Skip to content

chore: update package.json for canary test#12

Open
pullfrog[bot] wants to merge 7 commits into
mainfrom
pullfrog/canary-test-package-json
Open

chore: update package.json for canary test#12
pullfrog[bot] wants to merge 7 commits into
mainfrom
pullfrog/canary-test-package-json

Conversation

@pullfrog
Copy link
Copy Markdown

@pullfrog pullfrog Bot commented Apr 7, 2026
edited by cursor Bot
Loading

This PR captures the package.json change made during a dependency installation canary test. The file was modified as part of testing postinstall script behavior.

Pullfrog  | Triggered by Pullfrog | Using Claude Opus𝕏

Note

Medium Risk
Adds a postinstall script that writes to /tmp, which can execute during installs in CI/dev machines and may have side effects despite being simple.

Overview
Updates package.json to rename the package to test-pkg, add a version, and remove the prior test script/type/private fields.

Adds a postinstall script that writes a CANARY_MARKER file to /tmp/postinstall-canary.txt, and explicitly includes an empty dependencies object.

Reviewed by Cursor Bugbot for commit 305db59. Bugbot is set up for automated code reviews on this repo. Configure here.

cursor[bot]
cursor Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit fc0783d. Configure here.

Comment thread package.json
"scripts": {
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
Copy link
Copy Markdown

@cursor cursor Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test artifact postinstall script committed to repository

High Severity

A postinstall script that writes CANARY_MARKER to /tmp/postinstall-canary.txt is being committed. This will execute on every npm install for all contributors, writing to the filesystem as a side effect. This is a canary-test artifact that doesn't belong in the committed package.json. It also replaces the "test": "vitest run" script, so npm test no longer works despite test files (test/math.test.ts using vitest) still existing in the repo.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit fc0783d. Configure here.

Comment thread package.json
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
},
"dependencies": {}
Copy link
Copy Markdown

@cursor cursor Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removal of private: true risks accidental publication

Medium Severity

The "private": true field was removed as part of the canary test changes. This fixture/test repository (per the README) is not intended for npm publication, and without private: true, an accidental npm publish would succeed. The "type": "module" field was also removed, which could affect module resolution for the existing TypeScript source files that use ES module syntax.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit fc0783d. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants