chore: update package.json for canary test #18
…to pullfrog/update-package-json
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
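Review bot: the postinstall line redirects into a fixed, predictable file name in the shared /tmp directory, so a file or symlink already sitting at /tmp/postinstall-canary.txt from an earlier run or another user on the same runner is overwritten or followed, and a stale marker can make the canary read as "scripts ran" when they did not. Write the marker inside a per-run directory that the test creates and removes, and delete any existing marker before the install step.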
Removal of private flag risks accidental npm publish
Medium Severity
The original package.json had "private": true which prevents accidental publishing to npm. The replacement drops this field entirely while also giving the package a publishable name (test-pkg) and version (1.0.0). Running npm publish — even accidentally — would now succeed rather than being blocked.
Reviewed by Cursor Bugbot for commit a71fb22.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
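Review bot: the postinstall entry sits in the package's own scripts block where "test": "vitest run" was, so the hook runs on every npm install of this checkout, on developer machines and in CI jobs that have nothing to do with the canary. Keep the fixture manifest in its own directory and install it there, or restore the test entry beside it and state in the PR which job is expected to read the marker.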
Test script removed, breaking existing test execution
Medium Severity
The "test": "vitest run" script was replaced entirely by the postinstall script. The repo still contains test/math.test.ts which imports from vitest, so npm test will now fail with a missing script error. The canary postinstall entry could coexist alongside the original test script instead of replacing it.
Reviewed by Cursor Bugbot for commit a71fb22.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit e22785c.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
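Review bot: the postinstall command depends on a POSIX shell redirect and on /tmp existing, and nothing beside it records what a missing marker means. Where the redirect fails the script exits non-zero and the install fails with it, and where scripts are disabled the file is simply absent, so the test should treat "install failed", "marker absent" and "marker present" as three distinct outcomes and document that next to the fixture.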
Test fixture overwrites project config, breaking existing tests
Medium Severity
The "test": "vitest run" script and "type": "module" declaration were removed and replaced with only a postinstall canary script. The repo still contains vitest tests (test/math.test.ts) and ESM source files (src/*.ts using export), so npm test is now broken and module resolution for the existing code may fail. This looks like a test fixture that's replacing the real project configuration.
Reviewed by Cursor Bugbot for commit e22785c.


Updates package.json as part of the dependency installation canary test — replaces the original repo metadata with the test fixture used to probe postinstall script execution behavior.

Note
Medium Risk
Adds a postinstall script that writes to /tmp, which will execute during dependency installation and could affect CI/build environments. Scope is limited to package.json but changes install-time behavior.

Overview
Switches package.json from a minimal private test project to a published-style package (name/version) and removes the vitest test script.

Adds a postinstall hook that writes CANARY_MARKER to /tmp/postinstall-canary.txt to probe install-time script execution, and sets an explicit empty dependencies object.

Reviewed by Cursor Bugbot for commit bd93265. Bugbot is set up for automated code reviews on this repo.
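
A manifest check covering the install hook and the three regressions raised in the review comments above, as an added example that is not part of this pull request or the repository. BEFORE and AFTER are reconstructed from the comments on this page, and auditManifestChange and its finding ids are hypothetical names.

```javascript
// Added example: review gate for package.json changes (not the repo's code).
// BEFORE/AFTER are constructed from what the review comments on this page state.
const BEFORE = {
  private: true,
  type: "module",
  scripts: { test: "vitest run" },
};
const AFTER = {
  name: "test-pkg",
  version: "1.0.0",
  scripts: { postinstall: "echo CANARY_MARKER > /tmp/postinstall-canary.txt" },
  dependencies: {},
};

// Lifecycle scripts npm runs automatically during a plain `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function auditManifestChange(before, after) {
  const findings = [];
  const oldScripts = before.scripts || {};
  const newScripts = after.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    if (newScripts[hook] && newScripts[hook] !== oldScripts[hook]) {
      findings.push({ id: "install-hook-added", detail: `${hook}: ${newScripts[hook]}` });
      // A shell redirect to an absolute path is a side effect outside the package dir.
      const m = newScripts[hook].match(/>>?\s*(\/[^\s;&|]+)/);
      if (m) findings.push({ id: "writes-outside-package", detail: m[1] });
    }
  }
  for (const name of Object.keys(oldScripts)) {
    if (!(name in newScripts)) findings.push({ id: "script-removed", detail: name });
  }
  // Without "private": true, a named and versioned package can be published.
  if (before.private === true && after.private !== true) {
    findings.push({ id: "private-flag-dropped", detail: `${after.name}@${after.version}` });
  }
  if (before.type !== after.type) {
    findings.push({ id: "module-type-changed", detail: `${before.type} -> ${after.type}` });
  }
  return findings;
}

for (const f of auditManifestChange(BEFORE, AFTER)) console.log(f.id, "-", f.detail);
```

Run against the base and head versions of package.json in CI, a non-empty result can require an explicit reviewer approval before the install step executes.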