fix(deps): update dependency mongodb to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mongodb	^5.0.0 -> ^6.0.0

---

Release Notes

mongodb/node-mongodb-native (mongodb)

v6.8.0

Compare Source

Features

• NODE-5718: add ReadConcernMajorityNotAvailableYet to retryable errors (#​4154) (4f32dec)
• NODE-5801: allow multiple providers providers per type (#​4137) (4d209ce)
• NODE-5853: support delegated KMIP data key option (#​4129) (aa429f8)
• NODE-6136: parse cursor responses on demand (#​4112) (3ed6a2a)
• NODE-6157: add signature to github releases (#​4119) (f38c5fe)

Bug Fixes

• NODE-5801: use more specific key typing for multiple KMS provider support (#​4146) (465ffd9)
• NODE-6085: add TS support for KMIP data key options (#​4128) (f790cc1)
• NODE-6241: allow Binary as local KMS provider key (#​4160) (fb724eb)
• NODE-6242: close becomes true after calling close when documents still remain (#​4161) (e3d70c3)

v6.7.0

Compare Source

Features

• NODE-5464: OIDC machine and callback workflow (#​3912) (2ba8434)

Bug Fixes

• NODE-6165: useBigInt64 causes compareTopologyVersion to throw (#​4109) (21b729b)

v6.6.2

Compare Source

Bug Fixes

• NODE-6171: RTT set to zero when serverMonitoringMode=stream (#​4110) (7a7ec5b)

v6.6.1

Compare Source

Bug Fixes

• NODE-6151: MongoClient connect does not keep Node.js running (#​4101) (7e0d9e6)

v6.6.0

Compare Source

The MongoDB Node.js team is pleased to announce version 6.6.0 of the mongodb package!

Release Notes

Aggregation pipelines can now add stages manually

When creating an aggregation pipeline cursor, a new generic method addStage() has been added in the fluid API for users to add aggregation pipeline stages in a general manner.

const documents = await users.aggregate().addStage({ $project: { name: true } }).toArray();

Thank you @​prenaissance for contributing this feature!

cause and package name included for MongoMissingDependencyErrors

MongoMissingDependencyErrors now include a cause and a dependencyName field, which can be used to programmatically determine which package is missing and why the driver failed to load it.

For example:

MongoMissingDependencyError: The iHateJavascript module does not exist
    at findOne (mongodb/main.js:7:11)
    at Object.<anonymous> (mongodb/main.js:14:1)
    ... 3 lines matching cause stack trace ...
    at Module._load (node:internal/modules/cjs/loader:1021:12) {
  dependencyName: 'iHateJavascript',
  [Symbol(errorLabels)]: Set(0) {},
  [cause]: Error: Cannot find module 'iHateJavascript'
  Require stack:
  - mongodb/main.js
      at require (node:internal/modules/helpers:179:18)
      at findOne (mongodb/main.js:5:5)
      at Object.<anonymous> (mongodb/main.js:14:1) {
    code: 'MODULE_NOT_FOUND',
    requireStack: [ 'mongodb/main.js' ]
  }
}

ServerDescription Round Trip Time (RTT) measurement changes

(1) ServerDescription.roundTripTime is now a moving average

Previously, ServerDescription.roundTripTime was calculated as a weighted average of the most recently observed heartbeat duration and the previous duration. This update changes this behaviour to average ServerDescription.roundTripTime over the last 10 observed heartbeats. This should reduce the likelihood that the selected server changes as a result of momentary spikes in server latency.

(2) Added minRoundTripTime to ServerDescription

A new minRoundTripTime property is now available on the ServerDescription class which gives the minimum RTT over the last 10 heartbeats. Note that this value will be reported as 0 when fewer than 2 samples have been observed.

type supported in SearchIndexDescription

It is now possible to specify the type of a search index when creating a search index:

const indexName = await collection.createSearchIndex({
  name: 'my-vector-search-index',
  // new! specifies that a `vectorSearch` index is created
  type: 'vectorSearch',
  definition: {
    mappings: { dynamic: false }
  }
});

Collection.findOneAndModify's UpdateFilter.$currentDate no longer throws on collections with limited schema

Example:

// collection has no schema
collection.update(
    $currentData: {
       lastModified: true
    } // no longer throws a TS error
);

TopologyDescription now properly stringifies itself to JSON

The TopologyDescription class is exposed by the driver in server selection errors and topology monitoring events to provide insight into the driver's current representation of the server's topology and to aid in debugging. However, the TopologyDescription uses Maps internally, which get serialized to {} when JSON stringified. We recommend using Node's util.inspect() helper to print topology descriptions because inspect properly handles all JS types and all types we use in the driver. However, if JSON must be used, the TopologyDescription now provides a custom toJSON() hook:

client.on('topologyDescriptionChanged', ({ newDescription }) => {
   // recommended!
	console.log('topology description changed', inspect(newDescription, { depth: Infinity, colors: true }))

    // now properly prints the entire topology description
	console.log('topology description changed', JSON.stringify(newDescription))
});

Omit readConcern and writeConcern in Collection.listSearchIndexes options argument

[!Important]
readConcern and writeConcern are no longer viable keys in the options argument passed into Collection.listSearchIndexes

This type change is a correctness fix.

Collection.listSearchIndexes is an Atlas specific method, and Atlas' search indexes do not support readConcern and writeConcern options. The types for this function now reflect this functionality.

Don't throw error when non-read operation in a transaction has a ReadPreferenceMode other than 'primary'

The following error will now only be thrown when a user provides a ReadPreferenceMode other than primary and then tries to perform a command that involves a read:

new MongoTransactionError('Read preference in a transaction must be primary');

Prior to this change, the Node Driver would incorrectly throw this error even when the operation does not perform a read.
Note: a RunCommandOperation is treated as a read operation for this error.

TopologyDescription.error type is MongoError

[!Important]
The TopologyDescription.error property type is now MongoError rather than MongoServerError.

This type change is a correctness fix.

Before this change, the following errors that were not instances of MongoServerError were already passed into TopologyDescription.error at runtime:

• MongoNetworkError (excluding MongoNetworkRuntimeError)
• MongoError with a MongoErrorLabel.HandshakeError label

indexExists() no longer supports the full option

The Collection.indexExists() helper supported an option, full, that modified the internals of the method. When full was set to true, the driver would always return false, regardless of whether or not the index exists.

The full option is intended to modify the return type of index enumeration APIs (Collection.indexes() and Collection.indexInformation(), but since the return type of Collection.indexExists() this option does not make sense for the Collection.indexExists() helper.

We have removed support for this option.

indexExists(), indexes() and indexInformation() support cursor options in Typescript

These APIs have supported cursor options at runtime since the 4.x version of the driver, but our Typescript has incorrectly omitted cursor options from these APIs.

Index information helpers have accurate Typescript return types

Collection.indexInformation(), Collection.indexes() and Db.indexInformation() are helpers that return index information for a given collection or database. These helpers take an option, full, that configures whether the return value contains full index descriptions or a compact summary:

collection.indexes({ full: true });   // returns an array of index descriptions
collection.indexes({ full: false });  // returns an object, mapping index names to index keys

However, the Typescript return type of these helpers was always Document. Thanks to @​prenaissance, these helpers now have accurate type information! The helpers return a new type, IndexDescriptionCompact | IndexDescriptionInfo[], which accurately reflects the return type of these helpers. The helpers also support type narrowing by providing a boolean literal as an option to the API:

collection.indexes();   // returns `IndexDescriptionCompact | IndexDescriptionInfo[]`
collection.indexes({ full: false });  // returns an `IndexDescriptionCompact`
collection.indexes({ full: true });  // returns an `IndexDescriptionInfo[]`

collection.indexInfo();   // returns `IndexDescriptionCompact | IndexDescriptionInfo[]`
collection.indexInfo({ full: false });  // returns an `IndexDescriptionCompact`
collection.indexInfo({ full: true });  // returns an `IndexDescriptionInfo[]`

db.indexInfo();   // returns `IndexDescriptionCompact | IndexDescriptionInfo[]`
db.indexInfo({ full: false });  // returns an `IndexDescriptionCompact`
db.indexInfo({ full: true });  // returns an `IndexDescriptionInfo[]`

AWS credentials with expirations no longer throw when using on-demand AWS KMS credentials

In addition to letting users provide KMS credentials manually, client-side encryption supports fetching AWS KMS credentials on-demand using the AWS SDK. However, AWS credential mechanisms that returned access keys with expiration timestamps caused the driver to throw an error.

The driver will no longer throw an error when receiving an expiration token from the AWS SDK.

ClusterTime interface signature optionality

The ClusterTime interface incorrectly reported the signature field as required, the server may omit it, so the typescript has been updated to reflect reality.

