
[Snyk] Upgrade mongodb from 3.5.9 to 4.12.1 #705

Open: wants to merge 2 commits into master

Conversation

snyk-bot

Snyk has created this PR to upgrade mongodb from 3.5.9 to 4.12.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


Warning: This is a major version upgrade, and may be a breaking change.

  • The recommended version is 53 versions ahead of your current version.
  • The recommended version was released a month ago, on 2022-11-23.

The recommended version fixes:

Severity: (not captured in this view)
Issue: Remote Memory Exposure (SNYK-JS-BL-608877)
Priority Score (*): 492/1000 (Why? Proof of Concept exploit, CVSS 7.7)
Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: mongodb
  • 4.12.1 - 2022-11-23

    The MongoDB Node.js team is pleased to announce version 4.12.1 of the mongodb package!

    Release Highlights

    This version includes a fix to a regression in our monitoring logic that could cause process crashing errors that was introduced in v4.12.0.

    If you are using v4.12.0 of the Node driver, we strongly encourage you to upgrade.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 4.12.0 - 2022-11-16

    The MongoDB Node.js team is pleased to announce version 4.12.0 of the mongodb package!

    Release Highlights

    ChangeStreams are now AsyncIterators

    ChangeStreams are now async iterables and can be used anywhere that expects an async iterable. Notably, change streams can now be used in Javascript for-await loops:

    const changeStream = collection.watch();
    for await (const change of changeStream) {
      console.log("Received change: ", change);
    }

    Some users may have been using change streams in for-await loops manually by using a for-await loop with the ChangeStream’s internal cursor. For example:

    const changeStream = collection.watch();
    for await (const change of changeStream.cursor) {
      console.log("Received change: ", change);
    }

    The change stream cursor has no support for resumability and consequently the change stream will never attempt to resume on any errors. We strongly caution against using a change stream cursor as an async iterable and strongly recommend using the change stream directly.

    Server Monitoring Fix When Monitoring Events are Skipped

    Version 4.7.0 of the Node driver released an improvement to our server monitoring in FAAS environments by allowing the driver to skip monitoring events if there was more than one monitoring event in the queue when the monitoring code restarted. When skipping monitoring events that contained a topology change, the driver would incorrectly fail to update its view of the topology.

    Version 4.12.0 fixes this issue by ensuring that the topology is always updated when monitoring events are processed.

    Performance Improvements with Buffering

    This release also modifies the data structures used internally in the driver to use linked lists in places where random access is not required and constant time insertion and deletion is beneficial.

    External Contributions

    Many thanks to @ImRodry for helping us fix the documentation for our deprecated callback overloads in this release!

    Features

    Deprecations

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 4.11.0 - 2022-10-19

    The MongoDB Node.js team is pleased to announce version 4.11.0 of the mongodb package!

    Release Highlights

    Recursive Schema Support

    Version 4.3.0 of the Node driver added Typescript support for dot notation into our Filter type but
    in the process it broke support for recursive schemas. In 4.11.0, we now support mutually recursive schemas and
    provide type safety on dot notation queries up to a depth of 8. Beyond a depth of 8, code still compiles
    but is no longer type checked (it falls back to a type of any).

    import { Collection } from 'mongodb';

    interface Author {
      name: string;
      bestBook: Book;
    }

    interface Book {
      title: string;
      author: Author;
    }

    declare let authors: Collection<Author>;

    // below a depth of 8, type checking is enforced
    authors.findOne({ 'bestBook.author.bestBook.title': 25 })
    // ✅ expected compilation error is thrown: "title must be a string"

    // at a depth greater than 8 code compiles but is not type checked (9 deep in this example)
    authors.findOne({ 'bestBook.author.bestBook.author.bestBook.author.bestBook.author.name': 25 })
    // ⛔️ perhaps unexpected, no compilation error is thrown because the key is too deeply nested

    Note that our depth limit is a product of Typescript's recursive type limitations.

    AWS Authentication

    If the optional aws-sdk dependency is installed, the driver will now use the SDK to get credentials
    from the environment. Because of this, if you have a shared AWS credentials or config file, then
    those credentials will be used by default if AWS auth environment variables are not set. To override this
    behavior, set AWS_SHARED_CREDENTIALS_FILE="" in your shell or set the
    equivalent environment variable value in your script or application. Alternatively, you can create
    an AWS profile specifically for your MongoDB credentials and set the AWS_PROFILE environment
    variable to that profile name.

    External Contributions

    Many thanks to those who contributed to this release!

    • @ermik provided an extremely large schema to test compilation with, which made testing our new recursive schema support possible with large schemas straightforward.
    • @noahsilas for documentation improvements in change streams and fixing our Typescript types for read preferences.
    • @zendagin for adding Typescript support for hashed indexes.
    • @biniona-mongodb for fixing our parsing of TLS options.
    • @LinusU for removing support for server versions lower than our minimum supported server version and improving error messages for unacknowledged writes with hints.

    Features

    Bug Fixes


    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 4.10.0 - 2022-09-19
  • 4.9.1 - 2022-08-31
  • 4.9.0 - 2022-08-18
  • 4.8.1 - 2022-07-26
  • 4.8.0 - 2022-07-13
  • 4.7.0 - 2022-06-06
  • 4.6.0 - 2022-05-11
  • 4.6.0-alpha.0 - 2022-05-04
  • 4.5.0 - 2022-04-04
  • 4.4.1 - 2022-03-03
  • 4.4.0 - 2022-02-17
  • 4.3.1 - 2022-01-18
  • 4.3.0 - 2022-01-06
  • 4.2.2 - 2021-12-13
  • 4.2.1 - 2021-11-30
  • 4.2.0 - 2021-11-17
  • 4.1.4 - 2021-11-03
  • 4.1.3 - 2021-10-05
  • 4.1.2 - 2021-09-14
  • 4.1.1 - 2021-08-24
  • 4.1.0 - 2021-08-03
  • 4.0.1 - 2021-07-20
  • 4.0.0 - 2021-07-13
  • 4.0.0-beta.6 - 2021-07-01
  • 4.0.0-beta.5 - 2021-05-26
  • 4.0.0-beta.4 - 2021-05-18
  • 4.0.0-beta.3 - 2021-04-06
  • 4.0.0-beta.2 - 2021-03-16
  • 4.0.0-beta.1 - 2021-02-02
  • 4.0.0-beta.0 - 2021-01-19
  • 3.7.3 - 2021-10-20
  • 3.7.2 - 2021-10-05
  • 3.7.1 - 2021-09-14
  • 3.7.0 - 2021-08-31
  • 3.6.12 - 2021-08-30
  • 3.6.11 - 2021-08-05
  • 3.6.10 - 2021-07-06
  • 3.6.9 - 2021-05-26
  • 3.6.8 - 2021-05-21
  • 3.6.7 - 2021-05-18
  • 3.6.6 - 2021-04-06
  • 3.6.5 - 2021-03-16
  • 3.6.4 - 2021-02-02
  • 3.6.3 - 2020-11-06
  • 3.6.2 - 2020-09-10
  • 3.6.1 - 2020-09-02
  • 3.6.0 - 2020-07-30
  • 3.6.0-beta.0 - 2020-04-14
  • 3.5.11 - 2020-09-10
  • 3.5.10 - 2020-07-30
  • 3.5.9 - 2020-06-12
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • 73e92ce chore(release): 4.12.1
  • 9795cdb fix(NODE-4831): check map value is not undefined (#3477)
  • ff375e9 fix(NODE-4830): lazily import aws module (#3476)
  • c4c560c chore(NODE-4824): add check to confirm docs generation and release only runs on main repo (#3468)
  • fda7d25 test(NODE-4790): retryable handshake errors spec sync (#3472)
  • 8254575 chore(release): 4.12.0
  • bcc33c8 docs: generate docs from latest main (#3469)
  • 4c9b4d8 fix(NODE-4783): handle orphaned operation descriptions (#3463)
  • 04203c7 docs(NODE-4755): clarify deprecation docs for autoIndexId (#3470)
  • 1a5e619 feat(NODE-4757): deprecate unused PipeOptions (#3466)
  • 9958879 docs: generate docs from latest main (#3462)
  • 8320315 docs(NODE-4823): fix broken links in 4.11 documentation (#3467)
  • 199dcaf fix(NODE-4753): remove erroneous deprecation of geoNear (#3465)
  • 1eea4f0 feat(NODE-4809): deprecate the existing logger (#3464)
  • b70cc7c types: move deprecated overloads to the bottom (#3461)
  • beb1893 docs: generate docs from latest main (#3431)
  • 6a8776c feat(NODE-4681): deprecate modify result (#3459)
  • a143d3b feat(NODE-4733): deprecate result and getLastOp (#3458)
  • bf7a132 docs(NODE-4775): improve documentation on gridfs start and end options (#3460)
  • 528449d docs(NODE-4762): document raw bson option (#3456)
  • df8d9a4 feat(NODE-4683): make ChangeStream an async iterable (#3454)
  • 89b27e9 fix(NODE-4735): fix change stream consecutive resumabilty (#3453)
  • d55022b refactor(NODE-4754): remove unused QueryOptions export (#3455)
  • 1bf6ef1 fix(NODE-4609): allow mapping to falsey non-null values in cursors (#3452)

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.


Code scanning / SnykCode: check failure on lines +19 to +20

    const imageRequest = request
      .get(url)

Server-Side Request Forgery (SSRF) Error: Unsanitized input from {0} {1} into {2}, where it is used as a URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

Code scanning / SnykCode: check failure on the lines below

    .on('response', function (res) {
      if (res.statusCode === 200) {
        const ext = ['jpg', 'jpeg', 'png', 'svg', 'gif'].includes(url.split('.').slice(-1)[0].toLowerCase()) ? url.split('.').slice(-1)[0].toLowerCase() : 'jpg'
        imageRequest.pipe(fs.createWriteStream(`frontend/dist/frontend/assets/public/images/uploads/${loggedInUser.data.id}.${ext}`))

Path Traversal Error: Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.
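The two findings above share a root cause: the user-supplied url reaches request.get() unchecked and then decides the file name that is written. The following is an added example, not code from the project under review or from this PR, of the validation a reviewer would ask for at that point; ALLOWED_HOSTS is an assumed placeholder and the numeric user id is an assumption about the session data.

```javascript
// Added example (not from the scanned project or this PR): the checks the two
// findings above call for. The host allowlist is an assumed placeholder.
const ALLOWED_HOSTS = new Set(['images.example.com']);
// Same extension list as the flagged code (svg kept from the original).
const ALLOWED_EXT = new Set(['jpg', 'jpeg', 'png', 'svg', 'gif']);
const UPLOAD_DIR = 'frontend/dist/frontend/assets/public/images/uploads';

// SSRF check: parse the user-supplied URL before it reaches request.get(),
// require https, reject embedded credentials, and accept only allowlisted hosts.
// Returns a URL object, or null when the request must be refused.
function validateImageUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u;
}

// Take the extension from the URL path only (never the query string or
// fragment); fall back to 'jpg' when it is not allowlisted, as the original does.
function extensionFor(u) {
  const last = u.pathname.split('/').pop();
  const dot = last.lastIndexOf('.');
  const ext = dot === -1 ? '' : last.slice(dot + 1).toLowerCase();
  return ALLOWED_EXT.has(ext) ? ext : 'jpg';
}

// Path traversal check: the file name is built from a non-negative integer id
// and an allowlisted extension only, then re-checked against a strict pattern,
// so no separator or '..' component can reach the write path.
function uploadPathFor(userId, ext) {
  if (!Number.isInteger(userId) || userId < 0) return null;
  if (!ALLOWED_EXT.has(ext)) return null;
  const name = `${userId}.${ext}`;
  if (!/^\d+\.[a-z]+$/.test(name)) return null;
  return `${UPLOAD_DIR}/${name}`;
}

// Combined result: the validated fetch URL and the destination path, or null.
function planUpload(rawUrl, userId) {
  const u = validateImageUrl(rawUrl);
  if (u === null) return null;
  const dest = uploadPathFor(userId, extensionFor(u));
  return dest === null ? null : { url: u.href, dest };
}
```

An HTTP client that follows redirects can still be steered off the allowlisted host after this check, so disable redirect following or re-validate each redirected URL before the download proceeds.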