Merge branch 'main' into NODE-7335-bundle-and-barrel-approach-poc

Author: tadjik1

.eslintrc.json

@@ -282,7 +282,8 @@
               "**/../lib/**",
               "mongodb-mock-server",
               "node:*",
-              "os"
+              "os",
+              "crypto"
             ],
             "paths": [
               {

.evergreen/config.in.yml

@@ -997,6 +997,8 @@ tasks:
             - { key: VERSION, value: latest }
             - { key: NODE_LTS_VERSION, value: "20.19.0" }
       - func: install dependencies
+        vars:
+          NPM_VERSION: "11.11.1"
       - func: switch source
         vars:
           SOURCE_REV: refs/tags/v7.0.0
@@ -1019,6 +1021,8 @@ tasks:
             - { key: CLIENT_ENCRYPTION, value: "false" }
             - { key: NODE_LTS_VERSION, value: "20.19.0" }
       - func: install dependencies
+        vars:
+          NPM_VERSION: "11.11.1"
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:
@@ -1042,6 +1046,8 @@ tasks:
             - { key: CLIENT_ENCRYPTION, value: "false" }
             - { key: NODE_LTS_VERSION, value: "20.19.0" }
       - func: install dependencies
+        vars:
+          NPM_VERSION: "11.11.1"
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:
@@ -1065,6 +1071,8 @@ tasks:
             - { key: CLIENT_ENCRYPTION, value: "false" }
             - { key: NODE_LTS_VERSION, value: "20.19.0" }
       - func: install dependencies
+        vars:
+          NPM_VERSION: "11.11.1"
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:

.evergreen/config.yml

@@ -921,6 +921,8 @@ tasks:
             - {key: VERSION, value: latest}
             - {key: NODE_LTS_VERSION, value: 20.19.0}
       - func: install dependencies
+        vars:
+          NPM_VERSION: 11.11.1
       - func: switch source
         vars:
           SOURCE_REV: refs/tags/v7.0.0
@@ -942,6 +944,8 @@ tasks:
             - {key: CLIENT_ENCRYPTION, value: 'false'}
             - {key: NODE_LTS_VERSION, value: 20.19.0}
       - func: install dependencies
+        vars:
+          NPM_VERSION: 11.11.1
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:
@@ -964,6 +968,8 @@ tasks:
             - {key: CLIENT_ENCRYPTION, value: 'false'}
             - {key: NODE_LTS_VERSION, value: 20.19.0}
       - func: install dependencies
+        vars:
+          NPM_VERSION: 11.11.1
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:
@@ -986,6 +992,8 @@ tasks:
             - {key: CLIENT_ENCRYPTION, value: 'false'}
             - {key: NODE_LTS_VERSION, value: 20.19.0}
       - func: install dependencies
+        vars:
+          NPM_VERSION: 11.11.1
       - func: bootstrap mongo-orchestration
       - func: switch source
         vars:

.github/workflows/codeql.yml

@@ -2,9 +2,9 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main", "5.x" ]
+    branches: [ "main", "v7.1.x" ]
   pull_request:
-    branches: [ "main", "5.x" ]
+    branches: [ "main", "v7.1.x" ]
 
 jobs:
   analyze:

README.md

@@ -101,6 +101,17 @@ If you run into any unexpected compiler failures against our supported TypeScrip
 
 Additionally, our Typescript types are compatible with the ECMAScript standard for our minimum supported Node version. Currently, our Typescript targets es2023.
 
+#### Running in Custom Runtimes
+
+We are working on removing Node.js as a dependency of the driver, so that in the future it will be possible to use the driver in non-Node environments.
+This work is currently in progress, and if you're curious, this is [our first runtime adapter commit](https://github.com/mongodb/node-mongodb-native/commit/d2ad07f20903d86334da81222a6df9717f76faaa).
+
+Some things to keep in mind if you are using a non-Node runtime:
+
+1. Users of Webpack/Vite may need to prevent `crypto` polyfill injection.
+2. Auth mechanism `SCRAM-SHA-1` has a hard dependency on Node.js.
+3. Auth mechanism `SCRAM-SHA-1` is not supported in FIPS mode.
+
 ## Installation
 
 The recommended way to get started using the Node.js driver is by using the `npm` (Node Package Manager) to install the dependency in your project.

drivers-evergreen-tools

@@ -30,9 +30,11 @@ Fixes are usually released in either the next patch version or in the next minor
 
 release-please automatically tags release commits with a tag in the format v<major>.<minor>.<patch>.  When backporting, first determine the target minor version and create a release branch for it by branching off of the release tag.  The release branch should follow the format `v<major>.<minor>.x`.  For example, to create a backport of bson's 6.5 release, create a release branch from the v6.5.0 tag with the name v6.5.x.  
 