Summary

Features

• NODE-3639: add a general stage to the aggregation pipeline builder (#​4079) (8fca1aa)
• NODE-5678: add options parsing support for timeoutMS and defaultTimeoutMS (#​4068) (ddd1e81)
• NODE-5762: include cause and package name for all MongoMissingDependencyErrors (#​4067) (62ea94b)
• NODE-5825: add minRoundTripTime to ServerDescription and change roundTripTime to a moving average (#​4059) (0e3d6ea)
• NODE-5919: support new type option in create search index helpers (#​4060) (3598c23)
• NODE-6020: upgrade bson to ^6.5.0 (#​4035) (8ab2055)
• NODE-6149: upgrade bson to ^6.7.0 (#​4099) (7f191cf)

Bug Fixes

• NODE-3681: Typescript error in Collection.findOneAndModify UpdateFilter.$currentDate (#​4047) (a8670a7)
• NODE-5530: make topology descriptions JSON stringifiable (#​4070) (3a0e011)
• NODE-5745: ignore Read/Write Concern in Atlas Search Index Helpers (#​4042) (67d7bab)
• NODE-5925: driver throws error when non-read operation in a transaction has a ReadPreferenceMode other than primary (#​4075) (39fc198)
• NODE-5971: attach v to createIndexes command when version is specified (#​4043) (1879a04)
• NODE-5999: Change TopologyDescription.error type to MongoError (#​4028) (30432e8)
• NODE-6019: indexExists always returns false when full is set to true (#​4034) (0ebc1ac)
• NODE-6029: update types for collection listing indexes (#​4072) (232bf3c)
• NODE-6051: only provide expected allowed keys to libmongocrypt after fetching AWS KMS credentials (#​4057) (c604e74)
• NODE-6066: ClusterTime.signature can be undefined (#​4069) (ce55ca9)

Performance Improvements

• NODE-6127: move error construction into setTimeout callback (#​4094) (6abc074)

Documentation

• Reference
• API
• Changelog

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

v6.5.0

Compare Source

Features

• NODE-5968: container and Kubernetes awareness in client metadata (#​4005) (28b7040)
• NODE-5988: Provide access to raw results doc on MongoServerError (#​4016) (c023242)
• NODE-6008: deprecate CloseOptions interface (#​4030) (f6cd8d9)

Bug Fixes

• NODE-5636: generate _ids using pkFactory in bulk write operations (#​4025) (fbb5059)
• NODE-5981: read preference not applied to commands properly (#​4010) (937c9c8)
• NODE-5985: throw Nodejs' certificate expired error when TLS fails to connect instead of CERT_HAS_EXPIRED (#​4014) (057c223)
• NODE-5993: memory leak in the Connection class (#​4022) (69de253)

Performance Improvements

• NODE-5986: parallelize SRV/TXT resolution (#​4012) (eab8f23)

v6.4.0

Compare Source

Features

• NODE-3449: Add serverConnectionId to Command Monitoring Spec (735f7aa)
• NODE-3470: retry selects another mongos (#​3963) (84959ee)
• NODE-3689: require hello command for connection handshake to use OP_MSG disallowing OP_QUERY (#​3938) (ce7df0f)
• NODE-4686: Add log messages to CLAM (#​3955) (e3bfa30)
• NODE-4687: Add logging to server selection (#​3946) (7f3ce0b)
• NODE-4719: add SDAM Logging Spec (#​3940) (a3c0298)
• NODE-4847: Add config error handling to logging (#​3970) (8f7bb59)
• NODE-5717: make ExceededTimeLimit retryable reads error (#​3947) (106ab09)
• NODE-5885: upgrade BSON to ^6.3.0 (#​3983) (9401d09)
• NODE-5939: Implement 6.x: cache the AWS credentials provider in the MONGODB-AWS auth logic (#​3991) (e0a37e5)
• NODE-5978: upgrade BSON to ^6.4.0 (#​4007) (90f2f70)

Bug Fixes

• NODE-5127: implement reject kmsRequest on server close (#​3964) (568e05f)
• NODE-5609: node driver omits base64 padding in sasl-continue command (#​3975) (b7d28d3)
• NODE-5765: change type for countDocuments (#​3932) (22cae0f)
• NODE-5791: type error with $addToSet in bulkWrite (#​3953) (b93d405)
• NODE-5818: Add feature flagging to server selection logging (#​3974) (55203ef)
• NODE-5839: support for multibyte code-points in stringifyWithMaxLen (#​3979) (aed1cf0)
• NODE-5840: heartbeat duration includes socket creation (#​3973) (a42039b)
• NODE-5901: propagate errors to transformed stream in cursor (#​3985) (ecfc615)
• NODE-5944: make AWS session token optional (#​4002) (f26de76)

