The MongoDB Node.js team is pleased to announce version 4.17.0 of the mongodb package!
Release Notes
mongodb-js/saslprep is now installed by default
Until v6, the driver included the saslprep package as an optional dependency for SCRAM-SHA-256 authentication. saslprep breaks when bundled with webpack because it attempted to read a file relative to the package location and consequently the driver would throw errors when using SCRAM-SHA-256 if it were bundled.
The driver now depends on mongodb-js/saslprep, a fork of saslprep that can be bundled with webpack because it includes the necessary saslprep data in memory upon loading. This will be installed by default but will only be used if SCRAM-SHA-256 authentication is used.
Remove credential availability on ConnectionPoolCreatedEvent
In order to avoid mistakenly printing credentials the ConnectionPoolCreatedEvent will replace the credentials option with an empty object. The credentials are still accessble via MongoClient options: client.options.credentials.
Features
NODE-5272: do not create or drop ecc collections (#3678) (d26ad61)
NODE-5398: use mongodb-js/saslprep instead of saslprep (#3820) (5244711)
Bug Fixes
NODE-5262: AWS Lambda metadata detection logic is too permissive (#3683) (c0c3d99)
NODE-5311: construct error messages for AggregateErrors in Node16+ (#3683) (98b7bdf)
NODE-5316: prevent parallel topology creation in MongoClient.connect (#3696) (e13038d)
authenticate(), req#login, and req#logout accept a
keepSessionInfo: true option to keep session information after regenerating
the session.
Changed
req#login() and req#logout() regenerate the the session and clear session
information by default.
req#logout() is now an asynchronous function and requires a callback
function as the last argument.
Security
Improved robustness against session fixation attacks in cases where there is
physical access to the same system or the application is susceptible to
cross-site scripting (XSS).
[0.5.3] - 2022-05-16
Fixed
initialize() middleware extends request with login(), logIn(),
logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
again, reverting change from 0.5.1.
This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.
Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.
Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Fix: Properties with the name __proto__ are added to objects and arrays.
(#199) This also fixes a prototype pollution vulnerability reported by
Jonathan Gregson! (#295).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/BaseAdresseNationale/api-depot/network/alerts).
Bumps the npm_and_yarn group with 17 updates in the / directory:
11.8.3
11.8.5
4.4.0
4.17.0
6.7.2
6.9.9
0.5.2
0.6.0
3.0.0
3.0.1
5.0.0
5.0.1
2.1.3
2.1.4
1.14.9
1.15.5
5.1.1
5.1.2
2.8.8
2.8.9
4.1.0
4.1.1
1.0.1
1.0.2
3.0.4
3.1.2
1.2.5
1.2.8
1.0.6
1.0.7
5.7.1
5.7.2
1.2.3
1.2.5
Updates
got
from 11.8.3 to 11.8.5Release notes
Sourced from got's releases.
Commits
5e17bb7
11.8.5bce8ce7
Backport 861ccd9ac2237df762a9e2beed7edd88c60782dc8ced192
Fix build670eb04
11.8.420f29fe
Backport #1543: Initialize globalResponse in case of ignored HTTPError (#2017)Updates
mongodb
from 4.4.0 to 4.17.0Release notes
Sourced from mongodb's releases.
... (truncated)
Changelog
Sourced from mongodb's changelog.
... (truncated)
Commits
c83a801
chore(4.x): release 4.17.0 [skip-ci] (#3763)1b59955
chore: update release automation scripts 4.x (#3824)5244711
feat(NODE-5398): use mongodb-js/saslprep instead of saslprep (#3820)2910dca
fix(NODE-5536): remove credentials from ConnectionPoolCreatedEvent options (#...0c1b654
chore(NODE-5400): add@octokit/core
as a devDep (#3750)4adff37
chore(NODE-5382): backport release automation scripts (#3747)2d028af
fix(NODE-5356): prevent scram auth from throwing TypeError if saslprep is not...0e1afc0
ci(Node 5335): clean up instance profile from instance after CI runs (#3719)7f5b334
ci(NODE-5334): install npm to node_artifacts directory in CI (#3709)e13038d
fix(NODE-5316): prevent parallel topology creation in MongoClient.connect (#3...Maintainer changes
This version was pushed to npm by dbx-node, a new releaser for mongodb since your current version.
Updates
nodemailer
from 6.7.2 to 6.9.9Release notes
Sourced from nodemailer's releases.
Changelog
Sourced from nodemailer's changelog.
... (truncated)
Commits
5a2e10f
chore(master): release 6.9.9 [skip-ci] (#1606)dd8f5e8
fix(security): Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eterna...2c2b46a
chore: do not use caret in version specifierbe45c1b
fix(tests): Use native node test runner, added code coverage support, removed...4233f6f
chore(master): release 6.9.8 [skip-ci] (#1605)09d502f
chore: removed double fileb4d0e0c
fix(punycode): do not use native punycode module8376c02
Test new github notice syntax for READMEbc46a3b
Updated stale github action78bdaf8
chore: remove redundant AWS SDK for JavaScript v2 (#1593)Updates
passport
from 0.5.2 to 0.6.0Changelog
Sourced from passport's changelog.
