The MongoDB Node.js team is pleased to announce version 4.17.0 of the mongodb package!
Release Notes
mongodb-js/saslprep is now installed by default
Until v6, the driver included the saslprep package as an optional dependency for SCRAM-SHA-256 authentication. saslprep breaks when bundled with webpack because it attempted to read a file relative to the package location and consequently the driver would throw errors when using SCRAM-SHA-256 if it were bundled.
The driver now depends on mongodb-js/saslprep, a fork of saslprep that can be bundled with webpack because it includes the necessary saslprep data in memory upon loading. This will be installed by default but will only be used if SCRAM-SHA-256 authentication is used.
Remove credential availability on ConnectionPoolCreatedEvent
In order to avoid mistakenly printing credentials the ConnectionPoolCreatedEvent will replace the credentials option with an empty object. The credentials are still accessble via MongoClient options: client.options.credentials.
Features
NODE-5272: do not create or drop ecc collections (#3678) (d26ad61)
NODE-5398: use mongodb-js/saslprep instead of saslprep (#3820) (5244711)
Bug Fixes
NODE-5262: AWS Lambda metadata detection logic is too permissive (#3683) (c0c3d99)
NODE-5311: construct error messages for AggregateErrors in Node16+ (#3683) (98b7bdf)
NODE-5316: prevent parallel topology creation in MongoClient.connect (#3696) (e13038d)
authenticate(), req#login, and req#logout accept a
keepSessionInfo: true option to keep session information after regenerating
the session.
Changed
req#login() and req#logout() regenerate the the session and clear session
information by default.
req#logout() is now an asynchronous function and requires a callback
function as the last argument.
Security
Improved robustness against session fixation attacks in cases where there is
physical access to the same system or the application is susceptible to
cross-site scripting (XSS).
[0.5.3] - 2022-05-16
Fixed
initialize() middleware extends request with login(), logIn(),
logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
again, reverting change from 0.5.1.
This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.
Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.
Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Fix: Properties with the name __proto__ are added to objects and arrays.
(#199) This also fixes a prototype pollution vulnerability reported by
Jonathan Gregson! (#295).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/BaseAdresseNationale/api-depot/network/alerts).
Bumps the npm_and_yarn group with 17 updates in the / directory:
11.8.311.8.54.4.04.17.06.7.26.9.90.5.20.6.03.0.03.0.15.0.05.0.12.1.32.1.41.14.91.15.55.1.15.1.22.8.82.8.94.1.04.1.11.0.11.0.23.0.43.1.21.2.51.2.81.0.61.0.75.7.15.7.21.2.31.2.5Updates
gotfrom 11.8.3 to 11.8.5Release notes
Sourced from got's releases.
Commits
5e17bb711.8.5bce8ce7Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc8ced192Fix build670eb0411.8.420f29feBackport #1543: Initialize globalResponse in case of ignored HTTPError (#2017)Updates
mongodbfrom 4.4.0 to 4.17.0Release notes
Sourced from mongodb's releases.
... (truncated)
Changelog
Sourced from mongodb's changelog.
... (truncated)
Commits
c83a801chore(4.x): release 4.17.0 [skip-ci] (#3763)1b59955chore: update release automation scripts 4.x (#3824)5244711feat(NODE-5398): use mongodb-js/saslprep instead of saslprep (#3820)2910dcafix(NODE-5536): remove credentials from ConnectionPoolCreatedEvent options (#...0c1b654chore(NODE-5400): add@octokit/coreas a devDep (#3750)4adff37chore(NODE-5382): backport release automation scripts (#3747)2d028affix(NODE-5356): prevent scram auth from throwing TypeError if saslprep is not...0e1afc0ci(Node 5335): clean up instance profile from instance after CI runs (#3719)7f5b334ci(NODE-5334): install npm to node_artifacts directory in CI (#3709)e13038dfix(NODE-5316): prevent parallel topology creation in MongoClient.connect (#3...Maintainer changes
This version was pushed to npm by dbx-node, a new releaser for mongodb since your current version.
Updates
nodemailerfrom 6.7.2 to 6.9.9Release notes
Sourced from nodemailer's releases.
Changelog
Sourced from nodemailer's changelog.
... (truncated)
Commits
5a2e10fchore(master): release 6.9.9 [skip-ci] (#1606)dd8f5e8fix(security): Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eterna...2c2b46achore: do not use caret in version specifierbe45c1bfix(tests): Use native node test runner, added code coverage support, removed...4233f6fchore(master): release 6.9.8 [skip-ci] (#1605)09d502fchore: removed double fileb4d0e0cfix(punycode): do not use native punycode module8376c02Test new github notice syntax for READMEbc46a3bUpdated stale github action78bdaf8chore: remove redundant AWS SDK for JavaScript v2 (#1593)Updates
passportfrom 0.5.2 to 0.6.0Changelog
Sourced from passport's changelog.
