
dbbackuper@1.2.4

You can backup your database easily using this module

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky database and filesystem operations are user-invoked backup/restore behavior aligned with the package purpose.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing is inert; exported function runs only when caller invokes it with database and path config.
Impact
Can read/write backup files and modify target databases when explicitly used, including destructive clean/replace restore modes.
Mechanism
database backup/restore with optional full filesystem backup
Rationale
Static inspection found dangerous primitives, but they are documented, user-triggered backup/restore capabilities with no install-time execution, credential harvesting, or exfiltration endpoint. The builtin dependency warning is noisy because the runtime `require` calls for fs/path/stream resolve to the Node built-in modules, and the package has no lifecycle hooks.
Evidence
  • package.json
  • index.js
  • createbackup.js
  • upload.js
  • filefunctions.js
  • functions.js
  • README.md
  • ./backupfiles
  • user-provided output zip path
  • application root when fullBackup is enabled

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json declares builtin-like deps fs/path/stream, but no lifecycle hooks
  • upload.js has user-invoked destructive restore modes that can clear DB rows and move project files for full backups
  • createbackup.js can copy application root files when fullBackup is enabled
Evidence against
  • package.json has no install/preinstall/postinstall hooks and main is index.js
  • No child_process, eval, Function, process.env harvesting, or hardcoded exfil endpoints found
  • index.js only runs backup/restore after exported function is called with config
  • Network activity is limited to user-provided MySQL/Postgres database connections
  • File writes target backup/restore paths as part of documented backup functionality
Behavioral surface
  • Source
  • Filesystem
  • Supply chain
  • High entropy strings
  • Manifest: No manifest risk signals triggered.
scanned 12 file(s), 301 KB of source

Source & flagged code

1 file flagged
package.json
High: Node Builtin Dependency Squat
Runtime dependency names matching Node built-ins: fs, path, stream

Package declares a runtime dependency whose name matches a Node built-in module.


Findings

1 High, 3 Low
  • High: Node Builtin Dependency Squat (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings