Skip to content
This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

[Snyk] Upgrade bson from 6.3.0 to 6.7.0 #54

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

boytur
Copy link
Owner

@boytur boytur commented May 26, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade bson from 6.3.0 to 6.7.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 4 versions ahead of your current version.

  • The recommended version was released on 24 days ago.

Release notes
Package name: bson
  • 6.7.0 - 2024-05-02

    6.7.0 (2024-05-01)

    The MongoDB Node.js team is pleased to announce version 6.7.0 of the bson package!

    Release Notes

    Add Long.fromStringStrict method

    The Long.fromStringStrict method is almost identical to the Long.fromString method, except it throws a BSONError if any of the following are true:

    • input string has invalid characters, for the given radix
    • the string contains whitespace
    • the value the input parameters represent is too large or too small to be a 64-bit Long

    Unlike Long.fromString, this method does not coerce the inputs '+/-Infinity' and 'NaN' to Long.ZERO, in any case.

    Examples:

    Long.fromStringStrict('1234xxx5'); // throws BSONError
    Long.fromString('1234xxx5'); // coerces input and returns new Long(123400)

    // when writing in radix 10, 'n' and 'a' are both invalid characters
    Long.fromStringStrict('NaN'); // throws BSONError
    Long.fromString('NaN'); // coerces input and returns Long.ZERO

    Note

    Long.fromStringStrict's functionality will be present in Long.fromString in the V7 BSON release.

    Add static Double.fromString method

    This method attempts to create an Double type from a string, and will throw a BSONError on any string input that is not representable as a IEEE-754 64-bit double.
    Notably, this method will also throw on the following string formats:

    • Strings in non-decimal and non-exponential formats (binary, hex, or octal digits)
    • Strings with characters other than sign, numeric, floating point, or slash characters (Note: 'Infinity', '-Infinity', and 'NaN' input strings are still allowed)
    • Strings with leading and/or trailing whitespace
      Strings with leading zeros, however, are also allowed.

    Add static Int32.fromString method

    This method attempts to create an Int32 type from string, and will throw a BSONError on any string input that is not representable as an Int32.
    Notably, this method will also throw on the following string formats:

    • Strings in non-decimal formats (exponent notation, binary, hex, or octal digits)
    • Strings with non-numeric and non-leading sign characters (ex: '2.0', '24,000')
    • Strings with leading and/or trailing whitespace

    Strings with leading zeros, however, are allowed

    UTF-8 validation now throws a BSONError on overlong encodings in Node.js

    Specifically, this affects deserialize when utf8 validation is enabled, which is the default.

    An overlong encoding is when the number of bytes in an encoding is inflated by padding the code point with leading 0s (see here for more information).

    Long.fromString takes radix into account before coercing '+/-Infinity' and 'NaN' to Long.ZERO

    Long.fromString no longer coerces the following cases to Long.ZERO when the provided radix supports all characters in the string:

    • '+Infinity', '-Infinity', or 'Infinity' when 35 <= radix <= 36
    • 'NaN' when 24 <= radix <= 36
    // when writing in radix 27, 'n' and 'a' are valid characters, so 'NaN' represents the decimal number 17060
    Long.fromString('NaN', 27); // new Long(17060)
    Long.fromString('NaN', 10); // new Long(0) <-- Since 'NaN' is not a valid input in base 10, it gets coerced to Long.ZERO

    Features

    Bug Fixes

    Documentation

    We invite you to try the bson library immediately, and report any issues to the NODE project.

  • 6.6.0 - 2024-04-02

    6.6.0 (2024-04-01)

    The MongoDB Node.js team is pleased to announce version 6.6.0 of the bson package!

    Release Notes

    Binary.toString and Binary.toJSON align with BSON serialization

    When BSON serializes a Binary instance it uses the bytes between 0 and binary.position since Binary supports pre-allocating empty space and writing segments of data using .put()/.write(). Erroneously, the toString() and toJSON() methods did not use the position property to limit how much of the underlying buffer to transform into the final value, potentially returning more string than relates to the actual data of the Binary instance.

    In general, you may not encounter this bug if Binary instances are created from a data source (new Binary(someBuffer)) or are returned by the database because in both of these cases binary.position is equal to the length of the underlying buffer.

    Fixed example creating an empty Binary:

    new BSON.Binary().toString();
    // old output: '\x00\x00\x00\x00...' (256 zeros)
    // new output: '' 

    Experimental APIs

    This release contains experimental APIs that are not suitable for production use. As a reminder, anything marked @ experimental is not a part of the stable semantically versioned API and is subject to change in any subsequent release.

    Bug Fixes

    Documentation

    We invite you to try the bson library immediately, and report any issues to the NODE project.

