build(deps): bump bson from 7.2.0 to 7.3.0

[dependabot]

Bumps bson from 7.2.0 to 7.3.0.

Release notes

Sourced from bson's releases.

v7.3.0

7.3.0 (2026-06-17)

The MongoDB Node.js team is pleased to announce version 7.3.0 of the bson package!

Release Notes

Deprecated inapplicable Long members on Timestamp

Timestamp inherits from Long for storage convenience, but it is semantically a (t, i) pair, not a general 64-bit integer. If you have called Long methods directly on Timestamp instances (for example toNumber(), getHighBits(), getLowBits(), or aithmetic and bitwise operations), those are now marked @deprecated with no runtime behavior changes. The .t and .i accessors provide direct, semantically consistent access to the two timestamp components.

BSON operations no longer throw on deeply nested documents

Core serialization and deserialization function (serialize, deserialize, calculateObjectSize) have been rewritten as iterative algorithms, so a sufficiently-nested document will no longer exhaust the call stack.

Behavior change: Code with Scope scopes are no longer promoted to DBRef

As a side effect of the rewrite, a Code with Scope scope that happens to carry $ref, $id, and $db keys is no longer promoted to a DBRef instance. The scope is returned as a plain object, which is the correct behavior: a scope represents JavaScript variable bindings, not a document reference.

new Binary(buffer, subType) now coerces subType to match BSON bytes

The Binary constructor now normalizes subtype inputs to match BSON serialization. Previously, passing a stringified subtype like '4' would cause a mismatch between the sub_type property (string '4') and the serialized BSON value (0x04). The constructor now converts inputs to ensure consistency.

EJSON.stringify now correctly handles all parameter combinations

Previously, calling EJSON.stringify(value, options, space) silently discarded the space parameter, producing unformatted output. This has been fixed so all documented call signatures work as expected:

// This now correctly produces indented canonical EJSON
EJSON.stringify(doc, { relaxed: false }, 2);

Thanks to @​chdanielmueller for working on this problem!

ObjectId generates unique values across Node.js startup snapshot processes

ObjectId now resets its random state (process-unique bytes and counter seed) when a process restores from a Node.js startup snapshot. Previously these values were frozen into the snapshot blob, causing processes restored from the same snapshot to generate colliding ObjectIds.

Features

• NODE-7069: deprecate Long members inapplicable to Timestamp (#887) (c5d1dd8)

... (truncated)

Changelog

Sourced from bson's changelog.

7.3.0 (2026-06-17)

Features

• NODE-7069: deprecate Long members inapplicable to Timestamp (#887) (c5d1dd8)

Bug Fixes

• NODE-5937: rewrite deserializeObject as iterative, not recursive (#886) (0231603)
• NODE-7354: eagerly make Binary sub_type into a number (#858) (5b42c5a)
• NODE-7436: EJSON.stringify type signature (#870) (c949780)
• NODE-7575: reset ObjectId state when building startup snapshot (#884) (ba29d33)
• NODE-7606: restore serializer performance by removing generator-based iteration (#890) (7c4d1aa)
• NODE-7618: propagate serializing flags to the parsing frames (#891) (a7cee8c)
• NODE-7619: reject embedded BSON document sizes below minimum valid length (#892) (b43c657)

Commits

• 2f7fdb1 chore(main): release 7.3.0 (#883)
• b43c657 fix(NODE-7619): reject embedded BSON document sizes below minimum valid lengt...
• a7cee8c fix(NODE-7618): propagate serializing flags to the parsing frames (#891)
• 7c4d1aa fix(NODE-7606): restore serializer performance by removing generator-based it...
• c5d1dd8 feat(NODE-7069): deprecate Long members inapplicable to Timestamp (#887)
• 0231603 fix(NODE-5937): rewrite deserializeObject as iterative, not recursive (#886)
• 2ea8dbb chore(NODE-7599): tighten workflow permissions and update docs (#888)
• 5499890 chore(NODE-7564): Migrate js-bson into trusted publisher workflow. (#885)
• ba29d33 fix(NODE-7575): reset ObjectId state when building startup snapshot (#884)
• 5b42c5a fix(NODE-7354): eagerly make Binary sub_type into a number (#858)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for bson since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)