Investigate unresolved MySQL helper-component CVEs in mysql:8.4 #435

@josecelano

Description

Overview

Track unresolved MySQL image vulnerabilities after remediation pass 1 in issue #428.

Context

Current scan for mysql:8.4 reports:

  • 7 HIGH
  • 1 CRITICAL

Findings are primarily in helper components (gosu and Python packages), not MySQL server core.

Goals

  • Validate if any compatible MySQL image variant/tag reduces the gosu/Python findings
  • Determine mitigation options while preserving LTS/stability requirements
  • Document risk acceptance path if no practical low-risk upgrade exists

Acceptance Criteria

  • Compare compatible MySQL tags/variants with vulnerability deltas
  • Document recommended strategy (upgrade, pin, or monitored acceptance)
  • Update deployer defaults if an improved option is validated
  • Pre-commit checks pass: ./scripts/pre-commit.sh

Related
