@dependabot dependabot bot commented on behalf of github Nov 6, 2025

Bumps mongodb from 6.20.0 to 7.0.0.

Release notes

Sourced from mongodb's releases.

v7.0.0

7.0.0 (2025-11-06)

The MongoDB Node.js team is pleased to announce version 7.0.0 of the mongodb package!

Release Notes

The following is a detailed collection of the changes in the major v7 release of the mongodb package for Node.js. The main focus of this release was usability improvements and a streamlined API. Read on for details!

[!IMPORTANT] This is a list of changes relative to v6.21.0 of the driver. ALL changes listed below are BREAKING unless indicated otherwise. Users migrating from an older version of the driver are advised to upgrade to at least v6.21.0 before adopting v7.

🛠️ Runtime and dependency updates

Minimum Node.js version is now v20.19.0

The minimum supported Node.js version is now v20.19.0 and our TypeScript target has been updated to ES2023. We strive to keep our minimum supported Node.js version in sync with the runtime's release cadence to keep up with the latest security updates and modern language features.

Notably, the driver now offers native support for explicit resource management. Symbol.asyncDispose implementations are available on the MongoClient, ClientSession, ChangeStream and on cursors.

[!Note] Explicit resource management is considered experimental in the driver and will be until the TC39 explicit resource management proposal is completed.

bson and mongodb-connection-string-url versions 7.0.0

This driver version has been updated to use bson@7.0.0 and mongodb-connection-string-url@7.0.0, which match the driver's Node.js runtime version support. BSON functionality re-exported from the driver is furthermore subject to the changes outlined in the BSON V7 release notes.

Optional peer dependency releases and version bumps

  • @mongodb-js/zstd optional peer dependency minimum version raised to 7.0.0, dropped support for 1.x and 2.x (note that @mongodb-js/zstd does not have 3.x-6.x version releases)
  • kerberos optional peer dependency minimum version raised to 7.0.0, dropped support for 2.x (note that kerberos does not have 3.x-6.x version releases)
  • mongodb-client-encryption optional peer dependency minimum version raised to 7.0.0, dropped support for 6.x

Additionally, the driver is now compatible with the following packages:

| Dependency | Previous Range | New Allowed Range |
| --- | --- | --- |
| @aws-sdk/credential-providers | ^3.188.0 | ^3.806.0 |
| gcp-metadata | ^5.2.0 | ^7.0.1 |
| socks | ^2.7.1 | ^2.8.6 |

🔐 AWS authentication

To improve long-term maintainability and ensure compatibility with AWS updates, we’ve standardized AWS auth to use the official SDK in all cases and made a number of supporting changes outlined below.

@aws-sdk/credential-providers is now required for MONGODB-AWS authentication

Previous versions of the driver contained two implementations for AWS authentication and could run the risk of the custom driver implementation not supporting all AWS authentication features as well as not being correct when AWS makes changes. Using the official AWS SDK in all cases alleviates these issues.

... (truncated)

Changelog

Sourced from mongodb's changelog.

7.0.0 (2025-11-06)

⚠ BREAKING CHANGES

  • NODE-7259: use alphas of all supporting packages (#4746)
  • NODE-5510: dont filter change stream options (#4723)
  • NODE-6296: remove cursor default batch size of 1000 (#4729)
  • NODE-7150: update peer dependency matrix for 3rd party peer deps (#4720)
  • NODE-7046: remove AWS uri/options support (#4689)
  • NODE-4808: remove support for stream() transform on cursors and change streams (#4728)
  • NODE-6377: remove noResponse option (#4724)
  • NODE-6473: remove MONGODB-CR auth (#4717)
  • NODE-5994: Remove metadata-related properties from public driver API (#4716)
  • NODE-7016: remove beta namespace and move resource management into driver (#4719)
  • NODE-4184: don't throw on aggregate with write concern and explain (#4718)
  • NODE-7043, NODE-7217: adopt mongodb-client-encryption v7 (#4705)
  • NODE-6065: throw MongoRuntimeError instead of MissingDependencyError in crypto connection (#4711)
  • NODE-6584: improve typing for filepaths in AutoEncryptionOptions (#4341)
  • NODE-6334: rename PoolRequstedRetry to PoolRequestedRetry (#4696)
  • NODE-7174: drop support for Node16 and Node18 (#4668)
  • NODE-7047: use custom credential provider first after URI (#4656)
  • NODE-6988: require aws sdk for aws auth (#4659)

Features

  • bump bson to 7.0.0-alpha.2 (#4756) (9b34953)
  • NODE-4184: don't throw on aggregate with write concern and explain (#4718) (88e02a4)
  • NODE-4243: drop collection checks ns not found (#4742) (a8d7c5f)
  • NODE-4808: remove support for stream() transform on cursors and change streams (#4728) (1702987)
  • NODE-5510: dont filter change stream options (#4723) (a2daf76)
  • NODE-5545: remove deprecated objects (#4704) (cfbada6)
  • NODE-5994: Remove metadata-related properties from public driver API (#4716) (b59c5ce)
  • NODE-6065: throw MongoRuntimeError instead of MissingDependencyError in crypto connection (#4711) (ff229fa)
  • NODE-6296: remove cursor default batch size of 1000 (#4729) (f8a855f)
  • NODE-6334: rename PoolRequstedRetry to PoolRequestedRetry (#4696) (84db848)
  • NODE-6377: remove noResponse option (#4724) (9e9059a)
  • NODE-6473: remove MONGODB-CR auth (#4717) (9a1bc65)
  • NODE-6584: improve typing for filepaths in AutoEncryptionOptions (#4341) (dab4c7c)
  • NODE-6988: require aws sdk for aws auth (#4659) (b7c6750)
  • NODE-7016: remove beta namespace and move resource management into driver (#4719) (fb2824f)
  • NODE-7043, NODE-7217: adopt mongodb-client-encryption v7 (#4705) (3f7196e)
  • NODE-7046: remove AWS uri/options support (#4689) (d14ac3f)
  • NODE-7047: use custom credential provider first after URI (#4656) (2a47bbb)
  • NODE-7150: update peer dependency matrix for 3rd party peer deps (#4720) (0451dae)
  • NODE-7174: drop support for Node16 and Node18 (#4668) (a576b7d)
  • NODE-7223: run checkout on connect regardless of credentials (#4715) (c5f74ab)
  • NODE-7259: use alphas of all supporting packages (#4746) (e1ea14c)
  • NODE-7260: update bson alpha to latest (#4748) (4e88559)

... (truncated)

Commits
  • 2512137 chore(main): release 7.0.0 (#4667)
  • e4881f5 docs(NODE-7172): create v7 migration guide (#4751)
  • 53a4fb1 docs: 6.21 docs (#4782)
  • 696664c feat!(NODE-7286): update peer dependencies (#4780)
  • 517da84 docs: add info about testing with different versions and the rosetta setup fo...
  • 252dab8 test(NODE-7219): remove unused tests (#4767)
  • 76c98bb test(NODE-5206): fix flaky sdam prose test (#4752)
  • cb522bf fix(NODE-7247): clarify #rewrapManyDataKey() parameter types (#4760)
  • ec996e6 chore(NODE-6945): remove dependency on v8-heapsnapshot (#4763)
  • 7d879fd test(NODE-7280): remove test/mongodb.ts and its usage (#4766)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mongodb](https://github.com/mongodb/node-mongodb-native) from 6.20.0 to 7.0.0.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v6.20.0...v7.0.0)

---
updated-dependencies:
- dependency-name: mongodb
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Nov 6, 2025
Copilot AI left a comment

Pull Request Overview

This PR upgrades the MongoDB Node.js driver from version 6.20.0 to 7.0.0, a major version update that includes breaking changes and requires Node.js >= 20.19.0. The upgrade necessitated updates to the device update logic to handle ObjectId conversion properly.

Key Changes:

  • Upgraded mongodb package from 6.20.0 to 7.0.0 with corresponding dependency updates (bson, mongodb-connection-string-url, @types/whatwg-url)
  • Added ObjectId validation and conversion logic in the device update method
  • Reformatted code in device routes for improved readability
  • Applied formatting improvements to swagger.yaml

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Upgraded mongodb dependency to version 7.0.0 |
| package-lock.json | Updated lockfile with MongoDB 7.0.0 and related dependency versions including bson 7.0.0 and updated peer dependency versions |
| src/data/mongo/collections/device.ts | Added validation for _id field and ObjectId conversion logic with support for both valid ObjectId strings and numeric IDs |
| src/routes/devices/index.ts | Reformatted redirectstatus route definition for better readability |
| swagger.yaml | Applied consistent formatting and whitespace cleanup throughout the API documentation |

Comments suppressed due to low confidence (1)

src/data/mongo/collections/device.ts:78

  • The findOneAndUpdate call may return null if no document is found matching the filter criteria, but the method doesn't handle this case before returning result as any. This will cause the method to return null when a device with the given _id and tenantId doesn't exist, potentially leading to null reference errors in calling code.

Consider adding a null check:

```ts
if (!result) {
  throw new Error(`Device not found with _id: ${objectId}`)
}
return result as any
```

```ts
    const result = await this.collection.findOneAndUpdate(
      { _id: objectId, tenantId: item.tenantId },
      { $set: item },
      { returnDocument: 'after', includeResultMetadata: false }
    )
    return result as any
```

Comment on lines +67 to +70
} else if (typeof itemId === 'number') {
objectId = new ObjectId(itemId.toString().padStart(24, '0'))
} else {
throw new Error(`Invalid _id format: ${itemId}`)
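
Review bot: in the `typeof itemId === 'number'` branch, `itemId.toString()` is not guaranteed to produce hex digits. A non-integer, a negative number or a value large enough to stringify in exponent notation puts '.', '-' or 'e+' into the padded string, so an ill-formed string is passed to `new ObjectId(...)` instead of reaching the `Invalid _id format` error in the `else` branch. If numeric ids have to be accepted, guard the branch with `Number.isSafeInteger(itemId) && itemId >= 0` before padding and document that the decimal digits end up stored as hex digits; otherwise drop the branch.
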
Copilot AI Nov 11, 2025

Converting a number to an ObjectId by padding with zeros is fragile and could lead to unexpected behavior. This assumes numeric IDs are always less than 24 characters when stringified and that padding them to create a valid ObjectId hex string is meaningful.

Consider one of these approaches instead:

  • Store the original ObjectId format consistently in the database
  • Document why numeric IDs need special handling
  • Validate that the numeric ID is within acceptable bounds before conversion
Suggested change
} else if (typeof itemId === 'number') {
objectId = new ObjectId(itemId.toString().padStart(24, '0'))
} else {
throw new Error(`Invalid _id format: ${itemId}`)
} else {
throw new Error(`Invalid _id format: ${itemId}. Only valid ObjectId strings are supported.`)
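
Review bot: the replacement `throw` still interpolates `${itemId}` into the error message. For an object input that prints `[object Object]`, and for a string it copies caller-supplied text into whatever logs or responses carry the error; reporting `typeof itemId` or a length-capped, JSON-encoded value would be safer. Removing the numeric branch also changes behaviour for any caller that passes a number, which should be stated in the PR description.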

Copilot uses AI. Check for mistakes.
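
The numeric branch discussed in the review comment above, as an added JavaScript example (not code from the PR or from the mongodb driver): it reproduces the `toString().padStart(24, '0')` conversion on constructed inputs to show which numbers yield a string that is not 24 hex characters, and pairs it with a strict parser that accepts only 24-character hex strings. The names `paddedNumericId`, `parseDeviceId`, `surveyPadding` and `rejects`, and the sample values, are hypothetical.

```javascript
// Added example, not code from the PR. All names here are hypothetical.
const OBJECT_ID_HEX = /^[0-9a-f]{24}$/i;

// Mirrors the conversion under review: itemId.toString().padStart(24, '0').
// Reports the padded string, whether it is a well-formed 24-character hex
// string, and the value those digits have once they are read as hex.
function paddedNumericId(n) {
  const padded = n.toString().padStart(24, '0');
  const wellFormed = OBJECT_ID_HEX.test(padded);
  return { padded, wellFormed, hexValue: wellFormed ? BigInt('0x' + padded) : null };
}

// Strict alternative: only a 24-character hex string is accepted. Numbers,
// objects (for example a query-operator object) and malformed strings are
// rejected before they can reach a query filter.
function parseDeviceId(itemId) {
  if (typeof itemId !== 'string' || !OBJECT_ID_HEX.test(itemId)) {
    // Report the type, not the value, so caller input is not echoed into logs.
    throw new TypeError(`Invalid _id: expected 24-character hex string, got ${typeof itemId}`);
  }
  return itemId.toLowerCase();
}

// Constructed sample inputs: an integer, a fraction, a negative number and a
// number that JavaScript stringifies in exponent notation.
const samples = [42, 1.5, -7, 1e21];

function surveyPadding() {
  return samples.map((n) => ({ input: n, ...paddedNumericId(n) }));
}

// True when parseDeviceId refuses the value.
function rejects(value) {
  try {
    parseDeviceId(value);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

console.log(surveyPadding());
console.log(rejects({ $ne: null }), rejects(42), rejects('not-an-id'));
```

Of the four samples only `42` pads to a well-formed string, and its digits then denote the hex value 0x42 rather than decimal 42.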