chore: update package.json for dependency install smoke test #25
pullfrog[bot] wants to merge 11 commits into main from
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 4cbfca1. Configure here.
| "scripts": { | ||
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" |
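Review bot: The postinstall line in this hunk writes its canary to the fixed path /tmp/postinstall-canary.txt, so on a reused CI runner or a developer machine a file left behind by an earlier install makes any later "was the file created?" check unreliable. Consider writing the marker to a per-run path inside the workspace and deleting it before the install under test, so the absence of the file can only mean the script did not run.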
Test postinstall script accidentally committed to repository
High Severity
The postinstall script (echo CANARY_MARKER > /tmp/postinstall-canary.txt) is a smoke-test artifact that the PR description confirms already served its purpose. It will now execute on every npm install (without --ignore-scripts), writing a canary file to /tmp. Meanwhile, the original "test": "vitest run" script was removed, breaking npm test for the existing test suite in test/math.test.ts.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
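Review bot: "dependencies": {} at the end of this hunk is empty, so the postinstall canary above it only exercises the root package's own lifecycle script; the install never processes a dependency that declares one. If the smoke test is meant to cover dependency install behavior, add a fixture dependency with its own install script, or state in the PR that only the root hook is being tested.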
Removed private field risks accidental npm publish
Medium Severity
The "private": true field was removed from package.json. This fixture repo (per README.md) was previously guarded against accidental publishing to the npm registry. Without it, an npm publish invocation would attempt to publish test-pkg@1.0.0 publicly.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
Removed type: "module" may break ES module resolution
Medium Severity
The "type": "module" field was removed, reverting the package to CommonJS module resolution by default. The existing source files in src/ (.ts files) and tests importing them with ESM syntax (import { ... } from "...") may no longer resolve correctly depending on the toolchain configuration.
…' into pullfrog/smoke-test-package-json


Updates package.json as part of a dependency installation behavior smoke test. The postinstall canary script confirmed that npm ci --ignore-scripts suppresses lifecycle scripts — /tmp/postinstall-canary.txt was never created.

Note

Medium Risk
Adds a postinstall lifecycle script that writes to /tmp, which can have side effects during installs in CI or developer machines if scripts aren’t disabled.

Overview
Updates package.json to rename the package, add a version, and replace the test script with a postinstall canary that writes CANARY_MARKER to /tmp/postinstall-canary.txt.

Removes private/type: module metadata and leaves an empty dependencies set, shifting the project toward a minimal install smoke-test setup.

Reviewed by Cursor Bugbot for commit 81ab146. Bugbot is set up for automated code reviews on this repo.
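As an added example (not code from this PR, pullfrog or Bugbot), the check below compares a base and head package.json and reports the classes of change flagged in this review: a new install-time lifecycle script, a removed script, removal of private, and a changed type. The function name, the finding labels and the base manifest's package name are assumptions; the sample manifests are constructed from the details quoted on this page.

```javascript
// Added example: diff-aware manifest check for pull requests that touch package.json.

// Scripts npm runs on its own during `npm install` / `npm ci` in the root project.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function compareManifests(base, head) {
  const findings = [];
  const baseScripts = base.scripts || {};
  const headScripts = head.scripts || {};

  // A hook that is new, or whose command changed, runs new code on every install.
  for (const hook of INSTALL_HOOKS) {
    if (hook in headScripts && headScripts[hook] !== baseScripts[hook]) {
      findings.push(`install-hook-changed:${hook}`);
    }
  }
  // Any script present on base but missing on head (for example "test").
  for (const name of Object.keys(baseScripts)) {
    if (!(name in headScripts)) findings.push(`script-removed:${name}`);
  }
  // Dropping "private": true removes the guard against `npm publish`.
  if (base.private === true && head.private !== true) findings.push("private-removed");
  // An absent "type" means CommonJS, so removing "module" changes module resolution.
  const baseType = base.type || "commonjs";
  const headType = head.type || "commonjs";
  if (baseType !== headType) findings.push(`type-changed:${baseType}->${headType}`);
  return findings;
}

// Constructed sample manifests modelled on the change discussed on this page.
// The base package name is a placeholder; the page does not give it.
const SAMPLE_BASE = {
  name: "placeholder-name",
  private: true,
  type: "module",
  scripts: { test: "vitest run" },
};
const SAMPLE_HEAD = {
  name: "test-pkg",
  version: "1.0.0",
  scripts: { postinstall: "echo CANARY_MARKER > /tmp/postinstall-canary.txt" },
  dependencies: {},
};

console.log(compareManifests(SAMPLE_BASE, SAMPLE_HEAD).join("\n"));
```

Run against the two manifests of a pull request in CI, a non-empty result is a reason to require human review before the install step executes.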