registry  /  spindb  /  0.61.5

spindb@0.61.5

Zero-config Docker-free local database containers. Create, backup, and clone a variety of popular databases.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 290 file(s), 2.92 MB of source, external domains: 127.0.0.1, api.github.com, clickhouse.com, deb.nodesource.com, dev.mysql.com, github.com, postgresapp.com, qdrant.tech, questdb.io, raw.githubusercontent.com, registry.layerbase.host, registry.npmjs.org, weaviate.io, www.enterprisedb.com, www.mongodb.com, www.sqlite.org

Source & flagged code

6 flagged · loading source
dist/core/docker-exporter.jsView file
366patternName = generic_password severity = medium line = 366 matchedText = pwd: "$S...RD",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/core/docker-exporter.jsView on unpkg · L366
dist/core/spawn-utils.jsView file
3* L4: * This module provides a Promise-based wrapper around child_process.spawn L5: * with proper timeout handling and error messages.
High
Child Process

Package source references child process execution.

dist/core/spawn-utils.jsView on unpkg · L3
65/** L66: * Escape a string for use in a PowerShell single-quoted string. L67: * PowerShell escapes single quotes by doubling them: ' becomes ''
High
Shell

Package source references shell execution.

dist/core/spawn-utils.jsView on unpkg · L65
dist/engines/questdb/index.jsView file
456throw new Error('psql not found. Install PostgreSQL client tools or use the Web Console at ' + L457: `http://127.0.0.1:${port + 188}`); L458: } ... L461: stdio: 'inherit', L462: env: { ...process.env, PGPASSWORD: auth.password }, L463: }; L464: return new Promise((resolve, reject) => { L465: const proc = spawn(psqlPath, ['-h', '127.0.0.1', '-p', String(port), '-U', auth.user, '-d', db], spawnOptions); L466: proc.on('error', reject);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/engines/questdb/index.jsView on unpkg · L456
dist/engines/typedb/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = spindb@0.61.2 matchedIdentity = npm:c3BpbmRi:0.61.2 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/engines/typedb/index.jsView on unpkg
dist/config/engine-defaults.jsView file
227patternName = generic_password severity = medium line = 227 matchedText = superuse...rd')
Medium
Secret Pattern

Hardcoded password in dist/config/engine-defaults.js

dist/config/engine-defaults.jsView on unpkg · L227

Findings

4 High6 Medium5 Low
HighChild Processdist/core/spawn-utils.js
HighShelldist/core/spawn-utils.js
HighSame File Env Network Executiondist/engines/questdb/index.js
HighPrevious Version Dangerous Deltadist/engines/typedb/index.js
MediumSecret Patterndist/core/docker-exporter.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/config/engine-defaults.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings