refactor: Upgrade mongodb from 6.13.0 to 6.16.0

[parseplatformorg]

Snyk has created this PR to upgrade mongodb from 6.13.0 to 6.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 51 versions ahead of your current version.

• The recommended version was released 22 days ago.

Release notes

Package name: mongodb

• 6.16.0 - 2025-04-21
  

  6.16.0 (2025-04-21)

  The MongoDB Node.js team is pleased to announce version 6.16.0 of the mongodb package!

  Release Notes

  distinct commands now support an index hint

  The Collection.distinct() method now supports an optional hint, which can be used to tell the server which index to use for the command:

  // providing an index description
  await collection.distinct('my-key', {
  hint: { 'my-key': 1 }
  });

  // providing an index name
  await collection.distinct('my-key', {
  hint: 'my-key'
  });

  This requires server 7.1+.

  Driver support for servers <=4.0 deprecated

  Warning

  Node driver support for server 4.0 will be removed in an upcoming minor release. Reference: MongoDB Software Lifecycle Schedules.

  Fix processing of multiple messages within one network data chunk

  During elections, or other scenarios where the server is pushing multiple topology updates to the driver in a short period of time, a bug in the driver's socket code led to backlog of topology updates that would remain in the buffer until another heartbeat arrived from the server. This could lead to delays in the driver recovering from an election and/or an increase in MongoServerSelectionErrors.

  Now, all messages in the current buffer are returned to the driver leading to faster processing times.

  Huge thank you to @ andreim-brd for sharing a self-contained reproduction that proved to be instrumental in the identification of the underlying issue!

  FindCursor.rewind() throws documents?.clear() is not a function errors in certain scenarios

  In certain scenarios where limit and batchSize are both set on a FindCursor, an internal driver optimization intended to prevent unnecessary requests to the server when the driver knows the cursor is exhausted would prevent the cursor from being rewound. This issue has been resolved.

  Features

  • NODE-6494: add support for hint on distinct commands (#4487) (40d0e87)
  • NODE-6515: deprecate driver support for server 4.0 (#4517) (4c1a8a7)

  Bug Fixes

  • NODE-6630: read all messages in buffer when chunk arrives (#4512) (8c86e30)
  • NODE-6878: documents.clear() throws a TypeError after cursor is rewound (#4488) (a1fffeb)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.16.0-dev.20250514.sha.c529f07c - 2025-05-14
• 6.16.0-dev.20250510.sha.6fe6ccc8 - 2025-05-10
• 6.16.0-dev.20250507.sha.fcbc6edf - 2025-05-07
• 6.16.0-dev.20250506.sha.6a35701d - 2025-05-06
• 6.16.0-dev.20250505.sha.ae617568 - 2025-05-05
• 6.16.0-dev.20250503.sha.64fdb3ef - 2025-05-03
• 6.16.0-dev.20250501.sha.f57c51b9 - 2025-05-01
• 6.16.0-dev.20250429.sha.de2c9552 - 2025-04-29
• 6.16.0-dev.20250426.sha.9625b2d1 - 2025-04-26
• 6.16.0-dev.20250425.sha.3139a92d - 2025-04-25
• 6.16.0-dev.20250424.sha.82303f3d - 2025-04-24
• 6.16.0-dev.20250423.sha.28857b79 - 2025-04-23
• 6.16.0-dev.20250422.sha.746af47a - 2025-04-22
• 6.15.0 - 2025-03-18
  

  6.15.0 (2025-03-18)

  The MongoDB Node.js team is pleased to announce version 6.15.0 of the mongodb package!

  Release Notes

  Support for custom AWS credential providers

  The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of () => Promise<AWSCredentials> which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.

  Example for authentication with a provider chain from the AWS SDK:

  import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

  const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
  AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
  }
  });

  Example for using a custom provider for KMS requests only:

  import { fromNodeProviderChain } from '@ aws-sdk/credential-providers';

  const client = new MongoClient(process.env.MONGODB_URI, {
  autoEncryption: {
  keyVaultNamespace: 'keyvault.datakeys',
  kmsProviders: { aws: {} },
  credentialProviders: {
  aws: fromNodeProviderChain()
  }
  }
  }

  Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:

  const client = new MongoClient(process.env.MONGODB_URI, {
    authMechanismProperties: {
      AWS_CREDENTIAL_PROVIDER: async () => {
        return {
          accessKeyId: process.env.ACCESS_KEY_ID,
          secretAccessKey: process.env.SECRET_ACCESS_KEY
        }
      }
    }
  });

  Fix misc unhandled rejections under special conditions

  We identified an issue with our test suite that suppressed catching unhandled rejections and surfacing them to us so we can ensure the driver handles any possible rejections. Luckily only 3 cases were identified and each was under a flagged or specialized code path that may not have been in use:

  • If the MongoClient was configured to use OIDC and an AbortSignal was aborted on cursor at the same time the client was reauthenticating, if the reauth process was rejected it would have been unhandled.
  • If timeoutMS was used and the timeout expired before an operation reached the server selection step the operation would throw the expected timeout error but a promise representing the timeout would also raise an unhandled rejection.
  • If a change stream was closed while processing a change event it was possible for the "change stream is closed" error to be emitted as an error event and reject an internal promise representing fetching the "next" change.

  Features

  • NODE-6141: allow custom aws sdk config (#4373) (3d047ed)

  Bug Fixes

  • NODE-6845: ensure internal rejections are handled (#4448) (06e941a)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.15.0-dev.20250419.sha.efffb500 - 2025-04-19
• 6.15.0-dev.20250417.sha.f0b87396 - 2025-04-17
• 6.15.0-dev.20250416.sha.4f033594 - 2025-04-16
• 6.15.0-dev.20250410.sha.b2511f06 - 2025-04-10
• 6.15.0-dev.20250409.sha.46cb56de - 2025-04-09
• 6.15.0-dev.20250408.sha.85124c25 - 2025-04-08
• 6.15.0-dev.20250405.sha.cb88b05d - 2025-04-05
• 6.15.0-dev.20250403.sha.9111f98c - 2025-04-03
• 6.15.0-dev.20250328.sha.32b3e34e - 2025-03-28
• 6.15.0-dev.20250327.sha.cfdb8ec2 - 2025-03-27
• 6.15.0-dev.20250326.sha.d01ecc79 - 2025-03-26
• 6.15.0-dev.20250325.sha.5ce0a4ec - 2025-03-25
• 6.15.0-dev.20250322.sha.892c14de - 2025-03-22
• 6.15.0-dev.20250321.sha.20f7db7f - 2025-03-21
• 6.15.0-dev.20250320.sha.af30db93 - 2025-03-20
• 6.15.0-dev.20250319.sha.f176de4f - 2025-03-19
• 6.14.2 - 2025-03-04
  

  6.14.2 (2025-03-04)

  The MongoDB Node.js team is pleased to announce version 6.14.2 of the mongodb package!

  Release Notes

  KMS Requests can cause unhandled rejection

  When using explicit encryption or automatic encryption, the driver makes requests to a Key Management System when to fetch key encryption keys. The driver supports connecting to a KMS provider through a Socks5 proxy. However, the socket used for the socks5 proxy was created in all circumstances, regardless of proxy configuration. This leads to unhandled rejection errors when closing the socket the driver attempts to clean up the unused socket.

  With the changes in this release, the socket is only created if a proxy is configured and the any promises created for the proxy are properly handled.

  Bug Fixes

  • NODE-6803: kms proxy socket creates unhandled rejection (#4444) (ed69cf9)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.14.2-dev.20250318.sha.78d951b9 - 2025-03-18
• 6.14.2-dev.20250315.sha.cd09d435 - 2025-03-15
• 6.14.2-dev.20250314.sha.6895b258 - 2025-03-14
• 6.14.2-dev.20250313.sha.54d29e56 - 2025-03-13
• 6.14.2-dev.20250312.sha.5783db21 - 2025-03-12
• 6.14.2-dev.20250310.sha.39c76999 - 2025-03-10
• 6.14.2-dev.20250306.sha.21072009 - 2025-03-06
• 6.14.2-dev.20250305.sha.398e361f - 2025-03-05
• 6.14.1 - 2025-03-03
  

  6.14.1 (2025-03-03)

  The MongoDB Node.js team is pleased to announce version 6.14.1 of the mongodb package!

  Release Notes

  Fixed occasional OIDC reauthentication failure

  Error code 391 is intended to make the driver internally reauthenticate the connection to the server, however, occasionally this was being raised to the user. This was due to a bug in setting the cached access token on newly created connections.

  Bug Fixes

  • NODE-6801: set token on connection from cache (#4438) (cb13746)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.14.1-dev.20250304.sha.3cc3a6b2 - 2025-03-04
• 6.14.0 - 2025-02-28
  

  6.14.0 (2025-02-28)

  The MongoDB Node.js team is pleased to announce version 6.14.0 of the mongodb package!

  Release Notes

  Add support for $lookup on encrypted collections

  Starting in the upcoming MongoDB server 8.1, the aggregation stage $lookup can now be used with clients configured for automatic encryption after upgrading to mongodb-client-encryption@>=6.3.0! 🔒 🎉

  Use isUint8Array defined in the driver rather than util/types

  Some users of bundlers for next.js and our very own mongosh noticed a new import from "util/types" that would need to be supported in environments that don't have that module. We already have an internal implementation of isUint8Array so we do not need to add an import for "util/types".

  Revert @ aws-sdk/credential-providers compatiblity change

  In v6.13.1 we inadvertantly raised the version compatibility of @ aws-sdk/credential-providers, that change has been reverted.

  Features

  • NODE-6676: add support for nsType in change stream create events (#4431) (7800067)
  • NODE-6773: add support for $lookup with automatic encryption (#4427) (965b21a)

  Bug Fixes

  • NODE-6765: FindOneAndUpdateOptions supports aggregation expressions (#4423) (421ddeb)
  • NODE-6792: use isUint8Array from driver's utils instead of util/types (#4436) (dfe1fba)
  • NODE-6794: revert @ aws-sdk/credential-providers peer compatibility change (#4437) (488c407)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.14.0-dev.20250301.sha.44bc5a88 - 2025-03-01
• 6.13.1 - 2025-02-20
  

  6.13.1 (2025-02-20)

  The MongoDB Node.js team is pleased to announce version 6.13.1 of the mongodb package!

  Release Notes

  Remove extraneous Promise<Document> in Collection.replaceOne return type

  The return type signature of the replaceOne method no longer includes the general Promise<Document> type. Thanks to @ arturmuller, the replaceOne type signature is now more accurate! 🎉

  Fix writeConcern omitted when timeoutMS is provided

  When timeoutMS and a write concern were provided, the writeConcern was incorrectly omitted from the final command executed by the driver.

  Thanks @ stepanho for contributing the fix!

  Update BSON version requirement to 6.10.3

  This pulls in fixes made in bson versions 6.10.3 and 6.10.2 into the driver.

  BSON 6.10.2 fixed an issue in calculateObjectSize ignoring the size contributed by BigInt values to a BSON document. This impacted batch splitting logic in bulkWrite operations: if the actual BSON was over the size returned by calculateObjectSize the server would return an error.

  Warning

  BSON 6.10.3 addresses a potential data corruption risk with the use of useBigInt64 flag introduced in BSON 6.4.0, where negative Long values would be deserialized into BigInt as unsigned integers when the useBigInt64 flag was enabled. (Thanks to @ rkistner for reporting this issue!)

  Bug Fixes

  • NODE-6407: use conversationId returned from server in saslContinue (#4368) (fbefa6b)
  • NODE-6613: Update error messages when primaries go stale (#4397) (6528c8d)
  • NODE-6690: Remove extraneous Document in replaceOne return type (#4383) (6c81d4e)
  • NODE-6763: pass WriteConcernOptions instead on WriteConcernSettings (#4421) (26f15d7)
  • NODE-6777: update BSON to 6.10.3 (#4428) (db5b9e0)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

• 6.13.1-dev.20250228.sha.488c4071 - 2025-02-28
• 6.13.1-dev.20250227.sha.196e08e9 - 2025-02-27
• 6.13.1-dev.20250226.sha.7800067a - 2025-02-26
• 6.13.1-dev.20250225.sha.1a6dc9b8 - 2025-02-25
• 6.13.1-dev.20250222.sha.421ddeb3 - 2025-02-22
• 6.13.1-dev.20250221.sha.21f2cb91 - 2025-02-21
• 6.13.0 - 2025-01-30
  

  6.13.0 (2025-01-30)

  The MongoDB Node.js team is pleased to announce version 6.13.0 of the mongodb package!

  Release Notes

  MongoDB Standardized Logging 📝

  The driver's standardized logger is now available! The primary goal of our driver's logger is to enable insight into database operations without code changes so enabling and configuring the logger are primarily done through our environment variables.

  TL;DR Show me the logs!

  env MONGODB_LOG_ALL=debug node server.mjs

  Tip

  If you are a CLI app developer (or otherwise take great care of your std outputs): The client options constructor argument takes precedence over environment variables, permitting you to disable or otherwise customize the logger so your app does not automatically respond to the current environment.

  Check out the in-depth logging docs here: https://www.mongodb.com/docs/drivers/node/current/fundamentals/logging/

  🚀 Improved command monitoring performance

  Previously, when command monitoring was enabled, the driver would make deep copies of command and reply objects, which have the potential to be very large documents. These copies have been eliminated, providing a speed and memory efficiency bump to command monitoring.

  Warning

  Since we no longer make deep copies of commands/replies in Command Monitoring Events, directly modifying the command/reply objects on CommandStartedEvents and CommandSucceededEvents may lead to undefined behaviour.

  🧪 Experimental AbortSignal support added to Find and Aggregate! 🚥

  A signal argument can now be passed to the following APIs:

  • collection.find() & collection.findOne()
  • collection.aggregate() & collection.countDocuments()

  In order to support field level encryption properly, also:

  • db.listCollections()
  • db.command()

  When aborted, the signal will interrupt the execution of each of each of these APIs. For the cursor-based APIs, this will be observed when attempting to consume from the cursor via toArray(), next(), for-await, etc.

  There is a known limitation: aborting a signal closes a perfectly healthy connection which can cause unnecessary connection reestablishment so we're releasing this as experimental for evaluation in use cases that can tolerate the shortcoming.

  DNS SRV & TXT look up timeouts are retried

  To mitigate the potentially transient DNS timeout error, the driver now catches and retries the DNS lookups upon resolving a mongodb+srv:// style connection string.

  MongoClient.close now closes any outstanding cursors

  Previously, cursors could somewhat live beyond the client they came from. What this meant was that depending on timing you would learn of the client's (and by proxy, the cursor's) demise via an assertion that the associated session had expired. This only occurred if your cursor needed to use the session, which only happens when it is attempting to run a getMore operation to obtain another batch of documents.

  Practically speaking a cursor that lives beyond a client is an exception waiting to happen, the connection pools are closed, the sessions are ended, last call has been served 🍻, it is only a matter of timing and event firing until the cursor learns of its fate and informs you by throwing an error via whatever API is being used (.toArray(), for-await, .next()).

  To make the expected state of cursors clearer in this scenario the MongoClient will now close any associated cursors upon its close()-ing reducing the risk of leaving behind server-side resources.

  MongoClient.close() can be called concurrently

  In the past, concurrent calls to MongoClient.close() had poorly defined behavior depending on the exact timing of the second (or more) calls to close(). In some cases, this could also throw errors.

  With these changes, MongoClient.close() can be called concurrently safely and always returns the same promise.

  Note

  This is intended as a correctness fix - we don't recommend calling MongoClient.close() concurrently if it can be avoided.

  MONGODB-OIDC now properly reauthenticates in speculative auth scenarios

  When using MONGODB-OIDC authentication, if the initial handshake contained speculative authentication, the driver would not properly reauthenticate when the server would raise 391 errors. This is now fixed.

  Features

  • NODE-5672: support standardized logging (#4387) (d1b2453)
  • NODE-6258: add signal support to find and aggregate (#4364) (73def18)
  • NODE-6451: retry SRV and TXT lookup for DNS timeout errors (#4375) (fd902d3)
  • NODE-6633: MongoClient.close closes active cursors (#4372) (654069f)

  Bug Fixes

  • NODE-5225: concurrent MongoClient.close() calls each attempt to close the client (#4376) (9419af7)
  • NODE-6340: OIDC reauth uses caches speculative auth result (#4379) (8b2b7fd)

  Performance Improvements

  • NODE-6452: Optimize CommandStartedEvent and CommandSucceededEvent constructors (#4371) (41b066b)
  • NODE-6616: shortcircuit logging ejson.stringify (#4377) (c1bcf0d)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.07%. Comparing base (40f9d8a) to head (34642cc).
Report is 1 commits behind head on release-7.x.x.

Additional details and impacted files

@@                Coverage Diff                @@
##           release-7.x.x    #9757      +/-   ##
=================================================
+ Coverage          93.06%   93.07%   +0.01%     
=================================================
  Files                187      187              
  Lines              14977    14977              
=================================================
+ Hits               13938    13940       +2     
+ Misses              1039     1037       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.