Performance Improvements

• NODE-5771: improve new connection (#​3948) (a4776cf)
• NODE-5854: Conditional logger instantiation and precompute willLog perf fix (#​3984) (a63fbc2)
• NODE-5928: consolidate signal use and abort promise wrap (#​3992) (38742c2)

v6.3.0

Compare Source

Features

• NODE-3881: require hello command + OP_MSG when 'loadBalanced=True' (#​3907) (fd58eec)
• NODE-4849: Add Typescript support for log path in client options (#​3886) (f495abb)
• NODE-4878: Add remaining log configurable client options (#​3908) (54adc9f)
• NODE-5197: add server monitoring mode (#​3899) (ae4c94a)
• NODE-5452: Logging Cosmos Document DB Info Message (#​3902) (bb5fa43)
• NODE-5590: deprecate GridFS fields (#​3905) (d2225da)

Bug Fixes

• NODE-4863: do not use RetryableWriteError for non-server errors (#​3914) (08c9fb4)
• NODE-5709: bump mongodb-connection-string-url to 3.0.0 (#​3909) (1c3dc02)
• NODE-5749: RTTPinger always sends legacy hello (#​3921) (ebbfb8a)

v6.2.0

Compare Source

Features

• NODE-5613: add awaited field to SDAM heartbeat events (#​3895) (b50aadc)
• update bson to 6.2.0 (#​3898) (32b7176)

Bug Fixes

• NODE-5496: remove client-side collection and database name check validation (#​3873) (98550c6)
• NODE-5628: bulkWriteResult.insertedIds does not filter out _ids that are not actually inserted (#​3867) (09f2a67)
• NODE-5706: make findOne() close implicit session to avoid memory leak (#​3897) (995d138)

v6.1.0

Compare Source

Features

• NODE-5634: bump bson version to ^6.1.0 (#​3866) (c6edabb)

Bug Fixes

• NODE-5551: set AWS region from environment variable for STSClient (#​3831) (e9a5079)
• NODE-5588: recursive calls to next cause memory leak (#​3841) (9a8fdb2)

v6.0.0

Compare Source

⚠ BREAKING CHANGES

• NODE-5584: adopt bson v6 and mongodb-client-encryption v6 (#​3845)
• NODE-5484: mark MongoError for internal use and remove Node14 cause assignment logic (#​3800)
• NODE-4788: use implementer Writable methods for GridFSBucketWriteStream (#​3808)
• NODE-4986: remove callbacks from ClientEncryption encrypt, decrypt, and createDataKey (#​3797)
• NODE-5490: bump kerberos compatibility to ^2.0.1 (#​3798)
• NODE-3568: ensure includeResultsMetadata is false by default (#​3786)
• NODE-3989: only accept true and false for boolean options (#​3791)
• NODE-5233: prevent session from one client from being used on another (#​3790)
• NODE-5444: emit deprecation warning for useNewUrlParser and useUnifiedTopology (#​3792)
• NODE-5470: convert remaining FLE to TS and drop support for onKMSProvidersRefresh (#​3787)
• NODE-5508: remove EvalOperation and EvalOptions (#​3795)
• NODE-3920: validate options are not repeated in connection string (#​3788)
• NODE-3924: read tls files async (#​3776)
• NODE-5430: make AutoEncrypter and MongoClient.autoEncrypter internal (#​3789)
• NODE-4961: remove command result from commit and abort transaction APIs (#​3784)
• NODE-2014: return executor result from withSession and withTransaction (#​3783)
• NODE-5409: allow socks to be installed optionally (#​3782)
• NODE-4796: remove addUser and collection.stats APIs (#​3781)
• NODE-4936: remove unsupported options from db.command and admin.command (#​3775)
• NODE-5228: remove unneeded fields from ConnectionPoolCreatedEvent.options (#​3772)
• NODE-5190: remove deprecated keep alive options (#​3771)
• NODE-5186: remove duplicate BulkWriteResult accessors (#​3766)
• NODE-5376: remove deprecated ssl options (#​3755)
• NODE-5415: bump minimum Node.js version to v16.20.1 (#​3760)

