yutak23 / serverless-mysql-http

This is an emulator for the serverless driver of PlanetScale and TiDB, which are serverless MySQL services.
MIT License
0 stars 0 forks source link

fix(deps): update dependency mysql2 to v3.9.7 [security] #8

Closed renovate[bot] closed 6 months ago

renovate[bot] commented 7 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mysql2 (source) 3.6.5 -> 3.9.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-21507

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon : character within a value of the attacker-crafted key.

CVE-2024-21508

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

CVE-2024-21509

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

CVE-2024-21511

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.


Release Notes

sidorares/node-mysql2 (mysql2) ### [`v3.9.7`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#397-2024-04-21) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.6...v3.9.7) ##### Bug Fixes - **security:** sanitize timezone parameter value to prevent code injection ([#​2608](https://togithub.com/sidorares/node-mysql2/issues/2608)) ([7d4b098](https://togithub.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713)) ### [`v3.9.6`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#396-2024-04-18) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.5...v3.9.6) ##### Bug Fixes - binary parser sometimes reads out of packet bounds when results contain null and typecast is false ([#​2601](https://togithub.com/sidorares/node-mysql2/issues/2601)) ([705835d](https://togithub.com/sidorares/node-mysql2/commit/705835d06ff437cf0bf3169dac0a5f68002c4f87)) ### [`v3.9.5`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#395-2024-04-17) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.4...v3.9.5) ##### Bug Fixes - revert breaking change in results creation ([#​2591](https://togithub.com/sidorares/node-mysql2/issues/2591)) ([f7c60d0](https://togithub.com/sidorares/node-mysql2/commit/f7c60d01a49666130f51d3847ccfdd3d6e3d33e9)) ### [`v3.9.4`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#394-2024-04-09) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.3...v3.9.4) ##### Bug Fixes - **docs:** improve the contribution guidelines ([#​2552](https://togithub.com/sidorares/node-mysql2/issues/2552)) ([8a818ce](https://togithub.com/sidorares/node-mysql2/commit/8a818ce0f30654eba854759e6409c0ac856fc448)) - **security:** improve results object creation ([#​2574](https://togithub.com/sidorares/node-mysql2/issues/2574)) ([4a964a3](https://togithub.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691)) - **security:** improve supportBigNumbers and bigNumberStrings sanitization ([#​2572](https://togithub.com/sidorares/node-mysql2/issues/2572)) ([74abf9e](https://togithub.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805)) ### [`v3.9.3`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#393-2024-03-26) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.2...v3.9.3) ##### Bug Fixes - **security:** improve cache key formation ([#​2424](https://togithub.com/sidorares/node-mysql2/issues/2424)) ([0d54b0c](https://togithub.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818)) - Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab - update Amazon RDS SSL CA cert ([#​2131](https://togithub.com/sidorares/node-mysql2/pull/2131)) ([d9dccfd](https://togithub.com/sidorares/node-mysql2/commit/d9dccfd837d701f377574b85a05586be89015460)) ### [`v3.9.2`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#392-2024-02-26) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.1...v3.9.2) ##### Bug Fixes - **stream:** premature close when it is paused ([#​2416](https://togithub.com/sidorares/node-mysql2/issues/2416)) ([7c6bc64](https://togithub.com/sidorares/node-mysql2/commit/7c6bc642addb3e6fee1b1fdc84f83a72ff11ca4a)) - **types:** expose TypeCast types ([#​2425](https://togithub.com/sidorares/node-mysql2/issues/2425)) ([336a7f1](https://togithub.com/sidorares/node-mysql2/commit/336a7f1259c63d2dfe070fe400b141e89255844e)) ### [`v3.9.1`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#391-2024-01-29) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.9.0...v3.9.1) ##### Bug Fixes - **types:** support encoding for string type cast ([#​2407](https://togithub.com/sidorares/node-mysql2/issues/2407)) ([1dc2011](https://togithub.com/sidorares/node-mysql2/commit/1dc201144daceab0b12193ada0f13dbb25e917f6)) ### [`v3.9.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#390-2024-01-26) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.8.0...v3.9.0) ##### Features - introduce typeCast for `execute` method ([#​2398](https://togithub.com/sidorares/node-mysql2/issues/2398)) ([baaa92a](https://togithub.com/sidorares/node-mysql2/commit/baaa92a228d32012f7da07826674f7a736e3791d)) ### [`v3.8.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#380-2024-01-23) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.7.1...v3.8.0) ##### Features - **perf:** cache iconv decoder ([#​2391](https://togithub.com/sidorares/node-mysql2/issues/2391)) ([b95b3db](https://togithub.com/sidorares/node-mysql2/commit/b95b3dbe4bb34e36d0d1be6948e4d8a169d28eed)) ##### Bug Fixes - **stream:** premature close when using `for await` ([#​2389](https://togithub.com/sidorares/node-mysql2/issues/2389)) ([af47148](https://togithub.com/sidorares/node-mysql2/commit/af4714845603f70e3c1ef635f6c0750ff1987a9e)) - The removeIdleTimeoutConnectionsTimer did not clean up when the … ([#​2384](https://togithub.com/sidorares/node-mysql2/issues/2384)) ([18a44f6](https://togithub.com/sidorares/node-mysql2/commit/18a44f6a0a0b7ef41cc874d7a7bb2d3db83ea533)) - **types:** add missing types to TypeCast ([#​2390](https://togithub.com/sidorares/node-mysql2/issues/2390)) ([78ce495](https://togithub.com/sidorares/node-mysql2/commit/78ce4953e9c66d6cf40ffc2d252fa3701a2d4fe2)) ### [`v3.7.1`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#371-2024-01-17) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.7.0...v3.7.1) ##### Bug Fixes - add condition which allows code in callback to be reachable ([#​2376](https://togithub.com/sidorares/node-mysql2/issues/2376)) ([8d5b903](https://togithub.com/sidorares/node-mysql2/commit/8d5b903f5c24ef6378d4aa98d3fd4e13d39be4db)) ### [`v3.7.0`](https://togithub.com/sidorares/node-mysql2/blob/HEAD/Changelog.md#370-2024-01-07) [Compare Source](https://togithub.com/sidorares/node-mysql2/compare/v3.6.5...v3.7.0) ##### Features - **docs:** release documentation website ([#​2339](https://togithub.com/sidorares/node-mysql2/issues/2339)) ([c0d77c0](https://togithub.com/sidorares/node-mysql2/commit/c0d77c02d2f4ad22b46a712d270fc2654d26de4e))

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - "before 4am" in timezone Asia/Tokyo.

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.