Merge branch 'main' into generate-docs-6.8

.mocharc.json

@@ -3,7 +3,7 @@
   "require": [
     "source-map-support/register",
     "ts-node/register",
-    "test/tools/runner/chai-addons.js",
+    "test/tools/runner/chai_addons.ts",
     "test/tools/runner/hooks/unhandled_checker.ts"
   ],
   "extension": [

README.md

@@ -24,6 +24,12 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js.
 
 ### Release Integrity
 
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```shell
+gpg --import node-driver.asc
+```
+
 The GitHub release contains a detached signature file for the NPM package (named
 `mongodb-X.Y.Z.tgz.sig`).
 
@@ -39,6 +45,9 @@ To verify the integrity of the downloaded package, run the following command:
 gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz
 ```
 
+>[!Note]
+No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
+
 ### Bugs / Feature Requests
 
 Think you’ve found a bug? Want to see a new feature in `node-mongodb-native`? Please open a

src/client-side-encryption/auto_encrypter.ts

@@ -26,85 +26,7 @@ export interface AutoEncryptionOptions {
   /** The namespace where keys are stored in the key vault */
   keyVaultNamespace?: string;
   /** Configuration options that are used by specific KMS providers during key generation, encryption, and decryption. */
-  kmsProviders?: {
-    /** Configuration options for using 'aws' as your KMS provider */
-    aws?:
-      | {
-          /** The access key used for the AWS KMS provider */
-          accessKeyId: string;
-          /** The secret access key used for the AWS KMS provider */
-          secretAccessKey: string;
-          /**
-           * An optional AWS session token that will be used as the
-           * X-Amz-Security-Token header for AWS requests.
-           */
-          sessionToken?: string;
-        }
-      | Record<string, never>;
-    /** Configuration options for using 'local' as your KMS provider */
-    local?: {
-      /**
-       * The master key used to encrypt/decrypt data keys.
-       * A 96-byte long Buffer or base64 encoded string.
-       */
-      key: Buffer | string;
-    };
-    /** Configuration options for using 'azure' as your KMS provider */
-    azure?:
-      | {
-          /** The tenant ID identifies the organization for the account */
-          tenantId: string;
-          /** The client ID to authenticate a registered application */
-          clientId: string;
-          /** The client secret to authenticate a registered application */
-          clientSecret: string;
-          /**
-           * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-           * This is optional, and only needed if customer is using a non-commercial Azure instance
-           * (e.g. a government or China account, which use different URLs).
-           * Defaults to "login.microsoftonline.com"
-           */
-          identityPlatformEndpoint?: string | undefined;
-        }
-      | {
-          /**
-           * If present, an access token to authenticate with Azure.
-           */
-          accessToken: string;
-        }
-      | Record<string, never>;
-    /** Configuration options for using 'gcp' as your KMS provider */
-    gcp?:
-      | {
-          /** The service account email to authenticate */
-          email: string;
-          /** A PKCS#8 encrypted key. This can either be a base64 string or a binary representation */
-          privateKey: string | Buffer;
-          /**
-           * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-           * Defaults to "oauth2.googleapis.com"
-           */
-          endpoint?: string | undefined;
-        }
-      | {
-          /**
-           * If present, an access token to authenticate with GCP.
-           */
-          accessToken: string;
-        }
-      | Record<string, never>;
-    /**
-     * Configuration options for using 'kmip' as your KMS provider
-     */
-    kmip?: {
-      /**
-       * The output endpoint string.
-       * The endpoint consists of a hostname and port separated by a colon.
-       * E.g. "example.com:123". A port is always present.
-       */
-      endpoint?: string;
-    };
-  };
+  kmsProviders?: KMSProviders;
   /**
    * A map of namespaces to a local JSON schema for encryption
