mongodb 6.20.0 → 7.0.0-dev.20251111.sha.b183de39

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb",
-  "version": "6.20.0",
+  "version": "7.0.0-dev.20251111.sha.b183de39",
   "description": "The official MongoDB driver for Node.js",
   "main": "lib/index.js",
   "files": [
@@ -26,17 +26,17 @@
   },
   "dependencies": {
     "@mongodb-js/saslprep": "^1.3.0",
-    "bson": "^6.10.4",
-    "mongodb-connection-string-url": "^3.0.2"
+    "bson": "^7.0.0",
+    "mongodb-connection-string-url": "^7.0.0"
   },
   "peerDependencies": {
-    "@aws-sdk/credential-providers": "^3.188.0",
-    "@mongodb-js/zstd": "^1.1.0 || ^2.0.0",
-    "gcp-metadata": "^5.2.0",
-    "kerberos": "^2.0.1",
-    "mongodb-client-encryption": ">=6.0.0 <7",
+    "@aws-sdk/credential-providers": "^3.806.0",
+    "@mongodb-js/zstd": "^7.0.0",
+    "gcp-metadata": "^7.0.1",
+    "kerberos": "^7.0.0",
+    "mongodb-client-encryption": ">=7.0.0 <7.1.0",
     "snappy": "^7.3.2",
-    "socks": "^2.7.1"
+    "socks": "^2.8.6"
   },
   "peerDependenciesMeta": {
     "@aws-sdk/credential-providers": {
@@ -67,7 +67,7 @@
     "@istanbuljs/nyc-config-typescript": "^1.0.2",
     "@microsoft/api-extractor": "^7.52.11",
     "@microsoft/tsdoc-config": "^0.17.1",
-    "@mongodb-js/zstd": "^2.0.1",
+    "@mongodb-js/zstd": "^7.0.0",
     "@types/chai": "^4.3.17",
     "@types/chai-subset": "^1.3.5",
     "@types/express": "^5.0.3",
@@ -92,12 +92,11 @@
     "eslint-plugin-tsdoc": "^0.4.0",
     "eslint-plugin-unused-imports": "^4.2.0",
     "express": "^5.1.0",
-    "gcp-metadata": "^5.3.0",
+    "gcp-metadata": "^7.0.1",
     "js-yaml": "^4.1.0",
     "mocha": "^11.7.1",
     "mocha-sinon": "^2.1.2",
-    "mongodb-client-encryption": "^6.5.0",
-    "mongodb-legacy": "^6.1.3",
+    "mongodb-client-encryption": "^7.0.0",
     "nyc": "^15.1.0",
     "prettier": "^3.6.2",
     "semver": "^7.7.2",
@@ -115,7 +114,7 @@
   },
   "license": "Apache-2.0",
   "engines": {
-    "node": ">=16.20.1"
+    "node": ">=20.19.0"
   },
   "bugs": {
     "url": "https://jira.mongodb.org/projects/NODE/issues/"
@@ -124,7 +123,7 @@
   "scripts": {
     "build:evergreen": "node .evergreen/generate_evergreen_tasks.js",
     "build:ts": "node ./node_modules/typescript/bin/tsc",
-    "build:dts": "npm run build:ts && api-extractor run && node etc/clean_definition_files.cjs && ESLINT_USE_FLAT_CONFIG=false eslint --no-ignore --fix mongodb.d.ts lib/beta.d.ts",
+    "build:dts": "npm run build:ts && api-extractor run && node etc/clean_definition_files.cjs && ESLINT_USE_FLAT_CONFIG=false eslint --no-ignore --fix mongodb.d.ts",
     "build:docs": "./etc/docs/build.ts",
     "build:typedoc": "typedoc",
     "build:nightly": "node ./.github/scripts/nightly.mjs",
@@ -137,16 +136,14 @@
     "check:eslint": "npm run build:dts && ESLINT_USE_FLAT_CONFIG=false eslint -v && ESLINT_USE_FLAT_CONFIG=false eslint --max-warnings=0 --ext '.js,.ts' src test",
     "check:tsd": "tsd --version && tsd",
     "check:dependencies": "mocha test/action/dependency.test.ts",
-    "check:dts": "node ./node_modules/typescript/bin/tsc --noEmit mongodb.d.ts && tsd",
+    "check:dts": "node ./node_modules/typescript/bin/tsc --target es2023 --module commonjs --noEmit mongodb.d.ts && tsd",
     "check:search-indexes": "nyc mocha --config test/mocha_mongodb.js test/manual/search-index-management.prose.test.ts",
     "check:test": "mocha --config test/mocha_mongodb.js test/integration",
     "check:unit": "nyc mocha test/unit",
     "check:ts": "node ./node_modules/typescript/bin/tsc -v && node ./node_modules/typescript/bin/tsc --noEmit",
     "check:atlas": "nyc mocha --config test/manual/mocharc.js test/manual/atlas_connectivity.test.ts",
-    "check:resource-management": "nyc mocha --config test/manual/mocharc.js test/manual/resource_management.test.ts",
     "check:drivers-atlas-testing": "nyc mocha --config test/mocha_mongodb.js test/atlas/drivers_atlas_testing.test.ts",
-    "check:adl": "nyc mocha --config test/mocha_mongodb.js test/manual/atlas-data-lake-testing",
-    "check:aws": "nyc mocha --config test/mocha_mongodb.js test/integration/auth/mongodb_aws.test.ts",
+    "check:aws": "nyc mocha --config test/mocha_mongodb.js test/integration/auth/mongodb_aws.test.ts test/integration/auth/mongodb_aws.prose.test.ts",
     "check:oidc-auth": "nyc mocha --config test/mocha_mongodb.js test/integration/auth/auth.spec.test.ts",
     "check:oidc-test": "nyc mocha --config test/mocha_mongodb.js test/integration/auth/mongodb_oidc.prose.test.ts",
     "check:oidc-azure": "nyc mocha --config test/mocha_mongodb.js test/integration/auth/mongodb_oidc_azure.prose.05.test.ts",
@@ -175,4 +172,4 @@
       "moduleResolution": "node"
     }
   }
-}
+}