Features

• NODE-2014: return executor result from withSession and withTransaction (#​3783) (65aa288)
• NODE-3568: ensure includeResultsMetadata is false by default (#​3786) (fee8d3e)
• NODE-3920: validate options are not repeated in connection string (#​3788) (11631a2)
• NODE-3924: read tls files async (#​3776) (68adaf1)
• NODE-3989: only accept true and false for boolean options (#​3791) (e2e36cc)
• NODE-4796: remove addUser and collection.stats APIs (#​3781) (e79ac9d)
• NODE-4961: remove command result from commit and abort transaction APIs (#​3784) (71c5936)
• NODE-4986: remove callbacks from ClientEncryption encrypt, decrypt, and createDataKey (#​3797) (51a573f)
• NODE-5186: remove duplicate BulkWriteResult accessors (#​3766) (8693987)
• NODE-5190: remove deprecated keep alive options (#​3771) (7ade907)
• NODE-5233: prevent session from one client from being used on another (#​3790) (9268b35)
• NODE-5376: remove deprecated ssl options (#​3755) (ee56c8e)
• NODE-5396: add mongodb-js/saslprep as a required dependency (#​3815) (bd031fc)
• NODE-5409: allow socks to be installed optionally (#​3782) (787bdbf)
• NODE-5415: bump minimum Node.js version to v16.20.1 (#​3760) (de158b2)
• NODE-5430: make AutoEncrypter and MongoClient.autoEncrypter internal (#​3789) (b16ef9e)
• NODE-5444: emit deprecation warning for useNewUrlParser and useUnifiedTopology (#​3792) (c08060d)
• NODE-5470: convert remaining FLE to TS and drop support for onKMSProvidersRefresh (#​3787) (844aa52)
• NODE-5484: mark MongoError for internal use and remove Node14 cause assignment logic (#​3800) (a17b0af)
• NODE-5490: bump kerberos compatibility to ^2.0.1 (#​3798) (1044be1)
• NODE-5508: remove EvalOperation and EvalOptions (#​3795) (225cb81)
• NODE-5566: add ability to provide CRL file via tlsCRLFile (#​3834) (33c86c9)
• NODE-5584: adopt bson v6 and mongodb-client-encryption v6 (#​3845) (7bef363)

Bug Fixes

• NODE-4788: use implementer Writable methods for GridFSBucketWriteStream (#​3808) (7955610)
• NODE-4936: remove unsupported options from db.command and admin.command (#​3775) (52cd649)
• NODE-5228: remove unneeded fields from ConnectionPoolCreatedEvent.options (#​3772) (7a91714)
• NODE-5412: drop aws sdk version to match node18 runtime (#​3809) (1e96e49)
• NODE-5548: ensure that tlsCertificateKeyFile maps to cert and key (#​3819) (a0955bd)
• NODE-5592: withTransaction return type (#​3846) (05d2725)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@mongodb-js/saslprep	1.1.9	Unknown	Unknown
npm/@types/node	20.10.7	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/whatwg-url	11.0.5	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/bson	6.9.0	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 24/28 approved changesets -- score normalized to 8 Maintained 🟢 10 14 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases 🟢 8 2 out of the last 2 releases have a total of 2 signed artifacts. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 4 6 existing vulnerabilities detected
npm/mongodb	6.10.0	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Packaging ⚠️ -1 packaging workflow not detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 3 7 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/mongodb-connection-string-url	3.0.1	🟢 4.4	Details Check Score Reason Code-Review 🟢 4 Found 10/23 approved changesets -- score normalized to 4 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2
npm/tr46	4.1.1	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 1 Found 4/22 approved changesets -- score normalized to 1 Maintained 🟢 3 0 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/undici-types	5.26.5	🟢 8.2	Details Check Score Reason Binary-Artifacts 🟢 8 binaries present in source code Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 28 out of 28 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 Contributors 🟢 10 project has 90 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/whatwg-url	13.0.0	🟢 4.4	Details Check Score Reason Code-Review ⚠️ 0 Found 2/23 approved changesets -- score normalized to 0 Maintained ⚠️ 2 0 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/mongodb	^6.0.0	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Packaging ⚠️ -1 packaging workflow not detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 3 7 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0

Scanned Files

• package-lock.json
• package.json

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	ae25d7d
🔍 Latest deploy log	https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/672387b66815ef000854cb28

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.23%. Comparing base (39dd45c) to head (ae25d7d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #593   +/-   ##
=======================================
  Coverage   60.23%   60.23%           
=======================================
  Files          47       47           
  Lines        1647     1647           
=======================================
  Hits          992      992           
  Misses        655      655           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.