fix(deps): update dependency mysql2 to v3.9.8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mysql2 (source)	3.9.0 -> 3.9.8

GitHub Vulnerability Alerts

CVE-2024-21507

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon : character within a value of the attacker-crafted key.

CVE-2024-21509

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

CVE-2024-21508

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.

CVE-2024-21511

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.

CVE-2024-21512

Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

---

Release Notes

sidorares/node-mysql2 (mysql2)

v3.9.8

Compare Source

Bug Fixes

• security: sanitize fields and tables when using nestTables (#​2702) (efe3db5)
• support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#​2704) (2e03694)
• typings: typo from jonServerPublicKey to onServerPublicKey (#​2699) (8b5f691)

v3.9.7

Compare Source

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#​2608) (7d4b098)

v3.9.6

Compare Source

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#​2601) (705835d)

v3.9.5

Compare Source

Bug Fixes

• revert breaking change in results creation (#​2591) (f7c60d0)

v3.9.4

Compare Source

Bug Fixes

• docs: improve the contribution guidelines (#​2552) (8a818ce)
• security: improve results object creation (#​2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#​2572) (74abf9e)

v3.9.3

Compare Source

Bug Fixes

• security: improve cache key formation (#​2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#​2131) (d9dccfd)

v3.9.2

Compare Source

Bug Fixes

• stream: premature close when it is paused (#​2416) (7c6bc64)
• types: expose TypeCast types (#​2425) (336a7f1)

v3.9.1

Compare Source

Bug Fixes

• types: support encoding for string type cast (#​2407) (1dc2011)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: sample/007-sequelize-app/package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @nestjs/common@10.3.1
npm ERR! Found: reflect-metadata@0.2.1
npm ERR! node_modules/reflect-metadata
npm ERR!   reflect-metadata@"0.2.1" from the root project
npm ERR!   peer reflect-metadata@"*" from sequelize-typescript@2.1.6
npm ERR!   node_modules/sequelize-typescript
npm ERR!     sequelize-typescript@"2.1.6" from the root project
npm ERR!     peer sequelize-typescript@"^2.0.0" from @nestjs/sequelize@10.0.0
npm ERR!     node_modules/@nestjs/sequelize
npm ERR!       @nestjs/sequelize@"10.0.0" from the root project
npm ERR!       1 more (@nestjs/terminus)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer reflect-metadata@"^0.1.12" from @nestjs/common@10.3.1
npm ERR! node_modules/@nestjs/common
npm ERR!   @nestjs/common@"10.3.1" from the root project
npm ERR!   peer @nestjs/common@"^10.0.0" from @nestjs/core@10.3.1
npm ERR!   node_modules/@nestjs/core
npm ERR!     @nestjs/core@"10.3.1" from the root project
npm ERR!     4 more (@nestjs/platform-express, @nestjs/sequelize, ...)
npm ERR!   4 more (@nestjs/platform-express, @nestjs/sequelize, ...)
npm ERR! 
npm ERR! Conflicting peer dependency: reflect-metadata@0.1.14
npm ERR! node_modules/reflect-metadata
npm ERR!   peer reflect-metadata@"^0.1.12" from @nestjs/common@10.3.1
npm ERR!   node_modules/@nestjs/common
npm ERR!     @nestjs/common@"10.3.1" from the root project
npm ERR!     peer @nestjs/common@"^10.0.0" from @nestjs/core@10.3.1
npm ERR!     node_modules/@nestjs/core
npm ERR!       @nestjs/core@"10.3.1" from the root project
npm ERR!       4 more (@nestjs/platform-express, @nestjs/sequelize, ...)
npm ERR!     4 more (@nestjs/platform-express, @nestjs/sequelize, ...)
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/renovate/cache/others/npm/_logs/2024-04-23T23_04_08_991Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-04-23T23_04_08_991Z-debug-0.log

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @nestjs/sequelize@10.0.0
npm ERR! Found: reflect-metadata@0.2.1
npm ERR! node_modules/reflect-metadata
npm ERR!   dev reflect-metadata@"0.2.1" from the root project
npm ERR!   peer reflect-metadata@"^0.1.12 || ^0.2.0" from @nestjs/common@10.3.2
npm ERR!   node_modules/@nestjs/common
npm ERR!     dev @nestjs/common@"10.3.2" from the root project
npm ERR!     peer @nestjs/common@"^8.0.0 || ^9.0.0 || ^10.0.0" from @mikro-orm/nestjs@5.2.3
npm ERR!     node_modules/@mikro-orm/nestjs
npm ERR!       dev @mikro-orm/nestjs@"5.2.3" from the root project
npm ERR!     11 more (@nestjs/axios, @nestjs/core, @nestjs/mapped-types, ...)
npm ERR!   7 more (@nestjs/core, @nestjs/mapped-types, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer reflect-metadata@"^0.1.13" from @nestjs/sequelize@10.0.0
npm ERR! node_modules/@nestjs/sequelize
npm ERR!   dev @nestjs/sequelize@"10.0.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: reflect-metadata@0.1.14
npm ERR! node_modules/reflect-metadata
npm ERR!   peer reflect-metadata@"^0.1.13" from @nestjs/sequelize@10.0.0
npm ERR!   node_modules/@nestjs/sequelize
npm ERR!     dev @nestjs/sequelize@"10.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-04-23T23_04_24_800Z-debug-0.log