package/src/bulk/common.ts

@@ -20,7 +20,6 @@ import type { Topology } from '../sdam/topology';
 import { type Sort } from '../sort';
 import { TimeoutContext } from '../timeout';
 import {
-  applyRetryableWrites,
   getTopology,
   hasAtomicOperators,
   maybeAddIdToDocuments,
@@ -527,15 +526,15 @@ async function executeCommands(
       finalOptions.checkKeys = false;
     }
 
-    if (finalOptions.retryWrites) {
+    if (bulkOperation.retryWrites) {
       if (isUpdateBatch(batch)) {
-        finalOptions.retryWrites =
-          finalOptions.retryWrites && !batch.operations.some(op => op.multi);
+        bulkOperation.retryWrites =
+          bulkOperation.retryWrites && !batch.operations.some(op => op.multi);
       }
 
       if (isDeleteBatch(batch)) {
-        finalOptions.retryWrites =
-          finalOptions.retryWrites && !batch.operations.some(op => op.limit === 0);
+        bulkOperation.retryWrites =
+          bulkOperation.retryWrites && !batch.operations.some(op => op.limit === 0);
       }
     }
 
@@ -859,6 +858,8 @@ export abstract class BulkOperationBase {
   s: BulkOperationPrivate;
   operationId?: number;
   private collection: Collection;
+  /** @internal */
+  retryWrites?: boolean;
 
   /**
    * Create a new OrderedBulkOperation or UnorderedBulkOperation instance
@@ -866,6 +867,7 @@ export abstract class BulkOperationBase {
    */
   constructor(collection: Collection, options: BulkWriteOptions, isOrdered: boolean) {
     this.collection = collection;
+    this.retryWrites = collection.db.options?.retryWrites;
     // determine whether bulkOperation is ordered or unordered
     this.isOrdered = isOrdered;
 
@@ -898,10 +900,6 @@ export abstract class BulkOperationBase {
     //   + 1 bytes for null terminator
     const maxKeySize = (maxWriteBatchSize - 1).toString(10).length + 2;
 
