Gathering detailed insights and metrics for mongodb
Gathering detailed insights and metrics for mongodb
Installations
npm install mongodbScore
65.3
Supply Chain
97.9
Quality
98.3
Maintenance
100
Vulnerability
74.8
License
Releases
110
Contributors
886
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4){kind=avatar}
Developer
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>=16.20.1
Typescript Support
Yes
Node Version
22.11.0
NPM Version
10.9.1
Statistics
10,053 Stars
9,060 Commits
1,786 Forks
264 Watching
159 Branches
886 Contributors
Updated on 27 Nov 2024
Bundle Size
757.43 kB
Minified
203.03 kB
Minified + Gzipped
Languages
TypeScript (80.04%)
JavaScript (18.64%)
Shell (0.91%)
Python (0.35%)
Makefile (0.06%)
Total Downloads
Cumulative downloads
Total Downloads
1,070,573,295
Last day
-13.3%
1,247,983
Compared to previous day
Last week
2.6%
6,964,887
Compared to previous week
Last month
7.5%
29,012,498
Compared to previous month
Last year
26%
282,074,750
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
7
Dev Dependencies
50
nyctsdchaichalkmochasinonsocksyargseslintsemversnappyexpressjs-yamlts-nodeprettiersinon-chaitypescript@iarna/toml@types/chai@types/nodechai-subsetmocha-sinon@types/mocha@types/sinongcp-metadata@types/semver@types/expressmongodb-legacy@types/kerberos@types/saslprepv8-heapsnapshot@mongodb-js/zstd@types/sinon-chai@types/whatwg-url@types/chai-subsetsource-map-supporteslint-plugin-mochaeslint-plugin-tsdoceslint-config-prettiereslint-plugin-prettier@microsoft/tsdoc-config@microsoft/api-extractor@typescript-eslint/parsermongodb-client-encryptiontypescript-cached-transpileeslint-plugin-unused-imports@aws-sdk/credential-providers@typescript-eslint/eslint-plugineslint-plugin-simple-import-sort@istanbuljs/nyc-config-typescript
Versions
MongoDB Node.js Driver
The official MongoDB driver for Node.js.
Upgrading to version 6? Take a look at our upgrade guide here!
Quick Links
| Site | Link |
|---|---|
| Documentation | www.mongodb.com/docs/drivers/node |
| API Docs | mongodb.github.io/node-mongodb-native |
npm package | www.npmjs.com/package/mongodb |
| MongoDB | www.mongodb.com |
| MongoDB University | learn.mongodb.com |
| MongoDB Developer Center | www.mongodb.com/developer |
| Stack Overflow | stackoverflow.com |
| Source Code | github.com/mongodb/node-mongodb-native |
| Upgrade to v6 | etc/notes/CHANGES_6.0.0.md |
| Contributing | CONTRIBUTING.md |
| Changelog | HISTORY.md |
Release Integrity
Releases are created automatically and signed using the Node team's GPG key. This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
1gpg --import node-driver.asc
The GitHub release contains a detached signature file for the NPM package (named
mongodb-X.Y.Z.tgz.sig).
The following command returns the link npm package.
1npm view mongodb@vX.Y.Z dist.tarball
Using the result of the above command, a curl command can return the official npm package for the release.
To verify the integrity of the downloaded package, run the following command:
1gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz
[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
Bugs / Feature Requests
Think you’ve found a bug? Want to see a new feature in node-mongodb-native? Please open a
case in our issue management tool, JIRA:
- Create an account and login jira.mongodb.org.
- Navigate to the NODE project jira.mongodb.org/browse/NODE.
- Click Create Issue - Please provide as much information as possible about the issue type and how to reproduce it.
Bug reports in JIRA for all driver projects (i.e. NODE, PYTHON, CSHARP, JAVA) and the Core Server (i.e. SERVER) project are public.
Support / Feedback
For issues with, questions about, or feedback for the Node.js driver, please look into our support channels. Please do not email any of the driver developers directly with issues or questions - you're more likely to get an answer on the MongoDB Community Forums.
Change Log
Change history can be found in HISTORY.md.
Compatibility
The driver currently supports 3.6+ servers.
** 3.6 support is deprecated and support will be removed in a future version **
For exhaustive server and runtime version compatibility matrices, please refer to the following links:
Component Support Matrix
The following table describes add-on component version compatibility for the Node.js driver. Only packages with versions in these supported ranges are stable when used in combination.
| Component | mongodb@3.x | mongodb@4.x | mongodb@5.x | mongodb@6.x |
|---|---|---|---|---|
| bson | ^1.0.0 | ^4.0.0 | ^5.0.0 | ^6.0.0 |
| bson-ext | ^1.0.0 || ^2.0.0 | ^4.0.0 | N/A | N/A |
| kerberos | ^1.0.0 | ^1.0.0 || ^2.0.0 | ^1.0.0 || ^2.0.0 | ^2.0.1 |
| mongodb-client-encryption | ^1.0.0 | ^1.0.0 || ^2.0.0 | ^2.3.0 | ^6.0.0 |
| mongodb-legacy | N/A | ^4.0.0 | ^5.0.0 | ^6.0.0 |
| @mongodb-js/zstd | N/A | ^1.0.0 | ^1.0.0 | ^1.1.0 |
Typescript Version
We recommend using the latest version of typescript, however we currently ensure the driver's public types compile against typescript@4.4.0.
This is the lowest typescript version guaranteed to work with our driver: older versions may or may not work - use at your own risk.
Since typescript does not restrict breaking changes to major versions, we consider this support best effort.
If you run into any unexpected compiler failures against our supported TypeScript versions, please let us know by filing an issue on our JIRA.
Additionally, our Typescript types are compatible with the ECMAScript standard for our minimum supported Node version. Currently, our Typescript targets es2021.
Installation
The recommended way to get started using the Node.js 5.x driver is by using the npm (Node Package Manager) to install the dependency in your project.
After you've created your own project using npm init, you can run:
1npm install mongodb 2# or ... 3yarn add mongodb
This will download the MongoDB driver and add a dependency entry in your package.json file.
If you are a Typescript user, you will need the Node.js type definitions to use the driver's definitions:
1npm install -D @types/node
Driver Extensions
The MongoDB driver can optionally be enhanced by the following feature packages:
Maintained by MongoDB:
- Zstd network compression - @mongodb-js/zstd
- MongoDB field level and queryable encryption - mongodb-client-encryption
- GSSAPI / SSPI / Kerberos authentication - kerberos
Some of these packages include native C++ extensions. Consult the trouble shooting guide here if you run into compilation issues.
Third party:
- Snappy network compression - snappy
- AWS authentication - @aws-sdk/credential-providers
Quick Start
This guide will show you how to set up a simple application using Node.js and MongoDB. Its scope is only how to set up the driver and perform the simple CRUD operations. For more in-depth coverage, see the official documentation.
Create the package.json file
First, create a directory where your application will live.
1mkdir myProject 2cd myProject
Enter the following command and answer the questions to create the initial structure for your new project:
1npm init -y
Next, install the driver as a dependency.
1npm install mongodb
Start a MongoDB Server
For complete MongoDB installation instructions, see the manual.
- Download the right MongoDB version from MongoDB
- Create a database directory (in this case under /data).
- Install and start a
mongodprocess.
1mongod --dbpath=/data
You should see the mongod process start up and print some status information.
Connect to MongoDB
Create a new app.js file and add the following code to try out some basic CRUD operations using the MongoDB driver.
Add code to connect to the server and the database myProject:
NOTE: Resolving DNS Connection issues
Node.js 18 changed the default DNS resolution ordering from always prioritizing IPv4 to the ordering returned by the DNS provider. In some environments, this can result in
localhostresolving to an IPv6 address instead of IPv4 and a consequent failure to connect to the server.This can be resolved by:
- specifying the IP address family using the MongoClient
familyoption (MongoClient(<uri>, { family: 4 } ))- launching mongod or mongos with the ipv6 flag enabled (--ipv6 mongod option documentation)
- using a host of
127.0.0.1in place of localhost- specifying the DNS resolution ordering with the
--dns-resolution-orderNode.js command line argument (e.g.node --dns-resolution-order=ipv4first)
1const { MongoClient } = require('mongodb'); 2// or as an es module: 3// import { MongoClient } from 'mongodb' 4 5// Connection URL 6const url = 'mongodb://localhost:27017'; 7const client = new MongoClient(url); 8 9// Database Name 10const dbName = 'myProject'; 11 12async function main() { 13 // Use connect method to connect to the server 14 await client.connect(); 15 console.log('Connected successfully to server'); 16 const db = client.db(dbName); 17 const collection = db.collection('documents'); 18 19 // the following code examples can be pasted here... 20 21 return 'done.'; 22} 23 24main() 25 .then(console.log) 26 .catch(console.error) 27 .finally(() => client.close());
Run your app from the command line with:
1node app.js
The application should print Connected successfully to server to the console.
