mongodb — Greenflagged

The official MongoDB driver for Node.js

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dariakpdbx-node

Keywords

mongodbdriverofficial

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): christkv is the original MongoDB driver author who has since transitioned out. Maintainer rotation is expected for this long-lived official MongoDB package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): daprahamian is a long-standing MongoDB org contributor (2980 days, 70 approved packages). Publisher transitions are expected for this official MongoDB package over its 8+ year lifespan.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval() usage is in bundled test dependency deps/nodeunit/deps/json2.js — a legacy JSON polyfill. Not in the main driver code and not a supply-chain risk.	ai	2026/04/23
install-scripts	install-script:install	AI (install-scripts): The install script (node install.js) is a long-standing part of the mongodb package for native binding setup, not a new or suspicious addition.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require() is in deps/nodeunit test framework code, not in the main mongodb driver. Standard test runner pattern.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() is in deps/nodeunit/deps/ejs.js, a bundled test template engine. Standard pattern for template compilation, not in production driver code.	ai	2026/04/23
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding in SCRAM auth (salt handling) is standard cryptographic practice for a MongoDB driver; not a malicious payload indicator.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding used for ObjectId comparison is standard driver functionality; not a malicious payload indicator.	ai	2026/04/23
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get/set used for generic options object cloning in encrypter.js — legitimate JavaScript pattern, not obfuscation.	ai	2026/04/21
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 169.254.169.254 is the Azure IMDS link-local address for managed identity token retrieval — standard Azure SDK pattern.	ai	2026/04/21
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawns 'npm run build:dts' in prepare script for development builds only; benign build tooling.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): etc/prepare.js uses child_process only to run npm build:dts when src/ exists — standard build tooling, not runtime code.	ai	2026/04/21
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same mongocryptd spawn as above; detached process is required for CSFLE daemon lifecycle management.	ai	2026/04/21
semgrep	semgrep:silent-process-exec	AI (semgrep): mongocryptd_manager.js spawns the MongoDB CSFLE daemon as a detached process — documented, expected behavior for client-side encryption support.	ai	2026/04/21

Versions (showing 43 of 143)

Hide prereleases

Version	Deps	Published
7.1.0-dev.20260207.sha.cfb0bbdd	3 / 50	2026-02-07
7.1.0-dev.20260206.sha.311cc779	3 / 50	2026-02-06
7.1.0-dev.20260205.sha.d2ad07f2	3 / 50	2026-02-05
7.0.0-dev.20260203.sha.9151d481	3 / 50	2026-02-03
7.0.0-dev.20260131.sha.59c2557d	3 / 50	2026-01-31
7.0.0-dev.20260129.sha.0358360b	3 / 50	2026-01-29
7.0.0-dev.20260128.sha.840c77bb	3 / 50	2026-01-28
7.0.0-dev.20260124.sha.2b2366dd	3 / 50	2026-01-24
7.0.0-dev.20260123.sha.7a8276e5	3 / 50	2026-01-23
7.0.0-dev.20260121.sha.4e9467e8	3 / 50	2026-01-21
7.0.0-dev.20260117.sha.bf751818	3 / 50	2026-01-17
7.0.0-dev.20260115.sha.92a0470c	3 / 50	2026-01-15
7.0.0-dev.20260114.sha.f6375c99	3 / 50	2026-01-14
7.0.0-dev.20260113.sha.0f46db8a	3 / 50	2026-01-13
7.0.0-dev.20260110.sha.97686403	3 / 49	2026-01-10
7.0.0-dev.20260109.sha.cc503cb9	3 / 49	2026-01-09
7.0.0-dev.20260108.sha.5e66f9a2	3 / 49	2026-01-08
7.0.0-dev.20251220.sha.e70fdc98	3 / 49	2025-12-20
7.0.0-dev.20251219.sha.a4211e77	3 / 49	2025-12-19
7.0.0-dev.20251218.sha.f0af829f	3 / 49	2025-12-18
7.0.0-dev.20251217.sha.c990750f	3 / 49	2025-12-17
7.0.0-dev.20251213.sha.4cb2b875	3 / 49	2025-12-13
7.0.0-dev.20251211.sha.f88bfe18	3 / 49	2025-12-11
7.0.0-dev.20251204.sha.ae2e037e	3 / 49	2025-12-04
7.0.0-dev.20251203.sha.a96fa26d	3 / 49	2025-12-03
7.0.0-dev.20251202.sha.d4e44388	3 / 49	2025-12-02
7.0.0-dev.20251125.sha.f433e11a	3 / 49	2025-11-25
7.0.0-dev.20251121.sha.761b9bfa	3 / 49	2025-11-21
7.0.0-dev.20251119.sha.49c5b6fe	3 / 49	2025-11-19
7.0.0-dev.20251115.sha.287c98a9	3 / 49	2025-11-15
7.0.0-dev.20251114.sha.1cc3d1c9	3 / 49	2025-11-14
7.0.0-dev.20251113.sha.26eb0e61	3 / 49	2025-11-13
7.0.0-dev.20251112.sha.3cf02a8d	3 / 49	2025-11-12
7.0.0-dev.20251111.sha.b183de39	3 / 49	2025-11-11
7.0.0-dev.20251107.sha.5db818c2	3 / 49	2025-11-07
6.20.0-dev.20251106.sha.696664cb	3 / 49	2025-11-06
6.20.0-dev.20251101.sha.517da849	3 / 49	2025-11-01
6.20.0-dev.20251031.sha.76c98bb6	3 / 49	2025-10-31
6.20.0-dev.20251030.sha.8e95b0dc	3 / 49	2025-10-30
6.20.0-dev.20251029.sha.66c18b7e	3 / 49	2025-10-29
6.20.0-dev.20251028.sha.447dad7e	3 / 50	2025-10-28
6.20.0-dev.20251026.sha.9b349535	3 / 50	2025-10-26
6.20.0-dev.20251025.sha.df3aaaa3	3 / 50	2025-10-25