The MongoDB Node.js team is pleased to announce version 4.17.0 of the mongodb package!
Release Notes
mongodb-js/saslprep is now installed by default
Until v6, the driver included the saslprep package as an optional dependency for SCRAM-SHA-256 authentication. saslprep breaks when bundled with webpack because it attempted to read a file relative to the package location and consequently the driver would throw errors when using SCRAM-SHA-256 if it were bundled.
The driver now depends on mongodb-js/saslprep, a fork of saslprep that can be bundled with webpack because it includes the necessary saslprep data in memory upon loading. This will be installed by default but will only be used if SCRAM-SHA-256 authentication is used.
Remove credential availability on ConnectionPoolCreatedEvent
In order to avoid mistakenly printing credentials the ConnectionPoolCreatedEvent will replace the credentials option with an empty object. The credentials are still accessble via MongoClient options: client.options.credentials.
Features
NODE-5272: do not create or drop ecc collections (#3678) (d26ad61)
NODE-5398: use mongodb-js/saslprep instead of saslprep (#3820) (5244711)
Bug Fixes
NODE-5262: AWS Lambda metadata detection logic is too permissive (#3683) (c0c3d99)
NODE-5311: construct error messages for AggregateErrors in Node16+ (#3683) (98b7bdf)
NODE-5316: prevent parallel topology creation in MongoClient.connect (#3696) (e13038d)
Fix uri scheme validation (@ChALkeR).
Fix boolean schemas with strictKeywords option (#1270)
v6.12.4
Fix: coercion of one-item arrays to scalar that should fail validation (failing example).
v6.12.3
Pass schema object to processCode function
Option for strictNumbers (@issacgerges, #1128)
Fixed vulnerability related to untrusted schemas (CVE-2020-15366)
This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.
Fix ReDoS in certain cases (#37)
You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.
Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)
Fix: Properties with the name __proto__ are added to objects and arrays.
(#199) This also fixes a prototype pollution vulnerability reported by
Jonathan Gregson! (#295).
Bumps the npm_and_yarn group with 14 updates in the / directory:
4.7.0
4.17.0
7.15.4
7.24.0
6.11.0
6.12.6
5.0.0
5.0.1
1.2.2
1.2.3
1.15.1
1.15.5
2.7.1
2.8.9
4.0.0
4.1.1
1.0.1
1.0.2
3.0.4
3.1.2
1.2.0
1.2.8
1.0.6
1.0.7
5.6.0
5.7.2
1.2.3
1.2.5
Updates
mongodb
from 4.7.0 to 4.17.0Release notes
Sourced from mongodb's releases.
... (truncated)
Changelog
Sourced from mongodb's changelog.
... (truncated)
Commits
c83a801
chore(4.x): release 4.17.0 [skip-ci] (#3763)1b59955
chore: update release automation scripts 4.x (#3824)5244711
feat(NODE-5398): use mongodb-js/saslprep instead of saslprep (#3820)2910dca
fix(NODE-5536): remove credentials from ConnectionPoolCreatedEvent options (#...0c1b654
chore(NODE-5400): add@octokit/core
as a devDep (#3750)4adff37
chore(NODE-5382): backport release automation scripts (#3747)2d028af
fix(NODE-5356): prevent scram auth from throwing TypeError if saslprep is not...0e1afc0
ci(Node 5335): clean up instance profile from instance after CI runs (#3719)7f5b334
ci(NODE-5334): install npm to node_artifacts directory in CI (#3709)e13038d
fix(NODE-5316): prevent parallel topology creation in MongoClient.connect (#3...Maintainer changes
This version was pushed to npm by dbx-node, a new releaser for mongodb since your current version.
Updates
@babel/traverse
from 7.15.4 to 7.24.0Release notes
Sourced from
@babel/traverse
's releases.... (truncated)
Changelog
Sourced from
@babel/traverse
's changelog.... (truncated)
Commits
ce59160
v7.24.0bd5abd5
fix: avoidpopContext
on unvisited node paths (#16305)08a057c
UseObject.hasOwn
when available (#16248)a0dd614
v7.23.91200542
fix: Don't throw ingetTypeAnnotation
when using TS+inference (#15383)e428a6d
v7.23.7d292822
fix: Crash when removing withoutProgram
(#16191)d02c1f7
v7.23.6cce807f
Bump debug to ^4.3.1 (#16164)8479012
v7.23.5Updates
ajv
from 6.11.0 to 6.12.6Release notes
Sourced from ajv's releases.
