refactor: Bump mongodb-runner from 5.9.3 to 6.7.3

[mtrezza]

Changes

Bumps mongodb-runner (devDependency) from 5.9.3 to 6.7.3.

This also resolves tar security vulnerabilities transitively. The top-level tar package is updated to 7.5.13 (>= 7.5.11) which addresses multiple CVEs for tar versions <= 7.5.10.

Breaking Changes

None expected. mongodb-runner is a devDependency used only for test infrastructure (spinning up MongoDB instances in CI). The major version bump (5.x to 6.x) primarily reflects an upgrade of the internal @mongodb-js/mongodb-downloader dependency from 0.x to 1.x.

Code Changes Required

None.

Closes #10419

Summary by CodeRabbit

• Chores
  • Updated MongoDB-runner (5.9.3 → 6.7.3) and associated MongoDB development dependencies to latest versions for improved tooling support.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 10faaae4-72a1-4ced-a31f-8953fb01317e

📥 Commits

Reviewing files that changed from the base of the PR and between 406a927 and 61674ff.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

This PR updates the mongodb-runner development dependency from 5.9.3 to 6.7.3, cascading transitive dependency version changes including tar, minipass, and introducing new OIDC and X.509 support packages. The lockfile reflects resolved versions across the complete dependency tree.

Changes

Cohort / File(s)	Summary
Dependency Version Updates package.json, package-lock.json	Updated mongodb-runner from 5.9.3 to 6.7.3; broadened mongodb and mongodb-connection-string-url ranges to ^7.0.0. Transitive upgrades include tar (6.2.1→7.5.13), minipass (5.0.0→7.1.3), minizlib (2.1.2→3.1.0), and introduces @mongodb-js/oidc-mock-provider 0.13.7, @peculiar/x509 1.14.2, and related packages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ci: Fix MongoDB test instance not terminated after running tests #9860: Updates the mongodb-runner dependency version to align test-runner behavior with upstream changes.

🚥 Pre-merge checks | ✅ 4 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete. It lacks required sections from the template including Issue, Approach, and Tasks sections. While it provides useful context about the changes and linked issue, it does not follow the repository's description template structure.	Restructure the description to include Issue, Approach, and Tasks sections as specified in the repository template. Add Issue section linking to #10419, expand Approach section with details on approach taken, and include Tasks checklist.
Linked Issues check	⚠️ Warning	The PR only implements a partial update from #10419. The linked issue requires coordinated updates to tar, npm, and mongodb-runner, but this PR only updates mongodb-runner. Node compatibility confirmation and supply-chain auditing are not addressed.	Complete the remaining requirements from #10419: update tar to 7.5.13 and npm to 10.9.8, confirm Node ≥18 compatibility, audit package contents and prepare scripts, and run full test matrix for regressions.
Engage In Review Feedback	❓ Inconclusive	Git history shows only a single commit with no follow-up changes, but GitHub PR review comments are not accessible through git repository data alone.	Directly review the GitHub PR page at #10421 to examine all reviewer comments and author responses in the Conversation tab.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title correctly uses the 'refactor:' prefix as required and clearly describes the main change: bumping mongodb-runner from 5.9.3 to 6.7.3.
Out of Scope Changes check	✅ Passed	All changes in the PR (mongodb-runner and transitive dependency updates) are directly scoped to the objective of updating mongodb-runner from 5.9.3 to 6.7.3 as part of resolving #10419.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	Pull request resolves known security vulnerabilities (CVE-2024-28863, CVE-2024-28864) in tar and mongodb-runner without introducing new security risks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.513)

package.json

2026-04-10 18:44:21,119 [MainThread ] [ERROR] Template file not found: package.json
2026-04-10 18:44:21,121 [MainThread ] [ERROR] Template file not found: package.json
2026-04-10 18:44:21,124 [MainThread ] [ERROR] Template file not found: package.json
2026-04-10 18:44:21,163 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

ck__)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'
2026-04-10 18:44:21,196 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.49%. Comparing base (bf40004) to head (61674ff).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10421      +/-   ##
==========================================
- Coverage   92.49%   92.49%   -0.01%     
==========================================
  Files         192      192              
  Lines       16786    16786              
  Branches      234      234              
==========================================
- Hits        15527    15526       -1     
- Misses       1236     1237       +1     
  Partials       23       23              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

Closing this replacement PR. The mongodb-runner 6.x upgrade causes consistent CI failures on replica set topology tests (MongoDB 7 and MongoDB 8 ReplicaSet).

Root cause: There is a bug in mongodb-runner 6.x's removePortArg function in mongocluster.ts. When --port 27017 is passed via parse-server's npm scripts (mongodb-runner exec -t replset --version X -- --port 27017 -- npm run coverage), the function is supposed to remove the --port flag for secondary replica set members (so they can use random ports). However, removePortArg only removes the port value (27017) but leaves the --port flag itself in the array. This results in secondary members receiving invalid arguments like --port --replSet replSetName --port 0, causing mongod to fail to start and the "Server log output did not include port or socket" error.

The 5.x version handled this correctly by replacing the port value in-place: args.splice(args.indexOf('--port') + 1, 1, '0').

This is an upstream bug in mongodb-runner 6.x that needs to be fixed before this upgrade can proceed.