Skip to content

chore(deps): bump mongodb from 5.9.2 to 7.4.0#1635

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mongodb-7.4.0
Open

chore(deps): bump mongodb from 5.9.2 to 7.4.0#1635
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mongodb-7.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bumps mongodb from 5.9.2 to 7.4.0.

Release notes

Sourced from mongodb's releases.

v7.4.0

7.4.0 (2026-06-25)

The MongoDB Node.js team is pleased to announce version 7.4.0 of the mongodb package!

Release Notes

Explicit resource management is now stable

The Symbol.asyncDispose methods on MongoClient, ClientSession, ChangeStream, and cursors enable await using for automatic cleanup. These methods were introduced as experimental in v6.9.0. Since then, TC39 Explicit Resource Management proposal reached Stage 4 in 2025, and Node.js enabled explicit resource management as a stable feature in Node.js 24, so the experimental flags have been removed from our APIs and the APIs are now officially supported.

afterClusterTime now sent on writes in causally-consistent sessions

When a session has causal consistency enabled, write operations now include readConcern.afterClusterTime, matching the existing read behavior. This maintains the "read your own writes" guarantee across primary failovers in shareded clusters. There are no API changes.

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)

Documentation

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

v7.3.0

[!IMPORTANT] A future minor release will raise the minimum supported MongoDB Server version from 4.2 to 4.4. This is in accordance with MongoDB Software Lifecycle Schedules. Support for MongoDB Server 4.2 will be dropped in a future release!

7.3.0 (2026-06-04)

The MongoDB Node.js team is pleased to announce version 7.3.0 of the mongodb package!

Release Notes

maxWireVersion is bumped to 29

Max wire version & max server version bumped in preparation for MongoDB LTS (v9.0).

Fixed SCRAM authentication for non-Node.js runtimes (e.g., Deno)

SCRAM-based authentication (the default mechanism for username/password connections) was broken when using the driver in non-Node.js environments such as Deno. The root cause was an implicit toString() call on byte arrays that produced incorrect output outside of Node.js. This fix ensures explicit UTF-8 string conversion is used throughout the SCRAM implementation, restoring authentication in Deno and other web-compatible runtimes.

... (truncated)

Changelog

Sourced from mongodb's changelog.

7.4.0 (2026-06-25)

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)

7.3.0 (2026-06-04)

Features

Bug Fixes

  • NODE-7548: SCRAM authentication fails on non-Node runtimes (#4932) (a10d2c9)

7.2.0 (2026-04-17)

Features

  • NODE-7142: Exponential backoff and jitter in retry loops (#4871) (22c6031)
  • NODE-7315: Use BSON ByteUtils instead of Nodejs Buffer (#4840) (1add538)
  • NODE-7335: Create dedicated mocha runner with isolated vm context (#4876) (a4cba4c)
  • NODE-7379: Refactor Crypto to Web Crypto API (#4862) (ac98f4a)
  • NODE-7385: add experimental os runtime adapter (#4851) (d2ad07f)
  • NODE-7441: add ChangeStream.bufferedCount (#4870) (f7ea421)
  • NODE-7452: restrict server deprioritization on replica sets to overload errors (#4875) (87a3465)
  • NODE-7467: make token bucket optional in client backpressure (#4878) (4fb0a0a)
  • NODE-7491: finalize client backpressure implementation for phase 1 rollout (#4920) (2cc7983)

Bug Fixes

  • NODE-7430: throw timeout error when withTransaction retries exceed deadline (#4897) (16a899d)
  • NODE-7459: explicitly call setKeepAlive and setNoDelay on socket (#4879) (778a2a1)
  • NODE-7469: overload retry when retryReads/Writes=false (#4888) (4157b26)
  • NODE-7478: OIDC host allowlist fix (#4905) (f36b754)

7.1.0 (2026-02-02)

Features

  • NODE-5393: aws4 no longer required for AWS authentication (#4824) (0f46db8)
  • NODE-7121: prevent connection churn on backpressure errors when establishing connections (#4800) (4cb2b87)

... (truncated)

Commits
  • 1c4333e chore(main): release 7.4.0 (#4974)
  • 43ce3eb feat(NODE-7634): remove experimental tag from async dispose methods (#4976)
  • 3abfd26 fix(NODE-7549): send afterClusterTime on writes in causally-consistent sessio...
  • 88ec159 chore(NODE-7418): skip csot tests on latest (#4969)
  • 1f5ac37 chore(NODE-7473): upgrade to chai 5 (#4958)
  • b17288c chore: skip csfle tests and fix related broken tests (#4965)
  • 5b401aa test(NODE-7493): enable source maps and add nyc-free debug scripts (#4947)
  • 3ba2dd2 docs: clarify release notes verification steps (#4960)
  • 0a434d3 docs: add 7.3 docs (#4959)
  • 99106de chore(main): release 7.3.0 (#4944)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mongodb since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mongodb](https://github.com/mongodb/node-mongodb-native) from 5.9.2 to 7.4.0.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v5.9.2...v7.4.0)

---
updated-dependencies:
- dependency-name: mongodb
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added automated dependencies Pull requests that update a dependency file labels Jul 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 5, 2026 09:41
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file automated labels Jul 5, 2026
@netlify

netlify Bot commented Jul 5, 2026

Copy link
Copy Markdown

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit 3be74bd
🔍 Latest deploy log https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a4a26c66244600008a005b5

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/@types/node 22.19.8 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/whatwg-url 13.0.0 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/bson 7.3.1 🟢 6
Details
CheckScoreReason
Code-Review🟢 8Found 24/28 approved changesets -- score normalized to 8
Maintained🟢 1016 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
SAST🟢 10SAST tool is run on all commits
npm/mongodb 7.4.0 🟢 6.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
SAST🟢 10SAST tool is run on all commits
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/mongodb-connection-string-url 7.0.1 🟢 5.7
Details
CheckScoreReason
Maintained🟢 79 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
npm/tr46 5.1.1 🟢 3.8
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Code-Review⚠️ 1Found 5/26 approved changesets -- score normalized to 1
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/undici-types 6.21.0 🟢 8.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 8binaries present in source code
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Signed-Releases⚠️ -1no releases found
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing🟢 10project is fuzzed
Vulnerabilities🟢 73 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 76 contributing companies or organizations
npm/whatwg-url 14.2.0 🟢 4.6
Details
CheckScoreReason
Maintained🟢 67 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6
Code-Review⚠️ 0Found 1/25 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • package-lock.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants