Bump the npm_and_yarn group across 2 directories with 33 updates

[dependabot]

Bumps the npm_and_yarn group with 20 updates in the /vulnerable_repos/NodeGoat directory:

Package	From	To
body-parser	1.18.3	1.20.4
express	4.16.4	4.22.1
marked	0.3.5	4.0.10
underscore	1.9.1	1.13.7
async	2.6.1	2.6.4
grunt	1.0.3	1.6.1
brace-expansion	1.1.11	1.1.12
bson	1.0.9	7.0.0
tmp	0.0.24	0.2.5
decode-uri-component	0.2.0	0.2.2
fsevents	1.2.9	1.2.13
minimatch	3.0.4	3.0.8
got	6.7.1	removed
qs	6.5.2	6.5.3
qs	6.3.2	6.3.3
i	0.3.6	0.3.7
json-schema	0.2.3	0.4.0
jsonpointer	4.0.0	5.0.1
y18n	3.2.1	3.2.2
on-headers	1.0.1	1.1.0
set-value	2.0.0	2.0.1

Bumps the npm_and_yarn group with 4 updates in the /vulnerable_repos/juice-shop directory: jsonwebtoken, multer, sanitize-html and socket.io.

Updates body-parser from 1.18.3 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

• Remove redundant depth check by @​blakeembrey in expressjs/body-parser#538
• ci: add support for Node.js v23 by @​Phillip9587 in expressjs/body-parser#553
• ci: restore CI for 1.x branch by @​bjohansebas in expressjs/body-parser#665
• deps: qs@^6.14.0 by @​bjohansebas in expressjs/body-parser#664
• deps: use tilde notation and update certain dependencies by @​Phillip9587 in expressjs/body-parser#668
• chore: remove SECURITY.md by @​Phillip9587 in expressjs/body-parser#669
• ci: add CodeQL (SAST) by @​Phillip9587 in expressjs/body-parser#670
• Release: 1.20.4 by @​UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1

• deps: qs@6.11.0
• perf: remove unnecessary object clone

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 / 2022-10-06

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

... (truncated)

Commits

• 7db202c 1.20.4 (#672)
• d8f8adb ci: add CodeQL (SAST) (#670)
• 6d133c1 chore: remove SECURITY.md (#669)
• fcd1535 deps: use tilde notation and update certain dependencies (#668)
• ec5fa29 deps: qs@~6.14.0 (#664)
• ffb95c1 ci: restore CI for 1.x branch (#665)
• 48a5f07 ci: add support for Node.js v23 (#553)
• f20f6ad Remove redundant depth check (#538)
• 1752951 1.20.3
• 39744cf chore: linter (#534)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.16.4 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates express from 4.16.4 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates marked from 0.3.5 to 4.0.10

Release notes

Sourced from marked's releases.

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

• security: fix redos vulnerabilities (8f80657)

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

• retain line breaks in tokens properly (#2341) (a9696e2)

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

• spaces on a newline after a table (#2319) (f82ea2c)

Commits

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
• 98996b8 chore(deps-dev): Bump @​babel/preset-env from 7.16.5 to 7.16.7 (#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for marked since your current version.

Updates underscore from 1.9.1 to 1.13.7

Commits

• d2e7e61 Update autogenerated files for 1.13.7
• b1d4f23 Add a change log entry for 1.13.7
• 473970a Bump the copyright years
• a1cbb48 Bump the version to 1.13.7
• 1205eb5 Merge pull request #2996 from elkcityhazard/feature/theme-toggle
• bd3468b even more css formatting
• dd23fd0 formatting, filter, darker darkmode
• 184aae5 unncessary prefers-color-scheme: light removal
• 55720c0 minimal dark mode implementation
• de20b6f incorporated stylesheet that was already available
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.