-    // Final options for retryable writes
-    let finalOptions = Object.assign({}, options);
-    finalOptions = applyRetryableWrites(finalOptions, collection.db);
-
     // Final results
     const bulkResult: BulkResult = {
       ok: 1,
@@ -943,7 +941,7 @@ export abstract class BulkOperationBase {
       // Topology
       topology,
       // Options
-      options: finalOptions,
+      options: options,
       // BSON options
       bsonOptions: resolveBSONOptions(options),
       // Current operation

package/src/change_stream.ts

@@ -3,7 +3,7 @@ import type { Readable } from 'stream';
 import type { Binary, Document, Timestamp } from './bson';
 import { Collection } from './collection';
 import { CHANGE, CLOSE, END, ERROR, INIT, MORE, RESPONSE, RESUME_TOKEN_CHANGED } from './constants';
-import { type CursorStreamOptions, CursorTimeoutContext } from './cursor/abstract_cursor';
+import { CursorTimeoutContext } from './cursor/abstract_cursor';
 import { ChangeStreamCursor, type ChangeStreamCursorOptions } from './cursor/change_stream_cursor';
 import { Db } from './db';
 import {
@@ -17,21 +17,10 @@ import {
 import { MongoClient } from './mongo_client';
 import { type InferIdType, TypedEventEmitter } from './mongo_types';
 import type { AggregateOptions } from './operations/aggregate';
-import type { CollationOptions, OperationParent } from './operations/command';
-import type { ReadPreference } from './read_preference';
-import { type AsyncDisposable, configureResourceManagement } from './resource_management';
+import type { OperationParent } from './operations/command';
 import type { ServerSessionId } from './sessions';
 import { CSOTTimeoutContext, type TimeoutContext } from './timeout';
-import { filterOptions, getTopology, type MongoDBNamespace, squashError } from './utils';
-
-const CHANGE_STREAM_OPTIONS = [
-  'resumeAfter',
-  'startAfter',
-  'startAtOperationTime',
-  'fullDocument',
-  'fullDocumentBeforeChange',
-  'showExpandedEvents'
-] as const;
+import { type AnyOptions, getTopology, type MongoDBNamespace, squashError } from './utils';
 
 const CHANGE_DOMAIN_TYPES = {
   COLLECTION: Symbol('Collection'),
@@ -45,19 +34,12 @@ const NO_RESUME_TOKEN_ERROR =
   'A change stream document has been received that lacks a resume token (_id).';
 const CHANGESTREAM_CLOSED_ERROR = 'ChangeStream is closed';
 
-/**
- * @public
- * @deprecated Please use the ChangeStreamCursorOptions type instead.
- */
-export interface ResumeOptions {
-  startAtOperationTime?: Timestamp;
-  batchSize?: number;
-  maxAwaitTimeMS?: number;
-  collation?: CollationOptions;
-  readPreference?: ReadPreference;
-  resumeAfter?: ResumeToken;
-  startAfter?: ResumeToken;
-  fullDocument?: string;
+const INVALID_STAGE_OPTIONS = buildDisallowedChangeStreamOptions();
+
+export function filterOutOptions(options: AnyOptions): AnyOptions {
+  return Object.fromEntries(
+    Object.entries(options).filter(([k, _]) => !INVALID_STAGE_OPTIONS.has(k))
+  );
 }
 
 /**
@@ -590,13 +572,10 @@ export class ChangeStream<
   implements AsyncDisposable
 {
   /**
-   * @beta
    * @experimental
    * An alias for {@link ChangeStream.close|ChangeStream.close()}.
    */
-  declare [Symbol.asyncDispose]: () => Promise<void>;
-  /** @internal */
-  async asyncDispose() {
+  async [Symbol.asyncDispose]() {
     await this.close();
   }
 
@@ -614,7 +593,6 @@ export class ChangeStream<
   type: symbol;
   /** @internal */
   private cursor: ChangeStreamCursor<TSchema, TChange>;
-  streamOptions?: CursorStreamOptions;
   /** @internal */
   private cursorStream?: Readable & AsyncIterable<TChange>;
   /** @internal */
@@ -882,13 +860,12 @@ export class ChangeStream<
    *
    * @throws MongoChangeStreamError if the underlying cursor or the change stream is closed
    */
-  stream(options?: CursorStreamOptions): Readable & AsyncIterable<TChange> {
+  stream(): Readable & AsyncIterable<TChange> {
     if (this.closed) {
       throw new MongoChangeStreamError(CHANGESTREAM_CLOSED_ERROR);
     }
 
-    this.streamOptions = options;
-    return this.cursor.stream(options);
+    return this.cursor.stream();
   }
 
