[Snyk] Upgrade mongodb from 3.6.2 to 3.6.3

[snyk-bot]

Snyk has created this PR to upgrade mongodb from 3.6.2 to 3.6.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 1 version ahead of your current version.
• The recommended version was released 22 days ago, on 2020-11-06.

Release notes

Package name: mongodb

• 3.6.3 - 2020-11-06
  

  The MongoDB Node.js team is pleased to announce version 3.6.3 of the driver

  Release Highlights

  MongoError: not master when running createIndex

  A regression introduced in v3.6.2 meant that createIndex operations would not be executed with a fixed
  primary read preference. This resulted in the driver selecting any server for the operation, which would
  fail if a non-primary was selected.

  Performance issues on AWS Lambda

  The driver periodically monitors members of the replicaset for changes in the topology, but ensures that
  the "monitoring thread" is never woken sooner than 500ms. Measuring this elapsed time depends on a
  stable clock, which is not available to us in some virtualized environments like AWS Lambda. The result
  was that periodically operations would think there were no available servers, and the driver would force
  a wait of heartbeatFrequencyMS (10s by default) before reaching out to servers again for a new
  monitoring check. The internal async interval timer has been improved to account for these environments

  GSSAPI AuthProvider reuses single kerberos client

  A regression introduced in v3.6.0 forced the driver to reuse a single kerberos client for all
  authentication attempts. This would result in incomplete authentication flows, and occaisionally even
  a crash in the kerberos module. The driver has been reverted to creating a kerberos client per
  authentication attempt.

  Performance regression due to use of setImmediate

  A change introduced in v3.6.1 switched all our usage of process.nextTick in the connection pool with
  setImmediate per Node.js core recommendation. This was observed to introduce noticeable latency when the event loop
  was experiencing pressure, so the change was reverted for this release pending further investigation.

  Community Contributions

  • @jswangjunsheng submitted a fix for a rare scenario when wait queue members time out before connection establishment
  • @through-a-haze submitted a fix for incorrect construction of an X509 authentication message
  • @andreialecu helped us indicate peer optional dependencies in our package.json for stricter package managers (pnpm, yarn2)

  Documentation

  Reference: http://mongodb.github.io/node-mongodb-native/3.6/
  API: http://mongodb.github.io/node-mongodb-native/3.6/api/
  Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

  Release Notes

  Bug

  • [NODE-2172] - Change stream breaks on disconnection when there's something piped into it.
  • [NODE-2784] - MongoError: Not Master when running createIndex in 3.6.0
  • [NODE-2807] - MongoClient.readPreference always returns primary
  • [NODE-2827] - Connecting to single mongos makes driver think it is connected to a standalone
  • [NODE-2829] - MongoDB Driver 3.6+ Performance issues on AWS Lambda
  • [NODE-2835] - Remove default timeout for read operations
  • [NODE-2859] - GSSAPI AuthProvider causing crashes in Compass
  • [NODE-2861] - Performance Regression for usage of mongodb connections (queries, inserts, ...)
  • [NODE-2865] - Connections can be leaked if wait queue members are cancelled
  • [NODE-2869] - Invalid assignment of X509 username makes authentication impossible

  Improvement

  • [NODE-2834] - Remove deprecation of AggregationCursor#geoNear
  • [NODE-2867] - Use peerDependenciesMeta field to mark peer optional dependencies
• 3.6.2 - 2020-09-10
  

  The MongoDB Node.js team is pleased to announce version 3.6.2 of the driver

  Release Highlights

  Updated bl dependency due to CVE-2020-8244

  See this link for more details: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

  Connection pool wait queue processing is too greedy

  The logic for processing the wait queue in our connection pool ran the risk of
  starving the event loop. Calls to process the wait queue are now wrapped in a
  setImmediate to prevent starvation

  Documentation

  Reference: http://mongodb.github.io/node-mongodb-native/3.6/
  API: http://mongodb.github.io/node-mongodb-native/3.6/api/
  Changelog: https://github.com/mongodb/node-mongodb-native/blob/3.6/HISTORY.md

  We invite you to try the driver immediately, and report any issues to the NODE project.

  Thanks very much to all the community members who contributed to this release!

  Release Notes

  Bug

  • [NODE-2798] - Update version of dependency "bl" due to vulnerability
  • [NODE-2803] - Connection pool wait queue processing is too greedy

from mongodb GitHub release notes

Commit messages

Package name: mongodb

• 86ae813 chore(release): 3.6.3
• 308f840 chore: ensure aws4 is present for mongodb-aws tests
• 9110a45 fix: correctly assign username to X509 auth command (Update babel-preset-es2015 to version 6.14.0 🚀 #2587)
• c9f9d5e fix: revert use of setImmediate to process.nextTick (parse not updating from 1.4.0  #2611)
• 89b77ed fix: Change socket timeout default to 0 (Using become() with legacy session tokens #2572)
• 033b6e7 fix: move kerberos client setup from prepare to auth (Update mongodb to version 2.2.9 🚀 #2608)
• f0cee7a test: restrict geoSearch tests to mongodb <= 4.4 (Unable to schedule push notifications - always firing immediately #2612)
• 186090e fix: add peerDependenciesMeta to mark optional deps (Parse.com and parse-server different behaviour in storing date in a object field #2606)
• cafaa1b fix: connection leak if wait queue member cancelled
• 79df553 test: removes destructuring, spread, rest syntax and adds lint rules
• a6e7caf fix: correctly re-establishes pipe destinations
• f8fd310 fix: adds topology discovery for sharded cluster
• efd906a test: add directConnection spec tests
• 6acced0 fix: use options for readPreference in client
• 4955a52 fix: remove geoNear deprecation
• 967de13 fix: user roles take single string & DDL readPreference tests
• 0e5c45a fix: Fix test filters and revert mocha version (Changelog 2.2.18 #2558)
• b70baf4 test: Update connection-monitoring-and-pooling specs (Error code 2. The service is currently unavailable. #2555)
• 6c63471 style: Sync tooling configuration from 4.0 branch (server-side logout not working #2553)
• e0e11bb fix: permit waking async interval with unreliable clock
• 6113b24 chore(release): 3.6.2
• ddcd03d fix: sets primary read preference for writes

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[codecov]

Codecov Report

Merging #7026 (21628c4) into master (abdfe61) will increase coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7026      +/-   ##
==========================================
+ Coverage   93.86%   93.90%   +0.03%     
==========================================
  Files         169      169              
  Lines       12445    12445              
==========================================
+ Hits        11682    11686       +4     
+ Misses        763      759       -4     

Impacted Files	Coverage Δ
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	93.58% <0.00%> (+0.66%)	⬆️
src/Adapters/Files/GridFSBucketAdapter.js	80.32% <0.00%> (+0.81%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update abdfe61...21628c4. Read the comment docs.

[dplewis]

I can't recreate the failing tests locally. This is a duplicate of #6994

Edit: I am able to recreate this. I had to change the pretest / posttest in package.json to replicaset and wiredTiger

[sunshineo]

#7048

[dplewis]

@davimacedo The tests were failing because of a replication lag. I cleaned up the tests and added a small delay in the tests to give time for the replication to happen (I couldn't figure out how to force replication effectively). This may result in flaky tests in the future but it works for now.

[davimacedo]

Good job. I was on it right now but with no luck. LGTM!

[mtrezza]

The tests were failing because of a replication lag. I cleaned up the tests and added a small delay in the tests to give time for the replication to happen (I couldn't figure out how to force replication effectively). This may result in flaky tests in the future but it works for now.

@dplewis Might be fixable with the MongoDB write concern parameter.