
[Snyk] Upgrade mongodb from 6.21.0 to 7.1.1#61

Open
Aravind-Kumar-cstk wants to merge 1 commit into
masterfrom
snyk-upgrade-db0fc38cfab85cee81bd336a5247a647

Conversation

@Aravind-Kumar-cstk
Contributor


Snyk has created this PR to upgrade mongodb from 6.21.0 to 7.1.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 60 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: mongodb
  • 7.1.1 - 2026-03-24

    7.1.1 (2026-03-24)

    The MongoDB Node.js team is pleased to announce version 7.1.1 of the mongodb package!

    Release Notes

    Tighten OIDC ALLOWED_HOSTS wildcard matching

    The OIDC ALLOWED_HOSTS wildcard handling has been fixed to require full subdomain/path matches for *. and */ entries, preventing partial suffix matches from being incorrectly accepted.

    Fixed TCP keep-alive and no-delay settings not being applied on TLS connections

    Due to a Node.js bug, tls.connect() silently ignores keepAlive, keepAliveInitialDelay, and noDelay options passed through its constructor. This could cause idle connections - particularly through cloud load balancers like Azure (240s idle timeout) or AWS PrivateLink/NLB - to be dropped unexpectedly due to missing TCP keep-alive probes.

    The driver now explicitly calls setKeepAlive() and setNoDelay() on the socket after creation, ensuring these settings are always applied regardless of whether TLS is used.

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 7.1.0 - 2026-02-04

    7.1.0 (2026-02-02)

    The MongoDB Node.js team is pleased to announce version 7.1.0 of the mongodb package!

    Release Notes

    🧩 Runtime and platform compatibility improvements

    aws4 package no longer required for AWS authentication

    The aws4 package is no longer required to use AWS authentication, reducing the dependency footprint.

    Usages of util.promisify have been removed

    The driver no longer relies on Node.js’s util.promisify() API, which improves compatibility with alternate runtimes.

    Explicit node:process import instead of global.process

    The driver now explicitly imports node:process instead of relying on global.process, allowing bundlers and alternate runtimes to supply and optimize the process implementation more consistently.

    Node-specific platform APIs replaced with standards-based equivalents

    The driver replaces several Node-specific APIs with standards-based equivalents:

    • process.arch → os.arch()
    • process.platform → os.platform()
    • os.endianness() → BSON.NumberUtils
    • process.hrtime() → performance.now()
    • process.nextTick() → queueMicrotask()

    These changes reduce the number of patches required to run the driver outside of Node.js and improve compatibility with non-Node.js runtimes.

    🔁 Connection resilience and retry behavior improvements

    Connection churn avoidance in server overload scenarios

    When server-side connection rate limiting is enabled and the rate limiter kicks in under periods of high connection establishment, the driver will additionally churn connections by clearing the pool every time the rate limiter rejects an incoming connection request.

    In this new driver release, connection establishment failures no longer clear the pool, preventing unnecessary connection churn in these scenarios.

    withTransaction now applies exponential backoff during transaction retries

    The convenient transaction API, withTransaction, now uses exponential backoff between retries when a transaction must be retried. Under high server load, this can help prevent transaction retry storms.

    Server selection deprioritizes servers during retries

    When retrying a command, the driver now deprioritizes servers during server selection, improving stability and reducing the likelihood of repeatedly targeting overloaded or previously failed servers.

    🔐 OIDC authentication improvements

    Expanded the list of ALLOWED_HOSTS for OIDC

    OIDC authentication now supports hosts matching *.mongo.com in its default ALLOWED_HOSTS list.

    OIDC reauthentication now works with promoteValues: false

    When MongoClient is configured with promoteValues: false (for applications that rely on raw BSON types), OIDC reauthentication now succeeds as expected.

    ✅ Fixed read preference adherence for $merge and $out aggregations

    Resolved an issue where the driver failed to detect MongoDB 5.0+ capabilities due to incorrect commonWireVersion initialization. As a result, aggregations with write stages now correctly respect secondary and secondaryPreferred read preferences, rather than forcing execution on the primary.

    Huge thanks to @crehbichler for discovering and investigating this bug and for implementing a fix!

    ⚠️ Deprecations

    RenameCollectionOptions.new_collection

    This option has been unused since driver 4.x. It is now deprecated and will be removed in a future major release. Existing code that sets this option can safely remove it with no behavioral change.

    Features

    Bug Fixes

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

  • 7.0.0 - 2025-11-06

    7.0.0 (2025-11-06)

    The MongoDB Node.js team is pleased to announce version 7.0.0 of the mongodb package!

    Release Notes

    The following is a detailed collection of the changes in the major v7 release of the mongodb package for Node.js.
    The main focus of this release was usability improvements and a streamlined API. Read on for details!

    Important

    This is a list of changes relative to v6.21.0 of the driver. ALL changes listed below are BREAKING unless indicated otherwise.
    Users migrating from an older version of the driver are advised to upgrade to at least v6.21.0 before adopting v7.

    🛠️ Runtime and dependency updates

    Minimum Node.js version is now v20.19.0

    The minimum supported Node.js version is now v20.19.0 and our TypeScript target has been updated to ES2023. We strive to keep our minimum supported Node.js version in sync with the runtime's release cadence to keep up with the latest security updates and modern language features.

    Notably, the driver now offers native support for explicit resource management. Symbol.asyncDispose implementations are available on the MongoClient, ClientSession, ChangeStream and on cursors.

    Note

    Explicit resource management is considered experimental in the driver and will be until the TC39 explicit resource management proposal is completed.

    bson and mongodb-connection-string-url versions 7.0.0

    This driver version has been updated to use bson@7.0.0 and mongodb-connection-string-url@7.0.0, which match the driver's Node.js runtime version support. BSON functionality re-exported from the driver is furthermore subject to the changes outlined in the BSON V7 release notes.

    Optional peer dependency releases and version bumps

    • @mongodb-js/zstd optional peer dependency minimum version raised to 7.0.0, dropped support for 1.x and 2.x (note that @mongodb-js/zstd does not have 3.x-6.x version releases)
    • kerberos optional peer dependency minimum version raised to 7.0.0, dropped support for 2.x (note that kerberos does not have 3.x-6.x version releases)
    • mongodb-client-encryption optional peer dependency minimum version raised to 7.0.0, dropped support for 6.x

    Additionally, the driver is now compatible with the following packages:

    Dependency                     | Previous Range | New Allowed Range
    @aws-sdk/credential-providers  | ^3.188.0       | ^3.806.0
    gcp-metadata                   | ^5.2.0         | ^7.0.1
    socks                          | ^2.7.1         | ^2.8.6

    🔐 AWS authentication

    To improve long-term maintainability and ensure compatibility with AWS updates, we’ve standardized AWS auth to use the official SDK in all cases and made a number of supporting changes outlined below.

    @aws-sdk/credential-providers is now required for MONGODB-AWS authentication

    Previous versions of the driver contained two implementations for AWS authentication and could run the risk of the custom driver implementation not supporting all AWS authentication features as well as not being correct when AWS makes changes. Using the official AWS SDK in all cases alleviates these issues.

    npm install @aws-sdk/credential-providers

    Custom AWS credential provider takes highest precedence

    When providing a custom AWS credential provider via the auth mechanism property AWS_CREDENTIAL_PROVIDER, it will now take the highest precedence over any other AWS auth method.

    Explicitly provided credentials no longer accepted with MONGODB-AWS authentication

    AWS environments (such as AWS Lambda) do not have credentials that are permanent and expire within a set amount of time. Providing credentials in the URI or options would mandate that those credentials would be valid for the life of the MongoClient, which is problematic. With this change, the fetching of credentials is fully handled by the installed required AWS SDK.

    This means that for AWS authentication, all client URIs MUST now be specified as:

    import { MongoClient } from 'mongodb';

    const client = new MongoClient('mongodb<+srv>://<host>:<port>/?authMechanism=MONGODB-AWS');

    The previous method of providing URI encoded credentials based on the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly in the connection string will no longer work.

    ⚙️ Error handling improvements

    Dropping a collection returns false instead of throwing when NS not found

    This change has been made for consistency with the common drivers specifications.

    Aggregate with write concern and explain no longer throws client-side

    This will now throw a MongoServerError instead.

    All encryption-related errors now subclass MongoError

    The driver aims to ensure that all errors it throws are subclasses of MongoError. However, when using CSFLE or QE, the driver's encryption implementation could sometimes throw errors that were not instances of MongoError.

    Now, all errors thrown during encryption are subclasses of MongoError.

    'PoolRequstedRetry' error label renamed to 'PoolRequestedRetry'

    The PoolClearedError thrown in cases where the connection pool was cleared now fixes the typo in the error label.

    💥 Misc breaking improvements

    Change streams no longer filter $changeStream stage options

    Users can now pass any option to collection.watch(). If an option is invalid for the $changeStream stage of the pipeline, the server will return an error. This change makes it possible to use newly introduced server options without waiting for them to become available in our public type definitions and eliminates the risk of valid but unrecognized options being silently ignored.

    Cursors no longer provide a default batchSize of 1000 for getMores

    In driver versions <7.0, the driver provides a default batchSize of 1000 for each getMore when iterating a cursor. This behavior is not ideal because the default is set regardless of the documents being fetched. For example, if a cursor fetches many small documents, the driver's default of 1000 can result in many round-trips to fetch all documents, when the server could fit all documents inside a single getMore if no batchSize were set.

    Now, cursors no longer provide a default batchSize when executing a getMore. A batchSize will only be set on getMore commands if a batchSize has been explicitly configured for the cursor.

    Auto encryption options now include default filenames in TS

    A common source of confusion for people configuring auto encryption is where to specify the path to mongocryptd and where to specify the path to crypt_shared. We've now made this clearer in our Typescript users. Typescript now reports errors if the specified filename doesn't match the default name of the file. Some examples:

    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'some path'; // ERROR
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd'; // OK
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] =
    '/usr/local/bin/mongocryptd'; // OK
    var path: AutoEncryptionOptions['extraOptions']['mongocryptdSpawnPath'] = 'mongocryptd.exe'; // OK

    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'some path'; // ERROR
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.so'; // OK
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dll'; // OK
    var path: AutoEncryptionOptions['extraOptions']['cryptSharedLibPath'] = 'mongo_crypt_v1.dylib'; // OK

    ☀️ Misc non-breaking improvements

    Improve MongoClient.connect() consistency across environments

    The MongoClient connect function will now run a handshake regardless of credentials being defined. The upshot of this change is that connect is more consistent at verifying some fail-fast preconditions regardless of environment. For example, previously, if connecting to a loadBalanced=true cluster without authentication there would not have been an error until a command was attempted.

    MongoClient.close() no longer sends endSessions if the topology does not have session support

    MongoClient.close() attempts to free up any server resources that the client has instantiated, including sessions. Previously, MongoClient.close() unconditionally attempted to kill all sessions, regardless of whether or not the topology actually supports sessions.

    Now, MongoClient.close() only attempts to clean up sessions if the topology supports sessions.

    Wrap socket write in a try/catch to ensure errors can be properly wrapped

    One socket.write call was not correctly wrapped in a try/catch block and network errors could bubble up to the driver. This call is now properly wrapped and will result in a retry.

    ClientEncryption.rewrapManyDataKey() options now correctly marked as optional

    The options parameter for the ClientEncryption.rewrapManyDataKey() method is now correctly marked as optional in its TypeScript definition. This change aligns the type signature with the method's implementation and documentation, resolving a type mismatch for TypeScript users.

    📜 Removal of deprecated functionality

    Cursor and ChangeStream stream() method no longer accepts a transform

    Cursors and ChangeStreams no longer accept a transform function. ReadableStream.map() can be used instead:

    // before
    const stream = cursor.stream({ transform: JSON.stringify });

    // after
    const stream = cursor.stream().map(JSON.stringify);

    MONGODB-CR AuthMechanism has been removed

    This mechanism has been unsupported as of MongoDB 4.0 and attempting to use it will still raise an error.

    Internal ClientMetadata properties have been removed from the public API

    Previous versions of the driver unintentionally exposed the following properties that have now been made internal:

    MongoClient.options.additionalDriverInfo
    MongoClient.options.metadata
    MongoClient.options.extendedMetadata
    MongoOptions.additionalDriverInfo
    MongoOptions.metadata
    MongoOptions.extendedMetadata
    ConnectionOptions.metadata
    ConnectionOptions.extendedMetadata
    

    CommandOptions.noResponse option removed

    This option was never intended to be public, and never worked properly for user-facing APIs. It has now been removed.

    Assorted deprecated type, class, and option removals

    GridFSFile.contentType;
    GridFSFile.aliases;
    GridFSBucketWriteStreamOptions.contentType;
    GridFSBucketWriteStreamOptions.aliases;
    CloseOptions;
    ResumeOptions;
    MongoClientOptions.useNewUrlParser;
    MongoClientOptions.useUnifiedTopology;
    CreateCollectionOptions.autoIndexId;
    FindOptions<TSchema>; // now no generic type
    ClientMetadataOptions;
    FindOneOptions.batchSize;
    FindOneOptions.limit;
    FindOneOptions.noCursorTimeout;
    ReadPreference.minWireVersion;
    ServerCapabilities;
    CommandOperationOptions.retryWrites; // is a global option on the MongoClient
    ClientSession.transaction;
    Transaction;
    CancellationToken;

    ⚠️ ALL BREAKING CHANGES

    Non-breaking

  • 6.21.0 - 2025-11-12

    6.21.0 (2025-11-05)

    The MongoDB Node.js team is pleased to announce version 6.21.0 of the mongodb package!

    Release Notes

    Deprecated items to be removed in 7.0.0

    The following items have been deprecated and will be removed in 7.0.0:

    MongoCredentials.authMechanismProperties.AWS_SESSION_TOKEN // URI & client options for AWS variables will no longer be respected
    CommandOptions.noResponse // Unused
    ConnectionOptions.cancellationToken // Unused
    CursorStreamOptions // Only option, transform, removed in favor of Stream#map

    Features

    Documentation

    We invite you to try the mongodb library immediately, and report any issues to the NODE project.

from mongodb GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade mongodb from 6.21.0 to 7.1.1.

See this package in npm:
mongodb

See this project in Snyk:
https://app.snyk.io/org/contentstack-devex/project/37228d36-21e6-4276-b625-091727e0f9ed?utm_source=github&utm_medium=referral&page=upgrade-pr
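The 7.1.1 note on OIDC ALLOWED_HOSTS wildcard matching is easiest to see as a matcher comparison. This is an added illustration, not the mongodb driver's own code: the lax matcher is constructed to show the partial-suffix class of bug the note describes, and the allow-list entries and the entry forms assumed here ("*." for a subdomain, "*/" for a path component) are assumptions, not the driver's exact rules.

```javascript
// Added illustration (not the mongodb driver's code): why an OIDC ALLOWED_HOSTS
// wildcard must match a whole label boundary, not a bare string suffix.
// Entry forms assumed here: exact host ("localhost"), "*.<domain>" and "*/<path>".

// Constructed lax matcher: strips the "*" together with its separator and then
// does a raw suffix check. "*.mongo.com" therefore also accepts "evilmongo.com",
// which is the partial-suffix acceptance the 7.1.1 release note warns about.
function laxHostAllowed(host, allowedHosts) {
  const h = host.toLowerCase();
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (!e.startsWith('*')) return h === e;
    return h.endsWith(e.slice(2)); // drops "*." or "*/" -> partial suffix match
  });
}

// Tightened matcher: keeps the separator as part of the suffix, so the wildcard
// only covers a complete subdomain ("*.") or path component ("*/"). The wildcard
// must stand for at least one character, so the bare apex "mongo.com" does not
// match "*.mongo.com" (a choice made for this example).
function strictHostAllowed(host, allowedHosts) {
  const h = host.toLowerCase();
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (!e.startsWith('*')) return h === e;
    const suffix = e.slice(1); // ".mongo.com" or "/run/mongod.sock"
    if (suffix[0] !== '.' && suffix[0] !== '/') return false; // reject "*foo"
    return h.length > suffix.length && h.endsWith(suffix);
  });
}

// Constructed allow-list (assumption, not the driver's default list).
const ALLOWED = ['localhost', '*.mongo.com', '*/run/mongod.sock'];

// Side-by-side verdicts for a set of candidate hosts.
function compare(hosts) {
  return hosts.map((host) => ({
    host,
    lax: laxHostAllowed(host, ALLOWED),
    strict: strictHostAllowed(host, ALLOWED),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare([
    'cluster0.mongo.com', // both accept: a real subdomain
    'evilmongo.com',      // lax accepts, strict rejects: partial suffix
    'mongo.com',          // lax accepts, strict rejects: apex, no subdomain
    'xrun/mongod.sock',   // lax accepts, strict rejects: partial path suffix
    'LOCALHOST',          // both accept: exact entry, case-insensitive
  ]));
}
```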
@Aravind-Kumar-cstk Aravind-Kumar-cstk requested a review from a team as a code owner April 28, 2026 04:58
@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type           | Count (with fixes) | Without fixes | Threshold | Result
🔴 Critical Severity | 0                  | 0             | 10        | ✅ Passed
🟠 High Severity     | 0                  | 0             | 25        | ✅ Passed
🟡 Medium Severity   | 0                  | 0             | 500       | ✅ Passed
🔵 Low Severity      | 0                  | 0             | 1000      | ✅ Passed

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

Severity    | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with/no fixes) | Status
🔴 Critical | 0                     | 0                   | 15 / 30 days                  | ✅ Passed
🟠 High     | 0                     | 0                   | 30 / 120 days                 | ✅ Passed
🟡 Medium   | 0                     | 0                   | 90 / 365 days                 | ✅ Passed
🔵 Low      | 0                     | 0                   | 180 / 365 days                | ✅ Passed

✅ BUILD PASSED - All security checks passed

