New versions trigger no saslprep warnings

Question

New versions trigger no saslprep warnings

nicolassanmar opened this issue a year ago · 8 comments

Versions

NodeJS: 18 LTS
mongodb-memory-server: 8.16.0
mongodb(the binary version): 0.0.0
mongodb(the js package): 4.17.0
system: Linux

package: mongo-memory-server

What is the Problem?

Upgrading from 8.10.2 to 8.16.0 causes my Vercel deployments to print a warning every time a connection is made to mongodb even though mongodb-memory-server is a dev dependency. The warning states: Warning: no saslprep library specified. Passwords will not be sanitized. I confirmed this is caused by updating the library via testing multiple deployments with just a mongo-memory-server update.

The warning goes away after installing saslprep as a dev dependency, but that has two downsides:

I don't want to install saslprep as I don't really use it
It causes jest tests in github actions to fail with an "out of memory" error

Not really sure why these dev dependencies change how the Vercel deployement behaves, but any help is appreciated.

Answer 1 · 2023-10-06T17:11:04.000Z

are you sure MMS is the problem here? because to my knowledge this warning only gets printed for mongodb 5.8 and up and MMS 8.x uses mongodb driver 4.x, which should not have this warning.

and from what i can gather mongodb 5.8.0 had a problem that was introduced via:

NODE-5399: use mongodb-js/saslprep instead of saslprep (mongodb/node-mongodb-native#3818) (c0d3927)

but fixed with 5.8.1:

NODE-5572: fix saslprep import (mongodb/node-mongodb-native#3837) (250dc21)

MMS 9 will ship with mongodb 5.9.0

maybe check your lockfile / requirements of mongodb to use 5.8.1 and not 5.8.0

It causes jest tests in github actions to fail with an "out of memory" error

i have no clue what could cause this problem, and without specifics i cannot help with that

Answer 2 · 2023-10-06T18:19:35.000Z

Thanks for answering @hasezoey!
I have "mongodb": ">=4.17.0" in the package.json.

are you sure MMS is the problem here?

I'm pretty sure, I tested this multiple times by upgrading and downgrading mongodb-memory-server from versions 8.10.2 to 8.16.0, and this issue only happens when the version is 8.16.0.
I am using pnpm and via pnpm why mongodb I can see that the old mongodb-memory-server uses mongodb 4.11, while the newest version is using 4.17.

Regarding the jest issue, I meant to share why I don't want to install saslprep, there is no need to debug that.

Answer 3 · 2023-10-06T18:21:18.000Z

'm pretty sure, I tested this multiple times by upgrading and downgrading mongodb-memory-server from versions 8.10.2 to 8.16.0, and this issue only happens when the version is 8.16.0.

well that is weird, i cannot reproduce this and dont know how this could happen, maybe try mongodb-memory-server 9.0.0? (just released)

Answer 4 · 2023-10-10T13:48:03.000Z

@hasezoey Unfortunately, upgrading to 9.0.0 did not fix the issue.
I was hoping that this would work given the following line from the changelog:

Authentication now is only created when "{ enable: true }" is given also "disable" has been removed

I do not have any explicit auth configuration, but this did not remove the warning.

Answer 5 · 2023-10-10T13:57:00.000Z

I was hoping that this would work given the following line from the changelog:

i dont know if you are using authentication so it may not impact you, before 9.0.0 authentication was enabled if auth was truthy, unless disable: true was set, now in 9.0.0 authentication is only enabled if enable: true is set

also MMS 9.0.0 uses mongodb 5.9.0, which does not cause this anymore (a newer 4.x version did also not cause this anymore, from what i can tell), so try to inspect your dependency tree and see where that problematic version of mongodb is still installed (ex yarn why mongodb / npm ls mongodb)

Answer 6 · 2023-10-11T18:22:24.000Z

@hasezoey Here is the output of pnpm why mongodb:

The production dependency that I use to interact with the DB hosted on Atlas is mongodb: 4.17.0.
I will migrate to a newer mongodb version eventually, but upgrading mongodb-memory-server should not cause these warnings on prod, as it is a dev dependency. Still not really sure why this happens.

Answer 7 · 2023-10-11T21:04:34.000Z

@nicolassanmar your issue seems to be quite simple: you have the old MMS version installed through @shelf/jest-mongodb, try to upgrade that version if available, other options would be (temporarly at least):

update the lockfile (if pnpm even has this, like yarn upgrade)
force the MMS dependency to be 9.0.0 (no major API changes, so there should be no issue), see npm override (Note that i have not personally used it yet and i dont know if pnpm supports it)

if that still does not solve the issue, you probably need to upgrade all the dependencies that use mongodb 4.x to 5.x (or try the latest 4.x available, which at current is 4.17.1)

note: to my knowledge the mongodb version which introduced the saslprep warning is 4.17.0, which apparently is fixed by 4.17.1, see mongodb 4.x changelog

Answer 8 · 2023-10-13T20:02:15.000Z

@hasezoey Thanks for your multiple suggestions, and the helpful back and forth.
I did not know that version 4.17.1 was out, and updating our version + adding an override for MMS to use it fixed the issue.
I did not realize that @shelf/jest-mongodb was also importing MMS, so maybe adding an override there could have worked as well.