Update 2023-09-07

For people coming back to this because they got CVE notification
This alleged SQLi bug can only be allegedly possible if you are using mysql as your backend.
If you are using any other backend, you are not affected and can move on and ignore this.
In fact it would be better for you guys to ignore this because the "fixes" that have been introduced break core functionality and introduce a lot of issues so far.

This is a really weird bug but if you do:

knex('sometable').where({
  stringfield: { hello: 1 }
})

It will crash with Unknown column 'hello' in 'where clause'] which is an EXTREMELY scary message to see considering the almost potential(?) possibility of doing SQL injection or something.

This only happens though when using the mysql client, tested with pg and it worked as it should, giving empty result.

Here's a working gist reproducing the problem: https://gist.github.com/TheThing/00be586e2d71e7b9a4b8