mongodb: use driver 4.7.0

[rodmatos]

Since this project is running on a old mongodb driver version, we should update it. Will address issue #51

[EricThompson-PeopleReign]

It would be great to get this merged in. There are Vulnerabilities in this package that can be remediated by this.

[rodmatos]

@EricThompson-PeopleReign: I haven't been able to get an answer from the maintainer, so I wouldn't be too hopeful.

[wzrdtales]

this merge request doesn't attempt to upgrade the version. also we will need to add gitlab actions to the repo now that travis non free. I also don't have an environment with MongoDB right now to do manual testing in case

[rodmatos]

@wzrdtales: I am aware of that. I am happy to contribute with the upgrade but the whole CI needs a revamp since it is using an outdated toolchain.

[wzrdtales]

which toolchain you talk about, if you mean vows, not really worth the effort in time, but feel free to replace it with what the other projects already use, hapi lab.

[EricThompson-PeopleReign]

I think moving away from vows would be a good idea. It also brings in some vulnerability issues unless it can be upgraded to 0.8.3, but apparently tests break if we do.

[wzrdtales]

vulnerabilities in dev dependencies don't matter much usually, they don't end up in the end product. Also you will need to learn to distinguish vulnerabilities. As a piece of advice, don't make everything an elephant.

We're talking about CVE of type ReDoS vulnerability, there couldn't be anything less relevant, in a dev dependency. If it is a RCE ok, that is also dangerous over there, even though not actually relevant in most case, since there has to be an actor to exploit which is very unlikely unless you're very specifically targeted by hackers.