chore(deps): update dependency mysql2 to v3.9.8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mysql2 (source)	3.9.4 → 3.9.8

---

MySQL2 for Node Arbitrary Code Injection

CVE-2024-21511 / GHSA-4rch-2fh8-94vw

More information

Details

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21511
• https://github.com/sidorares/node-mysql2/pull/2608
• https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713
• https://github.com/sidorares/node-mysql2/releases/tag/v3.9.7
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6670046
• https://github.com/advisories/GHSA-4rch-2fh8-94vw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

mysql2 vulnerable to Prototype Pollution

CVE-2024-21512 / GHSA-pmh2-wpjm-fj45

More information

Details

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-21512
• https://github.com/sidorares/node-mysql2/pull/2702
• https://github.com/sidorares/node-mysql2/commit/efe3db527a2c94a63c2d14045baba8dfefe922bc
• https://gist.github.com/domdomi3/e9f0f9b9b1ed6bfbbc0bea87c5ca1e4a
• https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-7176010
• https://github.com/advisories/GHSA-pmh2-wpjm-fj45

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sidorares/node-mysql2 (mysql2)

v3.9.8

Compare Source

Bug Fixes

• security: sanitize fields and tables when using nestTables (#​2702) (efe3db5)
• support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#​2704) (2e03694)
• typings: typo from jonServerPublicKey to onServerPublicKey (#​2699) (8b5f691)

v3.9.7

Compare Source

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#​2608) (7d4b098)

v3.9.6

Compare Source

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#​2601) (705835d)

v3.9.5

Compare Source

Bug Fixes

• revert breaking change in results creation (#​2591) (f7c60d0)

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.