chore: update package.json for postinstall canary test#35
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit b941043. Configure here.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
There was a problem hiding this comment.
Removing private: true risks accidental npm publish
Medium Severity
The "private": true field was removed from package.json without being mentioned in the PR description. This safety guard prevents accidental publication to the npm registry. Without it, running npm publish (even accidentally) could push test-pkg@1.0.0 to the public npm registry — potentially causing a supply-chain concern or namespace squatting. Since the package is a test fixture and not meant to be published, "private": true is worth keeping.
Reviewed by Cursor Bugbot for commit b941043. Configure here.
Updates
package.jsonas part of the dependency installation behavior test — setsname,version, adds apostinstallcanary script, and clearsdependencies.Claude Sonnet| 𝕏Note
Medium Risk
Adds a
postinstallscript that writes to/tmp, which will execute automatically during installs and can affect CI/build environments. Other changes are limited to package metadata and removing the test script/dependencies.Overview
Updates
package.jsonto rename the package and add aversion, and removes the previoustestscript/fields.Adds a
postinstallcanary that writesCANARY_MARKERto/tmp/postinstall-canary.txt, and setsdependenciesto an empty object.Reviewed by Cursor Bugbot for commit b941043. Bugbot is set up for automated code reviews on this repo. Configure here.