Commits
c33067b0.6.03052bb4Update changelog.42630cbMerge pull request #900 from jaredhanson/fix-fixation8dd79feUse utils-merge rather than Object.assign for compatibility.4f6bd5bChange keepSessionData to keepSessionData.46756e5Silence verbose logging.987b191Add tests.f8a175fAdd tests.29a90d6No need to guard callback existence.bfba8a1Add tests.Updates
@sideway/formulafrom 3.0.0 to 3.0.1Commits
5b44c1b3.0.19fbc20achore: better number regex41ae98eCleanupc59f35eMove to SidewayMaintainer changes
This version was pushed to npm by marsup, a new releaser for
@sideway/formulasince your current version.Updates
ansi-regexfrom 5.0.0 to 5.0.1Release notes
Sourced from ansi-regex's releases.
Commits
a9babce5.0.14657833fix incorrect formatc3c0b3fFix potential ReDoS (#37)178363bMove to GitHub Actions (#35)0755e66Add@Qix- to funding.ymlUpdates
cookiejarfrom 2.1.3 to 2.1.4Commits
Updates
follow-redirectsfrom 1.14.9 to 1.15.5Commits
b1677ceRelease version 1.15.5 of the npm package.d8914f7Preserve fragment in responseUrl.6585820Release version 1.15.4 of the npm package.7a6567eDisallow bracketed hostnames.05629afPrefer native URL instead of deprecated url.parse.1cba8e8Prefer native URL instead of legacy url.resolve.72bc2a4Simplify _processResponse error handling.3d42aecAdd bracket tests.bcbb096Do not directly set Error properties.192dbe7Release version 1.15.3 of the npm package.Updates
glob-parentfrom 5.1.1 to 5.1.2Release notes
Sourced from glob-parent's releases.
Changelog
Sourced from glob-parent's changelog.
Commits
eb2c439chore: update changelog12bcb6cchore: release 5.1.2f923116fix: eliminate ReDoS (#36)0b014a7chore: add JSDoc returns information (#33)2b24ebdchore: generate initial changelogUpdates
hosted-git-infofrom 2.8.8 to 2.8.9Changelog
Sourced from hosted-git-info's changelog.
Commits
8d4b369chore(release): 2.8.929adfe5fix: backport regex fix from #76Maintainer changes
This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.
Updates
http-cache-semanticsfrom 4.1.0 to 4.1.1Commits
2449650Update mocha560b2d8Don't use regex to trim whitespaceb1bdb92Remove linting package zooc20dc7eCache 308Updates
json5from 1.0.1 to 1.0.2Release notes
Sourced from json5's releases.
Changelog
Sourced from json5's changelog.
... (truncated)
Commits
a62db1e1.0.2e0c23fedocs: update CHANGELOG for v1.0.262a6540fix: add proto to objects and arraysUpdates
minimatchfrom 3.0.4 to 3.1.2Commits
699c4593.1.22f2b5fffix: trim pattern25d7c0d3.1.155dda29fix: treat nocase:true as always having magic5e1fb8d3.1.0f8145c5Add 'allowWindowsEscape' option570e8b1add publishConfig for v3 publishes5b7cd333.0.620b4b56[fix] revert all breaking syntax changes2ff0388document, expose, and test 'partial:true' optionUpdates
minimistfrom 1.2.5 to 1.2.8Changelog
Sourced from minimist's changelog.
... (truncated)
Commits
6901ee2v1.2.8a026794Merge tag 'v0.2.3'c0b2661v0.2.363b8fee[Fix] Fix long option followed by single dash (#17)72239e6[Tests] Remove duplicate test (#12)34b0f1c[eslint] fix indentation3226afa[Dev Deps] add missingnpmignoredev dep098873c[Dev Deps] update@ljharb/eslint-config,aud9ec4d27[Fix] Fix long option followed by single dashba92fe6[actions] Avoid 0.6 tests due to build failuresMaintainer changes
This version was pushed to npm by ljharb, a new releaser for minimist since your current version.
Updates
path-parsefrom 1.0.6 to 1.0.7Commits
Updates
semverfrom 5.7.1 to 5.7.2Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.
Commits
f8cc313chore: release 5.7.22f8fd41fix: better handling of whitespace (#585)deb5ad5chore:@npmcli/template-oss@4.16.0Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.
Updates
word-wrapfrom 1.2.3 to 1.2.5Release notes
Sourced from word-wrap's releases.
Commits
207044e1.2.59894315revert default indentf64b188run verb to generate README03ea082Merge pull request #42 from jonschlinkert/chore/publish-workflow420dce9Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2bfa694eUpdate .github/workflows/publish.ymlace0b3cchore: bump version to 1.2.46fd7275chore: add publish workflow30d6dafchore: fix test655929cchore: remove package-lockDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show