mongodb-core — Greenflagged

Core MongoDB driver functionality, no bells and whistles and meant for integration not end applications

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

daprahamianmbroadst

Keywords

mongodbcore

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): The dynamic require is `require(__dirname + '/../../package.json').version` — a static path to the package's own JSON file, not user-controlled. This is a stable false positive for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): mbroadst (Matt Broadstone) is a known MongoDB engineer and mongodb-js org maintainer; this is a legitimate organizational maintainer transition, not a compromise.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding in scram.js is part of the standard SCRAM authentication protocol (decoding the server-provided salt). This is legitimate cryptographic code, not obfuscation.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Hex encoding/decoding of MongoDB ObjectIds for comparison is standard MongoDB driver functionality, not malicious payload hiding.	ai	2026/04/23

Versions (showing 59 of 159)

Version	Deps	Published
1.2.20	2 / 10	2015-10-28
1.2.19	2 / 10	2015-10-15
1.2.18	2 / 10	2015-10-15
1.2.17	2 / 10	2015-10-08
1.2.16	2 / 10	2015-10-06
1.2.14	2 / 10	2015-09-28
1.2.13	2 / 10	2015-09-18
1.2.12	2 / 10	2015-09-09
1.2.11	2 / 10	2015-08-31
1.2.10	2 / 10	2015-08-14
1.2.9	2 / 10	2015-08-06
1.2.8	2 / 10	2015-07-24
1.2.7	2 / 10	2015-07-16
1.2.6	2 / 10	2015-07-14
1.2.5	2 / 10	2015-07-14
1.2.4	2 / 9	2015-07-07
1.2.3	2 / 9	2015-06-26
1.2.2	2 / 9	2015-06-22
1.2.0	2 / 9	2015-06-17
1.1.33	2 / 9	2015-05-31
1.1.32	2 / 9	2015-05-19
1.1.31	2 / 9	2015-05-18
1.1.30	2 / 9	2015-05-18
1.1.29	2 / 9	2015-05-17
1.1.28	2 / 9	2015-05-12
1.1.27	2 / 9	2015-05-12
1.1.26	2 / 9	2015-05-06
1.1.25	2 / 9	2015-04-24
1.1.24	2 / 9	2015-04-22
1.1.23	2 / 8	2015-04-15
1.1.22	4 / 6	2015-04-10
1.1.21	4 / 6	2015-03-26
1.1.20	4 / 6	2015-03-24
1.1.19	4 / 6	2015-03-21
1.1.18	4 / 6	2015-03-17
1.1.17	4 / 6	2015-03-16
1.1.16	4 / 6	2015-03-06
1.1.15	4 / 6	2015-03-04
1.1.14	4 / 6	2015-02-26
1.1.13	4 / 6	2015-02-24
1.1.12	4 / 6	2015-02-16
1.1.11	4 / 6	2015-02-02
1.1.10	4 / 5	2015-01-30
1.1.9	4 / 5	2015-01-21
1.1.8	4 / 5	2015-01-08
1.1.7	4 / 5	2014-12-18
1.1.6	4 / 5	2014-12-18
1.1.5	4 / 5	2014-12-17
1.1.4	4 / 5	2014-12-17
1.1.3	4 / 5	2014-12-01
1.1.2	4 / 4	2014-11-20
1.1.1	4 / 4	2014-11-14
1.1.0	4 / 3	2014-11-13
1.0.5	4 / 3	2014-10-29
1.0.4	4 / 3	2014-10-23
1.0.3	4 / 3	2014-10-21
1.0.2	4 / 3	2014-10-08
1.0.1	4 / 3	2014-10-07
1.0.0	4 / 3	2014-10-07