-Then, backport the release action to the target release branch.  First, create a copy of our current release action (release.yml).  Then, change any references to `main` to the target branch.  Double check that there isn't any release tooling on main that doesn't exist on the target branch.  If there is, make sure this is backported too.  Check if the target branch has a release-please config and manifest file.  If not, make sure to adopt changes for release-please v4 (see https://github.com/mongodb/js-bson/pull/682 as an example).  Backport all of the above changes to the target release branch.
+Then, backport the release action to the target release branch. This should be done as the first PR on the release branch. Use the following instructions to create it.
 
-Now, the release-please will work the same as `main`.  Any PRs that merge to the release branch trigger the release action and update release-pleases' release PR.  Proceed as normal from here.
+First, create a copy of our current release action (release.yml). Then, change any references to `main` to the target branch. Also, add the branch to the list of CodeQL target branches (codeql.yml). Double check that there isn't any release tooling on `main` that doesn't exist on the target branch. If there is, make sure this is backported too. After opening the PR, check the CI to make sure everything works as expected: add backports of CI fixes as needed.
+
+Once the release action PR is merged, release-please will work on this branch in the same way as it does on `main`. Any PRs that merge to the release branch trigger the release action and update the release PR that release-please manages. Proceed as normal from here.
 
 ## `release-please`
 

etc/notes/releasing.md

@@ -705,6 +705,11 @@ export class ChangeStream<
     return this.cursor?.resumeToken;
   }
 
+  /** Returns the currently buffered documents length of the underlying cursor. */
+  bufferedCount(): number {
+    return this.cursor?.bufferedCount() ?? 0;
+  }
+
   /** Check if there is any document still available in the Change Stream */
   async hasNext(): Promise<boolean> {
     this._setIsIterator();

src/change_stream.ts

@@ -169,7 +169,7 @@ export async function performGSSAPICanonicalizeHostName(
 
     try {
       // Perform a reverse ptr lookup on the ip address.
-      const results = await dns.promises.resolvePtr(address);
+      const results = await dns.promises.resolve(address, 'PTR');
       // If the ptr did not error but had no results, return the host.
       return results.length > 0 ? results[0] : host;
     } catch {
@@ -188,7 +188,7 @@ export async function performGSSAPICanonicalizeHostName(
 export async function resolveCname(host: string): Promise<string> {
   // Attempt to resolve the host name
   try {
-    const results = await dns.promises.resolveCname(host);
+    const results = await dns.promises.resolve(host, 'CNAME');
     // Get the first resolved host id
     return results.length > 0 ? results[0] : host;
   } catch {

src/cmap/auth/gssapi.ts

@@ -1,5 +1,4 @@
 import { saslprep } from '@mongodb-js/saslprep';
-import * as crypto from 'crypto';
 
 import { Binary, ByteUtils, type Document } from '../../bson';
 import {
@@ -157,27 +156,27 @@ async function continueScramConversation(
 
   // Set up start of proof
   const withoutProof = `c=biws,r=${rnonce}`;
-  const saltedPassword = HI(
+  const saltedPassword = await HI(
     processedPassword,
     ByteUtils.fromBase64(salt),
     iterations,
     cryptoMethod
   );
 
-  const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
-  const serverKey = HMAC(cryptoMethod, saltedPassword, 'Server Key');
-  const storedKey = H(cryptoMethod, clientKey);
+  const clientKey = await HMAC(cryptoMethod, saltedPassword, 'Client Key');
+  const serverKey = await HMAC(cryptoMethod, saltedPassword, 'Server Key');
+  const storedKey = await H(cryptoMethod, clientKey);
   const authMessage = [
     clientFirstMessageBare(username, nonce),
     payload.toString('utf8'),
     withoutProof
   ].join(',');
 
-  const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
+  const clientSignature = await HMAC(cryptoMethod, storedKey, authMessage);
   const clientProof = `p=${xor(clientKey, clientSignature)}`;
   const clientFinal = [withoutProof, clientProof].join(',');
 
-  const serverSignature = HMAC(cryptoMethod, serverKey, authMessage);
+  const serverSignature = await HMAC(cryptoMethod, serverKey, authMessage);
   const saslContinueCmd = {
     saslContinue: 1,
     conversationId: response.conversationId,
@@ -229,19 +228,32 @@ function passwordDigest(username: string, password: string) {
     throw new MongoInvalidArgumentError('Password cannot be empty');
   }
 
