From bdb338643b6bb7267c2c5b8804b7778b1ba1e9ef Mon Sep 17 00:00:00 2001
From: Durran Jordan <durran@gmail.com>
Date: Tue, 4 Nov 2025 16:02:03 -0500
Subject: [PATCH 1/2] feat(NODE-7230): add deprecations

---
 src/cmap/auth/mongo_credentials.ts | 1 +
 src/cmap/connection.ts             | 2 ++
 src/cursor/abstract_cursor.ts      | 7 +++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/cmap/auth/mongo_credentials.ts b/src/cmap/auth/mongo_credentials.ts
index 259147d5b07..bf804745e32 100644
--- a/src/cmap/auth/mongo_credentials.ts
+++ b/src/cmap/auth/mongo_credentials.ts
@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+  /** @deprecated Will be removed in the next major version. */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;
diff --git a/src/cmap/connection.ts b/src/cmap/connection.ts
index ce62f9a7dad..91c4fa85910 100644
--- a/src/cmap/connection.ts
+++ b/src/cmap/connection.ts
@@ -91,6 +91,7 @@ export interface CommandOptions extends BSONSerializeOptions {
   /** Session to use for the operation */
   session?: ClientSession;
   documentsReturnedIn?: string;
+  /** @deprecated Will be removed in the next major version. */
   noResponse?: boolean;
   omitMaxTimeMS?: boolean;
 
@@ -139,6 +140,7 @@ export interface ConnectionOptions
   tls: boolean;
   noDelay?: boolean;
   socketTimeoutMS?: number;
+  /** @deprecated Will be removed in the next major version */
   cancellationToken?: CancellationToken;
   metadata: ClientMetadata;
   /** @internal */
diff --git a/src/cursor/abstract_cursor.ts b/src/cursor/abstract_cursor.ts
index a69f9fbabf9..a596e0710e1 100644
--- a/src/cursor/abstract_cursor.ts
+++ b/src/cursor/abstract_cursor.ts
@@ -59,9 +59,12 @@ export const CURSOR_FLAGS = [
   'partial'
 ] as const;
 
-/** @public */
+/**
+ * @public
+ * @deprecated Will be removed in the next major version
+ */
 export interface CursorStreamOptions {
-  /** A transformation method applied to each document emitted by the stream */
+  /** @deprecated Will be removed in the next major version */
   transform?(this: void, doc: Document): Document;
 }
 

From 22e9c4e59018c542567c5d476003b21a595e95b6 Mon Sep 17 00:00:00 2001
From: Pavel Safronov <pavel.safronov@gmail.com>
Date: Thu, 16 Oct 2025 15:17:12 -0700
Subject: [PATCH 2/2] test: skip TLS tests when node >v24 (#4737)

---
 ...t_side_encryption.prose.10.kms_tls.test.ts |  5 ++-
 .../client_side_encryption.prose.test.ts      | 36 ++++++++++++-------
 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
index b829f9ddfe6..ffd8f621dfc 100644
--- a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
@@ -1,11 +1,14 @@
 import { expect } from 'chai';
+import { satisfies } from 'semver';
 
 import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
 import { ClientEncryption, type MongoClient } from '../../mongodb';
 
 const metadata: MongoDBMetadataUI = {
   requires: {
-    clientSideEncryption: true
+    clientSideEncryption: true,
+    predicate: () =>
+      satisfies(process.version, '<25.0.0') ? true : 'TODO(NODE-7252): fix these tests in v25'
   }
 };
 
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.test.ts
index eaf1746f2b7..5ba6557b903 100644
--- a/test/integration/client-side-encryption/client_side_encryption.prose.test.ts
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.test.ts
@@ -2,6 +2,7 @@ import { BSON, EJSON } from 'bson';
 import { expect } from 'chai';
 import * as fs from 'fs/promises';
 import * as path from 'path';
+import { satisfies } from 'semver';
 
 // eslint-disable-next-line @typescript-eslint/no-restricted-imports
 import { ClientEncryption } from '../../../src/client-side-encryption/client_encryption';
@@ -47,6 +48,15 @@ const metadata: MongoDBMetadataUI = {
   }
 };
 
+const kmsTlsMetadata: MongoDBMetadataUI = {
+  requires: {
+    clientSideEncryption: true,
+    topology: '!load-balanced',
+    predicate: () =>
+      satisfies(process.version, '<25.0.0') ? true : 'TODO(NODE-7252): fix these tests in v25'
+  }
+};
+
 const eeMetadata: MongoDBMetadataUI = {
   requires: {
     clientSideEncryption: true,
@@ -1370,7 +1380,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
    * - Create client encryption expired
    * - Create client encryption invalid hostname
    */
-  context('KMS TLS Options Tests', metadata, function () {
+  context('KMS TLS Options Tests', kmsTlsMetadata, function () {
     let clientNoTls;
     let clientWithTls;
     let clientWithTlsExpired;
@@ -1507,7 +1517,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 1.
-    context('Case 1: AWS', metadata, function () {
+    context('Case 1: AWS', kmsTlsMetadata, function () {
       const masterKey = {
         region: 'us-east-1',
         key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
@@ -1526,7 +1536,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('aws', { masterKey });
           expect.fail('it must fail to parse response');
@@ -1549,7 +1559,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('aws', {
             masterKey: masterKeyInvalidHostname
@@ -1563,7 +1573,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 2.
-    context('Case 2: Azure', metadata, function () {
+    context('Case 2: Azure', kmsTlsMetadata, function () {
       const masterKey = {
         keyVaultEndpoint: 'doesnotexist.invalid',
         keyName: 'foo'
@@ -1579,7 +1589,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       }).skipReason = 'TODO(NODE-6861): fix flaky test';
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('azure', { masterKey });
           expect.fail('it must fail with HTTP 404');
@@ -1600,7 +1610,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('azure', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1612,7 +1622,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 3.
-    context('Case 3: GCP', metadata, function () {
+    context('Case 3: GCP', kmsTlsMetadata, function () {
       const masterKey = {
         projectId: 'foo',
         location: 'bar',
@@ -1630,7 +1640,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('gcp', { masterKey });
           expect.fail('it must fail with HTTP 404');
@@ -1651,7 +1661,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('gcp', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1663,7 +1673,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 4.
-    context('Case 4: KMIP', metadata, function () {
+    context('Case 4: KMIP', kmsTlsMetadata, function () {
       const masterKey = {};
 
       it('should fail with no TLS', metadata, async function () {
@@ -1688,7 +1698,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('kmip', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1706,7 +1716,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
       function () {}
     ).skipReason = 'TODO(NODE-4840): Node does not support any OCSP options';
 
-    context('Case 6: named KMS providers apply TLS options', function () {
+    context('Case 6: named KMS providers apply TLS options', kmsTlsMetadata, function () {
       afterEach(() => keyvaultClient?.close());
       beforeEach(async function () {
         const shouldSkip = this.configuration.filters.ClientSideEncryptionFilter.filter({