fix(deps): update dependency mongodb to v7

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mongodb	^6.17.0 → ^7.0.0

---

Release Notes

mongodb/node-mongodb-native (mongodb)

v7.2.0

Compare Source

Features

• NODE-7142: Exponential backoff and jitter in retry loops (#​4871) (22c6031)
• NODE-7315: Use BSON ByteUtils instead of Nodejs Buffer (#​4840) (1add538)
• NODE-7335: Create dedicated mocha runner with isolated vm context (#​4876) (a4cba4c)
• NODE-7379: Refactor Crypto to Web Crypto API (#​4862) (ac98f4a)
• NODE-7385: add experimental os runtime adapter (#​4851) (d2ad07f)
• NODE-7441: add ChangeStream.bufferedCount (#​4870) (f7ea421)
• NODE-7452: restrict server deprioritization on replica sets to overload errors (#​4875) (87a3465)
• NODE-7467: make token bucket optional in client backpressure (#​4878) (4fb0a0a)
• NODE-7491: finalize client backpressure implementation for phase 1 rollout (#​4920) (2cc7983)

Bug Fixes

• NODE-7430: throw timeout error when withTransaction retries exceed deadline (#​4897) (16a899d)
• NODE-7459: explicitly call setKeepAlive and setNoDelay on socket (#​4879) (778a2a1)
• NODE-7469: overload retry when retryReads/Writes=false (#​4888) (4157b26)
• NODE-7478: OIDC host allowlist fix (#​4905) (f36b754)

v7.1.1

Compare Source

The MongoDB Node.js team is pleased to announce version 7.1.1 of the mongodb package!

Release Notes

Tighten OIDC ALLOWED_HOSTS wildcard matching

The OIDC ALLOWED_HOSTS wildcard handling has been fixed to require full subdomain/path matches for *. and */ entries, preventing partial suffix matches from being incorrectly accepted.

Fixed TCP keep-alive and no-delay settings not being applied on TLS connections

Due to a Node.js bug, tls.connect() silently ignores keepAlive, keepAliveInitialDelay, and noDelay options passed through its constructor. This could cause idle connections - particularly through cloud load balancers like Azure (240s idle timeout) or AWS PrivateLink/NLB - to be dropped unexpectedly due to missing TCP keep-alive probes.

The driver now explicitly calls setKeepAlive() and setNoDelay() on the socket after creation, ensuring these settings are always applied regardless of whether TLS is used.

Bug Fixes

• NODE-7477: OIDC host allowlist fix (#​4896) (237c9ab)
• NODE-7482: explicitly call setKeepAlive and setNoDelay on socket (#​4900) (b14ba21)

Documentation

• Reference
• API
• Changelog

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

v7.1.0

Compare Source

Features

• NODE-5393: aws4 no longer required for AWS authentication (#​4824) (0f46db8)
• NODE-7121: prevent connection churn on backpressure errors when establishing connections (#​4800) (4cb2b87)
• NODE-7122: exponential backoff between retries in convenient transaction API (#​4765) (e70fdc9)
• NODE-7304: remove usages in src of promisify (#​4799) (761b9bf)
• NODE-7306: Replace global process with import node:process (#​4820) (cc503cb)
• NODE-7310: Replace process.arch with os.arch() (#​4823) (f0af829)
• NODE-7311: Replace process.platform with os.platform() (#​4822) (c58ca1f)
• NODE-7317: use BSON.NumberUtils to determine endianness (#​4808) (4e9467e)
• NODE-7319: update allowed hosts list with *.mongo.com (#​4802) (bfb7160)
• NODE-7330: deprecate RenameCollectionOptions.new_collection (#​4815) (a96fa26)
• NODE-7333: add support for deprioritized servers to all topologies (#​4821) (a4211e7)

Bug Fixes

• NODE-7290: use valueof for error code check (#​4791) (1cc3d1c)
• NODE-7298: ensure commonWireVersion is computed from server maxWireVersion (#​4805) (2b2366d)
• NODE-7307: Replace node:process.hrtime() with performance.now() (#​4816) (ae2e037)
• NODE-7308: replace process.nextTick with queueMicrotask (#​4817) (b1b6e81)

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• NODE-7259: use alphas of all supporting packages (#​4746)
• NODE-5510: dont filter change stream options (#​4723)
• NODE-6296: remove cursor default batch size of 1000 (#​4729)
• NODE-7150: update peer dependency matrix for 3rd party peer deps (#​4720)
• NODE-7046: remove AWS uri/options support (#​4689)
• NODE-4808: remove support for stream() transform on cursors and change streams (#​4728)
• NODE-6377: remove noResponse option (#​4724)
• NODE-6473: remove MONGODB-CR auth (#​4717)
• NODE-5994: Remove metadata-related properties from public driver API (#​4716)
• NODE-7016: remove beta namespace and move resource management into driver (#​4719)
• NODE-4184: don't throw on aggregate with write concern and explain (#​4718)
• NODE-7043, NODE-7217: adopt mongodb-client-encryption v7 (#​4705)
• NODE-6065: throw MongoRuntimeError instead of MissingDependencyError in crypto connection (#​4711)
• NODE-6584: improve typing for filepaths in AutoEncryptionOptions (#​4341)
• NODE-6334: rename PoolRequstedRetry to PoolRequestedRetry (#​4696)
• NODE-7174: drop support for Node16 and Node18 (#​4668)
• NODE-7047: use custom credential provider first after URI (#​4656)
• NODE-6988: require aws sdk for aws auth (#​4659)

