This repository has been archived by the owner on Oct 1, 2020. It is now read-only.

[Snyk] Upgrade mongodb from 3.1.13 to 3.5.5 #14

Open: wants to merge 2 commits into base: master

Conversation

snyk-bot

@snyk-bot snyk-bot commented May 5, 2020

Snyk has created this PR to upgrade mongodb from 3.1.13 to 3.5.5.

merge advice

What is Merge Advice? We check thousands of dependency upgrade pull requests and CI tests every day to see which upgrades were successfully merged. After crunching this data, we give a recommendation on how safe we think the change is for you to merge without causing issues. Learn more, and share your feedback to help improve this feature.
Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 26 versions ahead of your current version.
  • The recommended version was released 2 months ago, on 2020-03-11.

The recommended version fixes:

Issue                          Identifier             Exploit Maturity
Internal Property Tampering    SNYK-JS-BSON-561052    No Known Exploit
Release notes
Package name: mongodb
  • 3.5.5 - 2020-03-11

    The MongoDB Node.js team is pleased to announce version 3.5.5 of the driver

    Release Highlights

    Regression in hasNext when using a cursor with a limit

    @peterbroadhurst helped point out a regression introduced in v3.5.4 where using hasNext
    on a cursor with a limit would not return the full set of results.

    Ignored topology updates cause servers to fall out of latency window

    A change introduced across all MongoDB drivers, and in particular v3.5.0 of the Node.js
    driver, attempted to prevent needless duplicate topologyDescriptionChanged topology events
    by introducing a ServerDescription equality operator. Since equality does not take the
    lastUpdateTime and lastWriteDate fields of an ismaster into account, the driver could
    eventually consider servers non-suitable for server selection, since they would fall out
    of the latency window.
    All updates are considered viable for topology updates now, and only event emission is
    gated by ServerDescription equality.

    Memory leaks with Node.js v12+

    The legacy topology types (in particular if you were connected to a replica set) used a
    custom Timeout class to wrap a timer. Unfortunately, the class depended on an undocumented,
    private variable _called, which was removed in Node.js v12. This would lead to the driver
    thinking the timeout never occurred, and therefore never releasing the object for garbage
    collection. We recommend users of the legacy topology types immediately update to this
    version of the driver, or use the Unified Topology which is unaffected by this bug.

    TypeError: Cannot read property 'Symbol(cancelled)' of undefined

    @erfanium and @Paic helped us identify an issue in rare failover events where multiple
    requests to process the server selection queue would result in an attempted property
    access of an undefined variable.

    promiseLibrary not respected by newly introduced maybePromise helper

    @TobyEalden pointed out that an internal refactor to use a helper to optionally
    return a Promise for top level API methods was not, in fact, using a custom
    promise library if one was provided!

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2460] - Memory Leak with ReplSet and NodeJS v12
    • [NODE-2472] - TypeError on server available with useUnifiedTopology: true
    • [NODE-2474] - Server_Description update with lastUpdateTime / lastWriteDate fields is ignored in topology
    • [NODE-2480] - TypeError after reconnecting
    • [NODE-2483] - Regression using hasNext on cursor with limit
    • [NODE-2490] - promiseLibrary option is not honoured
  • 3.5.4 - 2020-02-25

    The MongoDB Node.js team is pleased to announce version 3.5.4 of the driver

    Release Highlights

    Regression in hasNext when piping a cursor

    Pierre Mallet and @Sintendo helped identify a regression with our cursors which did not
    properly rewind a cursor when hasNext was called before the cursor was piped.

    Regression in server selection queue processing

    A change introduced in v3.5.3 converted the server selection loop from a loop with timers
    to a queue of callbacks. A subtle bug was introduced to the code to process the queue where
    the upper bound of a for loop was using a dynamically decreasing length, leading to some
    operations being ignored, and ultimately timing out. Many thanks to Frederic Maillasson,
    @paulrobinson, and @adityapatadia for helping uncover this issue.

    Only ensure minimum connection pool size if a size is specified

    User @millerick submitted a PR short circuiting the background task for ensuring a minimum
    pool size if no minimum size was set.

    Release Notes

    Bug

    • [NODE-2454] - Cursor.hasNext() seems to consume first document when the cursor is piped in a writable stream
    • [NODE-2464] - max election ID comparison uses invalid comparison for tracking
    • [NODE-2466] - Driver does not seem to properly recover from a long disconnection with primary server
    • [NODE-2467] - MongoServerSelectionError when using useUnifiedTopology: true

    Improvement

    • [NODE-2459] - Do not run minimum connection size task if there is no minimum pool size
  • 3.5.3 - 2020-02-12

    The MongoDB Node.js team is pleased to announce version 3.5.3 of the driver

    Release Highlights

    This patch release fixes one issue with command error handling during network errors, and one minor issue with multiple incoming wire messages not being properly processed.

    Release Notes

    Bug

    • [NODE-2435] - Unified topology does not transition server to Unknown on non-timeout operation error
    • [NODE-2437] - Multiple incoming message packets are not processed correctly

    Improvement

    • [NODE-2438] - Add exhaust command support to transport layer
    • [NODE-2449] - Simplify server error handling in unified topology
  • 3.5.2 - 2020-01-20

    The MongoDB Node.js team is pleased to announce version 3.5.2 of the driver

    Release Highlights

    This patch release corrects a regression introduced in the 4.2 timeframe which would
    effectively disable retryable operations for connection to MongoDB 4.2+. Additionally,
    the server selection loop has been converted to a queue of callbacks to improve
    readability, as well as performance in certain scenarios.

    Release Notes

    Bug

    • [NODE-2408] - retryWrites seems not to work as expected in failover test

    Improvement

    • [NODE-2398] - Use a queue for server selection
  • 3.5.1 - 2020-01-17

    The MongoDB Node.js team is pleased to announce version 3.5.1 of the driver

    Release Highlights

    This patch release fixes a few regressions introduced with new connection pool, primarily
    around the ability to use custom TLS certificates.

    Release Notes

    Bug

    • [NODE-2372] - db.findOne does not respect client setting bufferMaxEntries
    • [NODE-2401] - "readPreference.equals is not a function" exception thrown within executeWithServerSelection
    • [NODE-2424] - CMAP connection pool fails to create connection using SSL / TLS
  • 3.5.0 - 2020-01-14

    The MongoDB Node.js team is pleased to announce version 3.5.0 of the driver

    Release Highlights

    CMAP-compliant Connection Pool

    This release introduces a modern replacement for the driver's connection pool, available only with the
    unified topology. A major effort was made in early 2019 to fully specify connection pools for MongoDB
    drivers (see: CMAP specification), and this release brings the Node.js driver in line with that
    specification.

    Traceability

    The new pool supports monitoring for all aspects of its behavior. This allows deep introspection into
    the operation of the connection pool, as well as an ability to profile the lifetime of an operation
    when used in conjunction with command monitoring.

    Stream-first Connection Design

    The Connection class was completely rewritten for the new pool adopting a stream-first mentality. All
    wire message processing and compression is handled in a duplex stream called the MessageStream, and
    that stream is connected bidirectionally to the underlying TCP socket. The result is a connection which
    gains the general benefit of streams: better performance, less memory pressure, backpressure support. It
    also opens the possibility of supporting non-TCP/UDP streams as a transport for the driver.

    waitQueueTimeoutMS

    The new connection pool has a concept of a "wait queue", which allows operation requests to buffer waiting
    for a connection to execute against. There is no timeout by default, but users can now specify a new value
    waitQueueTimeoutMS in their connection string or MongoClient options to proactively cancel operations
    that have waited too long.

    Remember that the new connection pool is only available for the "Unified Topology", so remember to pass
    useUnifiedTopology: true to your MongoClient constructor to use it!

    Dedicated monitoring connection

    Both the legacy and unified SDAM implementations have until now executed monitoring checks as priority
    messages in the legacy Pool implementation. This means that monitoring (ismaster) operations were
    prioritized over other queued operations, but also means that monitoring could be indefinitely blocked,
    in particular during failover or black hole scenarios. The default socket timeout is null (read: Infinity),
    so if the pool was completely saturated with operations, there may be no ability to execute a monitoring
    check and determine that the connection to a server was no longer valid. This version of the driver
    introduces a new Monitor class which manages its own dedicated monitoring connection to each known
    node.

    Server selection errors

    In v3.3.0 of the driver we introduced a new MongoTimeoutError for all errors covered by the server
    selection loop, leading to a spike in bug reports with a title similar to Server selection timed out after 30000ms.
    Even though the error type itself had an attached reason field, we still feel it was easy to miss why
    the selection had failed. As a result we have introduced a new type MongoServerSelectionError which
    will use the originating error (reason) for its message, better informing users what caused a
    selection error, while still also conveying it is an error in server selection.

    Release Notes

    New Feature

    • [NODE-1742] - Implement Connection Monitoring and Pooling spec
    • [NODE-2386] - Use a dedicated monitoring thread

    Bug

    • [NODE-2400] - Synchronous errors are swallowed by executeOperation
    • [NODE-2417] - Server descriptions with me mismatch from primary response should be removed
    • [NODE-2418] - client platform not sent in metadata for CMAP connections

    Improvement

    • [NODE-1619] - Remove wasteful empty Buffer allocations in `Connection`
    • [NODE-2049] - Add "connectionError" as a valid "reason" for a ConnectionCheckOutFailedEvent when connection set up fails
    • [NODE-2397] - Make server selection errors more informative
    • [NODE-2402] - Integrate CMAP connection pool into unified topology
    • [NODE-2419] - Improve traceability of CMAP events
    • [NODE-2033] - Ignore ConnectionReadyEvent in CMAP pool creation test
  • 3.4.1 - 2019-12-19

    The MongoDB Node.js team is pleased to announce version 3.4.1 of the driver

    Release Highlights

    This is a patch release addressing two regressions introduced in bulk writes and SCRAM authentication.

    Release Notes

    Bug

    • [NODE-2383] - Unordered bulk write reports wrong error indexes
    • [NODE-2390] - Sporadic connection errors with AWS Lambda
  • 3.4.0 - 2019-12-10

    The MongoDB Node.js team is pleased to announce version 3.4.0 of the driver

    Release Highlights

    Client Side Field Level Encryption (CSFLE)

    The major functionality introduced in this release, and indeed the reason for the minor version bump, is full support for MongoDB's Client Side Field Level Encryption. The bulk of the support comes through an addon module mongodb-client-encryption, please refer to the reference documentation for more details.

    TLS Option Variants

    This release also introduces a number of new connection string options related to TLS. In order to unify uri options across all MongoDB drivers, and to better signal the technology the driver is actually using, all ssl related options now have a corresponding tls variant. NOTE: your application will not break if you continue to use the ssl variants, but deprecation warnings will be introduced prior to the 4.x driver release.

    @adityapatadia initially pointed out that these tls variants had no effect, now they do. Thank you @adityapatadia!

    mongodb+srv

    A critical bug was found by @ephemer with the recently introduced "mongos discovery", where a typo caused DNS polling to occur at very fast intervals.

    Additionally, user @mpilar identified and fixed a bug with our mongodb+srv parsing, where user-provided client options were not overriding those provided by a TXT record lookup.

    Thank you very much @ephemer and @mpilar!

    server selection

    @adityapatadia also helped find a bug in the server selection code which rendered selection with a nearest read preference non-functional. Thanks again @adityapatadia!

    bulkWrite

    A small bug was fixed causing errors in an unordered bulk write to be reported in incorrect order. If an error occurs in a bulk write now, then it will show up in the writeErrors field of the resulting BulkWriteError with an index that corresponds to the position the operation had in the initial input.

    Release Notes

    Bug

    • [NODE-1547] - Default Port is not applied
    • [NODE-1991] - replaceOne() also returns the replacement document?
    • [NODE-2089] - Only apply TransientTransactionError label within a transaction
    • [NODE-2308] - Bulk write error returns incorrect index in WriteError for unordered writes
    • [NODE-2334] - Driver must error if autoEncryption is attempted against wire version < 8
    • [NODE-2335] - Node Driver does not follow Initial DNS Seedlist Discovery spec
    • [NODE-2353] - Timed out connections should not half-close on destroy
    • [NODE-2356] - nearest server is not selected when useUnifiedTopology is set
    • [NODE-2359] - tls option in connection URI has no effect
    • [NODE-2375] - Typo in `rescanIntervalSrvMS` causes spike in DNS lookups
    • [NODE-2376] - Malicious server can accept incomplete SCRAM authentication and bypass mutual authentication

    New Feature

    • [NODE-2094] - FLE GA Support

    Improvement

    • [NODE-2024] - Document createIndexes usage
    • [NODE-2052] - [FLE] Add a corpus test that exhaustively enumerates all ways to encrypt all BSON value types
    • [NODE-2053] - [FLE] Add prose test for explicit encryption with key alt name
    • [NODE-2298] - Add driver API documentation for Field Level Encryption
    • [NODE-2363] - Allow connection establishment to be cancelled
    • [NODE-2306] - Driver module does not export `BulkWriteError`
    • [NODE-2338] - build FLE addon on windows
  • 3.3.5 - 2019-11-26

    The MongoDB Node.js team is pleased to announce version 3.3.5 of the driver

    Release Highlights

    unified topology

    This patch release includes additional fixes for the regression in the unified topology discovered in v3.3.2, expanding our testing infrastructure to include a simulated workload during failover testing. A bug when connecting to single-node replica sets, which could result in a stack overflow, was corrected. Additionally, events and options which are incompatible with the unified topology will now emit a warning message.

    mongodb+srv

    The release also includes a fix submitted by @mpilar, who found an inconsistency in our implementation of the "Initial Seedlist Discovery" specification. An authSource specified in the options passed to MongoClient would be overridden by an authSource provided in the TXT record checked during initial seedlist discovery over SRV. Thank you very much Miguel!

    bulkWrite

    BulkWriteError is now exported at the top level of the module so that users can catch them easily. Additionally, a fix was made to ensure that the index of operations passed into an unordered bulk operation were preserved when reporting possible errors in the future.

    Release Notes

    Bug

    • [NODE-1747] - Replica set causes MongoNetworkError due to not connecting with fully qualified domain name
    • [NODE-2089] - Only apply TransientTransactionError label within a transaction
    • [NODE-2143] - getaddrinfo ENOTFOUND error on Windows 10 due to failed fallback to ipv4 after ipv6 lookup fails
    • [NODE-2308] - Bulk write error returns incorrect index in WriteError for unordered writes
    • [NODE-2332] - useUnifiedTopology - replicaset
    • [NODE-2335] - Node Driver does not follow Initial DNS Seedlist Discovery spec
    • [NODE-2342] - Enabling useUnifiedTopology results in stack overflow when connecting to uninitialized replica set

    Improvement

    • [NODE-2348] - Document and notify on deprecated events and options for unified topology
    • [NODE-2306] - Driver module does not export `BulkWriteError`
  • 3.3.4 - 2019-11-11
  • 3.3.4-rc0 - 2019-11-06
  • 3.3.3 - 2019-10-16
  • 3.3.2 - 2019-08-28
  • 3.3.1 - 2019-08-23
  • 3.3.0 - 2019-08-13
  • 3.3.0-beta2 - 2019-07-18
  • 3.3.0-beta1 - 2019-06-18
  • 3.2.7 - 2019-06-04
  • 3.2.6 - 2019-05-24
  • 3.2.5 - 2019-05-17
  • 3.2.4 - 2019-05-08
  • 3.2.3 - 2019-04-05
  • 3.2.2 - 2019-03-22
  • 3.2.1 - 2019-03-21
  • 3.2.0-beta2 - 2019-03-10
  • 3.2.0-beta1 - 2019-02-27
  • 3.1.13 - 2019-01-23
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • d7ac176 chore(release): 3.5.5
  • f69f51c fix: multiple concurrent attempts to process the queue may fail
  • cde11ec fix: pass optional promise lib to maybePromise
  • 0c36a32 NODE-2474: update equal server description (#2260)
  • 6b3b64d test: ensure mock server is setup before continuing with tests
  • 6238c84 fix: correctly use template string for connection string error message
  • 44097c2 test: use a reduced `minHeartbeatFrequencyMS` for spec test runner
  • ef04d00 fix(cursor): hasNext consumes documents on cursor with limit
  • b72fefe docs: update community links to use MongoDB Community forums
  • e7dd608 docs: fix typo and formatting of bulleted lists
  • 3ddaa3e fix: don't depend on private node api for `Timeout` wrapper
  • 582d3e2 chore(release): 3.5.4
  • e08b358 chore: disable test using CodeWScope with a `$where` clause
  • 3dd726c chore: update EVG macos runs to use 10.14 boxes
  • 494dffb fix(topology): enter `STATE_CLOSING` before draining waitQueue
  • bf701d6 fix(topology): ensure selection wait queue is always processed
  • 361bc1e refactor: remove SKIP_SESSION aspect
  • f6a8ceb refactor: use `maybePromise` for all `MongoClient` fake operations
  • 6f71507 chore: move sdam spec unit tests from `unit/core` to `unit/sdam`
  • a1e0849 fix(sdam): use ObjectId comparison to track maxElectionId
  • 2d1b713 fix(cmap): don't run min connection thread if no minimum specified
  • f8694f5 refactor: remove `nextObject` helper, inline code in cursor class
  • bb359a1 fix: don't consume first document when calling `hasNext` on cursor
  • c56ff72 test: add test for `hasNext` not consuming first document in stream

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

  • View latest project report
  • Adjust upgrade PR settings
  • Ignore this dependency or unsubscribe from future upgrade PRs
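A check a reviewer of this upgrade might run before merging, added here as an example (it is not Snyk's code and not part of the mongodb driver): it walks a package-lock.json and reports every resolved copy of mongodb below the 3.5.5 this PR targets, including copies nested under other dependencies, which a top-level version bump does not touch. The lockfile contents, the `legacy-db-helper` package and the `MINIMUMS` table are constructed for the example; the bson version that closes SNYK-JS-BSON-561052 is not stated on the page, so the check keys on the driver version the PR states.

```javascript
// Added example, not from the Snyk PR or the mongodb driver: verify that every
// resolved copy of a package in a package-lock.json meets a minimum version.
// MINIMUMS is constructed for this example; 3.5.5 is the version the PR upgrades to.
const MINIMUMS = { mongodb: '3.5.5' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into its parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two versions; returns -1, 0 or 1. A prerelease (3.3.0-beta2) sorts
// below the corresponding release (3.3.0), as semver requires.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every resolved version of the packages in MINIMUMS from a lockfile,
// handling both the v1 nested "dependencies" tree and the v2 flat "packages" map.
function collectVersions(lock) {
  const found = {}; // name -> Set of resolved versions
  const add = (name, version) => {
    if (!(name in MINIMUMS) || !version) return;
    (found[name] = found[name] || new Set()).add(version);
  };
  const walkV1 = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      add(name, entry.version);
      walkV1(entry.dependencies); // nested copies live under their parent
    }
  };
  walkV1(lock.dependencies);
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; the root entry "" is skipped by add()
    add(path.split('node_modules/').pop(), entry.version);
  }
  return found;
}

// Return one finding per resolved copy that is below its minimum.
function findOutdated(lock) {
  const findings = [];
  const found = collectVersions(lock);
  for (const [name, minimum] of Object.entries(MINIMUMS)) {
    for (const version of found[name] || []) {
      if (compareSemver(version, minimum) < 0) findings.push({ name, version, minimum });
    }
  }
  return findings;
}

// Constructed lockfiles: the state before this PR, and a state after it where a
// hypothetical wrapper package still pins the old driver underneath itself.
const LOCK_BEFORE = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: { mongodb: { version: '3.1.13' } },
};
const LOCK_AFTER = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    mongodb: { version: '3.5.5' },
    'legacy-db-helper': { version: '1.0.0', dependencies: { mongodb: { version: '3.1.13' } } },
  },
};

console.log('before:', findOutdated(LOCK_BEFORE)); // flags mongodb 3.1.13
console.log('after: ', findOutdated(LOCK_AFTER));  // still flags the nested 3.1.13

module.exports = { parseSemver, compareSemver, collectVersions, findOutdated, LOCK_BEFORE, LOCK_AFTER };
```

On a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result from `findOutdated` means the advisory is still reachable through some dependency path even though the top-level entry was bumped.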


1 participant