Bump pymongo from 4.3.3 to 4.6.3

[dependabot]

Bumps pymongo from 4.3.3 to 4.6.3.

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

Changelog

Sourced from pymongo's changelog.

Changelog

Changes in Version 4.7

PyMongo 4.7 brings a number of improvements including:

• Added the :class:pymongo.hello.Hello.connection_id, :attr:pymongo.monitoring.CommandStartedEvent.server_connection_id, :attr:pymongo.monitoring.CommandSucceededEvent.server_connection_id, and :attr:pymongo.monitoring.CommandFailedEvent.server_connection_id properties.

• Fixed a bug where inflating a :class:~bson.raw_bson.RawBSONDocument containing a :class:~bson.code.Code would cause an error.

• Significantly improved the performance of encoding BSON documents to JSON.

• Support for named KMS providers for client side field level encryption. Previously supported KMS providers were only: aws, azure, gcp, kmip, and local. The KMS provider is now expanded to support name suffixes (e.g. local:myname). Named KMS providers enables more than one of each KMS provider type to be configured. See the docstring for :class:~pymongo.encryption_options.AutoEncryptionOpts. Note that named KMS providers requires pymongocrypt >=1.9 and libmongocrypt >=1.9.

• :meth:~pymongo.encryption.ClientEncryption.encrypt and :meth:~pymongo.encryption.ClientEncryption.encrypt_expression now allow key_id to be passed in as a :class:uuid.UUID.

• Fixed a bug where :class:~bson.int64.Int64 instances could not always be encoded by orjson_. The following now works::

  import orjson from bson import json_util orjson.dumps({'a': Int64(1)}, default=json_util.default, option=orjson.OPT_PASSTHROUGH_SUBCLASS)

.. _orjson: https://github.com/ijl/orjson

• Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
• Added a warning when connecting to DocumentDB and CosmosDB clusters. For more information regarding feature compatibility and support please visit mongodb.com/supportability/documentdb <https://mongodb.com/supportability/documentdb>_ and mongodb.com/supportability/cosmosdb <https://mongodb.com/supportability/cosmosdb>_.
• Added the :attr:pymongo.monitoring.ConnectionCheckedOutEvent.duration, :attr:pymongo.monitoring.ConnectionCheckOutFailedEvent.duration, and :attr:pymongo.monitoring.ConnectionReadyEvent.duration properties.
• Added the type and kwargs arguments to :class:~pymongo.operations.SearchIndexModel to enable creating vector search indexes in MongoDB Atlas.
• Fixed a bug where read_concern and write_concern were improperly added to :meth:~pymongo.collection.Collection.list_search_indexes queries.

Unavoidable breaking changes ............................

... (truncated)

Commits

• 8da192f BUMP 4.6.3
• 56b6b6d PYTHON-4305 Fix bson size check (#1564)
• 449d0f3 BUMP to 4.6.3.dev0
• e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
• cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
• d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
• 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
• ecad17d BUMP 4.6.2.dev0
• 485e0a5 BUMP 4.6.1
• 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[justinclift]

For the moment, lets hold off on this. The 4.6.3 release isn't listed in their official releases. Version 4.6.2 is the highest one in the list so far:

https://github.com/mongodb/mongo-python-driver/releases

It's probably just an oversight, but lets be careful just in case.

[justinclift]

The pymongo repository on GitHub doesn't allow issues to be filed, so I've just gone through the main official website looking for a security contact or something else appropriate.

There doesn't seem like anything that's actually a good fit to ask about this though, so instead I've submitted a security vulnerability report here:

https://www.mongodb.com/company/contact/feedback/bug-submission-form

## Bug Report Vulnerability

Dependabot is generating version bumps to a non-existent pymongo 4.6.3 release


## Description

On our GitHub repo, Dependabot has generated a new version bump of the pymongo dependency
up to version 4.6.3:

https://github.com/getredash/redash/pull/6863

However, checking the pymongo project... the highest release there is 4.6.2:

https://github.com/mongodb/mongo-python-driver/releases

Is this a real version, or is this a supply chain attack?


## Proof of Concept (can't be left empty)

As above


## Impact (can't be left empty)

Well, we're not going to upgrade to an unlisted release. :(

Also, it'd be nice if there was a way to ask basic security questions rather than using
the bug submission form. :( :(


## Remediation

NA


## References (if any)

NA


# Tools used

NA


## CVSS Score (can't be left empty)

10


## Do you wish to upload POC?

No

[justinclift]

Wow, it's been a day and there's still no response from the MongoDB security people.

That's unusual for a security report. And it's not like it's the weekend or something.

[justinclift]

I've just attempted to contact MongoDB through their main official "contact us" web form... with this result after pressing the Submit button:

That's unfortunate.

[lucydodo]

https://pypi.org/project/pymongo/#history

As a side note, PyPI shows that version 4.6.3 was released on March 28th.

[justinclift]

Yeah. It's probably safe, but supply chain attacks on OSS package repositories have been happening more frequently recently.

So we should probably prod the MongoDB people to make the release official in the actual source repository itself - like their other releases - just to make sure. 😄

[justinclift]

It's been 3 days and there's still no response from the MongoDB Security team, nor from their Support team.

The official releases list for MongoDB does not list this supposed release either.

There seems to be something seriously wrong with MongoDB's approach to security. 😦 😦 😦

[justinclift]

Created a slightly pissed off IssuePR in their repository to ask if the release is real:

mongodb/mongo-python-driver#1581

Lets see if anyone from their team can actually be bothered responding to security questions.

[lucydodo]

Yes 4.6.3 is an official release which fixes a bug in the C BSON decoding layer. Apologies for the confusion around the release announcements. We will publish the release announcement in our regular channels soon.

The MongoDB team replied that this is indeed an official release. I think it's okay to merge it. :)

[justinclift]

Awesome! Thanks @lucydodo. 😄

[justinclift]

Looks good to me. 😄