fix(deps): update dependency mongodb to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongodb	^2.0.39 -> ^3.1.13

GitHub Vulnerability Alerts

GHSA-mh5c-679w-hh4r

Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application.

Recommendation

Upgrade to version 3.1.13 or later.

---

Release Notes

mongodb/node-mongodb-native (mongodb)

v3.1.13

Compare Source

Bug Fixes

• restore ability to webpack by removing makeLazyLoader (050267d)
• bulk: honor ignoreUndefined in initializeUnorderedBulkOp (e806be4)
• changeStream: properly handle changeStream event mid-close (#​1902) (5ad9fa9)
• db_ops: ensure we async resolve errors in createCollection (210c71d)

v3.1.12

Compare Source

Features

• core: update to mongodb-core v3.1.11 (9bef6e7)

v3.1.11

Compare Source

Bug Fixes

• bulk: fix error propagation in empty bulk.execute (a3adb3f)
• bulk: make sure that any error in bulk write is propagated (bedc2d2)
• bulk: properly calculate batch size for bulk writes (aafe71b)
• operations: do not call require in a hot path (ff82ff4)

v3.1.10

Compare Source

Bug Fixes

• auth: remember to default to admin database (c7dec28)

Features

• core: update to mongodb-core v3.1.9 (bd3355b)

v3.1.9

Compare Source

Bug Fixes

• db: move db constants to other file to avoid circular ref (#​1858) (239036f)
• estimated-document-count: support options other than maxTimeMs (36c3c7d)

Features

• core: update to mongodb-core v3.1.8 (80d7c79)

v3.1.8

Compare Source

Bug Fixes

• connect: use reported default databse from new uri parser (811f8f8)

Features

• core: update to mongodb-core v3.1.7 (dbfc905)

v3.1.7

Compare Source

Features

• core: update mongodb-core to v3.1.6 (61b054e)

v3.1.6

Compare Source

Features

• core: update to core v3.1.5 (c5f823d)

v3.1.5

Compare Source

Bug Fixes

• cursor: allow $meta based sort when passing an array to sort() (f93a8c3)
• utils: only set retryWrites to true for valid operations (3b725ef)

Features

• core: bump core to v3.1.4 (805d58a)

v3.1.4

Compare Source

Bug Fixes

• buffer: use safe-buffer polyfill to maintain compatibility (327da95)
• change-stream: properly support resumablity in stream mode (c43a34b)
• connect: correct replacement of topology on connect callback (918a1e0)
• cursor: remove deprecated notice on forEach (a474158)
• url-parser: bail early on validation when using domain socket (3cb3da3)

Features

• client-ops: allow bypassing creation of topologies on connect (fe39b93)
• core: update mongodb-core to 3.1.3 (a029047)
• test: use connection strings for all calls to newClient (1dac18f)

v3.1.3

Compare Source

Features

• core: update to mongodb-core 3.1.2 (337cb79)

v3.1.2

Compare Source

Bug Fixes

• aggregate: support user-provided batchSize (ad10dee)
• buffer: replace deprecated Buffer constructor (759dd85)
• bulk: fixing retryable writes for mass-change ops (0604036)
• bulk: handle MongoWriteConcernErrors (12ff392)
• change_stream: do not check isGetMore if error[mongoErrorContextSymbol] is undefined (#​1720) (844c2c8)
• change-stream: fix change stream resuming with promises (3063f00)
• client-ops: return transform map to map rather than function (cfb7d83)
• collection: correctly shallow clone passed in options (7727700)
• collection: countDocuments throws error when query doesn't match docs (09c7d8e)
• collection: depend on resolveReadPreference for inheritance (a649e35)
• collection: ensure findAndModify always use readPreference primary (86344f4)
• collection: isCapped returns false instead of undefined (b8471f1)
• collection: only send bypassDocumentValidation if true (fdb828b)
• count-documents: return callback on error case (fca1185)
• cursor: cursor count with collation fix (71879c3)
• cursor: cursor hasNext returns false when exhausted (184b817)
• cursor: cursor.count not respecting parent readPreference (5a9fdf0)
• cursor: set readPreference for cursor.count (13d776f)
• db: don't send session down to createIndex command (559c195)
• db: throw readable error when creating _id with background: true (b3ff3ed)
• db_ops: call collection.find() with correct parameters (#​1795) (36e92f1)
• db_ops: fix two incorrectly named variables (15dc808)
• findOneAndUpdate: ensure that update documents contain atomic operators (eb68074)
• index: export MongoNetworkError (98ab29e)
• mongo_client: translate options for connectWithUrl (78f6977)
• mongo-client: pass arguments to ctor when new keyword is used (d6c3417)
• mongos: bubble up close events after the first one (#​1713) (3e91d77), closes Automattic/mongoose#6249 #​1685
• parallelCollectionScan: do not use implicit sessions on cursors (2de470a)
• retryWrites: fixes more bulk ops to not use retryWrites (69e5254)
• server: remove unnecessary print statement (2bcbc12)
• teardown: properly destroy a topology when initial connect fails (b8d2f1d)
• topology-base: sending endSessions is always skipped now (a276cbe)
• txns: omit writeConcern when in a transaction (b88c938)
• utils: restructure inheritance rules for read preferences (6a7dac1)

Features

• auth: add support for SCRAM-SHA-256 (f53195d)
• changeStream: Adding new 4.0 ChangeStream features (2cb4894)
• changeStream: allow resuming on getMore errors (4ba5adc)
• changeStream: expanding changeStream resumable errors (49fbafd)
• ChangeStream: update default startAtOperationTime (50a9f65)
• collection: add colleciton level document mapping/unmapping (d03335e)
• collection: Implement new count API (a5240ae)
• Collection: warn if callback is not function in find and findOne (cddaba0)
• core: bump core dependency to v3.1.0 (4937240)
• cursor: new cursor.transformStream method (397fcd2)
• deprecation: create deprecation function (4f907a0)
• deprecation: wrap deprecated functions (a5d0f1d)
• GridFS: add option to disable md5 in file upload (704a88e)
• listCollections: add support for nameOnly option (d2d0367)
• parallelCollectionScan: does not allow user to pass a session (4da9e03)
• read-preference: add transaction to inheritance rules (18ca41d)
• read-preference: unify means of read preference resolution (#​1738) (2995e11)
• urlParser: use core URL parser (c1c5d8d)
• withSession: add top level helper for session lifetime (9976b86)

Reverts

• collection: reverting collection-mapping features (7298c76), closes #​1698 mongodb/js-bson#253

v3.1.1

Compare Source

Bug Fixes

• restore ability to webpack by removing makeLazyLoader (050267d)
• bulk: honor ignoreUndefined in initializeUnorderedBulkOp (e806be4)
• changeStream: properly handle changeStream event mid-close (#​1902) (5ad9fa9)
• db_ops: ensure we async resolve errors in createCollection (210c71d)

v3.1.0

Compare Source

Bug Fixes

• aggregate: support user-provided batchSize (ad10dee)
• bulk: fixing retryable writes for mass-change ops (0604036)
• bulk: handle MongoWriteConcernErrors (12ff392)
• change_stream: do not check isGetMore if error[mongoErrorContextSymbol] is undefined (#​1720) (844c2c8)
• change-stream: fix change stream resuming with promises (3063f00)
• collection: depend on resolveReadPreference for inheritance (a649e35)
• collection: only send bypassDocumentValidation if true (fdb828b)
• cursor: cursor count with collation fix (71879c3)
• cursor: cursor hasNext returns false when exhausted (184b817)
• cursor: cursor.count not respecting parent readPreference (5a9fdf0)
• db: don't send session down to createIndex command (559c195)
• db: throw readable error when creating _id with background: true (b3ff3ed)
• findOneAndUpdate: ensure that update documents contain atomic operators (eb68074)
• index: export MongoNetworkError (98ab29e)
• mongo-client: pass arguments to ctor when new keyword is used (d6c3417)
• mongos: bubble up close events after the first one (#​1713) (3e91d77), closes Automattic/mongoose#6249 #​1685
• parallelCollectionScan: do not use implicit sessions on cursors (2de470a)
• retryWrites: fixes more bulk ops to not use retryWrites (69e5254)
• topology-base: sending endSessions is always skipped now (a276cbe)
• txns: omit writeConcern when in a transaction (b88c938)
• utils: restructure inheritance rules for read preferences (6a7dac1)

Features

• auth: add support for SCRAM-SHA-256 (f53195d)
• changeStream: Adding new 4.0 ChangeStream features (2cb4894)
• changeStream: allow resuming on getMore errors (4ba5adc)
• changeStream: expanding changeStream resumable errors (49fbafd)
• ChangeStream: update default startAtOperationTime (50a9f65)
• collection: add colleciton level document mapping/unmapping (d03335e)
• collection: Implement new count API (a5240ae)
• Collection: warn if callback is not function in find and findOne (cddaba0)
• core: bump core dependency to v3.1.0 (855bfdb)
• cursor: new cursor.transformStream method (397fcd2)
• GridFS: add option to disable md5 in file upload (704a88e)
• listCollections: add support for nameOnly option (d2d0367)
• parallelCollectionScan: does not allow user to pass a session (4da9e03)
• read-preference: add transaction to inheritance rules (18ca41d)
• read-preference: unify means of read preference resolution (#​1738) (2995e11)
• urlParser: use core URL parser (c1c5d8d)
• withSession: add top level helper for session lifetime (9976b86)

Reverts

• collection: reverting collection-mapping features (7298c76), closes #​1698 mongodb/js-bson#253

3.0.6 (2018-04-09)

Bug Fixes

• db: ensure dropDatabase always uses primary read preference (e62e5c9)
• driverBench: driverBench has default options object now (c557817)

Features

• command-monitoring: support enabling command monitoring (5903680)
• core: update to mongodb-core v3.0.6 (cfdd0ae)
• driverBench: Implementing DriverBench (d10fbad)

3.0.5 (2018-03-23)

Bug Fixes

• AggregationCursor: adding session tracking to AggregationCursor (baca5b7)
• Collection: fix session leak in parallelCollectonScan (3331ec9)
• comments: adding fixes for PR comments (ee110ac)
• url_parser: support a default database on mongodb+srv uris (6d39b2a)

Features

• sessions: adding implicit cursor session support (a81245b)

3.0.4 (2018-03-05)

Bug Fixes

• collection: fix error when calling remove with no args (#​1657) (4c9b0f8)
• executeOperation: don't mutate options passed to commands (934a43a)
• jsdoc: mark db.collection callback as optional + typo fix (#​1658) (c519b9b)
• sessions: move active session tracking to topology base (#​1665) (b1f296f)
• utils: fixes executeOperation to clean up sessions (04e6ef6)

Features

• default-db: use dbName from uri if none provided (23b1938)
• mongodb-core: update to mongodb-core 3.0.4 (1fdbaa5)

3.0.3 (2018-02-23)

Bug Fixes

• collection: fix error when calling remove with no args (#​1657) (4c9b0f8)
• executeOperation: don't mutate options passed to commands (934a43a)
• jsdoc: mark db.collection callback as optional + typo fix (#​1658) (c519b9b)
• sessions: move active session tracking to topology base (#​1665) (b1f296f)

3.0.2 (2018-01-29)

Bug Fixes

• collection: ensure dynamic require of db is wrapped in parentheses (efa78f0)
• db: only callback with MongoError NODE-1293 (#​1652) (45bc722)
• topology base: allow more than 10 event listeners (#​1630) (d9fb750)
• url parser: preserve auth creds when composing conn string (#​1640) (eddca5e)

Features

• bulk: forward 'checkKeys' option for ordered and unordered bulk operations (421a6b2)
• collection: expose dbName property of collection (6fd05c1)

3.0.1 (2017-12-24)

• update mongodb-core to 3.0.1

v3.0.11

Compare Source

v3.0.10

Compare Source

v3.0.9

Compare Source

v3.0.8

Compare Source

v3.0.7

Compare Source

v3.0.6

Compare Source

Bug Fixes

• db: ensure dropDatabase always uses primary read preference (e62e5c9)
• driverBench: driverBench has default options object now (c557817)

Features

• command-monitoring: support enabling command monitoring (5903680)
• core: update to mongodb-core v3.0.6 (cfdd0ae)
• driverBench: Implementing DriverBench (d10fbad)

v3.0.5

Compare Source

Bug Fixes

• AggregationCursor: adding session tracking to AggregationCursor (baca5b7)
• Collection: fix session leak in parallelCollectonScan (3331ec9)
• comments: adding fixes for PR comments (ee110ac)
• url_parser: support a default database on mongodb+srv uris (6d39b2a)

Features

• sessions: adding implicit cursor session support (a81245b)

v3.0.4

Compare Source

Bug Fixes

• collection: fix error when calling remove with no args (#​1657) (4c9b0f8)
• executeOperation: don't mutate options passed to commands (934a43a)
• jsdoc: mark db.collection callback as optional + typo fix (#​1658) (c519b9b)
• sessions: move active session tracking to topology base (#​1665) (b1f296f)
• utils: fixes executeOperation to clean up sessions (04e6ef6)

