We actively support the following versions of Database Handler CLI:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

The Database Handler CLI team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Email: romaintibo6@gmail.com
- Subject: [SECURITY] Brief description of the issue
To help us better understand and resolve the issue, please include as much of the following information as possible:
- Type of vulnerability (e.g., SQL injection, command injection, etc.)
- Full paths of affected source files
- Location of the affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how it could be exploited
- Any potential fixes you've identified
- Initial Response: Within 48 hours of receiving your report
- Assessment: Within 7 days, we'll provide an assessment of the issue
- Fix Timeline: We aim to release patches for confirmed vulnerabilities within 30 days
- Disclosure: We'll coordinate with you on the public disclosure timeline
- Acknowledgment: We'll acknowledge receipt of your report
- Investigation: We'll investigate and validate the vulnerability
- Updates: We'll keep you informed of our progress
- Resolution: Once fixed, we'll notify you and coordinate disclosure
- Credit: With your permission, we'll credit you in the release notes
When using Database Handler CLI in production:
- Never commit database credentials to version control
- Use `.env` files that are properly gitignored
- Rotate credentials regularly
- Use read-only accounts when possible for dump operations
- Limit permissions to only what's necessary
- Use SSL/TLS for database connections in production
- Firewall rules should restrict database access
- VPN/Bastion hosts for sensitive environments
- Encrypt backups containing sensitive data
- Secure storage for backup files (proper permissions)
- Regular cleanup of old dumps
- Access control on the `backups/` directory
- Don't use `network_mode: host` in production
- Isolate containers with proper networking
- Update base images regularly
- Scan for vulnerabilities in dependencies
The tool uses `SET session_replication_role = 'replica'` to temporarily disable the triggers that enforce foreign key constraints during imports. This requires:
- Appropriate PostgreSQL user permissions
- Trust in the imported SQL content
- Awareness that constraint validation is bypassed
Mitigation: Only import dumps from trusted sources, preferably those you've created yourself with this tool.
The tool is designed to prevent SQL injection:
- Uses parameterized queries via Kysely
- Properly escapes identifiers and values
- Avoids dynamic SQL construction from user input
However, when importing SQL dumps, the tool executes raw SQL. Only import dumps from trusted sources.
Security patches are released as minor version updates. To stay protected:

```bash
npm update -g database-handler-cli
```

Check for updates regularly:

```bash
npm outdated -g database-handler-cli
```

We regularly audit and update our dependencies for known vulnerabilities. Major dependencies:

- `kysely` - SQL query builder with parameterized queries
- `pg` - PostgreSQL driver
- `inquirer` - CLI prompts (no security-critical operations)
- `chalk` - Terminal styling (no security implications)
We follow coordinated vulnerability disclosure:
- Security issues are fixed in a private repository
- A security advisory is prepared
- Patches are released
- Public disclosure is made after fixes are available
- Credit is given to the reporter (unless they prefer anonymity)
We appreciate the following individuals for responsibly disclosing security issues:
- No vulnerabilities reported yet
Thank you for helping keep Database Handler CLI and its users safe!