Commits
fe59143
6.12.6d580d3e
Merge pull request #1298 from ajv-validator/fix-urlfd36389
fix: regular expression for "url" format490e34c
docs: link to v7-beta branch9cd93a1
docs: note about v7 in readme877d286
Merge pull request #1262 from b4h0-c4t/refactor-opt-object-typef1c8e45
6.12.5764035e
Merge branch 'ChALkeR-chalker/fix-comma'3798160
Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...a3c7eba
Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...Updates
ansi-regex
from 5.0.0 to 5.0.1Release notes
Sourced from ansi-regex's releases.
Commits
a9babce
5.0.14657833
fix incorrect formatc3c0b3f
Fix potential ReDoS (#37)178363b
Move to GitHub Actions (#35)0755e66
Add@Qix
- to funding.ymlUpdates
bl
from 1.2.2 to 1.2.3Commits
d69edfd
1.2.3847473a
test all branches0bd87ec
Fix unintialized memory accessdc097f3
test newer versions of NodeUpdates
follow-redirects
from 1.15.1 to 1.15.5Commits
b1677ce
Release version 1.15.5 of the npm package.d8914f7
Preserve fragment in responseUrl.6585820
Release version 1.15.4 of the npm package.7a6567e
Disallow bracketed hostnames.05629af
Prefer native URL instead of deprecated url.parse.1cba8e8
Prefer native URL instead of legacy url.resolve.72bc2a4
Simplify _processResponse error handling.3d42aec
Add bracket tests.bcbb096
Do not directly set Error properties.192dbe7
Release version 1.15.3 of the npm package.Updates
hosted-git-info
from 2.7.1 to 2.8.9Changelog
Sourced from hosted-git-info's changelog.
... (truncated)
Commits
8d4b369
chore(release): 2.8.929adfe5
fix: backport regex fix from #76afeaefd
chore(release): 2.8.85038b18
fix: #61 & #65 addressing issues w/ url.URL implmentation which regressed nod...7440afa
chore(release): 2.8.72d0bb66
fix: Do not attempt to use url.URL when unavailablef2cdfcf
fix: Do not pass scp-style URLs to the WhatWG url.URLe1b83df
chore(release): 2.8.6ff259a6
Ensure passwords in hosted Git URLs are correctly escaped624fd6f
chore(release): 2.8.5Maintainer changes
This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.
Updates
http-cache-semantics
from 4.0.0 to 4.1.1Commits
2449650
Update mocha560b2d8
Don't use regex to trim whitespaceb1bdb92
Remove linting package zooc20dc7e
Cache 308ed83aec
Explain trust server date1b35980
rfc 5861 (stale-if-error, stale-while-revalidate)2c2fac2
Drop trustServerDateeb7028f
Test names84cc9a8
Bumpae5ecd5
Add status to testsUpdates
json5
from 1.0.1 to 1.0.2Release notes
Sourced from json5's releases.
Changelog
Sourced from json5's changelog.
... (truncated)
Commits
a62db1e
1.0.2e0c23fe
docs: update CHANGELOG for v1.0.262a6540
fix: add proto to objects and arraysUpdates
minimatch
from 3.0.4 to 3.1.2Commits
699c459
3.1.22f2b5ff
fix: trim pattern25d7c0d
3.1.155dda29
fix: treat nocase:true as always having magic5e1fb8d
3.1.0f8145c5
Add 'allowWindowsEscape' option570e8b1
add publishConfig for v3 publishes5b7cd33
3.0.620b4b56
[fix] revert all breaking syntax changes2ff0388
document, expose, and test 'partial:true' optionUpdates
minimist
from 1.2.0 to 1.2.8Changelog
Sourced from minimist's changelog.
... (truncated)
Commits
6901ee2
v1.2.8a026794
Merge tag 'v0.2.3'c0b2661
v0.2.363b8fee
[Fix] Fix long option followed by single dash (#17)72239e6
[Tests] Remove duplicate test (#12)34b0f1c
[eslint] fix indentation3226afa
[Dev Deps] add missingnpmignore
dev dep098873c
[Dev Deps] update@ljharb/eslint-config
,aud
9ec4d27
[Fix] Fix long option followed by single dashba92fe6
[actions] Avoid 0.6 tests due to build failuresMaintainer changes
This version was pushed to npm by ljharb, a new releaser for minimist since your current version.
Updates
path-parse
from 1.0.6 to 1.0.7Commits
Updates
semver
from 5.6.0 to 5.7.2Release notes
Sourced from semver's releases.
Changelog
Sourced from semver's changelog.