
dbbackuper@1.4.0

You can backup your database easily using this module

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs user-invoked MySQL backup and restore, with potentially destructive restore modes that are aligned with its stated purpose.

Static reason: One or more suspicious static signals were detected.
Trigger: User calls exported function with database config, path, and backup/restore mode.
Impact: Can read database contents into local backup files or restore/drop database/application files only when invoked with supplied config and mode.
Mechanism: MySQL database backup/restore with local zip staging and optional full file restore.
Rationale: Static inspection found a backup/restore library with sensitive and destructive capabilities, but they are runtime, caller-configured, and package-aligned. The scanner's built-in dependency-squat signal is not paired with lifecycle execution, exfiltration, persistence, or agent-control mutation.
Evidence
  • package.json
  • index.js
  • createbackup.js
  • upload.js
  • filefunctions.js
  • getmetadata.js
  • getrows.js
  • uploaddata.js
  • validateUploads.js
  • links.js
  • ./backupfiles
  • ./backupfiles/backup/database/raw.json
  • ./backupfiles/backup/database/dbtaskerdata.json
  • configured output .zip path
  • application root during full restore

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares runtime deps named fs/path/stream, but no package lifecycle hooks use them.
  • upload.js can restore files into the application root when a user supplies a full backup zip.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and main is index.js.
  • index.js only exports an async function; no import-time backup, restore, network, or filesystem mutation.
  • Database credentials are taken from caller config and used for MySQL connections, not harvested from env/files.
  • No child_process, eval/vm/Function, hardcoded exfil endpoint, or AI-agent control-surface writes found.
  • Filesystem writes are package-aligned staging/output paths: ./backupfiles, configured output zip, and user-invoked restore.
Behavioral surface
  • Source
  • Filesystem
  • Supply chain
  • HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 305 KB of source

Source & flagged code

1 flagged
package.json
Runtime dependency names matching Node built-ins: fs, path, stream
High · Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.


Findings

1 High, 3 Low
  • High: Node Builtin Dependency Squat (package.json)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings