[Snyk] Upgrade mongodb from 6.21.0 to 7.0.0

[alokshukla2012]

Snyk has created this PR to upgrade mongodb from 6.21.0 to 7.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 19 versions ahead of your current version.

• The recommended version was released 2 months ago.

Release notes

Package name: mongodb

• 7.0.0 - 2025-11-06
  

  7.0.0 (2025-11-06)

  The MongoDB Node.js team is pleased to announce version 7.0.0 of the mongodb package!

  Release Notes

  The following is a detailed collection of the changes in the major v7 release of the mongodb package for Node.js.
  The main focus of this release was usability improvements and a streamlined API. Read on for details!

  Important

  This is a list of changes relative to v6.21.0 of the driver. ALL changes listed below are BREAKING unless indicated otherwise.
  Users migrating from an older version of the driver are advised to upgrade to at least v6.21.0 before adopting v7.

  🛠️ Runtime and dependency updates

  Minimum Node.js version is now v20.19.0

  The minimum supported Node.js version is now v20.19.0 and our TypeScript target has been updated to ES2023. We strive to keep our minimum supported Node.js version in sync with the runtime's release cadence to keep up with the latest security updates and modern language features.

  Notably, the driver now offers native support for explicit resource management. Symbol.asyncDispose implementations are available on the MongoClient, ClientSession, ChangeStream and on cursors.

  Note

  Explicit resource management is considered experimental in the driver and will be until the TC39 explicit resource management proposal is completed.

  bson and mongodb-connection-string-url versions 7.0.0

  This driver version has been updated to use [email protected] and [email protected], which match the driver's Node.js runtime version support. BSON functionality re-exported from the driver is furthermore subject to the changes outlined in the BSON V7 release notes.

  Optional peer dependency releases and version bumps

  • @ mongodb-js/zstd optional peer dependency minimum version raised to 7.0.0, dropped support for 1.x and 2.x (note that @ mongodb-js/zstd does not have 3.x-6.x version releases)
  • kerberos optional peer dependency minimum version raised to 7.0.0, dropped support for 2.x (note that kerberos does not have 3.x-6.x version releases)
  • mongodb-client-encryption optional peer dependency minimum version raised to 7.0.0, dropped support for 6.x

  Additionally, the driver is now compatible with the following packages:

  Dependency	Previous Range	New Allowed Range
  @ aws-sdk/credential-providers	^3.188.0	^3.806.0
  gcp-metadata	^5.2.0	^7.0.1
  socks	^2.7.1	^2.8.6

  🔐 AWS authentication

  To improve long-term maintainability and ensure compatibility with AWS updates, we’ve standardized AWS auth to use the official SDK in all cases and made a number of supporting changes outlined below.

  @ aws-sdk/credential-providers is now required for MONGODB-AWS authentication

  Previous versions of the driver contained two implementations for AWS authentication and could run the risk of the custom driver implementation not supporting all AWS authentication features as well as not being correct when AWS makes changes. Using the official AWS SDK in all cases alleviates these issues.

  npm install @ aws-sdk/credential-providers

  Custom AWS credential provider takes highest precedence

  When providing a custom AWS credential provider via the auth mechanism property AWS_CREDENTIAL_PROVIDER, it will now take the highest precedence over any other AWS auth method.

  Explicitly provided credentials no longer accepted with MONGODB-AWS authentication

  AWS environments (such as AWS Lambda) do not have credentials that are permanent and expire within a set amount of time. Providing credentials in the URI or options would mandate that those credentials would be valid for the life of the MongoClient, which is problematic. With this change, the fetching of credentials is fully handled by the installed required AWS SDK.

  This means that for AWS authentication, all client URIs MUST now be specified as:

  import { MongoClient } from 'mongodb';

  const client = new MongoClient('mongodb<+srv>://<host>:<port>/?authMechanism=MONGODB-AWS');

  The previous method of providing URI encoded credentials based on the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly in the connection string will no longer work.

  ⚙️ Error handling improvements

  Dropping a collection returns false instead of throwing when NS not found

  This change has been made for consistency with the common drivers specifications.

  Aggregate with write concern and explain no longer throws client-side

  This will now throw a MongoServerError instead.

  All encryption-related errors now subclass MongoError

  The driver aims to ensure that all errors it throws are subclasses of MongoError. However, when using CSFLE or QE, the driver's encryption implementation could sometimes throw errors that were not instances of MongoError.

  Now, all errors thrown during encryption are subclasses of MongoError.

  'PoolRequstedRetry' error label renamed to 'PoolRequestedRetry'

  The PoolClearedError thrown in cases where the connection pool was cleared now fixes the typo in the error label.

  💥 Misc breaking improvements

  Change streams no longer filter $changeStream stage options

  Users can now pass any option to collection.watch(). If an option is invalid for the $changeStream stage of the pipeline, the server will return an error. This change makes it possible to use newly introduced server options without waiting for them to become available in our public type definitions and eliminates the risk of valid but unrecognized options being silently ignored.

  Cursors no longer provide a default batchSize of 1000 for getMores

  In driver versions <7.0, the driver provides a default batchSize of 1000 for each getMore when iterating a cursor. This behavior is not ideal because the default is set regardless of the documents being fetched. For example, if a cursor fetches many small documents, the driver's default of 1000 can result in many round-trips to fetch all documents, when the server could fit all documents inside a single getMore if no batchSize were set.

  Now, cursors no longer provide a default batchSize when executing a getMore. A batchSize will only be set on getMore commands if a batchSize has been explicitly configured for the cursor.

  Auto encryption options now include default filenames in TS

  A common source of confusion for people configuring auto encryption is where to specify the path to mongocryptd and where to specify the path to crypt_shared. We've now made this clearer in our Typescript users. Typescript now reports errors if the specified filename doesn't match the default name of the file. Some examples:

  var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'some path'; // ERROR
  var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd'; // OK
  var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] =
  '/usr/local/bin/mongocryptd'; // OK
  var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd.exe'; // OK

  var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'some path'; // ERROR
  var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.so'; // OK
  var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dll'; // OK
  var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dylib'; // OK

  ☀️ Misc non-breaking improvements

  Improve MongoClient.connect() consistency across environments

  The MongoClient connect function will now run a handshake regardless of credentials being defined. The upshot of this change is that connect is more consistent at verifying some fail-fast preconditions regardless of environment. For example, previously, if connecting to a loadBalanced=true cluster without authentication there would not have been an error until a command was attempted.

  MongoClient.close() no longer sends endSessions if the topology does not have session support

  MongoClient.close() attempts to free up any server resources that the client has instantiated, including sessions. Previously, MongoClient.close() unconditionally attempted to kill all sessions, regardless of whether or not the topology actually supports sessions.

  Now, MongoClient.close() only attempts to clean up sessions if the topology supports sessions.

  Wrap socket write in a try/catch to ensure errors can be properly wrapped

  One socket.write call was not correctly wrapped in a try/catch block and network errors could bubble up to the driver. This call is now properly wrapped and will result in a retry.

  ClientEncryption.rewrapManyDataKey() options now correctly marked as optional

  The options parameter for the ClientEncryption.rewrapManyDataKey() method is now correctly marked as optional in its TypeScript definition. This change aligns the type signature with the method's implementation and documentation, resolving a type mismatch for TypeScript users.

  📜 Removal of deprecated functionality

  Cursor and ChangeStream stream() method no longer accepts a transform

  Cursors and ChangeStreams no longer accept a transform function. ReadableStream.map() can be used instead:

  // before
  const stream = cursor.stream({ transform: JSON.stringify });

  // after
  const stream = cursor.stream().map(JSON.stringify);

  MONGODB-CR AuthMechanism has been removed

  This mechanism has been unsupported as of MongoDB 4.0 and attempting to use it will still raise an error.

  Internal ClientMetadata properties have been removed from the public API

  Previous versions of the driver unintentionally exposed the following properties that have now been made internal:

  MongoClient.options.additionalDriverInfo
  MongoClient.options.metadata
  MongoClient.options.extendedMetadata
  MongoOptions.additionalDriverInfo
  MongoOptions.metadata
  MongoOptions.extendedMetadata
  ConnectionOptions.metadata
  ConnectionOptions.extendedMetadata
  

  CommandOptions.noResponse option removed

  This option was never intended to be public, and never worked properly for user-facing APIs. It has now been removed.

