Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade mongodb from 3.6.1 to 3.6.3 #4

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Upgrade mongodb from 3.6.1 to 3.6.3 #4

wants to merge 1 commit into from

Conversation

wasimakh2
Copy link
Owner

Snyk has created this PR to upgrade mongodb from 3.6.1 to 3.6.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2020-11-06.
Release notes
Package name: mongodb
  • 3.6.3 - 2020-11-06

    The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver

    Release Highlights

    MongoError: not master when running createIndex

    A regression introduced in v3.6.2 meant that createIndex operations would not be executed with a fixed
    primary read preference. This resulted in the driver selecting any server for the operation, which would
    fail if a non-primary was selected.

    Performance issues on AWS Lambda

    The driver periodically monitors members of the replicaset for changes in the topology, but ensures that
    the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a
    stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result
    was that periodically operations would think there were no available servers, and the driver would force
    a wait of heartbeatFrequencyMS (10s by default) before reaching out to servers again for a new
    monitoring check. The internal async interval timer has been improved to account for these environments

    GSSAPI AuthProvider reuses single kerberos client

    A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all
    authentication attempts. This would result in incomplete authentication flows, and occaisionally even
    a crash in the kerberos module. The driver has been reverted to creating a kerberos client per
    authentication attempt.

    Performance regression due to use of setImmediate

    A change introduced in v3.6.1 switched all our usage of process.nextTick in the connection pool with
    setImmediate per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop
    was experiencing pressure, so the change was reverted for this release pending further investigation.

    Community Contributions

    • @ jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
    • @ through-a-haze submitted a fix for incorrect construction of an X509 authentication message
    • @ andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2172] - Change stream breaks on disconnection when there's something piped into it.
    • [NODE-2784] - MongoError: Not Master when running createIndex in 3.6.0
    • [NODE-2807] - MongoClient.readPreference always returns primary
    • [NODE-2827] - Connecting to single mongos makes driver think it is connected to a standalone
    • [NODE-2829] - MongoDB Driver 3.6+ Performance issues on AWS Lambda
    • [NODE-2835] - Remove default timeout for read operations
    • [NODE-2859] - GSSAPI AuthProvider causing crashes in Compass
    • [NODE-2861] - Performance Regression for usage of mongodb connections (queries, inserts, ...)
    • [NODE-2865] - Connections can be leaked if wait queue members are cancelled
    • [NODE-2869] - Invalid assignment of X509 username makes authentication impossible

    Improvement

    • [NODE-2834] - Remove deprecation of AggregationCursor#geoNear
    • [NODE-2867] - Use peerDependenciesMeta field to mark peer optional dependencies
  • 3.6.2 - 2020-09-10

    The MongoDB Node.js team is pleased to announce version 3.6.2 of the driver

    Release Highlights

    Updated bl dependency due to CVE-2020-8244

    See this link for more details: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

    Connection pool wait queue processing is too greedy

    The logic for processing the wait queue in our connection pool ran the risk of
    starving the event loop. Calls to process the wait queue are now wrapped in a
    setImmediate to prevent starvation

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2798] - Update version of dependency "bl" due to vulnerability
    • [NODE-2803] - Connection pool wait queue processing is too greedy
  • 3.6.1 - 2020-09-02

    The MongoDB Node.js team is pleased to announce version 3.6.1 of the driver

    Release Highlights

    Kerberos

    A bug in introducing the new CMAP Connection prevented some users from properly authenticating with the kerberos module.

    Index options are not respected with createIndex

    The logic for building the createIndex command was changed in v3.6.0 to use an allowlist rather than a blocklist, but omitted a number of index types in that list. This release reintroduces all supported index types to the allowlist.

    Remove strict mode for createCollection

    Since v3.6.0 createCollection will no longer returned a cached Collection instance if a collection already exists in the database, rather it will return a server error stating that the collection already exists. This is the same behavior provided by the strict option for createCollection, so that option has been removed from documentation.

    Documentation

    Reference: http://mongodb.github.io/node-mongodb-native/3.6/
    API: http://mongodb.github.io/node-mongodb-native/3.6/api/
    Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

    We invite you to try the driver immediately, and report any issues to the NODE project.

    Thanks very much to all the community members who contributed to this release!

    Release Notes

    Bug

    • [NODE-2731] - CMAP Connection type does not provide host/port properties
    • [NODE-2755] - "language_override" option support for text index is broken

    Improvement

    • [NODE-2730] - Move MongoAuthProcess into the driver source tree
    • [NODE-2746] - Strict mode for `createCollection` should be removed
from mongodb GitHub release notes
Commit messages
Package name: mongodb

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wasimakh2 @snyk-bot