diff --git a/x-pack/package.json b/x-pack/package.json
index e51f0e19ff6fd..4ab2f1280bd38 100644
--- a/x-pack/package.json
+++ b/x-pack/package.json
@@ -251,8 +251,8 @@
 "rimraf": "^2.6.2",
 "rison-node": "0.3.1",
 "rxjs": "^6.2.1",
+ "safe-squel": "^5.12.5",
 "semver": "5.1.0",
- "squel": "^5.12.2",
 "style-it": "2.1.2",
 "styled-components": "3.3.3",
 "tar-fs": "2.1.0",
diff --git a/x-pack/plugins/canvas/canvas_plugin_src/functions/server/esdocs.js b/x-pack/plugins/canvas/canvas_plugin_src/functions/server/esdocs.js
index 0c80e9165e63c..f5f589267de7b 100644
--- a/x-pack/plugins/canvas/canvas_plugin_src/functions/server/esdocs.js
+++ b/x-pack/plugins/canvas/canvas_plugin_src/functions/server/esdocs.js
@@ -4,7 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */
-import squel from 'squel';
+import squel from 'safe-squel';
 import { queryEsSQL } from '../../../server/lib/query_es_sql';
 export const esdocs = () => ({
diff --git a/yarn.lock b/yarn.lock
index 49949ba8cb897..21e1c1720de2b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -18786,6 +18786,13 @@ safe-regex@^1.1.0:
 dependencies:
 ret "~0.1.10"
+safe-squel@^5.12.5:
+ version "5.12.5"
+ resolved "https://registry.yarnpkg.com/safe-squel/-/safe-squel-5.12.5.tgz#9597cec498dc184a15fe94082b7bcc80cb4d048b"
+ integrity sha512-ls4iMpRE+/yTJ3W9GDRAT9rjqNVl220ng+N55udJXNu9ubcidMFA66Nung5UuE3xFlSSwvkV9PaMR5HZvShuvw==
+ dependencies:
+ sql-escape-string "^1.1.0"
+
 safefs@^4.0.0:
 version "4.1.0"
 resolved "https://registry.yarnpkg.com/safefs/-/safefs-4.1.0.tgz#f82aeb4bdd7ae51f653eb20f6728b3058c8d6445"
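Review bot: The new `"safe-squel": "^5.12.5"` entry in x-pack/package.json takes a caret range, so a regenerated lockfile can resolve to any later 5.x release of the fork without anyone reviewing it. Since this package replaces the SQL builder imported by the Canvas `esdocs` function, I would pin it exactly, `"safe-squel": "5.12.5",`, as `semver` and `rison-node` already are in the same block, and upgrade it deliberately. The swap also adds `sql-escape-string` as a transitive dependency (visible in the yarn.lock hunks), and its lock entry carries only a sha1 integrity value. Confirming the publisher and source repository of both packages before merge would be worthwhile.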
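Review bot: The import swap at the top of esdocs.js has no comment saying why the fork is used, so a later dependency clean-up could move it back to `squel` without noticing what is lost. I would add a line above it such as `// safe-squel (fork of squel) is used deliberately here; see <PR or advisory link> before switching back`. The reason is presumably the fork's string escaping, given the new `sql-escape-string` dependency in yarn.lock, but the diff does not say so. The body of `esdocs` continues outside the hunk, so it is not visible whether the values passed to the builder come from user-supplied expression arguments. If they do, a unit test asserting that a value containing a single quote comes out escaped in the generated query would lock in the behaviour this change relies on.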
@@ -19632,10 +19639,10 @@ sprintf-js@~1.0.2:
 resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
 integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
-squel@^5.12.2:
- version "5.12.2"
- resolved "https://registry.yarnpkg.com/squel/-/squel-5.12.2.tgz#8c7b54fd5462d95fe2432663c8762b65d29efe4c"
- integrity sha512-pIM8SjlUJlN2G6xz3we+lCp2aNQgxauGqKXJDi8y2n0hqJlSot0IUEdHh7/zGFFuRYnypbDiOhSWLZzT1BXnlQ==
+sql-escape-string@^1.1.0:
+ version "1.1.0"
+ resolved "https://registry.yarnpkg.com/sql-escape-string/-/sql-escape-string-1.1.0.tgz#fe744b8514868c0eb4bfb9e4a989271d40f30eb9"
+ integrity sha1-/nRLhRSGjA60v7nkqYknHUDzDrk=
 sshpk@^1.7.0:
 version "1.15.2"