@Sunwuyuan (Member)

Snyk has created this PR to upgrade mysql2 from 3.14.1 to 3.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 21 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Severity           Issue                                                              Score  Exploit Maturity
medium severity    Allocation of Resources Without Limits or Throttling               666    Proof of Concept
                   SNYK-JS-AXIOS-12613773
medium severity    Allocation of Resources Without Limits or Throttling               666    No Known Exploit
                   SNYK-JS-BODYPARSER-14105059
low severity       Regular Expression Denial of Service (ReDoS)                       666    Proof of Concept
                   SNYK-JS-BRACEEXPANSION-9789073
low severity       Regular Expression Denial of Service (ReDoS)                       666    Proof of Concept
                   SNYK-JS-BRACEEXPANSION-9789073
critical severity  Predictable Value Range from Previous Values                       666    Proof of Concept
                   SNYK-JS-FORMDATA-10841150
high severity      Improper Verification of Cryptographic Signature                   666    No Known Exploit
                   SNYK-JS-JWS-14188253
high severity      Improper Verification of Cryptographic Signature                   666    No Known Exploit
                   SNYK-JS-JWS-14188253
high severity      Uncaught Exception                                                 666    No Known Exploit
                   SNYK-JS-MULTER-10773732
high severity      Incomplete Filtering of One or More Instances of Special Elements  666    Proof of Concept
                   SNYK-JS-VALIDATOR-13653476
medium severity    Improper Handling of Unexpected Data Type                          666    No Known Exploit
                   SNYK-JS-ONHEADERS-10773729
medium severity    Improper Validation of Specified Type of Input                     666    Proof of Concept
                   SNYK-JS-VALIDATOR-13395830
Release notes
Package name: mysql2
  • 3.16.0 - 2025-12-16

    3.16.0 (2025-12-16)

    Features

    • BaseConnection: add state getter to track connection lifecycle (#3958) (a394487)
  • 3.15.4-canary.a3944878 - 2025-12-16
  • 3.15.3 - 2025-10-21

    3.15.3 (2025-10-21)

    Bug Fixes

    • skip SNI for IP addresses in TLS connection (#3835) (6000eb2)
  • 3.15.3-canary.6000eb2f - 2025-10-14
  • 3.15.2 - 2025-10-08

    3.15.2 (2025-10-08)

    Bug Fixes

    • fix sha256_password to work correctly over a TLS connection (#3809) (fb9eae1)
  • 3.15.2-canary.fb9eae11 - 2025-10-03
  • 3.15.1 - 2025-09-24

    3.15.1 (2025-09-24)

    Bug Fixes

    • typings: fix missing callback to PoolCluster.end() (#3819) (53a9bc2)
  • 3.15.1-canary.53a9bc24 - 2025-09-24
  • 3.15.1-canary.288d757b - 2025-09-18
  • 3.15.0 - 2025-09-16

    3.15.0 (2025-09-16)

    Features

  • 3.14.6-canary.e72247f7 - 2025-09-09
  • 3.14.5 - 2025-09-08

    3.14.5 (2025-09-08)

    Bug Fixes

  • 3.14.5-canary.c091f1ba - 2025-09-08
  • 3.14.4 - 2025-09-01

    3.14.4 (2025-09-01)

    Bug Fixes

    • stream: destroy connection when stream errors (#3769) (cc34a83)
    • stream: resume connection when stream errors or is destroyed (#3775) (9642a1e)
    • stream: fix backpressure when using TLS (#1752) (64ea4cd)
  • 3.14.4-canary.cc34a833 - 2025-08-27
  • 3.14.4-canary.9642a1e5 - 2025-08-27
  • 3.14.4-canary.64ea4cdd - 2025-09-01
  • 3.14.3 - 2025-07-29

    3.14.3 (2025-07-29)

    Bug Fixes

    • resolve parser cache collision with dual typeCast connections (#3644) (ce2ad75)
  • 3.14.3-canary.ce2ad75a - 2025-07-26
  • 3.14.2 - 2025-07-10

    3.14.2 (2025-07-10)

    Bug Fixes

  • 3.14.2-canary.1ee48cce - 2025-07-10
  • 3.14.1 - 2025-04-27

    3.14.1 (2025-04-27)

    Bug Fixes

    • Fix for SET NAMES utf8 causing an unknown encoding error (#3551) 0617813
from mysql2 GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
mysql2

See this project in Snyk:
https://app.snyk.io/org/sunwuyuan/project/7f95d725-ca6f-4cce-ab56-8b055b9f632f?utm_source=github&utm_medium=referral&page=upgrade-pr
Copilot AI review requested due to automatic review settings January 14, 2026 04:00
@vercel

vercel bot commented Jan 14, 2026

Project    Deployment  Review  Updated (UTC)
our-world  Error       Error   Jan 14, 2026 4:00am

Copilot AI left a comment

Pull request overview

This PR upgrades the mysql2 dependency from version 3.14.1 to 3.16.0 to address multiple security vulnerabilities identified by Snyk. The upgrade includes 21 intermediate versions with bug fixes and minor features.

Changes:

  • Updates mysql2 minimum version requirement from ^3.6.0 to ^3.16.0 in package.json
  • Resolves 11 security vulnerabilities ranging from low to critical severity
  • Incorporates bug fixes for TLS connections, stream handling, and type definitions

@claude

claude bot commented Jan 14, 2026

Pull Request Review: mysql2 Upgrade (3.14.1 → 3.16.0)

Overview

This PR upgrades mysql2 from version 3.14.1 to 3.16.0 (21 versions ahead). This is an automated security and maintenance upgrade by Snyk.

✅ Code Quality & Best Practices

  • Automated Dependency Management: Good practice using Snyk for automated security updates
  • Change Scope: Minimal impact - single line change in package.json
  • Semantic Versioning: Minor version bump (3.14.1 → 3.16.0), should be backward compatible

🐛 Potential Issues

CRITICAL - Test Coverage Gap:

  • ⚠️ No automated tests exist for mysql2/database functionality (package.json:7 shows "test": "echo \"Error: no test specified\" && exit 1")
  • The project uses Prisma ORM which depends on mysql2, but there are no integration tests to validate database connectivity after this upgrade
  • Test files found (test/unified-auth-test.js, test/sudo-auth-test.js) are manual scripts, not automated test suites

Recommendation: Before merging, manually test:

  1. Database connection establishment
  2. Prisma operations (create, read, update, delete)
  3. Connection pooling behavior
  4. Authentication flows (the project has complex auth with OAuth, 2FA, passkeys)

🚀 Performance Considerations

Positive Changes (from mysql2 release notes):

  • v3.15.0: Graceful pool connection ending (#3148) - improves connection management
  • v3.14.4: Fixed stream backpressure when using TLS (#1752) - potential performance improvement for TLS connections
  • v3.16.0: Added state getter to track connection lifecycle (#3958) - better observability

Potential Concerns:

  • The Prisma schema (prisma/schema.prisma:9) uses relationMode = "prisma" which may behave differently with connection state changes
  • 21 version jump is significant - review full changelog for breaking changes

🔒 Security Concerns

Good:

  • Addresses multiple security vulnerabilities (Critical, High, Medium severity) in transitive dependencies:
    • CRITICAL: form-data predictable value range (SNYK-JS-FORMDATA-10841150)
    • HIGH: JWS improper signature verification (SNYK-JS-JWS-14188253)
    • HIGH: Validator incomplete filtering (SNYK-JS-VALIDATOR-13653476)
    • MEDIUM: axios & body-parser resource allocation issues

Concerns:

  • TLS Configuration: v3.15.3 fixes SNI for IP addresses in TLS - verify your database connection string doesn't use IP addresses directly, or ensure TLS configuration is correct
  • SHA256 Password Auth: v3.15.2 fixes sha256_password over TLS - if using this auth method, test thoroughly

🧪 Test Coverage Assessment

FAIL - Inadequate Test Coverage:

Current State:

  • ❌ No automated unit tests
  • ❌ No automated integration tests
  • ❌ No CI/CD test pipeline visible
  • ✅ Manual test scripts exist (but not executable in CI)

Impact: High risk for production deployment without validation

📋 Recommendations

Before Merging:

  1. Manual Testing (REQUIRED):

    npm install
    npm run prisma:pull  # Verify Prisma can connect
    node test/unified-auth-test.js  # Test authentication flows
    node test/sudo-auth-test.js     # Test sudo authentication
  2. Verify Database Connection:

    • Test in development environment first
    • Monitor connection pool behavior
    • Check for any connection timeout issues
  3. Review Breaking Changes:

    • Read mysql2 v3.15.0 release notes for graceful pool ending changes
    • Verify your application properly closes database connections on shutdown

After Merging:

  1. Add Automated Tests:

    // Example: tests/database.test.js (Jest; `test` and `expect` are Jest globals)
    import { PrismaClient } from '@prisma/client';
    
    test('database connection', async () => {
      const prisma = new PrismaClient();
      await prisma.$connect();
      // A trivial round-trip query proves the driver can reach the database
      const result = await prisma.$queryRaw`SELECT 1`;
      expect(result).toBeDefined();
      await prisma.$disconnect();
    });
  2. Monitor Production:

    • Watch for connection errors in logs
    • Monitor database connection pool metrics
    • Set up alerts for authentication failures

Long-term Improvements:

  1. Set up proper test framework (Jest, Vitest, or Mocha)
  2. Add integration tests for critical paths
  3. Implement CI/CD pipeline with automated testing
  4. Consider adding database migration tests

🎯 Verdict

Conditional Approval with Manual Testing Required

The upgrade itself is well-intentioned and addresses security vulnerabilities. However, the lack of automated tests means this change carries risk. The code change is minimal and the mysql2 updates appear beneficial, but proper validation is essential before production deployment.

Risk Level: MEDIUM

  • Low code risk (single dependency version bump)
  • High operational risk (no automated test validation)
  • Security benefit (addresses multiple CVEs)

Next Steps:

  1. Run manual tests in development environment
  2. If tests pass, deploy to staging environment
  3. Monitor for 24-48 hours before production
  4. Plan to add automated test coverage in follow-up PR

@claude

claude bot commented Jan 14, 2026

Pull Request Review: mysql2 Upgrade (3.14.1 → 3.16.0)

Summary

This PR upgrades the mysql2 dependency from version 3.14.1 to 3.16.0 (21 versions ahead). The upgrade addresses multiple security vulnerabilities in transitive dependencies.

Code Quality & Best Practices ✅

Positive aspects:

  • Clean, minimal change focused on a single dependency
  • Follows semantic versioning (minor version bump)
  • Package.json already uses caret range which will accept this update

Observations:

  • The project uses Prisma ORM as the database layer, which internally uses mysql2 as a driver
  • No direct mysql2 API calls found in the codebase - all database interactions go through Prisma
  • This means the upgrade is primarily for security fixes rather than new feature adoption

Security Assessment 🔒

Fixed vulnerabilities (High Priority):

Critical:

  • SNYK-JS-FORMDATA-10841150 - Predictable Value Range (Score: 666)

High Severity:

  • SNYK-JS-JWS-14188253 - Improper Verification of Cryptographic Signature (Score: 666) - 2 instances
  • SNYK-JS-MULTER-10773732 - Uncaught Exception (Score: 666)
  • SNYK-JS-VALIDATOR-13653476 - Incomplete Filtering of Special Elements (Score: 666)

Medium Severity:

  • SNYK-JS-AXIOS-12613773 - Allocation of Resources Without Limits (Score: 666)
  • SNYK-JS-BODYPARSER-14105059 - Allocation of Resources Without Limits (Score: 666)
  • SNYK-JS-ONHEADERS-10773729 - Improper Handling of Unexpected Data Type (Score: 666)
  • SNYK-JS-VALIDATOR-13395830 - Improper Validation of Specified Type (Score: 666)

Recommendation: STRONGLY RECOMMENDED - This upgrade fixes critical and high-severity vulnerabilities, especially cryptographic signature verification issues.

Potential Issues & Concerns

1. Breaking Changes Analysis

mysql2 v3.16.0 changelog highlights:

  • v3.16.0: Adds BaseConnection.state getter - NON-BREAKING (new feature)
  • v3.15.3: SNI fix for IP addresses - BUG FIX
  • v3.15.2: sha256_password TLS fix - BUG FIX
  • v3.15.1: TypeScript typing fix - NON-BREAKING
  • v3.15.0: Graceful pool connection ending - ENHANCEMENT

Assessment: No breaking changes detected. All updates are additive features or bug fixes.

2. Compatibility Concerns

  • Prisma compatibility: Prisma 6.13.0 should be compatible with mysql2 3.16.0
  • Action needed: Verify Prisma connection pooling works correctly with the graceful shutdown feature added in v3.15.0

3. Testing Gap

Critical Issue: No automated tests exist in this project. This makes it difficult to verify:

  • Database connection stability
  • Query execution correctness
  • Connection pool behavior
  • Error handling

Performance Considerations

Positive impacts:

  • v3.15.0 adds graceful pool connection ending (benefits during server shutdown)
  • v3.14.4 includes TLS backpressure fixes - important for SSL/TLS database connections
  • v3.15.3 improves SNI handling for IP-based connections

No negative performance impacts expected.

Test Coverage

Current state:

  • No test suite exists
  • No integration tests for database operations

Recommendations:

  1. Before merging: Manually test critical user flows:

    • User registration/login
    • Project creation/update
    • OAuth flows
    • Asset uploads
  2. After merging: Monitor production logs for database connection errors

  3. Long-term: Add integration tests for database operations

Final Verdict

APPROVE with conditions

Strengths:

  • Fixes multiple critical and high-severity security vulnerabilities
  • No breaking changes in mysql2 3.16.0
  • Minimal change scope reduces risk

Required actions before merge:

  1. Manual testing of critical flows
  2. Verify database connectivity in staging/development
  3. Run pnpm audit to confirm vulnerabilities are resolved
  4. Ensure pnpm-lock.yaml is updated

Post-merge monitoring:

  1. Watch for database connection errors in logs
  2. Monitor application performance metrics

Deployment recommendation: Merge after successful manual testing, deploy to staging first, monitor for 24-48 hours before production.

Generated by Claude Code - Review completed 2026-01-14

3 participants