registry  /  @reachu/database  /  1.0.234

@reachu/database@1.0.234

reachu-database

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a TypeORM database model/migration library with optional user-run database migration scripts.

Static reason
One or more suspicious static signals were detected.
Trigger
importing the library or explicitly running migration scripts
Impact
Database schema changes only when consumer invokes migration connection code
Mechanism
TypeORM entity export and database migration execution
Rationale
The suspicious signals are package-aligned database configuration and bundled test secrets, with no install-time execution, exfiltration, destructive behavior, or agent-control mutation found by source inspection. Mark clean despite the noisy secret/env scanner hints.
Evidence
package.jsondist/index.jssrc/index.tssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.jsonnodemon.json

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • .env.test includes credential-looking test configuration values such as service/API key fields
  • src/migrations/execute/index.ts is a user-invoked migration helper that loads dotenv and connects to the database
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/index.js and src/index.ts only re-export migrations, entities, static data, utils, repositories, helpers, and subscribers
  • src/utils/index.ts reads DB_* environment variables only to build TypeORM connection config
  • src/config/connect.ts runs TypeORM migrations for configured database; no shell, file mutation, or network exfiltration logic seen
  • rg found no child_process, eval/Function, dynamic payload loading, or AI-agent control-surface writes in source
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 668 file(s), 1.57 MB of source

Source & flagged code

2 flagged · loading source
.env.testView file
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L21
21patternName = private_key_rsa severity = critical line = 21 matchedText = FIREBASE...-\n"
Critical
Secret Pattern

RSA private key in .env.test

.env.testView on unpkg · L21

Findings

2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings