Merge remote-tracking branch 'refs/remotes/upstream/master' into fix/…

…streaming-interface-should-provide-dataset-index

.github/workflows/ci-linux.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [14.x, 16.x, 18.x, 20.x, "21.x"]
+        node-version: [18.x, 20.x, 21.x]
         mysql-version: ["mysql:8.0.33"]
         use-compression: [0, 1]
         use-tls: [0, 1]

.nycrc

@@ -0,0 +1,12 @@
+{
+  "all": true,
+  "include": ["index.js", "promise.js", "lib/**/*.js"],
+  "exclude": ["mysqldata/**", "node_modules/**", "test/**"],
+  "reporter": ["text", "lcov", "cobertura"],
+  "statements": 88,
+  "branches": 84,
+  "functions": 77,
+  "lines": 88,
+  "checkCoverage": true,
+  "clean": true
+}

Changelog.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## [3.9.7](https://github.com/sidorares/node-mysql2/compare/v3.9.6...v3.9.7) (2024-04-21)
+
+
+### Bug Fixes
+
+* **security:** sanitize timezone parameter value to prevent code injection ([#2608](https://github.com/sidorares/node-mysql2/issues/2608)) ([7d4b098](https://github.com/sidorares/node-mysql2/commit/7d4b098c7e29d5a6cb9eac2633bfcc2f0f1db713))
+
+## [3.9.6](https://github.com/sidorares/node-mysql2/compare/v3.9.5...v3.9.6) (2024-04-18)
+
+
+### Bug Fixes
+
+* binary parser sometimes reads out of packet bounds when results contain null and typecast is false ([#2601](https://github.com/sidorares/node-mysql2/issues/2601)) ([705835d](https://github.com/sidorares/node-mysql2/commit/705835d06ff437cf0bf3169dac0a5f68002c4f87))
+
+## [3.9.5](https://github.com/sidorares/node-mysql2/compare/v3.9.4...v3.9.5) (2024-04-17)
+
+
+### Bug Fixes
+
+* revert breaking change in results creation ([#2591](https://github.com/sidorares/node-mysql2/issues/2591)) ([f7c60d0](https://github.com/sidorares/node-mysql2/commit/f7c60d01a49666130f51d3847ccfdd3d6e3d33e9))
+
+## [3.9.4](https://github.com/sidorares/node-mysql2/compare/v3.9.3...v3.9.4) (2024-04-09)
+
+
+### Bug Fixes
+
+* **docs:** improve the contribution guidelines ([#2552](https://github.com/sidorares/node-mysql2/issues/2552)) ([8a818ce](https://github.com/sidorares/node-mysql2/commit/8a818ce0f30654eba854759e6409c0ac856fc448))
+* **security:** improve results object creation ([#2574](https://github.com/sidorares/node-mysql2/issues/2574)) ([4a964a3](https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691))
+* **security:** improve supportBigNumbers and bigNumberStrings sanitization ([#2572](https://github.com/sidorares/node-mysql2/issues/2572)) ([74abf9e](https://github.com/sidorares/node-mysql2/commit/74abf9ef94d76114d9a09415e28b496522a94805))
+
+## [3.9.3](https://github.com/sidorares/node-mysql2/compare/v3.9.2...v3.9.3) (2024-03-26)
+
+
+### Bug Fixes
+
+* **security:** improve cache key formation ([#2424](https://github.com/sidorares/node-mysql2/issues/2424)) ([0d54b0c](https://github.com/sidorares/node-mysql2/commit/0d54b0ca6498c823098426038162ef10df02c818))
+  * Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
+* update Amazon RDS SSL CA cert ([#2131](https://github.com/sidorares/node-mysql2/pull/2131)) ([d9dccfd](https://github.com/sidorares/node-mysql2/commit/d9dccfd837d701f377574b85a05586be89015460))
+
 ## [3.9.2](https://github.com/sidorares/node-mysql2/compare/v3.9.1...v3.9.2) (2024-02-26)
 