   /** @internal */
@@ -920,7 +897,7 @@ export class ChangeStream<
   private _createChangeStreamCursor(
     options: ChangeStreamOptions | ChangeStreamCursorOptions
   ): ChangeStreamCursor<TSchema, TChange> {
-    const changeStreamStageOptions = filterOptions(options, CHANGE_STREAM_OPTIONS);
+    const changeStreamStageOptions: Document = filterOutOptions(options);
     if (this.type === CHANGE_DOMAIN_TYPES.CLUSTER) {
       changeStreamStageOptions.allChangesForCluster = true;
     }
@@ -1107,4 +1084,75 @@ export class ChangeStream<
   }
 }
 
-configureResourceManagement(ChangeStream.prototype);
+/**
+ * This function returns a list of options that are *not* supported by the $changeStream
+ * aggregation stage.  This is best-effort - it uses the options "officially supported" by the driver
+ * to derive a list of known, unsupported options for the $changeStream stage.
+ *
+ * Notably, at runtime, users can still provide options unknown to the driver and the driver will
+ * *not* filter them out of the options object (see NODE-5510).
+ */
+function buildDisallowedChangeStreamOptions(): Set<string> {
+  /** hard-coded list of allowed ChangeStream options */
+  type CSOptions =
+    | 'resumeAfter'
+    | 'startAfter'
+    | 'startAtOperationTime'
+    | 'fullDocument'
+    | 'fullDocumentBeforeChange'
+    | 'showExpandedEvents';
+
+  /**
+   * a type representing all known options that the driver supports that are *not* change stream stage options.
+   *
+   * each known key is mapped to a non-optional string, so that if new driver-specific options are added, the
+   * instantiation of `denyList` below results in a TS error.
+   */
+  type DisallowedOptions = {
+    [k in Exclude<
+      keyof ChangeStreamOptions & { timeoutContext: TimeoutContext },
+      CSOptions
+    >]: string;
+  };
+
+  const denyList: DisallowedOptions = {
+    allowDiskUse: '',
+    authdb: '',
+    batchSize: '',
+    bsonRegExp: '',
+    bypassDocumentValidation: '',
+    bypassPinningCheck: '',
+    checkKeys: '',
+    collation: '',
+    comment: '',
+    cursor: '',
+    dbName: '',
+    enableUtf8Validation: '',
+    explain: '',
+    fieldsAsRaw: '',
+    hint: '',
+    ignoreUndefined: '',
+    let: '',
+    maxAwaitTimeMS: '',
+    maxTimeMS: '',
+    omitMaxTimeMS: '',
+    out: '',
+    promoteBuffers: '',
+    promoteLongs: '',
+    promoteValues: '',
+    raw: '',
+    rawData: '',
+    readConcern: '',
+    readPreference: '',
+    serializeFunctions: '',
+    session: '',
+    timeoutContext: '',
+    timeoutMS: '',
+    timeoutMode: '',
+    useBigInt64: '',
+    willRetryWrite: '',
+    writeConcern: ''
+  };
+
+  return new Set(Object.keys(denyList));
+}

package/src/client-side-encryption/auto_encrypter.ts

@@ -1,8 +1,4 @@
-import {
-  type MongoCrypt,
-  type MongoCryptConstructor,
-  type MongoCryptOptions
-} from 'mongodb-client-encryption';
+import { type MongoCrypt, type MongoCryptOptions } from 'mongodb-client-encryption';
 import * as net from 'net';
 
 import { deserialize, type Document, serialize } from '../bson';
@@ -14,8 +10,7 @@ import { MongoClient, type MongoClientOptions } from '../mongo_client';
 import { type Abortable } from '../mongo_types';
 import { MongoDBCollectionNamespace } from '../utils';
 import { autoSelectSocketOptions } from './client_encryption';
-import * as cryptoCallbacks from './crypto_callbacks';
-import { MongoCryptInvalidArgumentError } from './errors';
+import { defaultErrorWrapper, MongoCryptInvalidArgumentError } from './errors';
 import { MongocryptdManager } from './mongocryptd_manager';
 import {
   type CredentialProviders,
@@ -69,7 +64,7 @@ export interface AutoEncryptionOptions {
     /** If true, autoEncryption will not attempt to spawn a mongocryptd before connecting  */
     mongocryptdBypassSpawn?: boolean;
     /** The path to the mongocryptd executable on the system */
-    mongocryptdSpawnPath?: string;
+    mongocryptdSpawnPath?: `${string}mongocryptd${'.exe' | ''}`;
     /** Command line arguments to use when auto-spawning a mongocryptd */
     mongocryptdSpawnArgs?: string[];
     /**
@@ -95,7 +90,7 @@ export interface AutoEncryptionOptions {
      *
      * Requires the MongoDB Crypt shared library, available in MongoDB 6.0 or higher.
      */
-    cryptSharedLibPath?: string;
+    cryptSharedLibPath?: `${string}mongo_crypt_v${number}.${'so' | 'dll' | 'dylib'}`;
     /**
      * If specified, never use mongocryptd and instead fail when the MongoDB Crypt
      * shared library could not be loaded.
@@ -183,7 +178,7 @@ export class AutoEncrypter {
   [kDecorateResult] = false;
 
