When running `npm audit fix` in my repo I'm now receiving critical warnings due to an old version of mysql2 in this package.
Output below:
```text
# npm audit report

mysql2  <=3.9.3
Severity: critical
mysql2 Remote Code Execution (RCE) via the readCodeFor function - https://github.com/advisories/GHSA-fpw7-j2hg-69v5
mysql2 vulnerable to Prototype Poisoning - https://github.com/advisories/GHSA-49j4-86m8-q2jw
mysql2 cache poisoning vulnerability - https://github.com/advisories/GHSA-mqr2-w7wj-jjgr
fix available via `npm audit fix`
node_modules/mysql2
  db-migrate-mysql  >=2.2.0
  Depends on vulnerable versions of mysql2
  node_modules/db-migrate-mysql

2 critical severity vulnerabilities
```
This seems like something that would be good to fix as soon as possible.
I looked it up: db-migrate-mysql is using mysql2 v2.2.5, which was released 4 years ago; since then there have been a lot of releases, and currently the latest version is 3.9.4.
Could we bump the version?
Since it's a major version update with potential breaking changes, will this be a big fix or something we could just bump and go on with our day?
Generally no problem with that. Since this is a major release, if you could validate by either pointing out what was broken in version 3 or testing the driver, we could bump it.
For a temp fix, if someone wants to remove this issue manually, just change the mysql2 version to ^3.9.7 in package-lock.json; find the dependencies in node_modules/db-migrate-mysql2 and node_modules/db-migrate-mysql/node_modules/mysql2.
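The hand-edit above works but is easy to get wrong, because the vulnerable copy is the nested one under `node_modules/db-migrate-mysql/node_modules/mysql2`, not the hoisted one. The following is an added example, not code from this issue or from the db-migrate-mysql project: it scans a parsed `package-lock.json` (lockfileVersion 2/3 `packages` map) for every copy of mysql2 at or below the `<=3.9.3` bound quoted in the audit report, and builds the package.json `overrides` entry that makes npm pin the transitive dependency to the suggested `^3.9.7` on the next install. The lockfile fragment at the bottom is constructed to mirror the situation in the issue; the function and constant names are my own.

```javascript
// Added example (not from the db-migrate-mysql issue or project): detect
// nested vulnerable mysql2 copies in a lockfile and emit an npm override.
const VULNERABLE_MAX = "3.9.3"; // upper bound from the npm audit report
const FIXED_VERSION = "^3.9.7"; // version range suggested in the comment

// Minimal semver comparison on the numeric major.minor.patch triple.
// Prerelease tags are ignored; returns <0, 0, >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile "packages" map and return every path whose package name
// is `name` and whose version is <= maxVulnerable. Nested installs appear as
// "node_modules/<parent>/node_modules/<name>", which a hoisted-only check
// (or a plain `npm ls` glance) would miss.
function findVulnerable(lock, name, maxVulnerable) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project entry
    const pkgName = path.split("node_modules/").pop();
    if (pkgName !== name || !entry.version) continue;
    if (compareVersions(entry.version, maxVulnerable) <= 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Build the package.json fragment that forces the transitive dependency to
// the fixed range; npm applies "overrides" to every nested copy on install,
// so the lockfile does not need to be edited by hand.
function buildOverride(name, fixed) {
  return { overrides: { [name]: fixed } };
}

// Constructed lockfile fragment (not a real project's lockfile): a hoisted
// patched mysql2 plus the old copy nested under db-migrate-mysql.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/mysql2": { version: "3.9.7" },
    "node_modules/db-migrate-mysql": { version: "2.2.0" },
    "node_modules/db-migrate-mysql/node_modules/mysql2": { version: "2.2.5" },
  },
};

// Summarise findings plus the remediation fragment in one object.
function report(lock) {
  const hits = findVulnerable(lock, "mysql2", VULNERABLE_MAX);
  return {
    vulnerable: hits,
    remediation: hits.length ? buildOverride("mysql2", FIXED_VERSION) : null,
  };
}

console.log(JSON.stringify(report(sampleLock), null, 2));
```

On a real checkout, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `report` instead of `sampleLock`. The override approach survives `npm install`, whereas an edited lockfile is rewritten the next time the dependency tree changes; either way, rerun `npm audit` afterwards to confirm the nested path is gone.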