  • 6.5.0 - 2024-03-12

    6.5.0 (2024-03-12)

    The MongoDB Node.js team is pleased to announce version 6.5.0 of the bson package!

    Release Notes

    Fixed float byte-wise handling on big-endian systems

    Caution

    Among the platforms BSON and the MongoDB driver support this issue impacts s390x big-endian systems. x86, ARM, and other little-endian systems are not affected. Existing versions of the driver can be upgraded to this release.

    A recent change to the BSON library started parsing and serializing floats using a Float64Array. When reading the bytes from this array the ordering is dependent on the platform it is running on and we now properly account for that ordering.

    Add SUBTYPE_SENSITIVE on Binary class

    When a BSON.Binary object is of 'sensitive' subtype, the object's subtype will equal 0x08.

    Features

    Bug Fixes

    Documentation

    We invite you to try the bson library immediately, and report any issues to the NODE project.

  • 6.4.0 - 2024-02-29

    6.4.0 (2024-02-29)

    The MongoDB Node.js team is pleased to announce version 6.4.0 of the bson package!

    Release Notes

    BSON short basic latin string writing performance improved!

    The BSON library's string encoding logic now attempts to optimize for basic latin (ASCII) characters. This will apply to both BSON keys and BSON values that are or contain strings. If strings are less than 6 bytes we observed approximately 100% increase in speed while around 24 bytes the performance was about 33% better. For any non-basic latin bytes or at 25 bytes or greater the BSON library will continue to use Node.js' Buffer.toString API.

    The intent is to generally target the serialization of BSON keys which are often short and only use basic latin.

    Fixed objectId symbol property not defined on instances from cross cjs and mjs

    We do recommend that users of the driver use the BSON APIs exported from the driver. One reason for this is at this time the driver is only shipped in commonjs format and as a result it will only import the commonjs BSON bundle. If in your application you use import syntax then there will be a commonjs and an es module instance in the current process which prevents things like instanceof from working.

    Also, private symbols defined in one package will not be equal to symbols defined in the other. This caused an issue on ObjectId's private symbol property preventing the .equals method from one package from operating on an ObjectId created from another.

    Thanks to @ dot-i's contribution we've changed the private symbol to a private string property so that the .equals() method works across module types.

    Deserialization performance increased

    If BSON data does not contain Doubles and UTF8 validation is disabled the deserializer is careful to not allocate data structures needed to support that functionality. This has shown to greatly increase (2x-1.3x) the performance of the deserializer.

    Thank you @ billouboq for this contribution!

    Improve the performance of small byte copies

    When serializing ObjectIds, Decimal128, and UUID values we can get better performance by writing the byte-copying logic in Javascript for loops rather than using the TypedArray.set API. ObjectId serialization performance is 1.5x-2x faster.

    Improved the performance of serializing and deserializing doubles and bigints

    We now use bit shifting and multiplication operators in place of DataView getX/setX calls to parse and serialize bigints and a Float64Array to convert a double to bytes. This change has been shown to increase deserializing performance ~1.3x and serializing performance ~1.75x.

    Use allocUnsafe for ObjectIds and Decimal128

    For small allocations Node.js performance can be improved by using pre-allocated pooled memory. ObjectIds and Decimal128 instance will now use allocUnsafe on Node.js.

    Features

    Bug Fixes

    • NODE-5873: objectId symbol property not defined on instances from cross cjs and mjs (#643) (4d9884d)

    Performance Improvements

    Documentation

    We invite you to try the bson library immediately, and report any issues to the NODE project.

  • 6.3.0 - 2024-02-01

    6.3.0 (2024-01-31)

    The MongoDB Node.js team is pleased to announce version 6.3.0 of the bson package!

    Release Notes

    BSON short basic latin string parsing performance improved! 🐎

    The BSON library's string decoding logic now attempts to optimize for basic latin (ASCII) characters. This will apply to both BSON keys and BSON values that are or contain strings. If strings are less than 6 bytes we observed approximately ~100% increase in speed while around 15 bytes the performance was about ~30% better. For any non-basic latin bytes or at 20 bytes or greater the BSON library will continue to use Node.js' Buffer.toString API.

    The intent is to generally target the deserialization of BSON keys which are often short and only use basic latin, Et tu, _id?

    Using a number type as input to the ObjectId constructor is deprecated

    Instead, use static createFromTime() to set a numeric value for the new ObjectId.

    // previously
    new ObjectId(Date.now())

    // recommended
    ObjectId.createFromTime(Date.now())

    Features

    Documentation

    We invite you to try the bson library immediately, and report any issues to the NODE project.

from bson GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade bson from 6.3.0 to 6.7.0.

See this package in npm:
bson

See this project in Snyk:
https://app.snyk.io/org/boytur/project/cf4b89c9-71bc-436e-a66d-5720618e4f3e?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants