Advisories for Npm/Bson package

2020

Deserialization of Untrusted Data

bson is vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's `_bsontype`, leading to cases where an object is serialized as a document rather than the intended BSON type.

2018

Uncontrolled Resource Consumption

The MongoDB bson JavaScript module is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.