Features

• bump bson to 7.0.0-alpha.2 (#​4756) (9b34953)
• NODE-4184: don't throw on aggregate with write concern and explain (#​4718) (88e02a4)
• NODE-4243: drop collection checks ns not found (#​4742) (a8d7c5f)
• NODE-4808: remove support for stream() transform on cursors and change streams (#​4728) (1702987)
• NODE-5510: dont filter change stream options (#​4723) (a2daf76)
• NODE-5545: remove deprecated objects (#​4704) (cfbada6)
• NODE-5994: Remove metadata-related properties from public driver API (#​4716) (b59c5ce)
• NODE-6065: throw MongoRuntimeError instead of MissingDependencyError in crypto connection (#​4711) (ff229fa)
• NODE-6296: remove cursor default batch size of 1000 (#​4729) (f8a855f)
• NODE-6334: rename PoolRequstedRetry to PoolRequestedRetry (#​4696) (84db848)
• NODE-6377: remove noResponse option (#​4724) (9e9059a)
• NODE-6473: remove MONGODB-CR auth (#​4717) (9a1bc65)
• NODE-6584: improve typing for filepaths in AutoEncryptionOptions (#​4341) (dab4c7c)
• NODE-6988: require aws sdk for aws auth (#​4659) (b7c6750)
• NODE-7016: remove beta namespace and move resource management into driver (#​4719) (fb2824f)
• NODE-7043, NODE-7217: adopt mongodb-client-encryption v7 (#​4705) (3f7196e)
• NODE-7046: remove AWS uri/options support (#​4689) (d14ac3f)
• NODE-7047: use custom credential provider first after URI (#​4656) (2a47bbb)
• NODE-7150: update peer dependency matrix for 3rd party peer deps (#​4720) (0451dae)
• NODE-7174: drop support for Node16 and Node18 (#​4668) (a576b7d)
• NODE-7223: run checkout on connect regardless of credentials (#​4715) (c5f74ab)
• NODE-7259: use alphas of all supporting packages (#​4746) (e1ea14c)
• NODE-7260: update bson alpha to latest (#​4748) (4e88559)

Bug Fixes

• NODE-7067: Wrap socket write in a try/catch to ensure errors can be properly wrapped (#​4759) (66c18b7)
• NODE-7232: only send endSessions during client close if the topology supports sessions (#​4722) (cc85ebf)
• NODE-7247: clarify #rewrapManyDataKey() parameter types (#​4760) (cb522bf)
• NODE-7270: remove extra BSONType file in docs/Next/variables (#​4754) (df3aaaa)

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
weekly-eats	Ready	Preview, Comment	Jun 1, 2026 12:26pm

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @auth/mongodb-adapter@3.11.2
npm error Found: mongodb@7.2.0
npm error node_modules/mongodb
npm error   mongodb@"^7.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer mongodb@"^6" from @auth/mongodb-adapter@3.11.2
npm error node_modules/@auth/mongodb-adapter
npm error   @auth/mongodb-adapter@"^3.9.1" from the root project
npm error
npm error Conflicting peer dependency: mongodb@6.21.0
npm error node_modules/mongodb
npm error   peer mongodb@"^6" from @auth/mongodb-adapter@3.11.2
npm error   node_modules/@auth/mongodb-adapter
npm error     @auth/mongodb-adapter@"^3.9.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-01T12_25_27_636Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-01T12_25_27_636Z-debug-0.log

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/zach-roses-projects?upgradeToPro=build-rate-limit

[zwrose]

Hold — blocked by @auth/mongodb-adapter peer dependency.

Researched against the codebase: the app's own driver usage is fully v7-ready (no removed/changed APIs are used — connection options are empty, no change streams, .stream(), GridFS, AWS auth, or deprecated collection methods; bulkWrite/createIndex/ObjectId signatures unchanged).

The blocker is upstream: every published version of @auth/mongodb-adapter (incl. latest 3.11.2) pins peerDependencies: { mongodb: "^6" }. Bumping the driver to v7 produces an unmet peer dependency, and the adapter is contractually untested against v7 — it shares the MongoClient into @auth/core for session/account persistence, so a mismatch risks runtime auth breakage.

Leaving open until @auth/mongodb-adapter widens its mongodb peer range to include ^7. (Driver v7 also raises the Node floor to ≥20.19, which CI's Node 20.x already satisfies.)