mongodb 7.1.0 → 7.2.0

package/src/cmap/auth/plain.ts

@@ -1,4 +1,4 @@
-import { Binary } from '../../bson';
+import { Binary, ByteUtils } from '../../bson';
 import { MongoMissingCredentialsError } from '../../error';
 import { ns } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
@@ -12,7 +12,7 @@ export class Plain extends AuthProvider {
 
     const { username, password } = credentials;
 
-    const payload = new Binary(Buffer.from(`\x00${username}\x00${password}`));
+    const payload = new Binary(ByteUtils.fromUTF8(`\x00${username}\x00${password}`));
     const command = {
       saslStart: 1,
       mechanism: 'PLAIN',

package/src/cmap/auth/scram.ts

@@ -1,7 +1,6 @@
 import { saslprep } from '@mongodb-js/saslprep';
-import * as crypto from 'crypto';
 
-import { Binary, type Document } from '../../bson';
+import { Binary, ByteUtils, type Document } from '../../bson';
 import {
   MongoInvalidArgumentError,
   MongoMissingCredentialsError,
@@ -65,21 +64,21 @@ function cleanUsername(username: string) {
   return username.replace('=', '=3D').replace(',', '=2C');
 }
 
-function clientFirstMessageBare(username: string, nonce: Buffer) {
+function clientFirstMessageBare(username: string, nonce: Uint8Array) {
   // NOTE: This is done b/c Javascript uses UTF-16, but the server is hashing in UTF-8.
   // Since the username is not sasl-prep-d, we need to do this here.
-  return Buffer.concat([
-    Buffer.from('n=', 'utf8'),
-    Buffer.from(username, 'utf8'),
-    Buffer.from(',r=', 'utf8'),
-    Buffer.from(nonce.toString('base64'), 'utf8')
+  return ByteUtils.concat([
+    ByteUtils.fromUTF8('n='),
+    ByteUtils.fromUTF8(username),
+    ByteUtils.fromUTF8(',r='),
+    ByteUtils.fromUTF8(ByteUtils.toBase64(nonce))
   ]);
 }
 
 function makeFirstMessage(
   cryptoMethod: CryptoMethod,
   credentials: MongoCredentials,
-  nonce: Buffer
+  nonce: Uint8Array
 ) {
   const username = cleanUsername(credentials.username);
   const mechanism =
@@ -91,7 +90,7 @@ function makeFirstMessage(
     saslStart: 1,
     mechanism,
     payload: new Binary(
-      Buffer.concat([Buffer.from('n,,', 'utf8'), clientFirstMessageBare(username, nonce)])
+      ByteUtils.concat([ByteUtils.fromUTF8('n,,'), clientFirstMessageBare(username, nonce)])
     ),
     autoAuthorize: 1,
     options: { skipEmptyExchange: true }
@@ -136,7 +135,7 @@ async function continueScramConversation(
   const processedPassword =
     cryptoMethod === 'sha256' ? saslprep(password) : passwordDigest(username, password);
 
-  const payload: Binary = Buffer.isBuffer(response.payload)
+  const payload: Binary = ByteUtils.isUint8Array(response.payload)
     ? new Binary(response.payload)
     : response.payload;
 
@@ -157,37 +156,37 @@ async function continueScramConversation(
 
   // Set up start of proof
   const withoutProof = `c=biws,r=${rnonce}`;
-  const saltedPassword = HI(
+  const saltedPassword = await HI(
     processedPassword,
-    Buffer.from(salt, 'base64'),
+    ByteUtils.fromBase64(salt),
     iterations,
     cryptoMethod
   );
 
-  const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
-  const serverKey = HMAC(cryptoMethod, saltedPassword, 'Server Key');
-  const storedKey = H(cryptoMethod, clientKey);
+  const clientKey = await HMAC(cryptoMethod, saltedPassword, 'Client Key');
+  const serverKey = await HMAC(cryptoMethod, saltedPassword, 'Server Key');
+  const storedKey = await H(cryptoMethod, clientKey);
   const authMessage = [
     clientFirstMessageBare(username, nonce),
     payload.toString('utf8'),
     withoutProof
   ].join(',');
 
-  const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
+  const clientSignature = await HMAC(cryptoMethod, storedKey, authMessage);
   const clientProof = `p=${xor(clientKey, clientSignature)}`;
   const clientFinal = [withoutProof, clientProof].join(',');
 