   /** @internal */
-  static getMongoCrypt(): MongoCryptConstructor {
+  static getMongoCrypt(): typeof MongoCrypt {
     const encryption = getMongoDBClientEncryption();
     if ('kModuleError' in encryption) {
       throw encryption.kModuleError;
@@ -258,8 +253,7 @@ export class AutoEncrypter {
     }
 
     const mongoCryptOptions: MongoCryptOptions = {
-      enableMultipleCollinfo: true,
-      cryptoCallbacks
+      errorWrapper: defaultErrorWrapper
     };
     if (options.schemaMap) {
       mongoCryptOptions.schemaMap = Buffer.isBuffer(options.schemaMap)

package/src/client-side-encryption/client_encryption.ts

@@ -1,7 +1,6 @@
 import type {
   ExplicitEncryptionContextOptions,
   MongoCrypt,
-  MongoCryptConstructor,
   MongoCryptOptions
 } from 'mongodb-client-encryption';
 
@@ -26,8 +25,8 @@ import { type CreateCollectionOptions } from '../operations/create_collection';
 import { type DeleteResult } from '../operations/delete';
 import { type CSOTTimeoutContext, TimeoutContext } from '../timeout';
 import { MongoDBCollectionNamespace, resolveTimeoutOptions } from '../utils';
-import * as cryptoCallbacks from './crypto_callbacks';
 import {
+  defaultErrorWrapper,
   MongoCryptCreateDataKeyError,
   MongoCryptCreateEncryptedCollectionError,
   MongoCryptInvalidArgumentError
@@ -87,7 +86,7 @@ export class ClientEncryption {
   _credentialProviders?: CredentialProviders;
 
   /** @internal */
-  static getMongoCrypt(): MongoCryptConstructor {
+  static getMongoCrypt(): typeof MongoCrypt {
     const encryption = getMongoDBClientEncryption();
     if ('kModuleError' in encryption) {
       throw encryption.kModuleError;
@@ -144,10 +143,10 @@ export class ClientEncryption {
 
     const mongoCryptOptions: MongoCryptOptions = {
       ...options,
-      cryptoCallbacks,
       kmsProviders: !Buffer.isBuffer(this._kmsProviders)
         ? (serialize(this._kmsProviders) as Buffer)
-        : this._kmsProviders
+        : this._kmsProviders,
+      errorWrapper: defaultErrorWrapper
     };
 
     this._keyVaultNamespace = options.keyVaultNamespace;
@@ -286,7 +285,7 @@ export class ClientEncryption {
    */
   async rewrapManyDataKey(
     filter: Filter<DataKey>,
-    options: ClientEncryptionRewrapManyDataKeyProviderOptions
+    options?: ClientEncryptionRewrapManyDataKeyProviderOptions
   ): Promise<{ bulkWriteResult?: BulkWriteResult }> {
     let keyEncryptionKeyBson = undefined;
     if (options) {

package/src/client-side-encryption/errors.ts

@@ -26,6 +26,9 @@ export class MongoCryptError extends MongoError {
   }
 }
 
+export const defaultErrorWrapper = (error: Error) =>
+  new MongoCryptError(error.message, { cause: error });
+
 /**
  * @public
  *

package/src/cmap/auth/aws_temporary_credentials.ts

@@ -1,10 +1,5 @@
 import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
 import { MongoAWSError } from '../../error';
-import { request } from '../../utils';
-
-const AWS_RELATIVE_URI = 'http://169.254.170.2';
-const AWS_EC2_URI = 'http://169.254.169.254';
-const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 
 /**
  * @internal
@@ -24,26 +19,9 @@ export interface AWSTempCredentials {
 /** @public **/
 export type AWSCredentialProvider = () => Promise<AWSCredentials>;
 