    *

src/client-side-encryption/mongocryptd_manager.ts

@@ -12,8 +12,8 @@ export class MongocryptdManager {
 
   uri: string;
   bypassSpawn: boolean;
-  spawnPath: string;
-  spawnArgs: Array<string>;
+  spawnPath = '';
+  spawnArgs: Array<string> = [];
   _child?: ChildProcess;
 
   constructor(extraOptions: AutoEncryptionExtraOptions = {}) {
@@ -24,9 +24,13 @@ export class MongocryptdManager {
 
     this.bypassSpawn = !!extraOptions.mongocryptdBypassSpawn;
 
-    this.spawnPath = extraOptions.mongocryptdSpawnPath || '';
-    this.spawnArgs = [];
-    if (Array.isArray(extraOptions.mongocryptdSpawnArgs)) {
+    if (Object.hasOwn(extraOptions, 'mongocryptdSpawnPath') && extraOptions.mongocryptdSpawnPath) {
+      this.spawnPath = extraOptions.mongocryptdSpawnPath;
+    }
+    if (
+      Object.hasOwn(extraOptions, 'mongocryptdSpawnArgs') &&
+      Array.isArray(extraOptions.mongocryptdSpawnArgs)
+    ) {
       this.spawnArgs = this.spawnArgs.concat(extraOptions.mongocryptdSpawnArgs);
     }
     if (

src/cmap/wire_protocol/constants.ts

@@ -1,7 +1,7 @@
 export const MIN_SUPPORTED_SERVER_VERSION = '3.6';
-export const MAX_SUPPORTED_SERVER_VERSION = '7.0';
+export const MAX_SUPPORTED_SERVER_VERSION = '8.0';
 export const MIN_SUPPORTED_WIRE_VERSION = 6;
-export const MAX_SUPPORTED_WIRE_VERSION = 21;
+export const MAX_SUPPORTED_WIRE_VERSION = 25;
 export const MIN_SUPPORTED_QE_WIRE_VERSION = 21;
 export const MIN_SUPPORTED_QE_SERVER_VERSION = '7.0';
 export const OP_REPLY = 1;

test/mocha_mongodb.json

@@ -3,7 +3,7 @@
   "require": [
     "source-map-support/register",
     "ts-node/register",
-    "test/tools/runner/chai-addons.js",
+    "test/tools/runner/chai_addons.ts",
     "test/tools/runner/hooks/configuration.ts",
     "test/tools/runner/hooks/unhandled_checker.ts",
     "test/tools/runner/hooks/leak_checker.ts",

test/tools/runner/chai-addons.js → test/tools/runner/chai_addons.ts

@@ -1,7 +1,7 @@
-'use strict';
+/* eslint-disable @typescript-eslint/no-var-requires */
+
+import chai = require('chai');
 
-// configure chai
-const chai = require('chai');
 chai.use(require('sinon-chai'));
 chai.use(require('chai-subset'));
 chai.use(require('../spec-runner/matcher').default);

test/tools/runner/hooks/configuration.ts

@@ -107,7 +107,7 @@ const testSkipBeforeEachHook = async function () {
  * @param skippedTests - define list of tests to skip
  * @returns
  */
-const skipBrokenAuthTestBeforeEachHook = function (
+export const skipBrokenAuthTestBeforeEachHook = function (
   { skippedTests }: { skippedTests: string[] } = { skippedTests: [] }
 ) {
   return function () {
@@ -222,12 +222,8 @@ export function installNodeDNSWorkaroundHooks() {
   }
 }
 
-module.exports = {
-  mochaHooks: {
-    beforeAll: [beforeAllPluginImports, testConfigBeforeHook],
-    beforeEach: [testSkipBeforeEachHook],
-    afterAll: [cleanUpMocksAfterHook]
-  },
-  skipBrokenAuthTestBeforeEachHook,
-  installNodeDNSWorkaroundHooks
+export const mochaHooks = {
+  beforeAll: [beforeAllPluginImports, testConfigBeforeHook],
+  beforeEach: [testSkipBeforeEachHook],
+  afterAll: [cleanUpMocksAfterHook]
 };

test/tools/runner/hooks/leak_checker.ts

@@ -178,4 +178,4 @@ const socketLeakCheckAfterEach: Mocha.AsyncFunc = async function socketLeakCheck
 const beforeAll = TRACE_SOCKETS ? [socketLeakCheckBeforeAll] : [];
 const beforeEach = [leakCheckerBeforeEach];
 const afterEach = [leakCheckerAfterEach, ...(TRACE_SOCKETS ? [socketLeakCheckAfterEach] : [])];
-module.exports = { mochaHooks: { beforeAll, beforeEach, afterEach } };
+export const mochaHooks = { beforeAll, beforeEach, afterEach };

test/tools/runner/hooks/unhandled_checker.ts

@@ -41,4 +41,4 @@ function afterEachUnhandled() {
   unhandled.unknown = [];
 }
 
-module.exports = { mochaHooks: { beforeEach: beforeEachUnhandled, afterEach: afterEachUnhandled } };
+export const mochaHooks = { beforeEach: beforeEachUnhandled, afterEach: afterEachUnhandled };

test/unit/assorted/wire_version.test.js → test/unit/assorted/wire_version.test.ts

@@ -1,18 +1,21 @@
-'use strict';
+import { expect } from 'chai';
 
-const mock = require('../../tools/mongodb-mock/index');
-const { expect } = require('chai');
-const { MongoServerSelectionError, MongoClient } = require('../../mongodb');
-const { isHello } = require('../../mongodb');
+import {
+  isHello,
+  MAX_SUPPORTED_WIRE_VERSION,
+  MIN_SUPPORTED_WIRE_VERSION,
+  MongoClient,
+  MongoServerSelectionError
+} from '../../mongodb';
+import * as mock from '../../tools/mongodb-mock/index';
 
 const minCompatErrMsg = `minimum wire version ${
   Number.MAX_SAFE_INTEGER - 1
-}, but this version of the Node.js Driver requires at most 21`;
-const maxCompatErrMsg = `reports maximum wire version 1, but this version of the Node.js Driver requires at least 6`;
+}, but this version of the Node.js Driver requires at most ${MAX_SUPPORTED_WIRE_VERSION}`;
+const maxCompatErrMsg = `reports maximum wire version 1, but this version of the Node.js Driver requires at least ${MIN_SUPPORTED_WIRE_VERSION}`;
 
 describe('Wire Protocol Version', () => {
-  /** @type {mock.MockServer} */
-  let server, client;
+  let server, client: MongoClient;
 
   function setWireProtocolMessageHandler(min, max) {
     server.setMessageHandler(req => {
@@ -41,7 +44,6 @@ describe('Wire Protocol Version', () => {
     it('should raise a compatibility error', async function () {
       setWireProtocolMessageHandler(Number.MAX_SAFE_INTEGER - 1, Number.MAX_SAFE_INTEGER);
 
-      /** @type {MongoClient} */
       client = new MongoClient(
         `mongodb://${server.uri()}/wireVersionTest?serverSelectionTimeoutMS=200`
       );
@@ -59,7 +61,6 @@ describe('Wire Protocol Version', () => {
     it('should raise a compatibility error', async function () {
       setWireProtocolMessageHandler(1, 1);
 
-      /** @type {MongoClient} */
       client = new MongoClient(
         `mongodb://${server.uri()}/wireVersionTest?serverSelectionTimeoutMS=200`
       );

test/unit/client-side-encryption/mongocryptd_manager.test.ts

@@ -22,6 +22,16 @@ describe('MongocryptdManager', function () {
     expect(mcdm.spawnArgs).to.deep.equal(['--idleShutdownTimeoutSecs', '12']);
   });
 
+  it('does not allow prototype pollution on spawn path', function () {
+    const mcdm = new MongocryptdManager({ __proto__: { mongocryptdSpawnPath: 'test' } });
+    expect(mcdm.spawnPath).to.equal('');
+  });
+
+  it('does not allow prototype pollution on spawn args', function () {
+    const mcdm = new MongocryptdManager({ __proto__: { mongocryptdSpawnArgs: ['test'] } });
+    expect(mcdm.spawnArgs).to.deep.equal(['--idleShutdownTimeoutSecs', '60']);
+  });
+
   it('should not override `idleShutdownTimeoutSecs` if the user sets it using `key=value` form', function () {
     const mcdm = new MongocryptdManager({
       mongocryptdSpawnArgs: ['--idleShutdownTimeoutSecs=12']

test/unit/cmap/wire_protocol/constants.test.js → test/unit/cmap/wire_protocol/constants.test.ts

@@ -1,10 +1,11 @@
-const { expect } = require('chai');
-const {
-  MIN_SUPPORTED_SERVER_VERSION,
+import { expect } from 'chai';
+
+import {
   MAX_SUPPORTED_SERVER_VERSION,
-  MIN_SUPPORTED_WIRE_VERSION,
-  MAX_SUPPORTED_WIRE_VERSION
-} = require('../../../mongodb');
+  MAX_SUPPORTED_WIRE_VERSION,
+  MIN_SUPPORTED_SERVER_VERSION,
+  MIN_SUPPORTED_WIRE_VERSION
+} from '../../../mongodb';
 
 describe('Wire Protocol Constants', function () {
   describe('MIN_SUPPORTED_SERVER_VERSION', function () {
@@ -14,8 +15,8 @@ describe('Wire Protocol Constants', function () {
   });
 
   describe('MAX_SUPPORTED_SERVER_VERSION', function () {
-    it('returns 7.0', function () {
-      expect(MAX_SUPPORTED_SERVER_VERSION).to.equal('7.0');
+    it('returns 8.0', function () {
+      expect(MAX_SUPPORTED_SERVER_VERSION).to.equal('8.0');
     });
   });
 
@@ -26,8 +27,8 @@ describe('Wire Protocol Constants', function () {
   });
 
   describe('MAX_SUPPORTED_WIRE_VERSION', function () {
-    it('returns 21', function () {
-      expect(MAX_SUPPORTED_WIRE_VERSION).to.equal(21);
+    it('returns 25', function () {
+      expect(MAX_SUPPORTED_WIRE_VERSION).to.equal(25);
     });
   });
 });

tsconfig.json

@@ -10,7 +10,8 @@
     "skipLibCheck": true,
     "lib": [
       "es2021",
-      "ES2022.Error"
+      "ES2022.Error",
+      "ES2022.Object"
     ],
     // We don't make use of tslib helpers, all syntax used is supported by target engine
     "importHelpers": false,