-  const serverSignature = HMAC(cryptoMethod, serverKey, authMessage);
+  const serverSignature = await HMAC(cryptoMethod, serverKey, authMessage);
   const saslContinueCmd = {
     saslContinue: 1,
     conversationId: response.conversationId,
-    payload: new Binary(Buffer.from(clientFinal))
+    payload: new Binary(ByteUtils.fromUTF8(clientFinal))
   };
 
   const r = await connection.command(ns(`${db}.$cmd`), saslContinueCmd, undefined);
   const parsedResponse = parsePayload(r.payload);
 
-  if (!compareDigest(Buffer.from(parsedResponse.v, 'base64'), serverSignature)) {
+  if (!compareDigest(ByteUtils.fromBase64(parsedResponse.v), serverSignature)) {
     throw new MongoRuntimeError('Server returned an invalid signature');
   }
 
@@ -199,7 +198,7 @@ async function continueScramConversation(
   const retrySaslContinueCmd = {
     saslContinue: 1,
     conversationId: r.conversationId,
-    payload: Buffer.alloc(0)
+    payload: ByteUtils.allocate(0)
   };
 
   await connection.command(ns(`${db}.$cmd`), retrySaslContinueCmd, undefined);
@@ -229,31 +228,36 @@ function passwordDigest(username: string, password: string) {
     throw new MongoInvalidArgumentError('Password cannot be empty');
   }
 
-  let md5: crypto.Hash;
+  let nodeCrypto;
   try {
-    md5 = crypto.createHash('md5');
+    // TODO: NODE-7424 - remove dependency on 'crypto' for SCRAM-SHA-1 authentication
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    nodeCrypto = require('crypto');
+  } catch (e) {
+    throw new MongoRuntimeError(
+      'Node.js crypto module is required for SCRAM-SHA-1 authentication',
+      {
+        cause: e
+      }
+    );
+  }
+
+  try {
+    const md5 = nodeCrypto.createHash('md5');
+    md5.update(`${username}:mongo:${password}`, 'utf8');
+    return md5.digest('hex');
   } catch (err) {
-    if (crypto.getFips()) {
+    if (nodeCrypto.getFips()) {
       // This error is (slightly) more helpful than what comes from OpenSSL directly, e.g.
       // 'Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS'
       throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
     }
     throw err;
   }
-  md5.update(`${username}:mongo:${password}`, 'utf8');
-  return md5.digest('hex');
 }
 
 // XOR two buffers
-function xor(a: Buffer, b: Buffer) {
-  if (!Buffer.isBuffer(a)) {
-    a = Buffer.from(a);
-  }
-
-  if (!Buffer.isBuffer(b)) {
-    b = Buffer.from(b);
-  }
-
+function xor(a: Uint8Array, b: Uint8Array) {
   const length = Math.max(a.length, b.length);
   const res = [];
 
@@ -261,19 +265,35 @@ function xor(a: Buffer, b: Buffer) {
     res.push(a[i] ^ b[i]);
   }
 
-  return Buffer.from(res).toString('base64');
+  return ByteUtils.toBase64(ByteUtils.fromNumberArray(res));
 }
 
-function H(method: CryptoMethod, text: Buffer) {
-  return crypto.createHash(method).update(text).digest();
+async function H(method: CryptoMethod, text: Uint8Array): Promise<Uint8Array> {
+  const buffer = await crypto.subtle.digest(method === 'sha256' ? 'SHA-256' : 'SHA-1', text);
+  return new Uint8Array(buffer);
 }
 
-function HMAC(method: CryptoMethod, key: Buffer, text: Buffer | string) {
-  return crypto.createHmac(method, key).update(text).digest();
+async function HMAC(
+  method: CryptoMethod,
+  key: Uint8Array,
+  text: Uint8Array | string
+): Promise<Uint8Array> {
+  const keyBuffer = ByteUtils.toLocalBufferType(key);
+  const cryptoKey = await crypto.subtle.importKey(
+    'raw',
+    keyBuffer,
+    { name: 'HMAC', hash: { name: method === 'sha256' ? 'SHA-256' : 'SHA-1' } },
+    false,
+    ['sign', 'verify']
+  );
+  const textData: Uint8Array = typeof text === 'string' ? new TextEncoder().encode(text) : text;
+  const textBuffer = ByteUtils.toLocalBufferType(textData);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textBuffer);
+  return new Uint8Array(signature);
 }
 
 interface HICache {
-  [key: string]: Buffer;
+  [key: string]: Uint8Array;
 }
 
 let _hiCache: HICache = {};
@@ -288,21 +308,32 @@ const hiLengthMap = {
   sha1: 20
 };
 