Commits
c33067b
0.6.03052bb4
Update changelog.42630cb
Merge pull request #900 from jaredhanson/fix-fixation8dd79fe
Use utils-merge rather than Object.assign for compatibility.4f6bd5b
Change keepSessionData to keepSessionData.46756e5
Silence verbose logging.987b191
Add tests.f8a175f
Add tests.29a90d6
No need to guard callback existence.bfba8a1
Add tests.Updates
@sideway/formula
from 3.0.0 to 3.0.1Commits
5b44c1b
3.0.19fbc20a
chore: better number regex41ae98e
Cleanupc59f35e
Move to SidewayMaintainer changes
This version was pushed to npm by marsup, a new releaser for
@sideway/formula
since your current version.Updates
ansi-regex
from 5.0.0 to 5.0.1Release notes
Sourced from ansi-regex's releases.
Commits
a9babce
5.0.14657833
fix incorrect formatc3c0b3f
Fix potential ReDoS (#37)178363b
Move to GitHub Actions (#35)0755e66
Add@Qix
- to funding.ymlUpdates
cookiejar
from 2.1.3 to 2.1.4Commits
Updates
follow-redirects
from 1.14.9 to 1.15.5Commits
b1677ce
Release version 1.15.5 of the npm package.d8914f7
Preserve fragment in responseUrl.6585820
Release version 1.15.4 of the npm package.7a6567e
Disallow bracketed hostnames.05629af
Prefer native URL instead of deprecated url.parse.1cba8e8
Prefer native URL instead of legacy url.resolve.72bc2a4
Simplify _processResponse error handling.3d42aec
Add bracket tests.bcbb096
Do not directly set Error properties.192dbe7
Release version 1.15.3 of the npm package.Updates
glob-parent
from 5.1.1 to 5.1.2Release notes
Sourced from glob-parent's releases.
Changelog
Sourced from glob-parent's changelog.
Commits
eb2c439
chore: update changelog12bcb6c
chore: release 5.1.2f923116
fix: eliminate ReDoS (#36)0b014a7
chore: add JSDoc returns information (#33)2b24ebd
chore: generate initial changelogUpdates
hosted-git-info
from 2.8.8 to 2.8.9Changelog
Sourced from hosted-git-info's changelog.
Commits
8d4b369
chore(release): 2.8.929adfe5
fix: backport regex fix from #76Maintainer changes
This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.
Updates
http-cache-semantics
from 4.1.0 to 4.1.1Commits
2449650
Update mocha560b2d8
Don't use regex to trim whitespaceb1bdb92
Remove linting package zooc20dc7e
Cache 308Updates
json5
from 1.0.1 to 1.0.2Release notes
Sourced from json5's releases.
Changelog
Sourced from json5's changelog.
... (truncated)
Commits
a62db1e
1.0.2e0c23fe
docs: update CHANGELOG for v1.0.262a6540
fix: add proto to objects and arraysUpdates
minimatch
from 3.0.4 to 3.1.2Commits
699c459
3.1.22f2b5ff
fix: trim pattern25d7c0d
3.1.155dda29
fix: treat nocase:true as always having magic5e1fb8d
3.1.0f8145c5
Add 'allowWindowsEscape' option570e8b1
add publishConfig for v3 publishes5b7cd33
3.0.620b4b56
[fix] revert all breaking syntax changes2ff0388
document, expose, and test 'partial:true' optionUpdates
minimist
from 1.2.5 to 1.2.8Changelog
Sourced from minimist's changelog.
... (truncated)
Commits
6901ee2
v1.2.8a026794
Merge tag 'v0.2.3'c0b2661
v0.2.363b8fee
[Fix] Fix long option followed by single dash (#17)72239e6
[Tests] Remove duplicate test (#12)34b0f1c
[eslint] fix indentation3226afa
[Dev Deps] add missingnpmignore
dev dep098873c
[Dev Deps] update@ljharb/eslint-config
,aud
9ec4d27
[Fix] Fix long option followed by single dashba92fe6
[actions] Avoid 0.6 tests due to build failuresMaintainer changes
This version was pushed to npm by ljharb, a new releaser for minimist since your current version.
Updates
path-parse
from 1.0.6 to 1.0.7Commits
Updates
semver
from 5.7.1 to 5.7.2Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.
Commits
f8cc313
chore: release 5.7.22f8fd41
fix: better handling of whitespace (#585)deb5ad5
chore:@npmcli/template-oss
@4
.16.0Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.
Updates
word-wrap
from 1.2.3 to 1.2.5Release notes
Sourced from word-wrap's releases.
Commits
207044e
1.2.59894315
revert default indentf64b188
run verb to generate README03ea082
Merge pull request #42 from jonschlinkert/chore/publish-workflow420dce9
Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2bfa694e
Update .github/workflows/publish.ymlace0b3c
chore: bump version to 1.2.46fd7275
chore: add publish workflow30d6daf
chore: fix test655929c
chore: remove package-lockDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show