Insert a Document
Add to app.js the following function which uses the insertMany method to add three documents to the documents collection.
1const insertResult = await collection.insertMany([{ a: 1 }, { a: 2 }, { a: 3 }]); 2console.log('Inserted documents =>', insertResult);
The insertMany command returns an object with information about the insert operations.
Find All Documents
Add a query that returns all the documents.
1const findResult = await collection.find({}).toArray(); 2console.log('Found documents =>', findResult);
This query returns all the documents in the documents collection. If you add this below the insertMany example, you'll see the documents you've inserted.
Find Documents with a Query Filter
Add a query filter to find only documents which meet the query criteria.
1const filteredDocs = await collection.find({ a: 3 }).toArray(); 2console.log('Found documents filtered by { a: 3 } =>', filteredDocs);
Only the documents which match 'a' : 3 should be returned.
Update a document
The following operation updates a document in the documents collection.
1const updateResult = await collection.updateOne({ a: 3 }, { $set: { b: 1 } }); 2console.log('Updated documents =>', updateResult);
The method updates the first document where the field a is equal to 3 by adding a new field b to the document set to 1. updateResult contains information about whether there was a matching document to update or not.
Remove a document
Remove the document where the field a is equal to 3.
1const deleteResult = await collection.deleteMany({ a: 3 }); 2console.log('Deleted documents =>', deleteResult);
Index a Collection
Indexes can improve your application's performance. The following function creates an index on the a field in the documents collection.
1const indexName = await collection.createIndex({ a: 1 }); 2console.log('index name =', indexName);
For more detailed information, see the indexing strategies page.
Error Handling
If you need to filter certain errors from our driver, we have a helpful tree of errors described in etc/notes/errors.md.
It is our recommendation to use instanceof checks on errors and to avoid relying on parsing error.message and error.name strings in your code.
We guarantee instanceof checks will pass according to semver guidelines, but errors may be sub-classed or their messages may change at any time, even patch releases, as we see fit to increase the helpfulness of the errors.
Any new errors we add to the driver will directly extend an existing error class and no existing error will be moved to a different parent class outside of a major release.
This means instanceof will always be able to accurately capture the errors that our driver throws.
1const client = new MongoClient(url); 2await client.connect(); 3const collection = client.db().collection('collection'); 4 5try { 6 await collection.insertOne({ _id: 1 }); 7 await collection.insertOne({ _id: 1 }); // duplicate key error 8} catch (error) { 9 if (error instanceof MongoServerError) { 10 console.log(`Error worth logging: ${error}`); // special case for some reason 11 } 12 throw error; // still want to crash 13}
Nightly releases
If you need to test with a change from the latest main branch, our mongodb npm package has nightly versions released under the nightly tag.
1npm install mongodb@nightly
Nightly versions are published regardless of testing outcome. This means there could be semantic breakages or partially implemented features. The nightly build is not suitable for production use.
Next Steps
License
© 2012-present MongoDB Contributors
© 2009-2012 Christian Amor Kvalheim
Stable Version
The latest stable version of the package.
Stable Version
6.11.0
HIGH
1
HIGH
0/10
Summary
Denial of Service in mongodb
Affected Versions
< 3.1.13
Patched Versions
3.1.13
MODERATE
3
MODERATE
4.2/10
Summary
MongoDB Driver may publish events containing authentication-related data
Affected Versions
>= 5.0.0, < 5.8.0
Patched Versions
5.8.0
MODERATE
4.2/10
Summary
MongoDB Driver may publish events containing authentication-related data
Affected Versions
>= 4.0.0, < 4.17.0
Patched Versions
4.17.0
MODERATE
4.2/10
Summary
MongoDB Driver may publish events containing authentication-related data
Affected Versions
>= 3.6.0, < 3.6.10
Patched Versions
3.6.10
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.md:0
Reason
no binaries found in the repo
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
5 out of the last 5 releases have a total of 5 signed artifacts.
Details
- Info: signed release artifact: mongodb-6.10.0.tgz.sig: https://github.com/mongodb/node-mongodb-native/releases/tag/v6.10.0
- Info: signed release artifact: mongodb-6.9.0.tgz.sig: https://github.com/mongodb/node-mongodb-native/releases/tag/v6.9.0
- Info: signed release artifact: mongodb-6.8.2.tgz.sig: https://github.com/mongodb/node-mongodb-native/releases/tag/v6.8.2
- Info: signed release artifact: mongodb-6.8.1.tgz.sig: https://github.com/mongodb/node-mongodb-native/releases/tag/v6.8.1
- Info: signed release artifact: mongodb-6.8.0.tgz.sig: https://github.com/mongodb/node-mongodb-native/releases/tag/v6.8.0
- Warn: release artifact v6.10.0 does not have provenance: https://api.github.com/repos/mongodb/node-mongodb-native/releases/181094401
- Warn: release artifact v6.9.0 does not have provenance: https://api.github.com/repos/mongodb/node-mongodb-native/releases/174811917
- Warn: release artifact v6.8.2 does not have provenance: https://api.github.com/repos/mongodb/node-mongodb-native/releases/174811081
- Warn: release artifact v6.8.1 does not have provenance: https://api.github.com/repos/mongodb/node-mongodb-native/releases/173931311
- Warn: release artifact v6.8.0 does not have provenance: https://api.github.com/repos/mongodb/node-mongodb-native/releases/162849420
Reason
3 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Warn: codeowners review is required - but no codeowners file found in repo
- Warn: 'last push approval' is disabled on branch 'main'
- Warn: 'up-to-date branches' is disabled on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yml:19
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:22
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:23
- Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/release-5.x.yml:33
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-5.x.yml:35
- Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/release-6.8.yml:33
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-6.8.yml:35
- Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/release.yml:33
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:35
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/build.yml:7
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/build_docs.yml:8
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/dependencies.yml:10
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-5.x.yml:7
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-6.8.yml:7
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:7
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release_notes.yml:14
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_docs.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/build_docs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_docs.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/build_docs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_docs.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/build_docs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependencies.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/dependencies.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependencies.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/dependencies.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-5.x.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-5.x.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-6.8.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-6.8.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-alpha.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-alpha.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-alpha.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-alpha.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-nightly.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-nightly.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-nightly.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release-nightly.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release_notes.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release_notes.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release_notes.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/node-mongodb-native/release_notes.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .evergreen/install-dependencies.sh:21
- Warn: npmCommand not pinned by hash: .evergreen/run-kerberos-tests.sh:24
- Warn: npmCommand not pinned by hash: .evergreen/run-lambda-aws-tests.sh:23
- Warn: npmCommand not pinned by hash: .evergreen/run-mongodb-aws-ecs-test.sh:18
- Warn: npmCommand not pinned by hash: .evergreen/run-mongodb-aws-test.sh:23
- Warn: npmCommand not pinned by hash: .evergreen/run-mongosh-integration-tests.sh:22
- Warn: npmCommand not pinned by hash: .evergreen/run-mongosh-integration-tests.sh:27
- Warn: npmCommand not pinned by hash: .evergreen/run-tests.sh:57
- Warn: npmCommand not pinned by hash: .evergreen/run-tests.sh:58
- Warn: npmCommand not pinned by hash: .evergreen/run-typescript.sh:19
- Warn: npmCommand not pinned by hash: .evergreen/run-typescript.sh:33
- Warn: npmCommand not pinned by hash: etc/docs/legacy-generate.sh:81
- Warn: npmCommand not pinned by hash: etc/docs/legacy-generate.sh:82
- Warn: npmCommand not pinned by hash: etc/docs/legacy-generate.sh:83
- Info: 0 out of 14 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 30 third-party GitHubAction dependencies pinned
- Info: 0 out of 14 npmCommand dependencies pinned
Score
6.2
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More