[deps] BRE: Update mysql Docker tag to v8.4

[renovate]

This PR contains the following updates:

Package	Update	Change
mysql	minor	8.0 → 8.4

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-30028
• Link: https://bitwarden.atlassian.net/browse/PM-30028

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.45%. Comparing base (b3c8950) to head (aec0164).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6763   +/-   ##
=======================================
  Coverage   58.45%   58.45%           
=======================================
  Files        2067     2067           
  Lines       90997    90997           
  Branches     8083     8083           
=======================================
  Hits        53195    53195           
  Misses      35901    35901           
  Partials     1901     1901           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aj-bw]

since this is just the dev resource, I assume this does not need full QA testing? cc @bitwarden/team-platform-dev

[rkac-bw]

since this is just the dev resource, I assume this does not need full QA testing? cc @bitwarden/team-platform-dev

This will be part of bitwarden lite which can support mariadb and possibly mysql so should be be sent to qa if approved

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[rkac-bw]

Tested locally: MySQL 8.4.8 works with Bitwarden. EF migrations, Identity, and API all pass against caching_sha2_password (default in 8.4).

Additional changes needed beyond the image tag bump:

1. Remove --default-authentication-plugin=mysql_native_password from the mysql command in docker-compose.yml — this option is deprecated in 8.4 and removed in 9.0.
2. Add --mysql-native-password=ON to the mysql command — this re-enables the plugin for users and developers with existing 8.0 data volumes, preventing auth failures on upgrade. Without this, existing
   databases break because users were created with mysql_native_password which is disabled by default in 8.4. The flag is deprecated but functional in 8.4, giving time to migrate.
3. Update secrets.json.example MySQL connection string to include AllowPublicKeyRetrieval=true;SslMode=Preferred — required for caching_sha2_password authentication from the .NET connector.

Suggested docker-compose change:
mysql:
image: mysql:8.4
ports:
- "3306:3306"
command:
- --mysql-native-password=ON
- --innodb-print-all-deadlocks=ON

Post-upgrade action required: We should announce this change and advise users and developers that after upgrading to MySQL 8.4, they should convert their database users from mysql_native_password to caching_sha2_password to be fully secure:

ALTER USER 'root'@'%' IDENTIFIED WITH caching_sha2_password BY 'your_password';
ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'your_password';

Once all users are migrated, --mysql-native-password=ON can be removed from the compose file. This is important because mysql_native_password is less secure (weaker password hashing) and will be fully removed in MySQL 9.0.

Reference: https://bitwarden.atlassian.net/wiki/spaces/EN/pages/1860108507 (Confluence, Engineering space)

MariaDB is unaffected — separate container, separate connection string, separate auth mechanism. Tested side-by-side with MariaDB 12.2.2, no issues.

Do we want to push backup scripts like SQL server has before releasing this upgrade?

[github-actions]

Checkmarx One – Scan Summary & Details – 81a95b93-985e-4f57-9fbe-cd5bfd0e7959

Great job! No new security vulnerabilities introduced in this pull request

[rkac-bw]

Tested MySQL 8.4 and MariaDB locally — both fully working with the connection string changes.

Note: MariaDB uses the same globalSettings.mySql.connectionString (via databaseProvider=mariadb mapping in ServiceCollectionExtensions.cs), so the added AllowPublicKeyRetrieval=true;SslMode=Preferred params
apply to both. These params are harmlessly ignored by MariaDB since it doesn't use caching_sha2_password.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[withinfocus]

This is a dev tooling change so there really isn't much risk, but you should make the upgrade path known internally given the auth differences -- might as well get ahead to prep for v9. What documentation needs to be updated outside of here?

For Maria and therefore Unified / lite users, you said we're already good with the stronger auth mechanism right?