The mysql npm package provides a pure JavaScript driver for connecting Node.js applications to MySQL databases. Versions 2.3.1 and 2.3.2 share the same core functionality and licensing (MIT), offering developers a lightweight driver with no native (compiled) dependencies. They have an identical set of runtime dependencies: 'bignumber.js' for handling large numbers, 'readable-stream' for stream processing, and 'require-all' for simplified module loading. Their development dependencies for testing and utility operations are likewise the same.
The key difference between versions 2.3.1 and 2.3.2 is the release date. Version 2.3.2 was released on May 29, 2014, two days after version 2.3.1 (May 27, 2014). This suggests that version 2.3.2 includes bug fixes, performance improvements, or minor adjustments made after the initial release of 2.3.1. The specific nature of these changes is not detailed in the provided metadata, so developers choosing between the two versions should generally opt for the newer 2.3.2 to benefit from any such enhancements, and check the changelog to confirm the full list of changes. With either version, developers are using a stable, well-maintained library for MySQL connectivity in Node.js projects.
All the vulnerabilities related to version 2.3.2 of the package

mysql Node.JS Module Vulnerable to Remote Memory Exposure

Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as the password. Only mysql running on Node.js versions below 6.0.0 is affected, because newer Node.js versions added a throw for this case.
Proof of Concept:

    // Constructed placeholder for the untrusted value: a number, not a
    // string, reaches the password option unchanged.
    var USERPROVIDEDINPUT = 1234;

    require('mysql').createConnection({
      host: 'localhost',
      user: 'user',
      password: USERPROVIDEDINPUT, // number instead of string triggers the bug
      database: 'my_db'
    }).connect();
Update to version 2.14.0 or later.