Update mysql2 version #2415

Closed
nicholas-lockhart opened this issue Jun 20, 2024 · 5 comments
Labels
dependencies Pull requests that update a dependency file question Further information is requested

Comments

@nicholas-lockhart
Contributor

Which service (blob, file, queue, table) does this issue concern?

N/A

Which version of Azurite was used?

Azurite 3.30.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

DockerHub
mcr.microsoft.com/azure-storage/azurite:3.30.0

What's the Node.js version?

v20.10.0

What problem was encountered?

I noticed that the version of mysql2 (3.7.0) being used is several months old. I know that there were a couple of significant CVEs that were resolved in 3.9.7, and there was a new version created not too long ago (3.10.0).

When do we think that Azurite will be using a newer version of mysql2 for testing?

Steps to reproduce the issue?

N/A

Have you found a mitigation/solution?

@blueww blueww self-assigned this Jun 21, 2024
@blueww blueww added question Further information is requested dependencies Pull requests that update a dependency file labels Jun 21, 2024
@blueww
Member

blueww commented Jun 21, 2024

@nicholas-lockhart

Thanks for raising the issue!
Could you please help to clarify which mysql2 version you mean?

Do you mean the mysql client? Azurite currently refers to "mysql2": "^3.2.0"; see link.

We are currently working on some other new features and improvements, so this might not be our recent priority.

Azurite welcomes contributions!
It would be great if you could raise a PR to update the mysql2 version!

@nicholas-lockhart
Contributor Author

@blueww

Yes, the mysql client is the dependency in question. You can see here that it resolves to 3.7.0 for this project. Looking at NPM's available versions, it can be seen that there is now a 3.10.1 version available which has been a popular download, assuming it fixed some security issues based on the download count trends.
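An added example, not part of the original thread or of Azurite's code: a lockfile check for the situation discussed above, where package.json declares `"mysql2": "^3.2.0"` but the lockfile pins 3.7.0, below the 3.9.7 release the issue names. The helper names and the sample manifest and lockfile objects are constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not part of Azurite or npm.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Return <0, 0 or >0 as a is older than, equal to or newer than b.
// Numeric comparison matters: "3.10.0" is newer than "3.9.7".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when `version` satisfies a caret range such as "^3.2.0" (major >= 1 only).
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  const [major] = parseVersion(base);
  if (major === 0) throw new Error("caret on 0.x has narrower semantics; not handled");
  return parseVersion(version)[0] === major && compareVersions(version, base) >= 0;
}

// Compare what package.json declares with what package-lock.json (v2/v3) pins.
function auditDependency(pkgJson, lockJson, name, minFixed) {
  const declared = (pkgJson.dependencies || {})[name];
  const entry = (lockJson.packages || {})[`node_modules/${name}`];
  if (!declared || !entry) throw new Error(`${name} not found in manifest or lockfile`);
  const lockedIsOld = compareVersions(entry.version, minFixed) < 0;
  const rangeAllowsFix = caretAllows(declared, minFixed);
  let action = "none";
  if (lockedIsOld) action = rangeAllowsFix ? "refresh-lockfile" : "raise-range-and-lockfile";
  return { declared, locked: entry.version, lockedIsOld, rangeAllowsFix, action };
}

// Constructed sample input using the versions quoted in this thread.
const samplePkg = { dependencies: { mysql2: "^3.2.0" } };
const sampleLock = { lockfileVersion: 3, packages: { "node_modules/mysql2": { version: "3.7.0" } } };
console.log(auditDependency(samplePkg, sampleLock, "mysql2", "3.9.7"));
```

Because `^3.2.0` already admits 3.9.7, it is the pinned lockfile entry that keeps an install from the lockfile on 3.7.0.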

@blueww
Member

blueww commented Jun 26, 2024

Hi @nicholas-lockhart

Azurite welcomes contributions!
It would be great if you could raise a PR to update the mysql2 version!

We are currently working on some other new features and improvements, so this might not be our recent priority.

@nicholas-lockhart
Contributor Author

@blueww, PR opened #2418

blueww pushed a commit that referenced this issue Jul 2, 2024
* Bump mysql2 for critical security updates

* Updated for upcoming release

* Corrected version

* Update mysql2 for recent package availability
@blueww
Member

blueww commented Jul 3, 2024

Close as the fix PR is merged. #2418
The fix will be in the next Azurite release.

@blueww blueww closed this as completed Jul 3, 2024