Features

• default-db: use dbName from uri if none provided (23b1938)
• mongodb-core: update to mongodb-core 3.0.4 (1fdbaa5)

v3.0.3

Compare Source

Bug Fixes

• collection: fix error when calling remove with no args (#​1657) (4c9b0f8)
• executeOperation: don't mutate options passed to commands (934a43a)
• jsdoc: mark db.collection callback as optional + typo fix (#​1658) (c519b9b)
• sessions: move active session tracking to topology base (#​1665) (b1f296f)

v3.0.2

Compare Source

Bug Fixes

• collection: ensure dynamic require of db is wrapped in parentheses (efa78f0)
• db: only callback with MongoError NODE-1293 (#​1652) (45bc722)
• topology base: allow more than 10 event listeners (#​1630) (d9fb750)
• url parser: preserve auth creds when composing conn string (#​1640) (eddca5e)

Features

• bulk: forward 'checkKeys' option for ordered and unordered bulk operations (421a6b2)
• collection: expose dbName property of collection (6fd05c1)

v3.0.1

Compare Source

• update mongodb-core to 3.0.1

v3.0.0

Compare Source

Bug Fixes

• aggregate: remove support for inline results for aggregate (#​1620) (84457ec)
• topologies: unify topologies connect API (#​1615) (0fb4658)

Features

• keepAlive: make keepAlive options consistent (#​1612) (f608f44)

BREAKING CHANGES

• topologies: Function signature for .connect method on replset and mongos has changed. You shouldn't have been using this anyway, but if you were, you only should pass options and callback.

Part of NODE-1089

• keepAlive: option keepAlive is now split into boolean keepAlive and
  number keepAliveInitialDelay

Fixes NODE-998

v2.2.36

Compare Source

v2.2.35

Compare Source

v2.2.34

Compare Source

v2.2.33

Compare Source

v2.2.32

Compare Source

v2.2.31

Compare Source

• update mongodb-core to 2.2.15
• allow auth option in MongoClient.connect
• remove duplicate option promoteLongs from MongoClient's connect
• bulk operations should not throw an error on empty batch

v2.2.30

Compare Source

• Update mongodb-core to 2.2.14
• MongoClient
  • add appname to list of valid option names
  • added test for passing appname as option
• NODE-1052 ensure user options are applied while parsing connection string uris

v2.2.29

Compare Source

• Update mongodb-core to 2.1.13
  • NODE-1039 ensure we force destroy server instances, forcing queue to be flushed.
  • Use actual server type in standalone SDAM events.
• Allow multiple map calls (Issue #​1521, https://github.com/Robbilie).
• Clone insertMany options before mutating (Issue #​1522, https://github.com/vkarpov15).
• NODE-1034 Fix GridStore issue caused by Node 8.0.0 breaking backward compatible fs.read API.
• NODE-1026, use operator instead of skip function in order to avoid useless fetch stage.

v2.2.28

Compare Source

• Update mongodb-core to 2.1.12
  • NODE-1019 Set keepAlive to 300 seconds or 1/2 of socketTimeout if socketTimeout < keepAlive.
  • Minor fix to report the correct state on error.
  • NODE-1020 'family' was added to options to provide high priority for ipv6 addresses (Issue #​1518, https://github.com/firej).
  • Fix require_optional loading of bson-ext.
  • Ensure no errors are thrown by replset if topology is destroyed before it finished connecting.
  • NODE-999 SDAM fixes for Mongos and single Server event emitting.
  • NODE-1014 Set socketTimeout to default to 360 seconds.
  • NODE-1019 Set keepAlive to 300 seconds or 1/2 of socketTimeout if socketTimeout < keepAlive.
• Just handle Collection name errors distinctly from general callback errors avoiding double callbacks in Db.collection.
• NODE-999 SDAM fixes for Mongos and single Server event emitting.
• NODE-1000 Added guard condition for upload.js checkDone function in case of race condition caused by late arriving chunk write.

v2.2.27

Compare Source

• Updated mongodb-core to 2.1.11
  • NODE-987 Clear out old intervalIds on when calling topologyMonitor.
  • NODE-987 Moved filtering to pingServer method and added test case.
  • Check for connection destroyed just before writing out and flush out operations correctly if it is (Issue #​179, https://github.com/jmholzinger).
  • NODE-989 Refactored Replicaset monitoring to correcly monitor newly added servers, Also extracted setTimeout and setInterval to use custom wrappers Timeout and Interval.
• NODE-985 Deprecated Db.authenticate and Admin.authenticate and moved auth methods into authenticate.js to ensure MongoClient.connect does not print deprecation warnings.
• NODE-988 Merged readConcern and hint correctly on collection(...).find(...).count()
• Fix passing the readConcern option to MongoClient.connect (Issue #​1514, https://github.com/bausmeier).
• NODE-996 Propegate all events up to a MongoClient instance.
• Allow saving doc with null _id (Issue #​1517, https://github.com/vkarpov15).
• NODE-993 Expose hasNext for command cursor and add docs for both CommandCursor and Aggregation Cursor.