Updates async from 2.6.1 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

v2.6.3

• Updated lodash to squelch a security warning (#1675)

v2.6.2

• Updated lodash to squelch a security warning (#1620)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• f1d8383 Version 2.6.3
• 2b674c1 update changelog
• eab740f fix: udpate lodash. closes #1675
• eaf32be Version 2.6.2
• 684b42e Update built files
• e1bd3da update changelog
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates grunt from 1.0.3 to 1.6.1

Release notes

Sourced from grunt's releases.

v1.6.1

• Changelog updates 72f6f03
• Merge pull request #1755 from gruntjs/rm-dep 8d4c183
• Add recursive 1c7d483
• Merge pull request #1756 from gruntjs/downgrade-glob 2d4fd38
• Downgrade glob 902db7c
• Fix syntax 494f243
• remove mkdirp b01389e
• remove dep on rimraf and mkdirp 0072510

gruntjs/grunt@v1.6.0...v1.6.1

v1.6.0

• Merge pull request #1750 from gruntjs/dep-update-jan28 2805dc3
• README updates 3f1e423
• Bump to 16 8fd096d
• Update more deps 42c5f95
• Bump eslint and node version 1d88050

gruntjs/grunt@v1.5.3...v1.6.0

v1.5.3

• Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
• Patch up race condition in symlink copying. 58016ff
• Merge pull request #1746 from JamieSlome/patch-1 0749e1d
• Create SECURITY.md 69b7c50

gruntjs/grunt@v1.5.2...v1.5.3

v1.5.2

• Update Changelog 7f15fd5
• Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
• Clean up link handling 433f91b

gruntjs/grunt@v1.5.1...v1.5.2

v1.5.1

• Merge pull request #1742 from gruntjs/update-symlink-test ad22608
• Fix symlink test 0652305

gruntjs/grunt@v1.5.0...v1.5.1

v1.5.0

• Updated changelog b2b2c2b
• Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
• Update testing matrix 47d32de
• More updates 2e9161c
• Remove console log 04b960e
• Update dependencies, tests... aad3d45
• Merge pull request #1736 from justlep/main fdc7056

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.6.1 date: 2023-01-31 changes: - Downgrades to glob 7 for Windows compatability - Removes mkdirp and rimraf in favour of node.js APIs. v1.6.0 date: 2023-01-28 changes: - Requires node.js 16+. - template.date now uses dateformat ~4.6.2. - other dependency updates such as glob, rimraf, etc. v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: gulpjs/liftoff@e7a969d. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0. - Upgrade legacy-util to ~2.0.0. v1.2.1 date: 2020-07-07 changes: - Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715) v1.2.0

... (truncated)

Commits

• 8372e11 1.6.1
• 72f6f03 Changelog updates
• 8d4c183 Merge pull request #1755 from gruntjs/rm-dep
• 1c7d483 Add recursive
• 2d4fd38 Merge pull request #1756 from gruntjs/downgrade-glob
• 902db7c Downgrade glob
• 494f243 Fix syntax
• b01389e remove mkdirp
• 0072510 remove dep on rimraf and mkdirp
• 0afeb5c 1.6.0
• Additional commits viewable in compare view

Updates ajv from 6.10.0 to 6.12.6

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

• error logging example (@​RadiationSickness)
• TypeScript usage notes (@​thetric)

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

v6.10.2

Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.

v6.10.1

Fix types Fix addSchema (#1001) Update dependencies

Commits

• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• 490e34c docs: link to v7-beta branch
• 9cd93a1 docs: note about v7 in readme
• 877d286 Merge pull request #1262 from b4h0-c4t/refactor-opt-object-type
• f1c8e45 6.12.5
• 764035e Merge branch 'ChALkeR-chalker/fix-comma'
• 3798160 Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...
• a3c7eba Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates bson from 1.0.9 to 7.0.0

Release notes

Sourced from bson's releases.

v7.0.0

7.0.0 (2025-11-05)

The MongoDB Node.js team is pleased to announce version 7.0.0 of the bson package!

Release Notes

⚠ Breaking Changes

Minimum supported Node.js version now 20.19.0

The minimum supported Node.js version is now v20.19.0. We strive to keep our minimum supported Node.js version in sync with the runtime's release cadence to keep up with the latest security updates and modern language features. Our TypeScript target has also been updated to ES2023.