-  let md5: crypto.Hash;
+  let nodeCrypto;
   try {
-    md5 = crypto.createHash('md5');
+    // TODO: NODE-7424 - remove dependency on 'crypto' for SCRAM-SHA-1 authentication
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    nodeCrypto = require('crypto');
+  } catch (e) {
+    throw new MongoRuntimeError(
+      'Node.js crypto module is required for SCRAM-SHA-1 authentication',
+      {
+        cause: e
+      }
+    );
+  }
+
+  try {
+    const md5 = nodeCrypto.createHash('md5');
+    md5.update(`${username}:mongo:${password}`, 'utf8');
+    return md5.digest('hex');
   } catch (err) {
-    if (crypto.getFips()) {
+    if (nodeCrypto.getFips()) {
       // This error is (slightly) more helpful than what comes from OpenSSL directly, e.g.
       // 'Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS'
       throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
     }
     throw err;
   }
-  md5.update(`${username}:mongo:${password}`, 'utf8');
-  return md5.digest('hex');
 }
 
 // XOR two buffers
@@ -256,12 +268,28 @@ function xor(a: Uint8Array, b: Uint8Array) {
   return ByteUtils.toBase64(ByteUtils.fromNumberArray(res));
 }
 
-function H(method: CryptoMethod, text: Uint8Array): Uint8Array {
-  return crypto.createHash(method).update(text).digest();
+async function H(method: CryptoMethod, text: Uint8Array): Promise<Uint8Array> {
+  const buffer = await crypto.subtle.digest(method === 'sha256' ? 'SHA-256' : 'SHA-1', text);
+  return new Uint8Array(buffer);
 }
 
-function HMAC(method: CryptoMethod, key: Uint8Array, text: Uint8Array | string): Uint8Array {
-  return crypto.createHmac(method, key).update(text).digest();
+async function HMAC(
+  method: CryptoMethod,
+  key: Uint8Array,
+  text: Uint8Array | string
+): Promise<Uint8Array> {
+  const keyBuffer = ByteUtils.toLocalBufferType(key);
+  const cryptoKey = await crypto.subtle.importKey(
+    'raw',
+    keyBuffer,
+    { name: 'HMAC', hash: { name: method === 'sha256' ? 'SHA-256' : 'SHA-1' } },
+    false,
+    ['sign', 'verify']
+  );
+  const textData: Uint8Array = typeof text === 'string' ? new TextEncoder().encode(text) : text;
+  const textBuffer = ByteUtils.toLocalBufferType(textData);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textBuffer);
+  return new Uint8Array(signature);
 }
 
 interface HICache {
@@ -280,21 +308,32 @@ const hiLengthMap = {
   sha1: 20
 };
 
-function HI(data: string, salt: Uint8Array, iterations: number, cryptoMethod: CryptoMethod) {
+async function HI(data: string, salt: Uint8Array, iterations: number, cryptoMethod: CryptoMethod) {
   // omit the work if already generated
   const key = [data, ByteUtils.toBase64(salt), iterations].join('_');
   if (_hiCache[key] != null) {
     return _hiCache[key];
   }
 
-  // generate the salt
-  const saltedData = crypto.pbkdf2Sync(
-    data,
-    salt,
-    iterations,
-    hiLengthMap[cryptoMethod],
-    cryptoMethod
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(data),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveBits']
+  );
+  const params = {
+    name: 'PBKDF2',
+    salt: salt,
+    iterations: iterations,
+    hash: { name: cryptoMethod === 'sha256' ? 'SHA-256' : 'SHA-1' }
+  };
+  const derivedBits = await crypto.subtle.deriveBits(
+    params,
+    keyMaterial,
+    hiLengthMap[cryptoMethod] * 8
   );
+  const saltedData = new Uint8Array(derivedBits);
 
   // cache a copy to speed up the next lookup, but prevent unbounded cache growth
   if (_hiCacheCount >= 200) {
@@ -311,10 +350,6 @@ function compareDigest(lhs: Uint8Array, rhs: Uint8Array) {
     return false;
   }
 
-  if (typeof crypto.timingSafeEqual === 'function') {
-    return crypto.timingSafeEqual(lhs, rhs);
-  }
-
   let result = 0;
   for (let i = 0; i < lhs.length; i++) {
     result |= lhs[i] ^ rhs[i];