v2.2.26

Compare Source

• Updated mongodb-core to 2.1.10
  • NODE-981 delegate auth to replset/mongos if inTopology is set.
  • NODE-978 Wrap connection.end in try/catch for node 0.10.x issue causing exceptions to be thrown, Also surfaced getConnection for mongos and replset.
  • Remove dynamic require (Issue #​175, https://github.com/tellnes).
  • NODE-696 Handle interrupted error for createIndexes.
  • Fixed isse when user is executing find command using Server.command and it get interpreted as a wire protcol message, #​172.
  • NODE-966 promoteValues not being promoted correctly to getMore.
  • Merged in fix for flushing out monitoring operations.
• NODE-983 Add cursorId to aggregate and listCollections commands (Issue, #​1510).
• Mark group and profilingInfo as deprecated methods
• NODE-956 DOCS Examples.
• Update readable-stream to version 2.2.7.
• NODE-978 Added test case to uncover connection.end issue for node 0.10.x.
• NODE-972 Fix(db): don't remove database name if collectionName == dbName (Issue, #​1502)
• Fixed merging of writeConcerns on db.collection method.
• NODE-970 mix in readPreference for strict mode listCollections callback.
• NODE-966 added testcase for promoteValues being applied to getMore commands.
• NODE-962 Merge in ignoreUndefined from collection level for find/findOne.
• Remove multi option from updateMany tests/docs (Issue #​1499, https://github.com/spratt).
• NODE-963 Correctly handle cursor.count when using APM.

v2.2.25

Compare Source

• Don't rely on global toString() for checking if object (Issue #​1494, https://github.com/vkarpov15).
• Remove obsolete option uri_decode_auth (Issue #​1488, https://github.com/kamagatos).
• NODE-936 Correctly translate ReadPreference to CoreReadPreference for mongos queries.
• Exposed BSONRegExp type.
• NODE-950 push correct index for INSERT ops (https://github.com/mbroadst).
• NODE-951 Added support for sslCRL option and added a test case for it.
• NODE-953 Made batchSize issue general at cursor level.
• NODE-954 Remove write concern from reindex helper as it will not be supported in 3.6.
• Updated mongodb-core to 2.1.9.
  • Return lastIsMaster correctly when connecting with secondaryOnlyConnectionAllowed is set to true and only a secondary is available in replica state.
  • Clone options when passed to wireProtocol handler to avoid intermittent modifications causing errors.
  • Ensure SSL error propegates better for Replset connections when there is a SSL validation error.
  • NODE-957 Fixed issue where < batchSize not causing cursor to be closed on execution of first batch.
  • NODE-958 Store reconnectConnection on pool object to allow destroy to close immediately.

v2.2.24

Compare Source

• NODE-935, NODE-931 Make MongoClient strict options validation optional and instead print annoying console.warn entries.

v2.2.23

Compare Source

• Updated mongodb-core to 2.1.8.
  • NODE-925 ensure we reschedule operations while pool is < poolSize while pool is growing and there are no connections with not currently performing work.
  • NODE-927 fixes issue where authentication was performed against arbiter instances.
  • NODE-915 Normalize all host names to avoid comparison issues.
  • Fixed issue where pool.destroy would never finish due to a single operation not being executed and keeping it open.
• NODE-931 Validates all the options for MongoClient.connect and fixes missing connection settings.
• NODE-929 Update SSL tutorial to correctly reflect the non-need for server/mongos/replset subobjects
• Fix sensitive command check (Issue #​1473, https://github.com/Annoraaq)

v2.2.22

Compare Source

• Updated mongodb-core to 2.1.7.
  • NODE-919 ReplicaSet connection does not close immediately (Issue #​156).
  • NODE-901 Fixed bug when normalizing host names.
  • NODE-909 Fixed readPreference issue caused by direct connection to primary.
  • NODE-910 Fixed issue when bufferMaxEntries == 0 and read preference set to nearest.
• Add missing unref implementations for replset, mongos (Issue #​1455, https://github.com/zbjornson)

v2.2.21

Compare Source

• Updated mongodb-core to 2.1.6.
  • NODE-908 Keep auth contexts in replset and mongos topology to ensure correct application of authentication credentials when primary is first server to be detected causing an immediate connect event to happen.

v2.2.20

Compare Source

• Updated mongodb-core to 2.1.5 to include bson 1.0.4 and bson-ext 1.0.4 due to Buffer.from being broken in early node 4.x versions.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.