-function HI(data: string, salt: Buffer, iterations: number, cryptoMethod: CryptoMethod) {
+async function HI(data: string, salt: Uint8Array, iterations: number, cryptoMethod: CryptoMethod) {
   // omit the work if already generated
-  const key = [data, salt.toString('base64'), iterations].join('_');
+  const key = [data, ByteUtils.toBase64(salt), iterations].join('_');
   if (_hiCache[key] != null) {
     return _hiCache[key];
   }
 
-  // generate the salt
-  const saltedData = crypto.pbkdf2Sync(
-    data,
-    salt,
-    iterations,
-    hiLengthMap[cryptoMethod],
-    cryptoMethod
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(data),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveBits']
   );
+  const params = {
+    name: 'PBKDF2',
+    salt: salt,
+    iterations: iterations,
+    hash: { name: cryptoMethod === 'sha256' ? 'SHA-256' : 'SHA-1' }
+  };
+  const derivedBits = await crypto.subtle.deriveBits(
+    params,
+    keyMaterial,
+    hiLengthMap[cryptoMethod] * 8
+  );
+  const saltedData = new Uint8Array(derivedBits);
 
   // cache a copy to speed up the next lookup, but prevent unbounded cache growth
   if (_hiCacheCount >= 200) {
@@ -314,15 +345,11 @@ function HI(data: string, salt: Buffer, iterations: number, cryptoMethod: Crypto
   return saltedData;
 }
 
-function compareDigest(lhs: Buffer, rhs: Uint8Array) {
+function compareDigest(lhs: Uint8Array, rhs: Uint8Array) {
   if (lhs.length !== rhs.length) {
     return false;
   }
 
-  if (typeof crypto.timingSafeEqual === 'function') {
-    return crypto.timingSafeEqual(lhs, rhs);
-  }
-
   let result = 0;
   for (let i = 0; i < lhs.length; i++) {
     result |= lhs[i] ^ rhs[i];

package/src/cmap/commands.ts

@@ -1,5 +1,13 @@
-import type { BSONSerializeOptions, Document, Long } from '../bson';
-import * as BSON from '../bson';
+import {
+  BSON,
+  type BSONSerializeOptions,
+  ByteUtils,
+  type Document,
+  type Long,
+  NumberUtils,
+  readInt32LE,
+  setUint32LE
+} from '../bson';
 import { MongoInvalidArgumentError, MongoRuntimeError } from '../error';
 import { type ReadPreference } from '../read_preference';
 import type { ClientSession } from '../sessions';
@@ -30,7 +38,7 @@ const QUERY_FAILURE = 2;
 const SHARD_CONFIG_STALE = 4;
 const AWAIT_CAPABLE = 8;
 
-const encodeUTF8Into = BSON.BSON.onDemand.ByteUtils.encodeUTF8Into;
+const encodeUTF8Into = ByteUtils.encodeUTF8Into;
 
 /** @internal */
 export type WriteProtocolMessageType = OpQueryRequest | OpMsgRequest;
@@ -182,10 +190,10 @@ export class OpQueryRequest {
     if (this.batchSize !== this.numberToReturn) this.numberToReturn = this.batchSize;
 
     // Allocate write protocol header buffer
-    const header = Buffer.alloc(
+    const header = ByteUtils.allocate(
       4 * 4 + // Header
         4 + // Flags
-        Buffer.byteLength(this.ns) +
+        ByteUtils.utf8ByteLength(this.ns) +
         1 + // namespace
         4 + // numberToSkip
         4 // numberToReturn
@@ -256,7 +264,7 @@ export class OpQueryRequest {
     index = index + 4;
 
     // Write collection name
-    index = index + header.write(this.ns, index, 'utf8') + 1;
+    index = index + encodeUTF8Into(header, this.ns, index) + 1;
     header[index - 1] = 0;
 
     // Write header information flags numberToSkip
@@ -290,8 +298,8 @@ export interface MessageHeader {
 /** @internal */
 export class OpReply {
   parsed: boolean;
-  raw: Buffer;
-  data: Buffer;
+  raw: Uint8Array;
+  data: Uint8Array;
   opts: BSONSerializeOptions;
   length: number;
   requestId: number;
@@ -318,9 +326,9 @@ export class OpReply {
   moreToCome = false;
 
   constructor(
-    message: Buffer,
+    message: Uint8Array,
     msgHeader: MessageHeader,
-    msgBody: Buffer,
+    msgBody: Uint8Array,
     opts?: BSONSerializeOptions
   ) {
     this.parsed = false;
@@ -364,10 +372,10 @@ export class OpReply {
     this.index = 20;
 
