mongodb · dariakp · Nov 5, 2025 · Nov 4, 2025 · Oct 16, 2025
@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+  /** @deprecated Will be removed in the next major version. */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;

@@ -91,6 +91,7 @@ export interface CommandOptions extends BSONSerializeOptions {
   /** Session to use for the operation */
   session?: ClientSession;
   documentsReturnedIn?: string;
+  /** @deprecated Will be removed in the next major version. */
   noResponse?: boolean;
   omitMaxTimeMS?: boolean;
 
@@ -139,6 +140,7 @@ export interface ConnectionOptions
   tls: boolean;
   noDelay?: boolean;
   socketTimeoutMS?: number;
+  /** @deprecated Will be removed in the next major version */
   cancellationToken?: CancellationToken;
   metadata: ClientMetadata;
   /** @internal */

@@ -59,9 +59,12 @@ export const CURSOR_FLAGS = [
   'partial'
 ] as const;
 
-/** @public */
+/**
+ * @public
+ * @deprecated Will be removed in the next major version
+ */
 export interface CursorStreamOptions {
-  /** A transformation method applied to each document emitted by the stream */
+  /** @deprecated Will be removed in the next major version */
   transform?(this: void, doc: Document): Document;
 }
 

@@ -1,11 +1,14 @@
 import { expect } from 'chai';
+import { satisfies } from 'semver';
 
 import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
 import { ClientEncryption, type MongoClient } from '../../mongodb';
 
 const metadata: MongoDBMetadataUI = {
   requires: {
-    clientSideEncryption: true
+    clientSideEncryption: true,
+    predicate: () =>
+      satisfies(process.version, '<25.0.0') ? true : 'TODO(NODE-7252): fix these tests in v25'
   }
 };
 

@@ -2,6 +2,7 @@ import { BSON, EJSON } from 'bson';
 import { expect } from 'chai';
 import * as fs from 'fs/promises';
 import * as path from 'path';
+import { satisfies } from 'semver';
 
 // eslint-disable-next-line @typescript-eslint/no-restricted-imports
 import { ClientEncryption } from '../../../src/client-side-encryption/client_encryption';
@@ -47,6 +48,15 @@ const metadata: MongoDBMetadataUI = {
   }
 };
 
+const kmsTlsMetadata: MongoDBMetadataUI = {
+  requires: {
+    clientSideEncryption: true,
+    topology: '!load-balanced',
+    predicate: () =>
+      satisfies(process.version, '<25.0.0') ? true : 'TODO(NODE-7252): fix these tests in v25'
+  }
+};
+
 const eeMetadata: MongoDBMetadataUI = {
   requires: {
     clientSideEncryption: true,
@@ -1370,7 +1380,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
    * - Create client encryption expired
    * - Create client encryption invalid hostname
    */
-  context('KMS TLS Options Tests', metadata, function () {
+  context('KMS TLS Options Tests', kmsTlsMetadata, function () {
     let clientNoTls;
     let clientWithTls;
     let clientWithTlsExpired;
@@ -1507,7 +1517,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 1.
-    context('Case 1: AWS', metadata, function () {
+    context('Case 1: AWS', kmsTlsMetadata, function () {
       const masterKey = {
         region: 'us-east-1',
         key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
@@ -1526,7 +1536,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('aws', { masterKey });
           expect.fail('it must fail to parse response');
@@ -1549,7 +1559,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('aws', {
             masterKey: masterKeyInvalidHostname
@@ -1563,7 +1573,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 2.
-    context('Case 2: Azure', metadata, function () {
+    context('Case 2: Azure', kmsTlsMetadata, function () {
       const masterKey = {
         keyVaultEndpoint: 'doesnotexist.invalid',
         keyName: 'foo'
@@ -1579,7 +1589,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       }).skipReason = 'TODO(NODE-6861): fix flaky test';
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('azure', { masterKey });
           expect.fail('it must fail with HTTP 404');
@@ -1600,7 +1610,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('azure', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1612,7 +1622,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 3.
-    context('Case 3: GCP', metadata, function () {
+    context('Case 3: GCP', kmsTlsMetadata, function () {
       const masterKey = {
         projectId: 'foo',
         location: 'bar',
@@ -1630,7 +1640,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should succeed with valid TLS options', metadata, async function () {
+      it('should succeed with valid TLS options', async function () {
         try {
           await clientEncryptionWithTls.createDataKey('gcp', { masterKey });
           expect.fail('it must fail with HTTP 404');
@@ -1651,7 +1661,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('gcp', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1663,7 +1673,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
     });
 
     // Case 4.
-    context('Case 4: KMIP', metadata, function () {
+    context('Case 4: KMIP', kmsTlsMetadata, function () {
       const masterKey = {};
 
       it('should fail with no TLS', metadata, async function () {
@@ -1688,7 +1698,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
         }
       });
 
-      it('should fail with an invalid hostname', metadata, async function () {
+      it('should fail with an invalid hostname', async function () {
         try {
           await clientEncryptionWithInvalidHostname.createDataKey('kmip', { masterKey });
           expect.fail('it must fail with invalid hostnames');
@@ -1706,7 +1716,7 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
       function () {}
     ).skipReason = 'TODO(NODE-4840): Node does not support any OCSP options';
 
-    context('Case 6: named KMS providers apply TLS options', function () {
+    context('Case 6: named KMS providers apply TLS options', kmsTlsMetadata, function () {
       afterEach(() => keyvaultClient?.close());
       beforeEach(async function () {
         const shouldSkip = this.configuration.filters.ClientSideEncryptionFilter.filter({