
Conversation

@Sunwuyuan
Member


Snyk has created this PR to upgrade mysql2 from 3.14.1 to 3.15.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 15 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Severity | Issue | Snyk ID | Score | Exploit Maturity
medium | Allocation of Resources Without Limits or Throttling | SNYK-JS-AXIOS-12613773 | 666 | Proof of Concept
low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 666 | Proof of Concept
low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 666 | Proof of Concept
critical | Predictable Value Range from Previous Values | SNYK-JS-FORMDATA-10841150 | 666 | Proof of Concept
high | Uncaught Exception | SNYK-JS-MULTER-10773732 | 666 | No Known Exploit
medium | Improper Handling of Unexpected Data Type | SNYK-JS-ONHEADERS-10773729 | 666 | No Known Exploit
medium | Improper Validation of Specified Type of Input | SNYK-JS-VALIDATOR-13395830 | 666 | No Known Exploit
Release notes
Package name: mysql2
  • 3.15.1 - 2025-09-24

    3.15.1 (2025-09-24)

    Bug Fixes

    • typings: fix missing callback to PoolCluster.end() (#3819) (53a9bc2)
  • 3.15.1-canary.53a9bc24 - 2025-09-24
  • 3.15.1-canary.288d757b - 2025-09-18
  • 3.15.0 - 2025-09-16

    3.15.0 (2025-09-16)

    Features

  • 3.14.6-canary.e72247f7 - 2025-09-09
  • 3.14.5 - 2025-09-08

    3.14.5 (2025-09-08)

    Bug Fixes

  • 3.14.5-canary.c091f1ba - 2025-09-08
  • 3.14.4 - 2025-09-01

    3.14.4 (2025-09-01)

    Bug Fixes

    • stream: destroy connection when stream errors (#3769) (cc34a83)
    • stream: resume connection when stream errors or is destroyed (#3775) (9642a1e)
    • stream: fix backpressure when using TLS (#1752) (64ea4cd)
  • 3.14.4-canary.cc34a833 - 2025-08-27
  • 3.14.4-canary.9642a1e5 - 2025-08-27
  • 3.14.4-canary.64ea4cdd - 2025-09-01
  • 3.14.3 - 2025-07-29

    3.14.3 (2025-07-29)

    Bug Fixes

    • resolve parser cache collision with dual typeCast connections (#3644) (ce2ad75)
  • 3.14.3-canary.ce2ad75a - 2025-07-26
  • 3.14.2 - 2025-07-10

    3.14.2 (2025-07-10)

    Bug Fixes

  • 3.14.2-canary.1ee48cce - 2025-07-10
  • 3.14.1 - 2025-04-27

    3.14.1 (2025-04-27)

    Bug Fixes

    • Fix for SET NAMES utf8 causing an unknown encoding error (#3551) 0617813
from mysql2 GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
mysql2

See this project in Snyk:
https://app.snyk.io/org/sunwuyuan/project/7f95d725-ca6f-4cce-ab56-8b055b9f632f?utm_source=github&utm_medium=referral&page=upgrade-pr
@vercel

vercel bot commented Oct 29, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
our-world | Ready | Preview | Comment | Oct 29, 2025 7:50am

@claude

claude bot commented Oct 29, 2025

Pull Request Review: mysql2 Upgrade (3.14.1 → 3.15.1)

Summary

This is a Snyk-automated dependency upgrade that updates mysql2 from ^3.6.0 (currently locked at 3.14.1) to ^3.15.1. The upgrade includes 15 version increments and addresses multiple security vulnerabilities.


✅ Code Quality & Best Practices

Positive aspects:

  • Clean, minimal change affecting only the dependency version
  • Uses semver caret range (^3.15.1) which is appropriate for automatic patch/minor updates
  • Automated dependency management helps maintain security posture

Recommendations:

  • The package.json currently specifies ^3.6.0 but the lock file shows 3.14.1 is installed. This PR changes the specifier to ^3.15.1, which is good for clarity and ensures the minimum version is up-to-date.

🐛 Potential Bugs & Issues

⚠️ Breaking Change Risk: LOW (according to Snyk metadata)

Potential concerns:

  1. Stream handling changes - Multiple stream-related fixes in the changelog (v3.14.4):

    • Connection destruction on stream errors
    • Connection resumption on stream errors/destruction
    • TLS backpressure fixes
    • Action needed: If your application uses streaming queries, test thoroughly
  2. Pool connection graceful shutdown - New feature in v3.15.0:

    • Graceful ending of pool connections was added
    • Action needed: Review any code using pool.end() or poolCluster.end() callbacks
  3. Parser cache collision fix (v3.14.3):

    • Resolved cache collision with dual typeCast connections
    • Action needed: If you use custom typeCast options, verify behavior
  4. DateTime handling change (v3.14.2):

    • Fixed columnType passing to readDateTimeString
    • Action needed: Test any DATE/DATETIME/TIMESTAMP field handling

🚀 Performance Considerations

Improvements:

  • Stream backpressure fixes (v3.14.4) should improve memory usage under load
  • Parser cache collision resolution (v3.14.3) may improve query parsing performance

Testing recommendations:

  • Load test with production-like query patterns
  • Monitor memory usage with streaming queries
  • Test connection pool behavior under high concurrency

🔒 Security Concerns

Critical fixes included:

Severity | Vulnerability | Score
🔴 Critical | Predictable Value Range (form-data) | 666
🟠 High | Uncaught Exception (multer) | 666
🟡 Medium | Resource Allocation (axios) | 666
🟡 Medium | Input Type Handling (on-headers) | 666
🟡 Medium | Input Validation (validator) | 666
🔵 Low | ReDoS (brace-expansion) | 666

Important notes:

  • While these vulnerabilities are listed by Snyk, they appear to be in transitive dependencies of mysql2, not mysql2 itself
  • The critical form-data vulnerability should be prioritized
  • All vulnerabilities have proof-of-concept exploits available

Recommendation: Merge this PR to address security issues, but also:

  1. Review your application's direct usage of affected packages (axios, multer, validator)
  2. Consider upgrading those packages directly if you use them
  3. Run pnpm audit or snyk test after merging to verify fixes

🧪 Test Coverage

Current state:

  • ❌ No test suite detected
  • Found test files: test/sudo-auth-test.js, test/unified-auth-test.js
  • Found script files: scripts/test-stream-upload.js, scripts/test-assets-upload.js

Critical recommendations:

  1. Before merging:

    • Manual smoke testing of database operations
    • Test authentication flows (based on test file names)
    • Test file upload functionality (especially streaming)
    • Verify pool connection management
  2. Database operations to test:

    • Basic CRUD operations
    • Connection pooling (acquire/release)
    • Streaming queries (if used)
    • Prepared statements
    • Transaction handling
    • Error handling and connection cleanup
  3. Long-term improvement:

    • Implement proper test suite
    • Add CI/CD pipeline with automated tests
    • Consider integration tests for mysql2 functionality

📋 Action Items Before Merging

  • Run manual testing of core database functionality
  • Test authentication flows (sudo-auth-test.js, unified-auth-test.js)
  • Test file upload/streaming (test-stream-upload.js, test-assets-upload.js)
  • Verify connection pool behavior
  • Check application logs for any new warnings/errors
  • Run pnpm audit after upgrade
  • Test in staging environment if available
  • Backup production database before deploying

🎯 Recommendation

✅ APPROVE with conditions

This upgrade addresses important security vulnerabilities and includes several bug fixes. The changes are relatively low-risk (minor version bump), but due to lack of automated tests, thorough manual testing is essential before merging.

Confidence level: Medium-High

  • Pros: Security fixes, bug fixes, active maintenance
  • Cons: No automated test coverage, stream handling changes require validation

Merge timeline: After manual testing is complete and passes all database operations.


Note: This project uses Prisma (based on package.json). If Prisma is your primary database interface, the risk is even lower as Prisma abstracts most mysql2 usage. However, still verify that Prisma is compatible with mysql2 3.15.1.

@claude

claude bot commented Oct 29, 2025

Pull Request Review - mysql2 Upgrade (3.14.1 → 3.15.1)

Summary

This PR upgrades mysql2 from version 3.14.1 to 3.15.1, which addresses multiple security vulnerabilities in transitive dependencies. Overall, this is a recommended upgrade with low risk.


✅ Code Quality & Best Practices

Positive Aspects:

  • The upgrade follows semantic versioning (minor version bump)
  • Package version constraint uses caret (^) which is appropriate for production dependencies
  • The project uses Prisma ORM as the database abstraction layer, which shields the codebase from direct mysql2 API changes

Observations:

  • No direct imports of mysql2 were found in the codebase
  • All database operations go through Prisma Client (@prisma/client), which internally uses mysql2
  • This indirect usage pattern provides good isolation from mysql2 API changes

🐛 Potential Bugs or Issues

Low Risk - No Breaking Changes Detected:

  • The mysql2 releases between 3.14.1 and 3.15.1 contain bug fixes and a new feature for graceful pool shutdown
  • No breaking changes were documented in the changelog
  • Key improvements in this version range:
    • Fixed missing callback typing for PoolCluster.end() (v3.15.1)
    • Added graceful pool connection termination (v3.15.0)
    • Fixed stream error handling and TLS backpressure issues (v3.14.4)
    • Fixed parser cache collision with dual typeCast connections (v3.14.3)
    • Fixed DateTime parsing (v3.14.2)

Recommendations:

  • Since Prisma abstracts mysql2, the upgrade should be transparent
  • However, testing database operations after upgrade is still recommended

⚡ Performance Considerations

Positive Changes:

  • Stream backpressure fixes (v3.14.4) may improve performance for large result sets
  • Graceful connection termination (v3.15.0) should improve connection pool behavior
  • Parser cache collision fix (v3.14.3) eliminates potential performance issues with multiple connection types

No Performance Regressions Expected:

  • This is a minor version bump with bug fixes and features
  • No reported performance degradations in the changelog

🔒 Security Concerns

Critical Security Fixes:
The primary motivation for this upgrade appears to be addressing vulnerabilities in transitive dependencies (not mysql2 itself):

  • CRITICAL: form-data - Predictable Value Range (SNYK-JS-FORMDATA-10841150)
  • ⚠️ HIGH: multer - Uncaught Exception (SNYK-JS-MULTER-10773732)
  • ⚠️ MEDIUM: axios - Resource Allocation Without Limits (SNYK-JS-AXIOS-12613773)
  • ⚠️ MEDIUM: on-headers - Improper Handling of Unexpected Data Type (SNYK-JS-ONHEADERS-10773729)
  • ⚠️ MEDIUM: validator - Improper Input Validation (SNYK-JS-VALIDATOR-13395830)
  • ℹ️ LOW: brace-expansion - ReDoS vulnerabilities (2 instances)

Security Recommendation:
This upgrade should be merged to address the security vulnerabilities, especially the critical form-data issue.


🧪 Test Coverage

Current State:

  • No test files found in the repository (checked for *.test.js, *.spec.js)
  • The project has a test/ directory but it appears to be empty or not following standard naming conventions

Critical Recommendations:

  1. Add integration tests for database operations before merging significant dependency upgrades
  2. Consider adding tests for:
    • Database connection initialization
    • Basic CRUD operations via Prisma
    • Connection pool behavior
    • Transaction handling
    • Error scenarios

Testing Strategy for This PR:
Since no automated tests exist, recommend:

  1. Manual testing of core database functionality in a staging environment
  2. Verify connection pooling works correctly
  3. Test high-load scenarios if applicable
  4. Monitor error logs after deployment

📋 Additional Considerations

Dependency Management:

Deployment Recommendations:

  1. Test in a staging environment first
  2. Monitor application logs for any database connection issues
  3. Watch for any performance changes in database query execution
  4. Have a rollback plan ready

Related PRs:
Consider reviewing these related dependency upgrades together:


✅ Final Recommendation

APPROVE with conditions:

  1. ✅ Merge this PR to address security vulnerabilities
  2. ⚠️ Test database functionality in staging before production deployment
  3. ⚠️ Add test coverage for database operations in future work
  4. 💡 Consider merging PR [Snyk] Upgrade @prisma/client from 6.13.0 to 6.17.0 #45 (@prisma/client upgrade) alongside this one for better compatibility

Risk Level: 🟢 LOW - This is a minor version bump with bug fixes and security improvements, using an ORM abstraction layer.


🤖 Generated with Claude Code

@claude

claude bot commented Oct 29, 2025

Pull Request Review: mysql2 Upgrade from 3.14.1 to 3.15.1

Summary

This PR upgrades mysql2 from version 3.14.1 to 3.15.1, spanning 15 intermediate versions. This is an automated dependency upgrade by Snyk that addresses several security vulnerabilities.

Code Quality & Best Practices

Positive:

  • Minor version upgrade (semantic versioning suggests backward compatibility)
  • Automated dependency management using Snyk
  • Clear documentation of fixed vulnerabilities in PR description
  • Single-purpose change (follows single responsibility principle)

Observations:

  • The change is minimal and straightforward (1 line modified in package.json)
  • Uses caret version range which is appropriate for production dependencies

Potential Bugs & Issues

Medium Priority:

  1. No Test Coverage - The project has no automated tests in package.json. This makes it difficult to verify the upgrade does not break existing functionality.

  2. Version Range Concern - The current package.json shows mysql2 at v3.6.0, but this PR updates it to v3.15.1. This is a significant jump that skips many versions.

  3. Missing Integration Testing - Without knowing how mysql2 is used in the codebase (appears to be indirect through Prisma), verification of compatibility with your Prisma setup is needed.

Notable Changes in mysql2 v3.14.1 to v3.15.1:

  • v3.15.0: Added graceful pool connection ending
  • v3.14.4: Stream error handling improvements
  • v3.14.3: Fixed parser cache collision with dual typeCast connections
  • v3.14.2: DateTime parsing improvements
  • v3.15.1: Fixed TypeScript typing for PoolCluster.end() callback

Security Concerns

Critical - This PR Addresses Multiple Vulnerabilities:

The Snyk report indicates this upgrade fixes several security issues in transitive dependencies:

  • Critical: Predictable Value Range from Previous Values (formdata)
  • High: Uncaught Exception (multer)
  • Medium: Allocation of Resources Without Limits (axios), Improper Validation (validator), Improper Handling of Data Type (on-headers)
  • Low: ReDoS vulnerabilities (brace-expansion)

Recommendation: This security upgrade should be prioritized and merged promptly.

Performance Considerations

Based on the release notes:

  • v3.15.0 introduces graceful connection ending, which should improve cleanup performance
  • v3.14.4 fixes stream backpressure with TLS, potentially improving throughput
  • v3.14.3 resolves parser cache collision, which could improve query performance

Expected Impact: Minor performance improvements, especially for connection pooling and TLS connections.

Test Coverage

Critical Gap:

  • Project has no automated test suite
  • Cannot verify backward compatibility automatically
  • Regression testing relies entirely on manual QA

Recommendations:

  1. Add integration tests for database operations before merging large dependency updates
  2. Consider implementing smoke tests at minimum
  3. Test in a staging environment first
  4. Verify Prisma migrations work correctly with the new mysql2 version

Recommendations

Before Merging:

  1. Manual Testing Required - Test the following in a staging environment:

    • Database connections (ensure pool connections work)
    • All CRUD operations
    • Transaction handling
    • Connection pool behavior under load
    • Prisma migrations and queries
  2. Check Prisma Compatibility - Verify your Prisma version (6.13.0) is compatible with mysql2 3.15.1

  3. Review Lock File Changes - Ensure pnpm-lock.yaml updates are consistent

  4. Consider Staging Deployment - Deploy to a non-production environment first

After Merging:

  1. Monitor application logs for any database-related errors
  2. Watch for connection pool exhaustion or timeout issues
  3. Monitor query performance metrics

Long-term Improvements:

  1. Add Test Coverage - Implement automated testing (Jest/Mocha + Supertest)
  2. Add Pre-merge Checks - Set up CI/CD with automated tests
  3. Dependency Management - Consider using Renovate or Dependabot alongside Snyk

Verdict

Status: APPROVE with conditions

Rationale:

  • This is a necessary security upgrade addressing multiple vulnerabilities
  • Changes are minimal and follow semantic versioning
  • mysql2 maintains good backward compatibility for minor versions
  • Risk is low, but testing is essential due to lack of automated tests

Action Items:

  1. Manually test database operations in staging (Required)
  2. Verify Prisma compatibility (Required)
  3. Monitor production after deployment (Recommended)
  4. Create test suite (Future work)

Note: Given the security fixes and the conservative nature of this minor version upgrade, I recommend merging this PR after manual testing is complete. The lack of breaking changes and the security benefits outweigh the minimal risk.

Reviewed by Claude Code
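Two of the reviews above flag the same thing: the first notes that package.json said `^3.6.0` while the lock file resolved 3.14.1, and this one asks under "Version Range Concern" and "Review Lock File Changes" that the pnpm-lock.yaml stay consistent with the new `^3.15.1` specifier. The following is an added example, not code from this PR, from Snyk or from the mysql2 project: a dependency-free check that a package.json specifier admits the version the lock file resolved. The function names (`satisfies`, `auditLock`) and the manifest/lock objects are constructed for the illustration; it handles only caret ranges and exact versions, and treats prerelease builds such as the canary releases listed in the PR as outside a release-only range, which matches semver's prerelease rule. A real project would use the `semver` package instead.

```javascript
// Added example (not from this PR, Snyk or mysql2): does the specifier in
// package.json admit the version pinned in the lock file? Supports "^x.y.z"
// and exact "x.y.z" only; a real project should use the `semver` package.

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Numeric comparison of the major.minor.patch triple (prerelease tags are not compared here).
function compareCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Exclusive upper bound of a caret range: the next version that changes the
// left-most non-zero component (^3.15.1 -> <4.0.0, ^0.2.3 -> <0.3.0, ^0.0.4 -> <0.0.5).
function caretUpperBound(lo) {
  if (lo.major > 0) return { major: lo.major + 1, minor: 0, patch: 0 };
  if (lo.minor > 0) return { major: 0, minor: lo.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: lo.patch + 1 };
}

// True when `version` lies inside `specifier`. A prerelease build such as
// 3.15.1-canary.53a9bc24 is never admitted by a release-only specifier.
function satisfies(specifier, version) {
  const spec = String(specifier).trim();
  const v = parseVersion(version);
  if (v.prerelease !== null) return false;
  if (spec.startsWith('^')) {
    const lo = parseVersion(spec.slice(1));
    return compareCore(v, lo) >= 0 && compareCore(v, caretUpperBound(lo)) < 0;
  }
  return compareCore(v, parseVersion(spec)) === 0;
}

// Compare every manifest dependency with the version the lock file resolved and
// return the mismatches; an empty array means the lock is consistent.
function auditLock(manifest, lockVersions) {
  const problems = [];
  const sections = [manifest.dependencies || {}, manifest.devDependencies || {}];
  for (const deps of sections) {
    for (const [name, specifier] of Object.entries(deps)) {
      const resolved = lockVersions[name];
      if (resolved === undefined) {
        problems.push({ name, specifier, resolved: null, reason: 'not present in lock file' });
      } else if (!satisfies(specifier, resolved)) {
        problems.push({ name, specifier, resolved, reason: `${resolved} is outside ${specifier}` });
      }
    }
  }
  return problems;
}

// Constructed sample: package.json as changed by this PR, paired with a lock file
// that still resolves mysql2 3.14.1 (the inconsistency a reviewer should catch).
const manifestAfterPr = { dependencies: { mysql2: '^3.15.1', '@prisma/client': '^6.13.0' } };
const staleLock = { mysql2: '3.14.1', '@prisma/client': '6.13.0' };

for (const p of auditLock(manifestAfterPr, staleLock)) {
  console.log(`${p.name}: ${p.reason}`); // mysql2: 3.14.1 is outside ^3.15.1
}
```

Run with `node` on its own; the only output is the mysql2 mismatch. The point it makes about the PR is that widening the specifier from `^3.6.0` to `^3.15.1` raises the floor, so a lock file still resolving 3.14.1 (or a canary build) must be regenerated rather than merged as-is.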

@Sunwuyuan
Member Author

@claude Where else is MySQL2 still being used? Can it be removed now?