     // Read the message body
-    this.responseFlags = this.data.readInt32LE(0);
-    this.cursorId = new BSON.Long(this.data.readInt32LE(4), this.data.readInt32LE(8));
-    this.startingFrom = this.data.readInt32LE(12);
-    this.numberReturned = this.data.readInt32LE(16);
+    this.responseFlags = readInt32LE(this.data, 0);
+    this.cursorId = new BSON.Long(readInt32LE(this.data, 4), readInt32LE(this.data, 8));
+    this.startingFrom = readInt32LE(this.data, 12);
+    this.numberReturned = readInt32LE(this.data, 16);
 
     if (this.numberReturned < 0 || this.numberReturned > 2 ** 32 - 1) {
       throw new RangeError(
@@ -433,7 +441,7 @@ export class DocumentSequence {
   documents: Document[];
   serializedDocumentsLength: number;
   private chunks: Uint8Array[];
-  private header: Buffer;
+  private header: Uint8Array;
 
   /**
    * Create a new document sequence for the provided field.
@@ -446,7 +454,7 @@ export class DocumentSequence {
     this.serializedDocumentsLength = 0;
     // Document sequences starts with type 1 at the first byte.
     // Field strings must always be UTF-8.
-    const buffer = Buffer.allocUnsafe(1 + 4 + this.field.length + 1);
+    const buffer = ByteUtils.allocateUnsafe(1 + 4 + this.field.length + 1);
     buffer[0] = 1;
     // Third part is the field name at offset 5 with trailing null byte.
     encodeUTF8Into(buffer, `${this.field}\0`, 5);
@@ -473,7 +481,13 @@ export class DocumentSequence {
     // Push the document raw bson.
     this.chunks.push(buffer);
     // Write the new length.
-    this.header?.writeInt32LE(4 + this.field.length + 1 + this.serializedDocumentsLength, 1);
+    if (this.header) {
+      NumberUtils.setInt32LE(
+        this.header,
+        1,
+        4 + this.field.length + 1 + this.serializedDocumentsLength
+      );
+    }
     return this.serializedDocumentsLength + this.header.length;
   }
 
@@ -482,7 +496,7 @@ export class DocumentSequence {
    * @returns The section bytes.
    */
   toBin(): Uint8Array {
-    return Buffer.concat(this.chunks);
+    return ByteUtils.concat(this.chunks);
   }
 }
 
@@ -531,8 +545,8 @@ export class OpMsgRequest {
       typeof options.exhaustAllowed === 'boolean' ? options.exhaustAllowed : false;
   }
 
-  toBin(): Buffer[] {
-    const buffers: Buffer[] = [];
+  toBin(): Uint8Array[] {
+    const buffers: Uint8Array[] = [];
     let flags = 0;
 
     if (this.checksumPresent) {
@@ -547,7 +561,7 @@ export class OpMsgRequest {
       flags |= OPTS_EXHAUST_ALLOWED;
     }
 
-    const header = Buffer.alloc(
+    const header = ByteUtils.allocate(
       4 * 4 + // Header
         4 // Flags
     );
@@ -558,11 +572,13 @@ export class OpMsgRequest {
     const command = this.command;
     totalLength += this.makeSections(buffers, command);
 
-    header.writeInt32LE(totalLength, 0); // messageLength
-    header.writeInt32LE(this.requestId, 4); // requestID
-    header.writeInt32LE(0, 8); // responseTo
-    header.writeInt32LE(OP_MSG, 12); // opCode
-    header.writeUInt32LE(flags, 16); // flags
+    NumberUtils.setInt32LE(header, 0, totalLength); // messageLength
+    NumberUtils.setInt32LE(header, 4, this.requestId); // requestID
+    NumberUtils.setInt32LE(header, 8, 0); // responseTo
+    NumberUtils.setInt32LE(header, 12, OP_MSG); // opCode
+    // The OP_MSG spec calls out that flags is uint32:
+    // https://github.com/mongodb/specifications/blob/master/source/message/OP_MSG.md#op_msg-1
+    setUint32LE(header, 16, flags); // flags
     return buffers;
   }
 
