Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
mongodb-client-encryption
Advanced tools
mongodb-client-encryption
Official client encryption module for the MongoDB Node.js driver
MongoDB Client Encryption
The Node.js wrapper for libmongocrypt
Note This library provides encryption functionality for the MongoDB Node.js driver but is not intended to be consumed in isolation. The public API that uses the functionality in this library is available in the mongodb package.
MongoDB Node.js Driver Version Compatibility
Only the following version combinations with the MongoDB Node.js Driver are considered stable.
mongodb-client-encryption@1.x | mongodb-client-encryption@2.x | mongodb-client-encryption@6.x | |
|---|---|---|---|
mongodb@6.x | N/A | N/A | ✓ |
mongodb@5.x | N/A | ✓ | N/A |
mongodb@4.x | ✓ | ✓ | N/A |
mongodb@3.x | ✓ | N/A | N/A |
Installation
You can install mongodb-client-encryption with the following:
npm install mongodb-client-encryption
Release Integrity
Releases are created automatically and signed using the Node team's GPG key. This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
gpg --import node-driver.asc
The GitHub release contains a detached signature file for the NPM package (named
mongodb-client-encryption-X.Y.Z.tgz.sig).
The following command returns the link npm package.
npm view mongodb-client-encryption@vX.Y.Z dist.tarball
Using the result of the above command, a curl command can return the official npm package for the release.
To verify the integrity of the downloaded package, run the following command:
gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X.Y.Z.tgz
[!Note] No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
To verify the native .node packages, follow the same steps as above using mongodb-client-encryption-X.Y.Z-platform.tgz and the corresponding .sig file.
Development
Setup
Run the following command to build libmongocrypt and you are setup to develop the node bindings:
npm run install:libmongocrypt
libmongocrypt.mjs
node libmongocrypt.mjs [optional flags]
By default attempts to download and compile the bindings with the crypto prebuilds of libmongocrypt.
Can be configured to clone and build without crypto.
--gitURL=string A custom remote git repository to clone libmongocrypt from. You must also set --build to use this.
--libVersion=string A custom version reference to either download or checkout after cloning.
You may use "latest" to get current libmongocrypt `HEAD`.
--clean Combined with --build, the script will not skip cloning and rebuilding libmongocrypt.
--build Instead of downloading, clone and build libmongocrypt along with the bindings.
--dynamic Skips cloning or downloading libmongocrypt, runs prebuild with build_type set to "dynamic" to compile
a prebuild that links to a system copy of libmongocrypt.
--skip-bindings Skips running prebuild. Useful if only the libmongocrypt dependency is desired.
Only suitable for local development:
--fastDownload If you are improving this script or otherwise repeatedly downloading libmongocrypt,
this flag will interrupt the un-tar operation as early as possible. It should work, most of the time.
Prebuild Platforms
Below are the platforms that are available as prebuilds on each github release.
prebuild-install downloads these automatically depending on the platform you are running npm install on.
- Linux GLIBC 2.23 or later
- s390x
- arm64
- x64
- MacOS universal binary
- x64
- arm64
- Windows
- x64
Linting
We lint both the c++ bindings and the Typescript.
To lint the Typescript, you can run npm run check:eslint -- --fix. To lint the c++, run npm run clang-format.
Testing
The unit tests require the binding to be built. Run npm run rebuild to build the addon from the c++ source. Then the tests can be run with npm test.
Note: changes to c++ source are not automatically re-compiled. One needs to rebuild the bindings after each change.
FAQs
Official client encryption module for the MongoDB Node.js driver
The npm package mongodb-client-encryption receives a total of 86,210 weekly downloads. As such, mongodb-client-encryption popularity was classified as popular.
We found that mongodb-client-encryption demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.
Package last updated on 13 Aug 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024