-/**
- * @internal
- *
- * Fetches temporary AWS credentials.
- */
-export abstract class AWSTemporaryCredentialProvider {
-  abstract getCredentials(): Promise<AWSTempCredentials>;
-  private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
-  protected static get awsSDK() {
-    AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
-    return AWSTemporaryCredentialProvider._awsSDK;
-  }
-
-  static get isAWSSDKInstalled(): boolean {
-    return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
-  }
-}
-
 /** @internal */
-export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
+export class AWSSDKCredentialProvider {
+  private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
   private _provider?: AWSCredentialProvider;
 
   /**
@@ -51,20 +29,23 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
    * @param credentialsProvider - The credentials provider.
    */
   constructor(credentialsProvider?: AWSCredentialProvider) {
-    super();
-
     if (credentialsProvider) {
       this._provider = credentialsProvider;
     }
   }
 
+  static get awsSDK() {
+    AWSSDKCredentialProvider._awsSDK ??= getAwsCredentialProvider();
+    return AWSSDKCredentialProvider._awsSDK;
+  }
+
   /**
    * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
    * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
    */
   private get provider(): () => Promise<AWSCredentials> {
-    if ('kModuleError' in AWSTemporaryCredentialProvider.awsSDK) {
-      throw AWSTemporaryCredentialProvider.awsSDK.kModuleError;
+    if ('kModuleError' in AWSSDKCredentialProvider.awsSDK) {
+      throw AWSSDKCredentialProvider.awsSDK.kModuleError;
     }
     if (this._provider) {
       return this._provider;
@@ -112,15 +93,15 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
 
     this._provider =
       awsRegionSettingsExist && useRegionalSts
-        ? AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain({
+        ? AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain({
             clientConfig: { region: AWS_REGION }
           })
-        : AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain();
+        : AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain();
 
     return this._provider;
   }
 
-  override async getCredentials(): Promise<AWSTempCredentials> {
+  async getCredentials(): Promise<AWSTempCredentials> {
     /*
      * Creates a credential provider that will attempt to find credentials from the
      * following sources (listed in order of precedence):
@@ -144,42 +125,3 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
     }
   }
 }
-
-/**
- * @internal
- * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
- * section of the Auth spec.
- */
-export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
-  override async getCredentials(): Promise<AWSTempCredentials> {
-    // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-    // is set then drivers MUST assume that it was set by an AWS ECS agent
-    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
-      return await request(
-        `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`
-      );
-    }
-
-    // Otherwise assume we are on an EC2 instance
-
-    // get a token
-    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
-      method: 'PUT',
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
-    });
-
-    // get role name
-    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    // get temp credentials
-    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    return creds;
-  }
-}

package/src/cmap/auth/mongo_credentials.ts

@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+  /** @internal */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;
@@ -134,26 +135,6 @@ export class MongoCredentials {
     this.mechanism = options.mechanism || AuthMechanism.MONGODB_DEFAULT;
     this.mechanismProperties = options.mechanismProperties || {};
 
-    if (this.mechanism.match(/MONGODB-AWS/i)) {
-      if (!this.username && process.env.AWS_ACCESS_KEY_ID) {
-        this.username = process.env.AWS_ACCESS_KEY_ID;
-      }
-
-      if (!this.password && process.env.AWS_SECRET_ACCESS_KEY) {
-        this.password = process.env.AWS_SECRET_ACCESS_KEY;
-      }
-
-      if (
-        this.mechanismProperties.AWS_SESSION_TOKEN == null &&
-        process.env.AWS_SESSION_TOKEN != null
-      ) {
-        this.mechanismProperties = {
-          ...this.mechanismProperties,
-          AWS_SESSION_TOKEN: process.env.AWS_SESSION_TOKEN
-        };
-      }
-    }
-
     if (this.mechanism === AuthMechanism.MONGODB_OIDC && !this.mechanismProperties.ALLOWED_HOSTS) {
       this.mechanismProperties = {
         ...this.mechanismProperties,