chore: update package.json for dependency install test #19
pullfrog[bot] wants to merge 9 commits into main from
Conversation
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit a91189a.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
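Review bot: the canary on the `postinstall` line goes to a fixed name in a world-writable directory, `/tmp/postinstall-canary.txt`, so on any shared host another local user can create that name (or a symlink under it) first and the redirection follows it; npm runs lifecycle scripts with the package root as the working directory, so a path inside the package (`echo CANARY_MARKER > postinstall-canary.txt`) or a directory handed in by the CI job keeps the marker where the test can find it without that exposure. Also worth stating in the test's expectations: an install run with `--ignore-scripts` produces no canary at all, which is a legitimate outcome and not a failure of the hook.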
Removing private field risks accidental npm publication
High Severity
The "private": true field was removed while simultaneously adding a "version" field and a postinstall script that executes a shell command. Without the private flag, this package can be accidentally published to npm via npm publish. A published package with a postinstall script writing to /tmp would execute on every consumer's machine during install — this mirrors a common supply chain attack vector. The private guard needs to remain in place.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
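Review bot: `"test": "vitest run"` is dropped in the same hunk that adds `postinstall`, but the two are independent entries of the same `scripts` object and can coexist; keep `"test": "vitest run",` above the `"postinstall"` line so `npm test` still runs the existing suite while the canary test is in place.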
Test script removed, existing tests cannot run
Medium Severity
The "test": "vitest run" script was replaced entirely by the postinstall canary script. The repository still contains test/math.test.ts which imports from vitest, so npm test will no longer execute the existing test suite. This silently breaks CI and local test workflows.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
Removal of "type": "module" breaks ESM resolution
Medium Severity
The "type": "module" field was removed, which changes the default module system from ESM to CommonJS. The existing source files in src/ use ESM export syntax and the test file uses ESM import syntax. Without this field, Node.js will default to CommonJS resolution for .js output, potentially breaking module loading when the TypeScript is compiled and run.
…into pullfrog/test-pkg-package-json
…into pullfrog/test-pkg-package-json
…into pullfrog/test-pkg-package-json


Updates package.json as part of the dependency installation behavior test. Changes the package name to test-pkg and adds a postinstall script canary. (Claude Opus)

Note
Medium Risk
Adds a postinstall script that runs during dependency installation and writes to /tmp, which can affect install-time behavior and CI environments.

Overview
Updates package.json metadata (renames the package to test-pkg, adds version, and removes the previous test script). Adds a postinstall canary script that writes CANARY_MARKER to /tmp/postinstall-canary.txt, and defines an empty dependencies object.

Reviewed by Cursor Bugbot for commit c393560.
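A check for the conditions the review comments above raise, as an added example that is not code from the PR, the repository, or Cursor Bugbot: it parses a package.json and reports install-time lifecycle scripts (rated higher when the package is publishable), a canary redirected to a fixed path under /tmp, a missing "private": true on a versioned package, and a missing test script. The two sample manifests are constructed from the PR description; the old package name example-pkg and the version 1.0.0 are assumptions, since the page gives neither, and so is the file name in the usage note.

```javascript
// Added example, not code from the PR or from Cursor Bugbot: audit a
// package.json for install-time risks. Sample manifests at the bottom are
// constructed to mirror the PR; "example-pkg" and "1.0.0" are assumed values.

// Scripts npm runs while installing this package (npm "scripts" lifecycle).
const INSTALL_TIME_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
const RANK = { none: 0, low: 1, medium: 2, high: 3 };

// Parse a manifest; a malformed file is reported as a result, not thrown.
function parseManifest(text) {
  try {
    const pkg = JSON.parse(text);
    if (pkg === null || typeof pkg !== 'object' || Array.isArray(pkg)) {
      return { pkg: null, error: 'manifest is not a JSON object' };
    }
    return { pkg, error: null };
  } catch (e) {
    return { pkg: null, error: `invalid JSON: ${e.message}` };
  }
}

// Audit one parsed manifest; each finding has a severity, the offending key
// and a one-line explanation.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  // Without "private": true, `npm publish` succeeds and the install-time
  // scripts below run on every consumer's machine, so rate them higher.
  const publishable = pkg.private !== true;

  for (const name of INSTALL_TIME_SCRIPTS) {
    const cmd = scripts[name];
    if (typeof cmd !== 'string') continue;
    findings.push({
      severity: publishable ? 'high' : 'medium',
      key: `scripts.${name}`,
      detail: `runs a shell command on every install: ${cmd}`,
    });
    // A redirection into /tmp targets a fixed name in a world-writable
    // directory; another local user can plant a symlink there first.
    if (/>\s*\/tmp\//.test(cmd)) {
      findings.push({
        severity: 'medium',
        key: `scripts.${name}`,
        detail: 'writes to a predictable path under /tmp',
      });
    }
  }

  if (publishable && typeof pkg.version === 'string') {
    findings.push({
      severity: 'high',
      key: 'private',
      detail: 'not private and versioned: `npm publish` would upload it',
    });
  }
  if (typeof scripts.test !== 'string') {
    findings.push({ severity: 'low', key: 'scripts.test', detail: '`npm test` runs nothing' });
  }
  return findings;
}

// Highest severity among the findings, or 'none' for a clean manifest.
function worstSeverity(findings) {
  return findings.reduce((w, f) => (RANK[f.severity] > RANK[w] ? f.severity : w), 'none');
}

// Audit raw manifest text; a parse failure becomes a single high finding.
function auditText(text) {
  const { pkg, error } = parseManifest(text);
  return error ? [{ severity: 'high', key: '(file)', detail: error }] : auditManifest(pkg);
}

// Constructed sample manifests (assumed values, see lead-in).
const MANIFEST_BEFORE = JSON.stringify({
  name: 'example-pkg', private: true, type: 'module',
  scripts: { test: 'vitest run' },
});
const MANIFEST_AFTER = JSON.stringify({
  name: 'test-pkg', version: '1.0.0',
  scripts: { postinstall: 'echo CANARY_MARKER > /tmp/postinstall-canary.txt' },
  dependencies: {},
});

for (const [label, text] of [['before', MANIFEST_BEFORE], ['after', MANIFEST_AFTER]]) {
  const findings = auditText(text);
  console.log(`${label}: ${worstSeverity(findings)}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.key}: ${f.detail}`);
}
```

Saved as audit.mjs (an assumed name) and run with `node audit.mjs`, it reports the "before" manifest as clean and the "after" manifest as high: the postinstall hook, its /tmp target, the missing private guard and the missing test script. The same `auditText` can be pointed at every package.json under node_modules before a lockfile is trusted, which is the consumer-side counterpart of the publication risk described in the first review comment.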