Hello everyone, it’s time for another update on the weekly work we’ve been doing since Meteor 3.3.

Meteor 3.3.1-rc.2 is now available!

This release focuses on catching up on pending work around the MongoDB driver upgrade, adding Cordova 14 support to help migrate your apps to Android SDK 35, and refining the new build stack based on your feedback.

Tasks and fixes for Meteor 3.3.1-rc.2

• MongoDB Driver Upgrades
  • Upgraded core MongoDB driver to 6.16.0 to address latest issues reported #13710
  • Introduced npm-mongo-legacy to maintain compatibility with MongoDB 3.6 via mongodb@6.9.0 #13736
  • Mitigated a cursor leak issue by synchronizing next() and close() operations #13786
• Mobile Support
  • Upgraded Cordova platform to version 14 #13837
• Improved SWC integration
  • Fixed edge cases in config cache invalidation #13809
  • Ensured @swc/helpers is consistently used for better bundle size and performance #13820
  • Updated to SWC 1.12.14 #13851
• Tooling and Build System
  • Fixed regression affecting rebuild behavior #13810
  • Addressed issues getting performance profiles in mounted volumes #13827
  • Fallback to Babel parser when Acorn fails to parse source code #13844
• Developer Experience
  • Added TypeScript types for isModern and getMinimumBrowserVersions functions #13704
  • Enhanced CLI help output and documented admin commands #13826
• Vite Tooling
  • Updated official Meteor + Vite skeletons #13835
• Runtime & Dependencies
  • Updated to Node.js 22.17.1 #13853
  • Bumped meteor-node-stubs to 1.2.21 #13825

Your feedback is crucial in adjusting this beta before the official launch. Our core team is running tests, but community testing is key to ensuring Meteor 3.3.1 is stable. Let us know what you find!

Hands on

Please run the following command to update your project:

meteor update --release 3.3.1-rc.2

or create a new app with:

meteor create --release 3.3.1-rc.2

Highlights

MongoDB Driver Upgrade

Before Meteor 3.3, we had already prepared a Mongo driver upgrade, including fixes we contributed that directly affected Meteor. However, we found a breaking change in some apps and decided to hold the update until we could address the issue.

MongoDB 3.6 is not supported beyond driver version 6.9.0. To avoid problems for projects still using it, we’ve created a new package:

meteor add npm-mongo-legacy

This pins the driver to 6.9.0 for compatibility.

Don’t add this package if you’re using MongoDB 4 or newer. The new driver 6.16.0 will be used automatically.

Keep in mind that older MongoDB versions won’t receive updates. We recommend migrating to MongoDB 5 or later, as the upcoming driver 6.17.0 will drop support for version 4. We’ll continue maintaining npm-mongo-legacy so you can still receive Meteor updates.

Cordova Upgrade

As every year around this time, Android now requires native apps to target a new minimum SDK version, this time API 35 and above. To comply, the Cordova platform bundled with Meteor has been updated to version 14.

See the Cordova 14 Changelog for details and migration steps.

Modern Build Stack

Meteor 3.3.1 release focuses on addressing your feedback on the new modern build stack introduced in Meteor 3.3. Thanks to your reports and reproduction steps, we’ve fixed several edge cases, including support for @swc/helpers to lean the bundles, cache invalidation issues and improvements to the meteor profile command.

To help reduce your bundle size when using SWC, run in your Meteor project:

meteor npm install --save @swc/helpers

This ensures the modern build stack using SWC externalizes common helpers, avoiding duplication and reducing overhead. This is only needed if you’re using the modern build stack.

image1420×135 67.1 KB

This picture shows how @swc/helpers reduces your app’s bundle size, fixing a regression compared to using Babel.

If you’re interested in adopting the new modern build stack and get 3x faster build times, here’s how to migrate:

Add this to your package.json to enable the modern build stack:

"meteor": {
  "modern": true
}

Check the docs for help with the SWC migration, especially if your project uses multiple Babel plugins:

Modern Transpiler: SWC docs

If you find any issues, please report them to the Meteor issues tracker.

Huge thanks to our contributors

• @nachocodoner
• @italojs
• @StorytellerCZ
• @JorgenVatle
• @welkinwong
• @Saksham-Goel1107

Join us and contribute! Test this beta, check out Meteor GitHub issues or start with Good first issues.

What’s Next?

• Meteor 3.3.1 – Coming Soon
  • The release is complete and live.
  • We’re testing and acting on feedback.
  • Official 3.3.1 release will follow after testing
• Meteor 3.4 – On the Horizon
  • Deeper bundler integration with Meteor-Rspack for new production features, better plugin support, and faster builds
  • Optimizations like dev-only packages to reduce final server build size
  • Includes many community-driven improvements
• Meteor 3.5 – Beyond
  • Add support for MongoDB change streams in the Meteor reactivity layer through a new driver that replaces the current OPLOG and polling strategies.

Stay tuned, and as always, happy coding!

Looking forward to talk to you about this on today’s Dispatches:

Mongo <4.x CVEs list mentioned in the live

1. CVE-2017-15535 – Memory Corruption via Network Compression

• Description: A vulnerability in MongoDB when the networkMessageCompressors option is enabled allows an unauthenticated remote attacker to send a specially crafted message that can cause memory corruption, leading to a crash or potentially remote code execution (RCE).
• Affected Versions: MongoDB < 3.4.10
• Severity: Critical — Remote unauthenticated DoS or RCE
• CVE-2017-15535 on NVD

2. CVE-2019-2386 – Authentication Session Reuse After User Deletion

• Description: If a user is deleted but another user is created with the same name shortly after, any active authentication session associated with the deleted user may persist and be accepted as valid for the new user. This can lead to privilege escalation or unauthorized access.
• Affected Versions: MongoDB 3.6 < 3.6.13, MongoDB 4.0 < 4.0.9
• Severity: High — Privilege Escalation
• CVE-2019-2386 on NVD

3. CVE-2019-2390 – Local Code Execution via OpenSSL Config (Windows only)

• Description: On Windows, MongoDB utility binaries load OpenSSL configuration files from paths that can be controlled by low-privileged users. This allows an attacker to execute arbitrary code when an admin runs one of these tools.
• Affected Versions: MongoDB 3.6 < 3.6.14, MongoDB 4.0 < 4.0.11 (on Windows)
• Severity: High — Local Code Execution
• CVE-2019-2390 on NVD

4. CVE-2019-20925 – Remote DoS via Malformed Mongo Wire Protocol Message

• Description: MongoDB does not properly handle certain malformed messages sent over the wire protocol. An unauthenticated attacker can send a specially crafted compressed packet that exhausts the decompressor’s memory and crashes the server.
• Affected Versions: MongoDB 3.6 < 3.6.15, MongoDB 4.0 < 4.0.13, MongoDB 4.2 < 4.2.1
• Severity: High — Remote Denial of Service (pre-authentication)
• CVE-2019-20925 on NVD

5. CVE-2020-7928 – Buffer Over-read via NULL Byte in Query

• Description: A specially crafted query containing a null byte (\x00) can cause a buffer over-read, allowing an attacker to read arbitrary memory from the mongod process. This could result in information disclosure and crash the server.
• Affected Versions: MongoDB 3.6 < 3.6.20, MongoDB 4.0 < 4.0.20
• Severity: High — Information Disclosure + Denial of Service
• CVE-2020-7928 on NVD