 
@@ -313,50 +352,50 @@
 
 3.0.0-rc.1 ( 6/11/2021 )
   - fix .ping() return value signature #1650
-  - documentation: clarify `SUM()` and `AVG()` 
+  - documentation: clarify `SUM()` and `AVG()`
     return types difference with mysqljs/myql    #1649
   - misc: add release-please action              #1631, #1647
-  - fix: .end() callback is not called 
+  - fix: .end() callback is not called
     when connection is in closed state           #1642, #1638
   - typescript: getConnection typings fix        #1620
   - fix uncatchable exception                    #1359
   - add mysql_clear_password built in support    #1552
-  - typescript: typings unit test, variouts type 
+  - typescript: typings unit test, variouts type
     improvements, server protocol additions      #1610, #1610
-  - typescript: more complete way of adding 
+  - typescript: more complete way of adding
     typings for the Server module                #1606
-  - typescript, documentation: improve prepared 
+  - typescript, documentation: improve prepared
     typings statements                           #1493
-  - typescript: add type declarations for Prepare 
+  - typescript: add type declarations for Prepare
     & PrepareStatementInfo                       #1565
-  - fix: webpack projects no longer show warning 
+  - fix: webpack projects no longer show warning
     for cardinal dependency                      #1589
-  - typescript: accept Buffer and Buffer[] in 
+  - typescript: accept Buffer and Buffer[] in
     typings for key, cert, and ca                #1599
-  - fix: use rotatingXor instead of xor in 
+  - fix: use rotatingXor instead of xor in
     sha256_password plugin                       #1592, #1044
   - documentation: add Simplified Chinese        #1572
   - fix: add type as an alias to columnType      #1546, #1549
   - Update collation list up to MySQL 8.0.26     #1410
   - typescript: Add minVersion for ssl option.   #1517
   - Add support for multi-factor authentication  #1436
-  - typescript: add namedPlaceholders option to 
+  - typescript: add namedPlaceholders option to
     QueryOptions interface                       #1475
-  - fix: update how the ECONNRESET error is 
+  - fix: update how the ECONNRESET error is
     caught when connection already closing       #1438
 
 
 2.3.3 ( 14/11/2021 )
   - no changes compared to 2.3.3-rc.0
 
 2.3.3-rc.0 ( 5/11/2021 )
-  - fix ColumnDefinition.db is broken when 
-    encoding is not utf-8                         #1423                 
+  - fix ColumnDefinition.db is broken when
+    encoding is not utf-8                         #1423
   - typeCast: Fix field.length to be number       #1427, #1426
   - initiall support for coverage reporting in CI #1425
   - fix performance regression for results with   #1445, #1432
-    large (300+) number of columns                
-                                                  
+    large (300+) number of columns
+
 
 2.3.2 ( 16/10/2021 )
   - fix regression causing typeCast + JSON field
@@ -365,34 +404,34 @@
 2.3.1 ( 15/10/2021 )
   - Update error codes up to mysql 8.0.26          #1411
   - perf: optimize Query.row call                  #1408
-  - build: update to node 12/14/16, migrate from 
+  - build: update to node 12/14/16, migrate from
     travis-ci and appveyor to GH actions, add perf
     benchmarking workflow                          #1406, #1399
   - perf: avoid leaking TextRow/BinaryRow object   #1402
-  - perf: optimize string decoding by removing 
+  - perf: optimize string decoding by removing
     the use of slice()                             #1401
   - perf: cache lazy-evaluated fields              #1400
   - fix: clear timeout after error                 #1390
-  - TS: adds the optional column changedRows to 
+  - TS: adds the optional column changedRows to
     ResultSetHeader                                #1377
 
 2.3.0 ( 5/08/2021 )
   - Add PoolCluster promise wrappers               #1369, #1363
   - support for connect and query timeouts         #1364
   - add missing query() method on PoolCluster      #1362
-  - fix incorrect parsing of passwords 
+  - fix incorrect parsing of passwords
     containing ":"                                 #1357
-  - handle errors generated by asynchronous 
+  - handle errors generated by asynchronous
     authentication plugins                         #1354
   - add proper handshake fatal error handling      #1352
-  - fix tests to work with the latest MySQL 
+  - fix tests to work with the latest MySQL
     server versions (up to 8.0.25)                 #1338
   - expose SQL query in errors                     #1295
   - typing and readme docs for rowAsArray          #1288
-  - allow unnamed placeholders even if the 
+  - allow unnamed placeholders even if the
     namedPlaceholders flag is enabled              #1251
   - better ESM support                             #1217
-  
+
 2.2.5 ( 21/09/2020 )
   - typings: add ResultSetHeader                   #1213
 
@@ -406,18 +445,18 @@
   - Add the authPlugins types to ConnectionOptions #1206
 
 2.2.1 ( 18/09/2020 )
-  - update package.json files entry to include 
+  - update package.json files entry to include
     type definition files                          #1205
 
 2.2.0 ( 18/09/2020 )
   - added TS type definitions                      #1204, #1028
-  - better error handling for invalid JSON row 
+  - better error handling for invalid JSON row
     responses                                      #915
   - fix for iconv-lite and some bundlers issues    #1187
   - error early when callbacks incorrectly passed  #1025
     to a promise wrapper
   - add support for sha256_password authentication #1153, #1152
-    plugin                                          
+    plugin
   - handle backpressure when loading data from     #1167
     file
   - Pass in the callback when ending the pool      #1170
@@ -438,26 +477,26 @@
   - added `enableKeepAlive` connection option      #1081, #683
 
 2.0.2
-  - Fix for clearing connection timeout state when 
+  - Fix for clearing connection timeout state when
     connection is re-attempted (failure or success) #1075
   - Avoid setting numeric config options to NaN     #1074, #721
   - PoolCluster#end now accepts a callback function #1065, #1063
 
 2.0.1
-  - Add missing authPlugins assignment in 
+  - Add missing authPlugins assignment in
     ConnectionConfig                                 #1052
-  - Fix 4.1 auth on old servers not 
+  - Fix 4.1 auth on old servers not
     supporting PLUGIN_AUTH                           #1062, #1054, #1053
 
 2.0.0
-  - Mysql8 caching_sha2_password - fix bug in 
-    authenticating when password is longer 
+  - Mysql8 caching_sha2_password - fix bug in
+    authenticating when password is longer
     than 19 chars                                     #1044 #1045
   - Support ConnectionConfig.flags as an array        #1003
 
 2.0.0-alpha1
-  - MAJOR: new `authPlugins` api replacing 
-    `authSwitchHandler`, added caching_sha2_password 
+  - MAJOR: new `authPlugins` api replacing
+    `authSwitchHandler`, added caching_sha2_password
     and mysql_native_password as default plugins.
     Added tests for mysql 8 and ssl. Mysql 8 server
     now supported with default settings.              #1021, #906, #991
@@ -469,16 +508,16 @@
   - fix pool ignoring namedPlaceholders config        #1022
 
 1.7.0
-  - Fix crashing when session info packet does not 
+  - Fix crashing when session info packet does not
     start with length-coded string                    #1004, #989
   - build: drop node 4 and 6 and add node v12         #997
-  - Add support for timezone connection option        #996, #15, #262, 
+  - Add support for timezone connection option        #996, #15, #262,
                                                       #642, #877, #888
-  - Make mysql2 compatible with minification          #992, #890, #899, 
+  - Make mysql2 compatible with minification          #992, #890, #899,
                                                       #890
   - fix serialisation of '00:00:00' time              #968, #967
   - Allow to set minVersion ssl option                #961, #960
-  - Fix a MaxListenersExceededWarning with stream 
+  - Fix a MaxListenersExceededWarning with stream
     local infile                                      #965
 
 1.6.5 (08/02/2019)
@@ -489,7 +528,7 @@
   - fix(debug): remove usage of callee                #882
 
 1.6.4 (08/11/2018)
- - revert changes breaking node v4 and add v4 to 
+ - revert changes breaking node v4 and add v4 to
    build matrix                                       #872, #873
 
 1.6.3 (06/10/2018)
@@ -509,7 +548,7 @@
  - Fixed `PromiseConnection.ping()` ignoring errors   #813
  - Added a uri parameter to the connection config     #815
  - Added a `.promise()` method shortcut on Pool,
-   Connection and PoolConnection                      #810 
+   Connection and PoolConnection                      #810
  - Added more functions from node-mysql:
    `createQuery`, `raw`, `escape`, `escapeId`,
    `format`                                           #799
@@ -525,7 +564,7 @@
  - use strich lru-cache version                        #751
  - bump sqlstring to 2.3.1
  - remove noAssert flag from Buffer functions          #748
- 
+
 1.5.2 (06/02/2018)
  - perf: Store Compiled Packet Parsers in a global
    cache                                               #722, #723
@@ -545,7 +584,7 @@
 1.5.0 (13/11/2017)
  - Added sqlMessage to Error callback object           #665
  - Normalized sqlState to a string of 5 chars          #667
-   as Mysql specifies it  
+   as Mysql specifies it
  - Remove destroyed promise pool connections from
    pool                                                #674, #672
  - Expose escape & format methods on connection pool   #669, #663

Contributing.md

@@ -16,6 +16,8 @@ Contributions are always welcomed. You can help **MySQL2** community in various
 - Performance improvements
 - Add Features
 
+---
+
 ## Security Issues
 
 Please contact project maintainers privately before opening a security issue on Github. It will allow us to fix the issue before attackers know about it.
@@ -24,18 +26,22 @@ Please contact project maintainers privately before opening a security issue on
 
 - Andrey Sidorov, sidorares@yandex.ru
 
+---
+
 ## New Features
 
 It's better to discuss an API before actually start implementing it. You can open an issue on Github. We can discuss design of API and implementation ideas.
 
+---
+
 ## Development
 
 We assume you already have these tools installed on your system:
 
 - MySQL Server
 - Node.JS
 
-As **MySQL2** is purely JS based you can develop it on Linux, Mac or Windows. Please follow these steps
+As **MySQL2** is purely JS based, you can develop it on Linux, Mac or Windows. Please follow these steps
 
 ```bash
 # clone node-mysql2
@@ -47,6 +53,40 @@ cd /path/to/node-mysql2
 npm install
 ```
 
+---
+
+### Commits and Pull Request Titles
+
+To ensure a clean commit history pattern, please use the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/#summary) format.
+
+Prefixes that will trigger a new release version:
+
+- `fix:` for patches, e.g., bug fixes that result in a patch version release.
+- `feat:` for new features, e.g., additions that result in a minor version release.
+
+Examples:
+
+- `fix: message`
+- `feat: message`
+- `docs: message`
+- `fix(module): message`
+- `feat(module): message`
+- etc.
+
+---
+
+### Including Tests
+
+#### Fixes
+
+Where possible, provide an error test case that your fix covers.
+
+#### Features
+
+Please ensure test cases to cover your features.
+
+---
+
 ### Running Tests
 
 Running tests requires MySQL server and an empty database. You can run `bash` command given below to create `test` database
@@ -77,3 +117,12 @@ FILTER='test-timestamp' npm run test
 # or
 FILTER='timeout' npm run test
 ```
+
+> [!Tip]
+> You can also run a single test by performing `node ./test/path-to-test-file`.
+
+For testing **coverage**:
+
+```bash
+npm run coverage-test
+```

codecov.yml

@@ -0,0 +1,6 @@
+coverage:
+  status:
+    project:
+      default:
+        target: 89%
+        threshold: 2%