This pull request updates the mysql2 module version in package.json and package-lock.json to address a high-severity vulnerability. The modifications ensure that the application no longer depends on a vulnerable version of mysql2 used by the express-mysql-session module.
Changes Made
Updated package.json:
Changed the version of the mysql2 module to a version higher than 3.9.8 to address the security vulnerability.
Updated package-lock.json:
Corresponding changes in package-lock.json to reflect the updated mysql2 module version.
Reason for Changes
The express-mysql-session module was using a version of mysql2 that is vulnerable to prototype pollution, as identified by the following advisory:
The npm audit report indicated the following issues:
mysql2 <3.9.8 - Severity: High
Vulnerable to Prototype Pollution
By updating the mysql2 module version, this pull request resolves these high-severity vulnerabilities and enhances the security of the application.
Audit Report Summary
```text
# npm audit report

mysql2  <3.9.8
Severity: high
mysql2 vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-pmh2-wpjm-fj45
fix available via `npm audit fix --force`
Will install express-mysql-session@2.1.8, which is a breaking change
node_modules/express-mysql-session/node_modules/mysql2
  express-mysql-session  >=3.0.0
  Depends on vulnerable versions of mysql2
  node_modules/express-mysql-session

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Additional Notes
`npm audit fix --force` was not run, to avoid unintended breaking changes. Instead, the specific dependency was manually updated to a secure version.
This update ensures compatibility with existing dependencies while addressing the identified vulnerabilities.