BSON now requires BigInt literal support

BSON now uses Javascript BigInt syntax and requires a JS engine with support for BigInt literal syntax.

All BSON bundles now use globalThis.crypto for random byte generation

Until BSON@7.x, BSON has supported Node.js v16. Node.js v16 does not include crypto in the global object, which necessitated importing crypto from node:crypto. This require has caused many headaches for bundlers. We improved the situation in NODE-6074, but this release updates our Node.js bundle to rely on the global object instead and removes all requires from the bundle.

BSON no longer vendors atob, btoa, and TextEncoder for react native builds

The React Native JS engine (Hermes) now supports atob, btoa, and TextEncoder natively and polyfills are no longer needed. BSON no longer includes these polyfills for react native builds.

ObjectId constructor no longer accepts a number

If you wish to create an ObjectId from a numeric timestamp, use ObjectId.createFromTime() instead.

BSON Binary subtype 2 constant deprecated

BSON Binary subtype 2 was previously deprecated in the BSON specification, but the corresponding subtype constant remained available in the BSON library. This constant has now been deprecated to align with the specification.

Non-breaking Features

New bsonType symbol property as an alias for _bsontype

JS classes representing BSON values now have a bsonType symbol property as an alias for the existing _bsontype property. This makes it easier to distinguish between values of a specific BSON type and documents with arbitrary keys after deserializing:

import { bsonType, deserialize } from 'bson';
const doc = deserialize(...);
// will be set when doc.value is a BSON wrapper class or a sub-document { _bsontype: '...' }
console.log(doc.value._bsontype);
// will be set if and only if doc.value is a BSON wrapper class
console.log(doc.value[bsonType]);

It is safe to replace all uses of value._bsontype with value[bsonType].

... (truncated)

Changelog

Sourced from bson's changelog.

7.0.0 (2025-11-05)

Miscellaneous Chores

• prerelease false (#847) (b925f26)

7.0.0-alpha.2 (2025-10-24)

Bug Fixes

• NODE-7271: revert private property usage in ObjectId (#835) (79faf75)

7.0.0-alpha.1 (2025-10-21)

⚠ BREAKING CHANGES

• bump BSON_MAJOR_VERSION to 7 (#832)

Features

• bump BSON_MAJOR_VERSION to 7 (#832) (3ada791)

7.0.0-alpha (2025-10-21)

⚠ BREAKING CHANGES

• NODE-7098: use bigint literal syntax (#826)
• NODE-5763: remove support for new ObjectId() (#824)
• NODE-6625: remove support for Node 16 and 18 (#821)

Features

• NODE-5763: remove support for new ObjectId(<number>) (#824) (21cc3ff)
• NODE-6321: remove require('crypto') from Nodejs bundle (#825) (7ba8917)
• NODE-6625: remove support for Node 16 and 18 (#821) (f636254)
• NODE-7019: remove react native vendor polyfills (#827) (883f238)
• NODE-7098: use bigint literal syntax (#826) (94bf732)
• NODE-7099: deprecate BSON binary subtype 2 constant (#812) (f61946d)
• NODE-7255: add well-known Symbol alias for _bsontype (#829) (1e1b619)

6.10.4 (2025-06-02)

Bug Fixes

• NODE-6074: Removes top-level await in bson with separate node and browser ESM bundles (#749) (4602973)

... (truncated)

Commits

• 988fa17 chore(main): release 7.0.0 (#848)
• b925f26 chore: prerelease false (#847)
• 186d5f3 chore: remove alpha tag on main (#846)
• d9bf5c8 chore: prepare for 7.0.0 release (#845)
• 40a6082 docs(NODE-7173): update v7 compat table (#844)
• e8840dc test(NODE-7281): add node 24 to ci (#839)
• 5d9ff9d chore(deps-dev): bump tar from 7.5.1 to 7.5.2 (#838)
• b2be66a chore(deps-dev): bump the development-dependencies group across 1 directory w...
• Description has been truncated

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 20 packages with OpenSSF Scorecard issues.

View full job summary