10 changes: 5 additions & 5 deletions package.json
@@ -1,8 +1,8 @@
{
"name": "test-repo",
"private": true,
"type": "module",
"name": "test-pkg",
"version": "1.0.0",
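Review bot: The package rename from "test-repo" to "test-pkg" in this region is a third change to the top-level manifest fields, alongside the dropped `"private": true,` and `"type": "module",` lines, that the PR description (which, per the comments below, only mentions adding a postinstall canary) does not explain; either revert the rename and restore the two fields so the diff is confined to the scripts block, or state in the description why each of the three was changed.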
Removal of private flag enables accidental npm publishing

Medium Severity

The "private": true field was removed but this isn't mentioned as an intended change in the PR description. Without it, running npm publish (accidentally or via CI misconfiguration) would attempt to publish this package as test-pkg to the public npm registry. Even for a test fixture repo, retaining "private": true is an important safety net against accidental publication.

Reviewed by Cursor Bugbot for commit 3805798.

"scripts": {
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
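Review bot: The new "postinstall" entry writes to a fixed, predictable filename in the shared /tmp directory and runs unconditionally on every `npm install`, including `npm ci` in CI, so it needs a guard and documentation: gate the canary behind an opt-in environment variable checked in the script, or note in the README that this fixture is installed with `npm ci --ignore-scripts` (or `ignore-scripts=true` in the project `.npmrc`) when the canary is not wanted. The shell redirect also assumes a POSIX shell and an existing /tmp directory, so the install step will fail on Windows runners; mention that limitation alongside the script or make the path configurable.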
Postinstall script runs arbitrary command on install

Medium Severity

The postinstall script writes to a hardcoded path (/tmp/postinstall-canary.txt) on every npm install. While intended as a test canary, this runs automatically for anyone cloning the repo or any CI pipeline that installs dependencies. Combined with the removal of "private": true, if this package were accidentally published under the generic name test-pkg, the postinstall hook would execute on any consumer's machine — a classic supply-chain attack pattern.

Reviewed by Cursor Bugbot for commit 1400374.

},
Test script removed instead of postinstall being added alongside

Medium Severity

The PR description says it "adds a postinstall canary script," but the "test": "vitest run" script was removed rather than preserved alongside the new postinstall entry. The existing test/math.test.ts still imports from vitest and expects to be run via that script. This means npm test no longer works, silently breaking the existing test infrastructure of this fixture repo.

Reviewed by Cursor Bugbot for commit 1400374.

"dependencies": {}
Removal of "type": "module" breaks ESM source files

Medium Severity

The "type": "module" field was removed but not mentioned in the PR description. All source files under src/ use ESM export syntax, and the test file uses ESM import. Without "type": "module", Node.js defaults to CommonJS module resolution, which would break any tooling or runtime that relies on this setting to correctly resolve the existing .ts files as ES modules.

Reviewed by Cursor Bugbot for commit 1400374.

}