Skip to content
This repository has been archived by the owner on Feb 15, 2022. It is now read-only.

[Snyk] Upgrade mongodb from 3.3.4 to 3.5.5 #2016

Merged
merged 1 commit into from
Mar 25, 2020

Conversation

snyk-bot
Copy link
Contributor

Snyk has created this PR to upgrade mongodb from 3.3.4 to 3.5.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 9 versions ahead of your current version.
  • The recommended version was released 13 days ago, on 2020-03-11.
Release notes
Package name: mongodb
  • 3.5.5 - 2020-03-11

    The MongoDB Node.js team is pleased to announce version 3.5.5 of the driver

    Release Highlights

    Regression in hasNext when using a cursor with a limit

    @peterbroadhurst helped point out a regression introduced in v3.5.4 where using hasNext
    on a cusor with a limit would not return the full set of results.

    Ignored topology updates cause servers to fall out of latency window

    A change introduced across all MongoDB drivers, and in particular v3.5.0 of the Node.js
    driver, attempted to prevent needless duplicate topologyDescriptionChanged topology events
    by introducing a ServerDescription equality operator. Since equality does not take the
    lastUpdateTime and lastWriteDate fields of an ismaster into account, the driver could
    eventually consider servers non-suitable for server selection, since they would fall out
    of the latency window.
    All updates are considered viable for topology updates now, and only event emission is
    gated by ServerDescription equality.

    Memory leaks with Node.js v12+

    The legacy topology types (in particular if you were connected to a replic set) used a
    custom Timeout class to wrap a timer. Unfortunately, the class depended on an undocumented,
    private variable _called, which was removed in Node.js v12. This would lead to the driver
    thinking the timeout never occurred, and therefore never releasing the object for garbage
    collection. We recommend users of the legacy topology types immediately update to this
    version of the driver, or use the Unified Topology which is unaffected by this bug.

    TypeError: Cannot read property 'Symbol(cancelled)' of undefined

    @erfanium and @Paic helped us identify an issue in rare failover events where multiple
    requests to process the server selection queue would result in an attempted property
    access of an undefined variable.

    promiseLibrary not respected by newly introduced maybePromise helper

    @TobyEalden pointed out that an internal refactor to use a helper to optionally
    return a Promise for top level API methods was not, in fact, using a custom
    promise library if one was provided!

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2460] - Memory Leak with ReplSet and NodeJS v12
    • [NODE-2472] - TypeError on server available with useUnifiedTopology: true
    • [NODE-2474] - Server_Description update with lastUpdateTime / lastWriteDate fields is ignored in topology
    • [NODE-2480] - TypeError after reconnecting
    • [NODE-2483] - Regression using hasNext on cursor with limit
    • [NODE-2490] - promiseLibrary option is not honoured
  • 3.5.4 - 2020-02-25

    The MongoDB Node.js team is pleased to announce version 3.5.4 of the driver

    Release Highlights

    Regression in hasNext when piping a cursor

    Pierre Mallet and @Sintendo helped identify a regression with our cursors which did not
    properly rewind a cursor when hasNext was called before the cursor was piped.

    Regression in server selection queue processing

    A change introduced in v3.5.3 converted the server selection loop from a loop with timers
    to a queue of callbacks. A subtle bug was introduced to the code to process the quere where
    the upper bound of a for loop was using a dynamically decreasing length, leading to some
    operations being ignored, and ultimately timing out. Many thanks to Frederic Maillasson,
    @paulrobinson, and @adityapatadia for helping uncover this issue

    Only ensure minimum connection pool size if a size is specified

    User @millerick submitted a PR short circuiting the background task for ensuring a minimum
    pool size if no minimum size was set.

    Release Notes

    Bug

    • [NODE-2454] - Cursor.hasNext() seems to consume first document when the cursor is piped in a writable stream
    • [NODE-2464] - max election ID comparison uses invalid comparison for tracking
    • [NODE-2466] - Driver does not seem to properly recover from a long disconnection with primary server
    • [NODE-2467] - MongoServerSelectionError when using useUnifiedTopology: true

    Improvement

    • [NODE-2459] - Do not run minimum connection size task if there is no minimum pool size
  • 3.5.3 - 2020-02-12

    The MongoDB Node.js team is pleased to announce version 3.5.3 of the driver

    Release Highlights

    This patch release fixes one issue with command error handling during network errors, and one minor issue with multiple incoming wire messages not being properly processed.

