chore: update package.json for dependency install test #19
pullfrog[bot] wants to merge 31 commits into
Conversation
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit a91189a.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
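Review bot: the postinstall hook writes to a fixed, predictable path in the shared /tmp directory (/tmp/postinstall-canary.txt), and as an npm lifecycle script it runs automatically on every npm install, in CI and on any machine that installs this package. If the canary is only needed for the dependency-install test, point it at a per-run temporary directory rather than a hard-coded /tmp file, and run the installs that should not trigger it with npm ci --ignore-scripts so the install step does not execute shell commands by default.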
Removing private field risks accidental npm publication
High Severity
The "private": true field was removed while simultaneously adding a "version" field and a postinstall script that executes a shell command. Without the private flag, this package can be accidentally published to npm via npm publish. A published package with a postinstall script writing to /tmp would execute on every consumer's machine during install — this mirrors a common supply chain attack vector. The private guard needs to remain in place.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
Test script removed, existing tests cannot run
Medium Severity
The "test": "vitest run" script was replaced entirely by the postinstall canary script. The repository still contains test/math.test.ts which imports from vitest, so npm test will no longer execute the existing test suite. This silently breaks CI and local test workflows.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
Removal of "type": "module" breaks ESM resolution
Medium Severity
The "type": "module" field was removed, which changes the default module system from ESM to CommonJS. The existing source files in src/ use ESM export syntax and the test file uses ESM import syntax. Without this field, Node.js will default to CommonJS resolution for .js output, potentially breaking module loading when the TypeScript is compiled and run.
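A pre-merge check that covers the three conditions raised in the Bugbot comments above (install-time lifecycle script, missing "private": true, dropped "type": "module", plus the removed test script), as an added example that is not code from the PR, the repository, or Cursor Bugbot. The two package.json objects are constructed to mirror the diff, and the rule names and severities are assumptions.

```javascript
// Added example, not from the PR or Bugbot: audit a parsed package.json for the
// conditions flagged in this review. Rule names and severities are assumptions.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns a list of findings; an empty list means the manifest passes.
function auditPackageJson(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};

  // Lifecycle scripts run a shell command on every install, for every consumer.
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ severity: 'high', rule: 'lifecycle-script',
        detail: `"${hook}" runs on install: ${scripts[hook]}` });
    }
  }
  // Without "private": true the package can be pushed to the registry by npm publish.
  if (pkg.private !== true) {
    findings.push({ severity: 'high', rule: 'missing-private',
      detail: '"private": true is absent, so npm publish is not blocked' });
  }
  // A manifest with no "test" script makes npm test skip the existing suite.
  if (typeof scripts.test !== 'string') {
    findings.push({ severity: 'medium', rule: 'missing-test-script',
      detail: 'no "test" script; the existing test suite will not run' });
  }
  // ESM sources with no "type": "module" resolve as CommonJS once compiled.
  if (pkg.type !== 'module') {
    findings.push({ severity: 'medium', rule: 'missing-type-module',
      detail: '"type": "module" is absent; .js output defaults to CommonJS' });
  }
  return findings;
}

// Constructed sample: the manifest as the diff leaves it (postinstall canary,
// no private guard, no test script, no "type": "module").
const AFTER_PR = {
  name: 'test-pkg', version: '1.0.0',
  scripts: { postinstall: 'echo CANARY_MARKER > /tmp/postinstall-canary.txt' },
  dependencies: {},
};
// Constructed sample: the same manifest with the removed guards restored.
const HARDENED = {
  name: 'test-pkg', version: '1.0.0', private: true, type: 'module',
  scripts: { test: 'vitest run' },
  dependencies: {},
};

for (const [label, pkg] of [['after PR', AFTER_PR], ['hardened', HARDENED]]) {
  console.log(label, auditPackageJson(pkg));
}
```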
…into pullfrog/test-pkg-package-json
Updates package.json as part of the dependency installation behavior test. Changes the package name to test-pkg and adds a postinstall script canary.
Claude Opus

Note
Medium Risk
Adds a postinstall hook that writes to /tmp, which executes on every install and could have side effects in CI/user environments. Otherwise changes are limited to package.json metadata and removing the prior test script.

Overview
Updates package.json to rename the package to test-pkg and introduce versioning/empty dependencies.
Replaces the prior vitest test script with a postinstall script that writes a CANARY_MARKER file to /tmp on install, and removes the previous private/type: module settings.
Reviewed by Cursor Bugbot for commit fd17e7f. Bugbot is set up for automated code reviews on this repo.