mixmaxhq / mongo-cursor-pagination

Cursor-based pagination for Mongo
MIT License

Dependency mongodb-extended-json is no longer maintained and has known vulnerabilities. #50

Open sleepycat opened 5 years ago

sleepycat commented 5 years ago

This project depends on "mongodb-extended-json": "^1.7.1". According to the readme it's no longer maintained and recommends mongodb-extjson.

mongodb-extended-json also depends on the event-stream library recently affected by malware: dominictarr/event-stream#116.

skeggse commented 5 years ago

Thanks for flagging! Happy to field a pull request if you've got the time.

ptrk8 commented 5 years ago

I have some time but I may not have the ability given I have never contributed to a package before (but now would be a good time to start considering I use this package in my project).

Seems to me that the offending package is used once in bsonUrlEncoding.js:

var EJSON = require('mongodb-extended-json');
var base64url = require('base64-url');

/**
 * These will take a BSON object (a database result returned by the MongoDB library) and
 * encode/decode as a URL-safe string.
 */

module.exports.encode = function(obj) {
  return base64url.encode(EJSON.stringify(obj));
};

module.exports.decode = function(str) {
  return EJSON.parse(base64url.decode(str));
};

If I'm not mistaken the only thing that needs to be done is to:

  1. Remove the dependency on 'mongodb-extended-json'
  2. Add a dependency to 'mongodb-extjson'
  3. Modify the above snippet in the following manner, since the .parse method in 'mongodb-extjson' accepts a String as well.
var EJSON = require('mongodb-extjson'); /* Only change required. */
var base64url = require('base64-url');

/**
 * These will take a BSON object (a database result returned by the MongoDB library) and
 * encode/decode as a URL-safe string.
 */

module.exports.encode = function(obj) {
  return base64url.encode(EJSON.stringify(obj));
};

module.exports.decode = function(str) {
  return EJSON.parse(base64url.decode(str));
};

If what I've written is correct, I'm happy to make those changes.

simararneja commented 4 years ago

mongodb-extjson is also discontinued (merged with json-bson, read here) and no longer maintained. Happy to open a PR to upgrade it.
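Both the migration ptrk8 sketches above and simararneja's note that the replacement has itself been folded into the BSON library point the same way: keep the encode/decode contract of bsonUrlEncoding.js while dropping the abandoned dependency. The block below is an added example, not code from this repository or from any of the packages named; it stands in for the EJSON library with a minimal hand-written Extended JSON v2 codec for ObjectId and Date (assumed here to be the two types a pagination cursor carries), needs no third-party package, and validates the decoded cursor because the string arrives in a request URL.

```javascript
// Constructed stand-in for bsonUrlEncoding.js: same encode/decode API, no EJSON
// dependency. Handles ObjectId and Date via the Extended JSON v2 wire forms
// {"$oid": ...} and {"$date": ...}; the cursor string is untrusted URL input.
class ObjectId {
  constructor(hex) {
    if (!/^[0-9a-f]{24}$/i.test(hex)) throw new TypeError('invalid ObjectId hex');
    this.hex = hex.toLowerCase();
  }
}

// Replace BSON-typed values with their Extended JSON v2 representation.
function toExtended(value) {
  if (value instanceof ObjectId) return { $oid: value.hex };
  if (value instanceof Date) return { $date: value.toISOString() };
  if (Array.isArray(value)) return value.map(toExtended);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, toExtended(v)]));
  }
  return value; // string, number, boolean, null pass through
}

// Inverse of toExtended; malformed $oid/$date payloads raise instead of decoding.
function fromExtended(value) {
  if (Array.isArray(value)) return value.map(fromExtended);
  if (value && typeof value === 'object') {
    const keys = Object.keys(value);
    if (keys.length === 1 && keys[0] === '$oid') return new ObjectId(value.$oid);
    if (keys.length === 1 && keys[0] === '$date') {
      const d = new Date(value.$date);
      if (Number.isNaN(d.getTime())) throw new TypeError('invalid $date');
      return d;
    }
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, fromExtended(v)]));
  }
  return value;
}

// base64url (RFC 4648 section 5) built on Node's standard base64 codec.
function encode(obj) {
  return Buffer.from(JSON.stringify(toExtended(obj)))
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decode(str) {
  // Reject anything that is not a base64url alphabet string before touching it.
  if (typeof str !== 'string' || !/^[A-Za-z0-9_-]+$/.test(str)) throw new TypeError('bad cursor');
  const json = Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
  return fromExtended(JSON.parse(json));
}
module.exports = { ObjectId, encode, decode };
```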