    Release Notes

    Bug

    • [NODE-2435] - Unified topology does not transition server to Unknown on non-timeout operation error
    • [NODE-2437] - Multiple incoming message packets are not processed correctly

    Improvement

    • [NODE-2438] - Add exhaust command support to transport layer
    • [NODE-2449] - Simplify server error handling in unified topology
  • 3.5.2 - 2020-01-20

    The MongoDB Node.js team is pleased to announce version 3.5.2 of the driver

    Release Highlights

    This patch release corrects a regression introduced in the 4.2 timeframe which would
    effectively disable retryable operations for connection to MongoDB 4.2+. Additionally,
    the server selection loop has been converted to a queue of callbacks to improve
    readability, as well as performance in certain scenarios.

    Release Notes

    Bug

    • [NODE-2408] - retryWrites seems not to work as expected in failover test

    Improvement

    • [NODE-2398] - Use a queue for server selection
  • 3.5.1 - 2020-01-17

    The MongoDB Node.js team is pleased to announce version 3.5.1 of the driver

    Release Highlights

    This patch release fixes a few regressions introduced with new connection pool, primarily
    around the ability to use custom TLS certificates.

    Release Notes

    Bug

    • [NODE-2372] - db.findOne does not respect client setting bufferMaxEntries
    • [NODE-2401] - "readPreference.equals is not a function" exception thrown within executeWithServerSelection
    • [NODE-2424] - CMAP connection pool fails to create connection using SSL / TLS
  • 3.5.0 - 2020-01-14

    The MongoDB Node.js team is pleased to announce version 3.5.0 of the driver

    Release Highlights

    CMAP-compliant Connection Pool

    This release introduces a modern replacement for the driver's connection pool, available only with the
    unified topology. A major effort was made in early 2019 to fully specifiy connection pools for MongoDB
    drivers (see: CMAP specification), and this release brings the Node.js driver in line with that
    specification.

    Traceability

    The new pool supports monitoring for all aspects of its behavior. This allows deep introspection into
    the operation of the connection pool, as well as an ability to profile the lifetime of an operation
    when used in conjunction with command monitoring.

    Stream-first Connection Design

    The Connection class was completely rewritten for the new pool adopting a stream-first mentality. All
    wire message processing and compression is handled in a duplex stream called the MessageStream, and
    that stream is connected bidirectionally to the underlaying TCP socket. The result is a connection which
    gains the general benefit of streams: better performance, less memory pressure, backpressure support. It
    also opens the possiblity of supporting non-TCP/UDP streams as a transport for the driver.

    waitQueueTimeoutMS

    The new connection pool has a concept of a "wait queue", which allows operation requests to buffer waiting
    for a connection to execute against. There is no timeout by default, but users can now specify a new value
    waitQueueTimeoutMS in their connection string or MongoClient options to proactively cancel operations
    that have waited too long.

    Remember that the new connection pool is only available for the "Unified Topology", so remember to pass
    useUnifiedTopology: true to your MongoClient constructor to use it!

    Dedicated monitoring connection

    Both the legacy and unified SDAM implementations have until now executed monitoring checks as priority
    messages in the legacy Pool implementation. This means that monitoring (ismaster) operations were
    prioritized over other queued operations, but also means that monitoring could be indefinitely blocked,
    in particular during failover or black hole scenarios. The default socket timeout is null (read: Infinity),
    so if the pool was completely saturated with operations, there may be no ability to execute a monitoring
    check and determine that the connection to a server was no longer valid. This version of the driver
    introduces a new Monitor class which manages its own dedicated monitoring connection to each known
    node.

    Server selection errors

    In v3.3.0 of the driver we introduced a new MongoTimeoutError for all errors covered by the server
    selection loop, leading to a spike in bug reports with a title similar to Server selection timed out after 30000ms.
    Even though the error type itself had an attached reason field, we still feel it was easy to miss why
    the selection had failed. As a result we have introduced a new type MongoServerSelectionError which
    will use the originating error (reason) for its message, better informing users what caused a
    selection error, while still also conveying it is an error in server selection.

    Release Notes

    New Feature

    • [NODE-1742] - Implement Connection Monitoring and Pooling spec
    • [NODE-2386] - Use a dedicated monitoring thread

    Bug

    • [NODE-2400] - Synchronous errors are swallowed by executeOperation
    • [NODE-2417] - Server descriptions with me mismatch from primary response should be removed
    • [NODE-2418] - client platform not sent in metadata for CMAP connections

    Improvement

    • [NODE-1619] - Remove wasteful empty Buffer allocations in `Connection`
    • [NODE-2049] - Add "connectionError" as a valid "reason" for a ConnectionCheckOutFailedEvent when connection set up fails
    • [NODE-2397] - Make server selection errors more informative
    • [NODE-2402] - Integrate CMAP connection pool into unified topology
    • [NODE-2419] - Improve traceability of CMAP events
    • [NODE-2033] - Ignore ConnectionReadyEvent in CMAP pool creation test
  • 3.4.1 - 2019-12-19

    The MongoDB Node.js team is pleased to announce version 3.4.1 of the driver

    Release Highlights

    This is a patch release addressing two regressions introduced in bulk writes and SCRAM authentication.