  Assorted deprecated type, class, and option removals

  GridFSFile.contentType;
  GridFSFile.aliases;
  GridFSBucketWriteStreamOptions.contentType;
  GridFSBucketWriteStreamOptions.aliases;
  CloseOptions;
  ResumeOptions;
  MongoClientOptions.useNewUrlParser;
  MongoClientOptions.useUnifiedTopology;
  CreateCollectionOptions.autoIndexId;
  FindOptions<TSchema>; // now no generic type
  ClientMetadataOptions;
  FindOneOptions.batchSize;
  FindOneOptions.limit;
  FindOneOptions.noCursorTimeout;
  ReadPreference.minWireVersion;
  ServerCapabilities;
  CommandOperationOptions.retryWrites; // is a global option on the MongoClient
  ClientSession.transaction;
  Transaction;
  CancellationToken;

  ⚠️ ALL BREAKING CHANGES

  • NODE-7286: Update dependencies to v7 (#4780)
  • NODE-5510: dont filter change stream options (#4723)
  • NODE-6296: remove cursor default batch size of 1000 (#4729)
  • NODE-7150: update peer dependency matrix for 3rd party peer deps (#4720)
  • NODE-7046: remove AWS uri/options support (#4689)
  • NODE-4808: remove support for stream() transform on cursors and change streams (#4728)
  • NODE-6377: remove noResponse option (#4724)
  • NODE-6473: remove MONGODB-CR auth (#4717)
  • NODE-5994: Remove metadata-related properties from public driver API (#4716)
  • NODE-7016: remove beta namespace and move resource management into driver (#4719)
  • NODE-4184: don't throw on aggregate with write concern and explain (#4718)
  • NODE-7043, NODE-7217: adopt mongodb-client-encryption v7 (#4705)
  • NODE-6065: throw MongoRuntimeError instead of MissingDependencyError in crypto connection (#4711)
  • NODE-6584: improve typing for filepaths in AutoEncryptionOptions (#4341)
  • NODE-6334: rename PoolRequstedRetry to PoolRequestedRetry (#4696)
  • NODE-7174: drop support for Node16 and Node18 (#4668)
  • NODE-7047: use custom credential provider first after URI (#4656)
  • NODE-6988: require aws sdk for aws auth (#4659)
  • NODE-5545: remove deprecated objects (#4704) (cfbada6)

  Non-breaking

  • NODE-4243: drop collection checks ns not found (#4742) (a8d7c5f)
  • NODE-7223: run checkout on connect regardless of credentials (#4715) (c5f74ab)
  • NODE-7232: only send endSessions during client close if the topology supports sessions (#4722) (cc85ebf)
  • NODE-7067: Wrap socket write in a try/catch to ensure errors can be properly wrapped (#4759) (66c18b7)
• 7.0.0-dev.20251220.sha.e70fdc98 - 2025-12-20
• 7.0.0-dev.20251219.sha.a4211e77 - 2025-12-19
• 7.0.0-dev.20251218.sha.f0af829f - 2025-12-18
• 7.0.0-dev.20251217.sha.c990750f - 2025-12-17
• 7.0.0-dev.20251213.sha.4cb2b875 - 2025-12-13
• 7.0.0-dev.20251211.sha.f88bfe18 - 2025-12-11
• 7.0.0-dev.20251204.sha.ae2e037e - 2025-12-04
• 7.0.0-dev.20251203.sha.a96fa26d - 2025-12-03
• 7.0.0-dev.20251202.sha.d4e44388 - 2025-12-02
• 7.0.0-dev.20251125.sha.f433e11a - 2025-11-25
• 7.0.0-dev.20251121.sha.761b9bfa - 2025-11-21
• 7.0.0-dev.20251119.sha.49c5b6fe - 2025-11-19
• 7.0.0-dev.20251115.sha.287c98a9 - 2025-11-15
• 7.0.0-dev.20251114.sha.1cc3d1c9 - 2025-11-14
• 7.0.0-dev.20251113.sha.26eb0e61 - 2025-11-13
• 7.0.0-dev.20251112.sha.3cf02a8d - 2025-11-12
• 7.0.0-dev.20251111.sha.b183de39 - 2025-11-11
• 7.0.0-dev.20251107.sha.5db818c2 - 2025-11-07
• 6.21.0 - 2025-11-12
  

  6.21.0 (2025-11-05)

  The MongoDB Node.js team is pleased to announce version 6.21.0 of the mongodb package!

  Release Notes

  Deprecated items to be removed in 7.0.0

  The following items have been deprecated and will be removed in 7.0.0:

  MongoCredentials.authMechanismProperties.AWS_SESSION_TOKEN // URI & client options for AWS variables will no longer be respected
  CommandOptions.noResponse // Unused
  ConnectionOptions.cancellationToken // Unused
  CursorStreamOptions // Only option, transform, removed in favor of Stream#map

  Features

  • NODE-7230: add deprecations of items to be removed in v7 (#4774) (5104c0f)

  Documentation

  • Reference
  • API
  • Changelog

  We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs