprecations

  Transaction state getters are deprecated

  These were for internal use only and include:

  Transaction#options
  Transaction#recoveryToken
  Transaction#isPinned
  Transaction#isStarting
  Transaction#isActive
  Transaction#isCommitted

  ClientMetadata, ClientMetadataOptions, and CancellationToken have been deprecated

  These types will be removed in an upcoming major version of the driver.

  CommandOptions.noResponse is deprecated

  Caution

  noResponse is not intended for use outside of MongoClient.close(). Do not use this option.

  The Node driver has historically supported an option, noResponse, that is used internally when a MongoClient is closed. This option was accidentally public. This option will be removed in an upcoming major release.

  Features

  • NODE-5055: Add databaseName property to command monitoring events (#4586) (3faf0c9)
  • NODE-7009: add client metadata on demand (#4574) (b9636ee)
  • NODE-7053: deprecate noResponse option (#4589) (1115319)
  • NODE-6865: deprecate transaction getters (#4567) (da46aea)
  • NODE-6991: deprecate unintentionally public client metadata types (#4566) (ca6554b)

  Bug Fixes

  • NODE-4845: allocate sessions lazily in cursors (#4575) (5761703)
  • NODE-6589: background task does not prune idle connections when minPoolSize=0 (#4569) (7cbb641)
  • NODE-6955: add missing wallTime property TS change stream event interfaces (#4541) (f153c6f)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.18.0-dev.20250815.sha.fae8ac8a - 2025-08-15
• 6.18.0-dev.20250814.sha.33d340ef - 2025-08-14
• 6.18.0-dev.20250808.sha.8e06e72a - 2025-08-08
• 6.18.0-dev.20250806.sha.e628296a - 2025-08-06
• 6.18.0-dev.20250805.sha.ff9a7858 - 2025-08-05
• 6.18.0-dev.20250802.sha.be7f808c - 2025-08-02
• 6.18.0-dev.20250801.sha.aac76296 - 2025-08-01
• 6.18.0-dev.20250731.sha.c5365347 - 2025-07-31
• 6.18.0-dev.20250730.sha.2ef6c10c - 2025-07-30
• 6.18.0-dev.20250724.sha.acd86250 - 2025-07-24
• 6.18.0-dev.20250723.sha.d92acfc1 - 2025-07-23
• 6.17.0 - 2025-06-03
  

  6.17.0 (2025-06-03)

  The MongoDB Node.js team is pleased to announce version 6.17.0 of the mongodb package!

  Release Notes

  Support for MongoDB 4.0 is removed

  Warning

  When the driver connects to a MongoDB server of version 4.0 or less, it will now throw an error.

  OIDC machine workflows now retry on token expired errors during initial authentication

  This resolves issues of a cached OIDC token in the driver causing initial authentication to fail when the token had expired. The affected environments were "azure", "gcp", and "k8s".

  keepAliveInitialDelay may now be configured at the MongoClient level

  When not present will default to 120 seconds. The option value must be specified in milliseconds.

  import { MongoClient } from 'mongodb';

  const client = new MongoClient(process.env.MONGODB_URI, { keepAliveInitialDelay: 100000 });

  updateOne and replaceOne now support a sort option

  The updateOne and replaceOne operations in each of the ways they can be performed support a sort option starting in MongoDB 8.0. The driver now supports the sort option the same way it does for find or findOneAndModify-style commands:

  const sort = { fieldName: -1 };

  collection.updateOne({}, {}, { sort });
  collection.replaceOne({}, {}, { sort });

  collection.bulkWrite([
  { updateOne: { filter: {}, update: {}, sort } },
  { replaceOne: { filter: {}, replacement: {}, sort } },
  ]);

  client.bulkWrite([
  { name: 'updateOne', namespace: 'db.test', filter: {}, update: {}, sort },
  { name: 'replaceOne', namespace: 'db.test', filter: {}, replacement: {}, sort }
  ]);

  MongoClient close shuts outstanding in-use connections

  The MongoClient.close() method now shuts connections that are in-use allowing the event loop to close if the only remaining resource was the MongoClient.

  Support Added for Configuring the DEK cache expiration time.

  Default value is 60000. Requires using mongodb-client-encryption >= 6.4.0

  For ClientEncryption:

  import { MongoClient, ClientEncryption } from 'mongodb';
  const client = new MongoClient(process.env.MONGODB_URI);
  const clientEncryption = new ClientEncryption(client, { keyExpirationMS: 100000, kmsProviders: ... });

  For auto encryption:

  import { MongoClient, ClientEncryption } from 'mongodb';
  const client = new MongoClient(process.env.MONGODB_URI, {
    autoEncryption: {
      keyExpirationMS: 100000,
      kmsProviders: ...
    }
  });

  Update operations will now throw if ignoreUndefined is true and all operations are undefined.

  When using any of the following operations they will now throw if all atomic operations in the update are undefined and the ignoreUndefined option is true. This is to avoid accidental replacement of the entire document with an empty document. Examples of this scenario:

  import { MongoClient } from 'mongodb';

  const client = new MongoClient(process.env.MONGODB_URI);

  client.bulkWrite(
  [
  {
  name: 'updateMany',
  namespace: 'foo.bar',
  filter: { age: { $lte: 5 } },
  update: { $set: undefined, $unset: undefined }
  }
  ],
  { ignoreUndefined: true }
  );

  const collection = client.db('test').collection('test');

  collection.bulkWrite(
  [
  {
  updateMany: {
  filter: { age: { $lte: 5 } },
  update: { $set: undefined, $unset: undefined }
  }
  }
  ],
  { ignoreUndefined: true }
  );

  collection.findOneAndUpdate(
  { a: 1 },
  { $set: undefined, $unset: undefined },
  { ignoreUndefined: true }
  );

  collection.updateOne({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

  collection.updateMany({ a: 1 }, { $set: undefined, $unset: undefined }, { ignoreUndefined: true });

  Socket errors are always treated as network errors

  Network errors perform an important role in the driver, impacting topology monitoring processes and retryablity. A bug in the driver's socket implementation meant that in scenarios where server disconnects occurred while no operation was in progress on the socket resulted in errors that were not considered network errors.

  Socket errors are now unconditionally treated as network errors.

  Features

  • NODE-6245: add keepAliveInitialDelay config (#4510) (d6c0eb3)
  • NODE-6290: add sort support to updateOne and replaceOne (#4515) (28857b7)
  • NODE-6882: eagerly close checked out connections when client is closed (#4499) (64fdb3e)
  • NODE-6884: remove support for 4.0 (#4534) (6fe6ccc)
  • NODE-6952: support configuring DEK cache expiration (#4538) (c529f07)
  • NODE-6963: use BSON 6.10.4 (#4549) (aee490a)

  Bug Fixes

  • NODE-6638: throw if all atomic updates are undefined (#4519) (9625b2d)
  • NODE-6864: socket errors are not always converted to MongoNetworkErrors (#4473) (2d86095)
  • NODE-6962: OIDC machine workflows use OIDCCallbacks internally (#4546) (bd6030f)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.17.0-dev.20250722.sha.6e240d41 - 2025-07-22
• 6.17.0-dev.20250719.sha.3faf0c96 - 2025-07-19
• 6.17.0-dev.20250715.sha.ec82ae97 - 2025-07-15
• 6.17.0-dev.20250711.sha.b9636ee3 - 2025-07-11
• 6.17.0-dev.20250710.sha.a09212a4 - 2025-07-10
• 6.17.0-dev.20250708.sha.bff57ed8 - 2025-07-08
• 6.17.0-dev.20250706.sha.57617039 - 2025-07-06
• 6.17.0-dev.20250702.sha.52ed3d12 - 2025-07-02
• 6.17.0-dev.20250627.sha.da46aeaf - 2025-06-27
• 6.17.0-dev.20250625.sha.4c1fa54e - 2025-06-25
• 6.17.0-dev.20250624.sha.83534ff3 - 2025-06-24
• 6.17.0-dev.20250612.sha.8ab5d19b - 2025-06-12
• 6.17.0-dev.20250611.sha.d7426ce5 - 2025-06-11
• 6.17.0-dev.20250605.sha.57ef31be - 2025-06-05
• 6.17.0-dev.20250604.sha.441186ae - 2025-06-04
• 6.16.0 - 2025-04-21
  

  6.16.0 (2025-04-21)

  The MongoDB Node.js team is pleased to announce version 6.16.0 of the mongodb package!

  Release Notes

  distinct commands now support an index hint

  The Collection.distinct() method now supports an optional hint, which can be used to tell the server which index to use for the command:

  // providing an index description
  await collection.distinct('my-key', {
  hint: { 'my-key': 1 }
  });

  // providing an index name
  await collection.distinct('my-key', {
  hint: 'my-key'
  });

  This requires server 7.1+.

  Driver support for servers <=4.0 deprecated

  Warning

  Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.

  Fix processing of multiple messages within one network data chunk

  During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.

  Now, all messages in the current buffer are returned to the driver leading to faster processing times.

  Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!

  FindCursor.rewind() throws documents?.clear() is not a function errors in certain scenarios

  In certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.

  Features

  • NODE-6494: add support for hint on distinct commands (#4487) (40d0e87)
  • NODE-6515: deprecate driver support for server 4.0 (#4517) (4c1a8a7)

  Bug Fixes

  • NODE-6630: read all messages in buffer when chunk arrives (#4512) (8c86e30)
  • NODE-6878: documents.clear() throws a TypeError after cursor is rewound (#4488) (a1fffeb)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs