Add tracking bug for CVE-2019-14939/node-mysql

Mainly for tracking for now, because the upstrem issue got locked down
until issue properly investigated. So we can monitor upstream change.