@@ -571,7 +587,7 @@ export class OpMsgRequest {
    */
   makeSections(buffers: Uint8Array[], document: Document): number {
     const sequencesBuffer = this.extractDocumentSequences(document);
-    const payloadTypeBuffer = Buffer.allocUnsafe(1);
+    const payloadTypeBuffer = ByteUtils.allocateUnsafe(1);
     payloadTypeBuffer[0] = 0;
 
     const documentBuffer = this.serializeBson(document);
@@ -606,11 +622,11 @@ export class OpMsgRequest {
       }
     }
     if (chunks.length > 0) {
-      return Buffer.concat(chunks);
+      return ByteUtils.concat(chunks);
     }
     // If we have no document sequences we return an empty buffer for nothing to add
     // to the payload.
-    return Buffer.alloc(0);
+    return ByteUtils.allocate(0);
   }
 
   serializeBson(document: Document): Uint8Array {
@@ -630,8 +646,8 @@ export class OpMsgRequest {
 /** @internal */
 export class OpMsgResponse {
   parsed: boolean;
-  raw: Buffer;
-  data: Buffer;
+  raw: Uint8Array;
+  data: Uint8Array;
   opts: BSONSerializeOptions;
   length: number;
   requestId: number;
@@ -652,9 +668,9 @@ export class OpMsgResponse {
   sections: Uint8Array[] = [];
 
   constructor(
-    message: Buffer,
+    message: Uint8Array,
     msgHeader: MessageHeader,
-    msgBody: Buffer,
+    msgBody: Uint8Array,
     opts?: BSONSerializeOptions
   ) {
     this.parsed = false;
@@ -676,7 +692,7 @@ export class OpMsgResponse {
     this.fromCompressed = msgHeader.fromCompressed;
 
     // Read response flags
-    this.responseFlags = msgBody.readInt32LE(0);
+    this.responseFlags = readInt32LE(msgBody, 0);
     this.checksumPresent = (this.responseFlags & OPTS_CHECKSUM_PRESENT) !== 0;
     this.moreToCome = (this.responseFlags & OPTS_MORE_TO_COME) !== 0;
     this.exhaustAllowed = (this.responseFlags & OPTS_EXHAUST_ALLOWED) !== 0;
@@ -700,9 +716,12 @@ export class OpMsgResponse {
     this.index = 4;
 
     while (this.index < this.data.length) {
-      const payloadType = this.data.readUInt8(this.index++);
+      const payloadType = this.data[this.index++];
       if (payloadType === 0) {
-        const bsonSize = this.data.readUInt32LE(this.index);
+        // BSON spec specifies that this is a 32-bit signed integer: https://bsonspec.org/spec.html#:~:text=%3A%3A%3D-,int32,-e_list%20unsigned_byte(0
+        // While allowing negative sizes seems odd, in practice we never expect a negative size. Also, the server's 16mb limit for BSON documents leaves plenty
+        // of room in an int32 to store a document of the max BSON size that the server supports
+        const bsonSize = readInt32LE(this.data, this.index);
         const bin = this.data.subarray(this.index, this.index + bsonSize);
 
         this.sections.push(bin);
@@ -758,31 +777,31 @@ export class OpCompressedRequest {
     return !uncompressibleCommands.has(commandName);
   }
 
-  async toBin(): Promise<Buffer[]> {
-    const concatenatedOriginalCommandBuffer = Buffer.concat(this.command.toBin());
+  async toBin(): Promise<Uint8Array[]> {
+    const concatenatedOriginalCommandBuffer = ByteUtils.concat(this.command.toBin());
     // otherwise, compress the message
     const messageToBeCompressed = concatenatedOriginalCommandBuffer.slice(MESSAGE_HEADER_SIZE);
 
     // Extract information needed for OP_COMPRESSED from the uncompressed message
-    const originalCommandOpCode = concatenatedOriginalCommandBuffer.readInt32LE(12);
+    const originalCommandOpCode = readInt32LE(concatenatedOriginalCommandBuffer, 12);
 