    Release Notes

    Bug

    • [NODE-2383] - Unordered bulk write reports wrong error indexes
    • [NODE-2390] - Sporadic connection errors with AWS Lambda
  • 3.4.0 - 2019-12-10

    The MongoDB Node.js team is pleased to announce version 3.4.0 of the driver

    Release Highlights

    Client Side Field Level Encryption (CSFLE)

    The major functionality introduced in this release, and indeed the reason for the minor version bump, is full support for MongoDB's Client Side Field Level Encryption. The bulk of the support comes through an addon module mongodb-client-encryption, please refer to the reference documentation for more details.

    TLS Option Variants

    This release also introduces a number of new connection string options related to TLS. In order to unify uri options across all MongoDB drivers, and to better signal the technology the driver is actually using, all ssl related options now have a corresponding tls variant. NOTE: your application will not break if you continue to use the ssl variants, but deprecation warnings will be introduced prior to the 4.x driver release.

    @adityapatadia initially pointed out that these tls variants had no effect, now they do. Thank you @adityapatadia!

    mongodb+srv

    A critical bug was found by @ephemer with the recently introduced "mongos discovery", where a typo caused DNS polling to occur at very fast intervals.

    Additionally, user @mpilar identified and fixed a bug with our mongodb+srv parsing, where user-provided client options were not overriding those provided by a TXT record lookup.

    Thank you very much @ephemer and @mpilar!

    server selection

    @adityapatadia also helped find a bug in the server selection code which rendered selection with a nearest read preference non-functional. Thanks again @adityapatadia!

    bulkWrite

    A small bug was fixed causing errors in an unordered bulk write to be reported in incorrect order. If an error occurs in a bulk write now, then it will show up in the writeErrors field of the resulting BulkWriteError with an index that corresponds to the position the operation had in the initial input.

    Release Notes

    Bug

    • [NODE-1547] - Default Port is not applied
    • [NODE-1991] - replaceOne() also returns the replacement document?
    • [NODE-2089] - Only apply TransientTransactionError label within a transaction
    • [NODE-2308] - Bulk write error returns incorrect index in WriteError for unordered writes
    • [NODE-2334] - Driver must error if autoEncryption is attempted against wire version < 8
    • [NODE-2335] - Node Driver does not follow Initial DNS Seedlist Discovery spec
    • [NODE-2353] - Timed out connections should not half-close on destroy
    • [NODE-2356] - nearest server is not selected when useUnifiedTopology is set
    • [NODE-2359] - tls option in connection URI has no effect
    • [NODE-2375] - Typo in `rescanIntervalSrvMS` causes spike in DNS lookups
    • [NODE-2376] - Malicious server can accept incomplete SCRAM authentication and bypass mutual authentication

    New Feature

  • [NODE-2094] - FLE GA Support

    Improvement

    • [NODE-2024] - Document createIndexes usage
    • [NODE-2052] - [FLE] Add a corpus test that exhaustively enumerates all ways to encrypt all BSON value types
    • [NODE-2053] - [FLE] Add prose test for explicit encryption with key alt name
    • [NODE-2298] - Add driver API documentation for Field Level Encryption
    • [NODE-2363] - Allow connection establishment to be cancelled
    • [NODE-2306] - Driver module does not export `BulkWriteError`
    • [NODE-2338] - build FLE addon on windows
  • 3.3.5 - 2019-11-26

    The MongoDB Node.js team is pleased to announce version 3.3.5 of the driver

    Release Highlights

    unified topology

    This patch release includes additional fixes for the regression in the unified topology discovered in v3.3.2, expanding our testing infrastructure to include a simulated workload during failover testing. There was a bug when connecting to single-node replicasets which could result in a stack overflow which was corrected. Additionally, events and options which are incompatible with the unified topology will now emit a warning message.

    mongodb+srv

    The release also includes a fix submitted by @mpilar, who found an inconsistency in our implementation of the "Initial Seedlist Discovery" specification. An authSource specified in the options passed to MongoClient would be overridden by an authSource provided in the TXT record checked during initial seedlist discovery over SRV. Thank you very much Miguel!

    bulkWrite

    BulkWriteError is now exported at the top level of the module so that users can catch them easily. Additionally, a fix was made to ensure that the index of operations passed into an unordered bulk operation were preserved when reporting possible errors in the future.

    Release Notes

    Bug

    • [NODE-1747] - Replica set causes MongoNetworkError due to not connecting with fully qualified domain name
    • [NODE-2089] - Only apply TransientTransactionError label within a transaction
    • [NODE-2143] - getaddrinfo ENOTFOUND error on Windows 10 due to failed fallback to ipv4 after ipv6 lookup fails
    • [NODE-2308] - Bulk write error returns incorrect index in WriteError for unordered writes
    • [NODE-2332] - useUnifiedTopology - replicaset
    • [NODE-2335] - Node Driver does not follow Initial DNS Seedlist Discovery spec
    • [NODE-2342] - Enabling useUnifiedTopology results in stack overflow when connecting to uninitialized replica set

    Improvement

    • [NODE-2348] - Document and notify on deprecated events and options for unified topology
    • [NODE-2306] - Driver module does not export `BulkWriteError`
  • 3.3.4 - 2019-11-11

    The MongoDB Node.js team is pleased to announce version 3.3.4 of the driver

    Release Highlights

    This release primary consists of improvements to the "unified topology". In particular, a regression with interaction between the connection pool and topology could result in servers which "go away" (due to network error, for example) would not return, resulting in a MongoTimeoutError.

    Release Notes

    Bug

    • [NODE-2123] - MaxListenersExceededWarning caused by topologyDescriptionChanged
    • [NODE-2214] - Incorrect removal of Unknown server type from ReplicaSetNoPrimary topology
    • [NODE-2234] - isConnected() takes legacy path with useUnifiedTopology
    • [NODE-2251] - `useUnifiedTopology` continuously emits 'close' event when replica set member is down
    • [NODE-2268] - Legacy SDAM ReplSet topology reports incorrect topology ID
    • [NODE-2270] - Servers are not removed from unknownServer list, leaking
    • [NODE-2274] - Unified topology never regains nodes which temporarily go down
    • [NODE-2277] - Unhandled error when server is offline

    Improvement

    • [NODE-1517] - normalize state management across all stateful types
    • [NODE-2257] - Introduce ServerDescription equality to reduce SDAM events
    • [NODE-2263] - support ability to pass hint to update
    • [NODE-2276] - Add SDAM test for debouncing topology description updates
    • [NODE-2280] - Integrate a state machine into the unified topology
    • [NODE-2309] - Document the design and rationale of the unified topology
    • [NODE-2316] - Correct client metadata for unified topology
from mongodb GitHub release notes
Commit messages
Package name: mongodb
  • d7ac176 chore(release): 3.5.5
  • f69f51c fix: multiple concurrent attempts to process the queue may fail
  • cde11ec fix: pass optional promise lib to maybePromise
  • 0c36a32 NODE-2474: update equal server description ([Snyk] Fix for 1 vulnerabilities #2260)
  • 6b3b64d test: ensure mock server is setup before continuing with tests
  • 6238c84 fix: correctly use template string for connection string error message
  • 44097c2 test: use a reduced `minHeartbeatFrequencyMS` for spec test runner
  • ef04d00 fix(cursor): hasNext consumes documents on cursor with limit
  • b72fefe docs: update community links to use MongoDB Community forums
  • e7dd608 docs: fix typo and formatting of bulletted lists
  • 3ddaa3e fix: don't depend on private node api for `Timeout` wrapper
  • 582d3e2 chore(release): 3.5.4
  • e08b358 chore: disable test using CodeWScope with a `$where` clause
  • 3dd726c chore: upate EVG macos runs to use 10.14 boxes
  • 494dffb fix(topology): enter `STATE_CLOSING` before draining waitQueue
  • bf701d6 fix(topology): ensure selection wait queue is always processed
  • 361bc1e refactor: remove SKIP_SESSION aspect
  • f6a8ceb refactor: use `maybePromise` for all `MongoClient` fake operations
  • 6f71507 chore: move sdam spec unit tests from `unit/core` to `unit/sdam`
  • a1e0849 fix(sdam): use ObjectId comparison to track maxElectionId
  • 2d1b713 fix(cmap): don't run min connection thread if no minimum specified
  • f8694f5 refactor: remove `nextObject` helper, inline code in cusror class
  • bb359a1 fix: don't consume first document when calling `hasNext` on cursor
  • c56ff72 test: add test for `hasNext` not consuming first document in stream

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@DeviaVir DeviaVir merged commit 7dca6b2 into unstable Mar 25, 2020
@DeviaVir DeviaVir deleted the snyk-upgrade-16e6a756bd547dc10ade3e6bd3f81982 branch March 25, 2020 09:46
YarnSeemannsgarn pushed a commit to YarnSeemannsgarn/zenbot that referenced this pull request Apr 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants