build(deps): Bump mariadb from 3.5.2 to 3.5.3 #116

Merged: github-actions[bot] merged 1 commit into main from dependabot/npm_and_yarn/mariadb-3.5.3 (Jun 10, 2026)

dependabot Bot commented on behalf of github Jun 10, 2026

Bumps mariadb from 3.5.2 to 3.5.3.

Release notes

Sourced from mariadb's releases.

MariaDB Connector/Node.js 3.5.3

3.5.3 (Jun 1 2026)

Full Changelog

Notable changes

  • Minimum supported Node.js version is now 20 (was 18; Node 18 went EOL in April 2025)
  • CONJS-346: Add RowsWithMeta<T> and WithMeta<T> helper types for typing query() / execute() result shapes — RowsWithMeta<T> for the default rows-array-with-meta shape, WithMeta<T> for the metaAsArray: true tuple form (types-only, no runtime change)

Issues Fixed

  • CONJS-354: Reject a server-initiated LOAD DATA LOCAL INFILE request when permitLocalInfile is disabled (report by tharavel)
  • CONJS-353: PAM (dialog) authentication now requires a secure connection (TLS or a local unix socket), since it transmits the password in clear text (report by fg0x0)
  • CONJS-351: Use constant-time comparison when validating the server certificate fingerprint token, preventing a timing side-channel that could leak the token to a man-in-the-middle
  • CONJS-350: Fixed possible SQL injection in Buffer parameter escaping under big5/gbk/sjis/cp932/gb18030 client charset (report by fg0x0)
  • CONJS-344: Restore dual ESM/CJS support after the 3.5 ESM migration (#346):
    • TypeScript types now compile under moduleResolution: "Node16" / "NodeNext" / "Bundler" — fixes TS2846 / TS2834 reported in 3.5.1 and 3.5.2
    • Ship paired .d.cts declarations for the require condition
    • Ship a real CJS bundle in dist/ so require('mariadb') works on Node 20+ without --experimental-require-module or ExperimentalWarning
    • Restore the default ESM export, so import mariadb from 'mariadb' works again (matches 3.4.x behavior)

Changelog

Sourced from mariadb's changelog.

3.5.3 (Jun 1 2026)

Full Changelog

Notable changes

  • Minimum supported Node.js version is now 20 (was 18; Node 18 went EOL in April 2025)
  • CONJS-346: Add RowsWithMeta<T> and WithMeta<T> helper types for typing query() / execute() result shapes — RowsWithMeta<T> for the default rows-array-with-meta shape, WithMeta<T> for the metaAsArray: true tuple form (types-only, no runtime change)

Issues Fixed

  • CONJS-354: Reject a server-initiated LOAD DATA LOCAL INFILE request when permitLocalInfile is disabled (report by tharavel)
  • CONJS-353: PAM (dialog) authentication now requires a secure connection (TLS or a local unix socket), since it transmits the password in clear text (report by fg0x0)
  • CONJS-351: Use constant-time comparison when validating the server certificate fingerprint token, preventing a timing side-channel that could leak the token to a man-in-the-middle
  • CONJS-350: Fixed possible SQL injection in Buffer parameter escaping under big5/gbk/sjis/cp932/gb18030 client charset (report by fg0x0)
  • CONJS-344: Restore dual ESM/CJS support after the 3.5 ESM migration (#346):
    • TypeScript types now compile under moduleResolution: "Node16" / "NodeNext" / "Bundler" — fixes TS2846 / TS2834 reported in 3.5.1 and 3.5.2
    • Ship paired .d.cts declarations for the require condition
    • Ship a real CJS bundle in dist/ so require('mariadb') works on Node 20+ without --experimental-require-module or ExperimentalWarning
    • Restore the default ESM export, so import mariadb from 'mariadb' works again (matches 3.4.x behavior)

3.4.6 (Jun 2026)

Full Changelog

Issues Fixed

  • CONJS-331: Corrected parsec authentication plugin handling
  • CONJS-350: Fixed possible SQL injection in Buffer parameter escaping under big5/gbk/sjis/cp932/gb18030 client charset (report by fg0x0)
  • CONJS-349: Fixed cleartext password disclosure to a man-in-the-middle when relying on certificate fingerprint validation (self-signed trust mode)
  • CONJS-351: Use constant-time comparison when validating the server certificate fingerprint token, preventing a timing side-channel that could leak the token to a man-in-the-middle
  • CONJS-353: PAM (dialog) authentication now requires a secure connection (TLS or a local unix socket), since it transmits the password in clear text (report by fg0x0)
  • CONJS-354: Reject a server-initiated LOAD DATA LOCAL INFILE request when permitLocalInfile is disabled (report by tharavel)
  • Refuse sending the password in clear (mysql_clear_password) over an unencrypted connection

3.3.3 (Jun 2026)

Full Changelog

Issues Fixed

  • CONJS-350: Fixed possible SQL injection in Buffer parameter escaping under big5/gbk/sjis/cp932/gb18030 client charset (report by fg0x0)
  • CONJS-349: Fixed cleartext password disclosure to a man-in-the-middle when relying on certificate fingerprint validation (self-signed trust mode)
  • CONJS-351: Use constant-time comparison when validating the server certificate fingerprint token, preventing a timing side-channel that could leak the token to a man-in-the-middle
  • CONJS-353: PAM (dialog) authentication now requires a secure connection (TLS or a local unix socket), since it transmits the password in clear text (report by fg0x0)
  • CONJS-354: Reject a server-initiated LOAD DATA LOCAL INFILE request when permitLocalInfile is disabled (report by tharavel)
  • Refuse sending the password in clear (mysql_clear_password) over an unencrypted connection

3.2.4 (Jun 2026)

Full Changelog

Issues Fixed

  • CONJS-350: Fixed possible SQL injection in Buffer parameter escaping under big5/gbk/sjis/cp932/gb18030 client charset (report by fg0x0)
  • CONJS-353: PAM (dialog) authentication now requires a secure connection (TLS or a local unix socket), since it transmits the password in clear text (report by fg0x0)

... (truncated)

Commits
  • 14e0f16 [misc] Update CHANGELOG.md to include recent security fixes for PAM authentic...
  • cd00457 Merge branch 'develop'
  • f34b785 [misc] test stability: poll debug log until flushed instead of fixed wait
  • 2df7c26 [CONJS-354] Reject server-initiated LOAD DATA LOCAL INFILE when permitLocalIn...
  • 7d6e44a [misc] Cap the length of server-sent numeric strings before BigInt parsing, p...
  • 53b3042 [CONJS-353] PAM (dialog) authentication now requires a secure connection (TLS...
  • 41eec7f [CONJS-351] Implement constant-time comparison in validateFingerPrint to prev...
  • aa50c50 Update CHANGELOG.md for version 3.4.6, 3.3.3 and 3.2.4, adding fixed issues a...
  • 6c10db5 [misc] test stability correction
  • 5d5293a [misc] Refuse mysql_clear_password over an insecure connection
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mariadb](https://github.com/mariadb-corporation/mariadb-connector-nodejs) from 3.5.2 to 3.5.3.
- [Release notes](https://github.com/mariadb-corporation/mariadb-connector-nodejs/releases)
- [Changelog](https://github.com/mariadb-corporation/mariadb-connector-nodejs/blob/main/CHANGELOG.md)
- [Commits](mariadb-corporation/mariadb-connector-nodejs@3.5.2...3.5.3)

---
updated-dependencies:
- dependency-name: mariadb
  dependency-version: 3.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels Jun 10, 2026
github-actions Bot merged commit e269d2a into main Jun 10, 2026
3 checks passed
dependabot Bot deleted the dependabot/npm_and_yarn/mariadb-3.5.3 branch June 10, 2026 10:27
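
To check other lockfiles against the fixed releases listed in the changelog above, here is an added example (not part of this pull request or of the connector project) that finds every installed copy of `mariadb`, nested transitive copies included, and classifies it. The function names, status labels and sample lockfile are constructed for illustration; release lines missing from the truncated changelog excerpt are reported as `unlisted` rather than guessed.

```javascript
// Added example. First fixed patch per release line, from the changelog above.
const FIXED = { '3.5': 3, '3.4': 6, '3.3': 3, '3.2': 4 };

// 'fixed', 'outdated' (predates the fixed patch) or 'unlisted' (release line
// not covered by the changelog excerpt, so no verdict is guessed).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(String(version));
  if (!m) return 'unlisted';
  const line = `${m[1]}.${m[2]}`;
  if (!Object.hasOwn(FIXED, line)) return 'unlisted';
  const patch = Number(m[3]);
  if (patch !== FIXED[line]) return patch > FIXED[line] ? 'fixed' : 'outdated';
  // A prerelease of the fixed patch (e.g. 3.5.3-rc.1) sorts before the release.
  return m[4] ? 'outdated' : 'fixed';
}

// Collect every installed copy of mariadb, including nested transitive ones.
function findMariadb(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/mariadb$/.test(path)) hits.push({ path, version: meta.version });
  }
  if (hits.length > 0) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mariadb') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

const audit = (lock) => findMariadb(lock).map((h) => ({ ...h, status: classify(h.version) }));

// Constructed sample lockfile (package names other than mariadb are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/mariadb': { version: '3.5.2' },
    'node_modules/legacy-orm/node_modules/mariadb': { version: '3.4.6' },
    'node_modules/old-tool/node_modules/mariadb': { version: '3.1.0' },
  },
};
console.log(audit(SAMPLE_LOCK));
```

Pass the parsed contents of a real `package-lock.json` to `audit()`; an `outdated` result on a nested path means a transitive dependency still pins a pre-fix connector that this bump does not replace.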