     // Compress the message body
     const compressedMessage = await compress(this.options, messageToBeCompressed);
     // Create the msgHeader of OP_COMPRESSED
-    const msgHeader = Buffer.alloc(MESSAGE_HEADER_SIZE);
-    msgHeader.writeInt32LE(
-      MESSAGE_HEADER_SIZE + COMPRESSION_DETAILS_SIZE + compressedMessage.length,
-      0
+    const msgHeader = ByteUtils.allocate(MESSAGE_HEADER_SIZE);
+    NumberUtils.setInt32LE(
+      msgHeader,
+      0,
+      MESSAGE_HEADER_SIZE + COMPRESSION_DETAILS_SIZE + compressedMessage.length
     ); // messageLength
-    msgHeader.writeInt32LE(this.command.requestId, 4); // requestID
-    msgHeader.writeInt32LE(0, 8); // responseTo (zero)
-    msgHeader.writeInt32LE(OP_COMPRESSED, 12); // opCode
-
+    NumberUtils.setInt32LE(msgHeader, 4, this.command.requestId); // requestID
+    NumberUtils.setInt32LE(msgHeader, 8, 0); // responseTo (zero)
+    NumberUtils.setInt32LE(msgHeader, 12, OP_COMPRESSED); // opCode
     // Create the compression details of OP_COMPRESSED
-    const compressionDetails = Buffer.alloc(COMPRESSION_DETAILS_SIZE);
-    compressionDetails.writeInt32LE(originalCommandOpCode, 0); // originalOpcode
-    compressionDetails.writeInt32LE(messageToBeCompressed.length, 4); // Size of the uncompressed compressedMessage, excluding the MsgHeader
-    compressionDetails.writeUInt8(Compressor[this.options.agreedCompressor], 8); // compressorID
+    const compressionDetails = ByteUtils.allocate(COMPRESSION_DETAILS_SIZE);
+    NumberUtils.setInt32LE(compressionDetails, 0, originalCommandOpCode); // originalOpcode
+    NumberUtils.setInt32LE(compressionDetails, 4, messageToBeCompressed.length); // Size of the uncompressed compressedMessage, excluding the MsgHeader
+    compressionDetails[8] = Compressor[this.options.agreedCompressor]; // compressorID
     return [msgHeader, compressionDetails, compressedMessage];
   }
 }

package/src/cmap/connect.ts

@@ -224,6 +224,7 @@ export interface HandshakeDocument extends Document {
   compression: string[];
   saslSupportedMechs?: string;
   loadBalanced?: boolean;
+  backpressure: true;
 }
 
 /**
@@ -241,6 +242,7 @@ export async function prepareHandshakeDocument(
 
   const handshakeDoc: HandshakeDocument = {
     [serverApi?.version || options.loadBalanced === true ? 'hello' : LEGACY_HELLO_COMMAND]: 1,
+    backpressure: true,
     helloOk: true,
     client: clientMetadata,
     compression: compressors
@@ -279,6 +281,15 @@ export async function prepareHandshakeDocument(
   return handshakeDoc;
 }
 
+/**
+ * @internal
+ * Default TCP keepAlive initial delay in milliseconds.
+ * Set to half the Azure load balancer idle timeout (240s) to ensure
+ * probes fire well before cloud LBs (Azure, AWS PrivateLink/NLB)
+ * drop idle connections.
+ */
+export const DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS = 120_000;
+
 /** @public */
 export const LEGAL_TLS_SOCKET_OPTIONS = [
   'allowPartialTrustChain',
@@ -322,7 +333,7 @@ function parseConnectOptions(options: ConnectionOptions): SocketConnectOpts {
       (result as Document)[name] = options[name];
     }
   }
-  result.keepAliveInitialDelay ??= 120000;
+  result.keepAliveInitialDelay ??= DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS;
   result.keepAlive = true;
   result.noDelay = options.noDelay ?? true;
 
@@ -368,6 +379,9 @@ export async function makeSocket(options: MakeConnectionOptions): Promise<Stream
   const useTLS = options.tls ?? false;
   const connectTimeoutMS = options.connectTimeoutMS ?? 30000;
   const existingSocket = options.existingSocket;
+  const keepAliveInitialDelay =
+    options.keepAliveInitialDelay ?? DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS;
+  const noDelay = options.noDelay ?? true;
 
   let socket: Stream;
 
@@ -394,6 +408,12 @@ export async function makeSocket(options: MakeConnectionOptions): Promise<Stream
     socket = net.createConnection(parseConnectOptions(options));
   }
 
+  // Explicit setKeepAlive/setNoDelay are required because tls.connect() silently
+  // ignores these constructor options due to a Node.js bug.
+  // See: https://github.com/nodejs/node/issues/62003
+  // TODO(NODE-7474): remove this fix once the underlying Node.js issue is resolved.
+  socket.setKeepAlive(true, keepAliveInitialDelay);
+  socket.setNoDelay(noDelay);
   socket.setTimeout(connectTimeoutMS);
 
   let cancellationHandler: ((err: Error) => void) | null = null;