
chore: update package.json for canary test #28

Open

pullfrog[bot] wants to merge 1 commit into main from pullfrog/test-pkg-canary

Conversation


@pullfrog pullfrog Bot commented May 9, 2026

Updates package.json as part of a dependency-installation canary test. The postinstall script writes a marker file to /tmp/postinstall-canary.txt to verify whether scripts are executed during npm install.

Pullfrog | via Pullfrog | Using Claude Sonnet


Note

Medium Risk
Adds a postinstall script that executes during dependency installation and writes to /tmp, which can affect install environments/CI and may be undesirable in real packages.

Overview
Updates package.json to convert the project into a versioned package (name/version) and removes the prior test setup.

Adds a postinstall canary that writes CANARY_MARKER to /tmp/postinstall-canary.txt to detect whether install scripts run, and leaves dependencies empty.

Reviewed by Cursor Bugbot for commit 9b01c44. Bugbot is set up for automated code reviews on this repo. Configure here.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


Comment thread package.json
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
},
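Review bot: the postinstall command hard-codes a POSIX shell redirect to a fixed, predictable path in a world-writable directory (`echo CANARY_MARKER > /tmp/postinstall-canary.txt`), so the install will fail on machines without a /tmp directory and, where it succeeds, it clobbers whatever file or symlink already sits at that name. If the canary has to stay, write the marker under the package directory or `os.tmpdir()` from a small Node script invoked by the hook, and state in the PR description that this is a throwaway test package so reviewers do not mistake it for something meant to be published.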

Removal of test script breaks existing test suite

Medium Severity

The "test": "vitest run" script was removed even though test/math.test.ts still exists and imports from vitest. Running npm test will now fail. The stated intent was to add a postinstall canary script, but the entire scripts block was replaced instead of augmented, which inadvertently drops the test script, the "private": true flag, and the "type": "module" declaration.


Comment thread package.json
"scripts": {
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"

Removing private flag enables accidental publishing with postinstall

High Severity

The "private": true field was removed at the same time a postinstall script performing filesystem writes (echo CANARY_MARKER > /tmp/postinstall-canary.txt) was added. Without the private guard, this package can be accidentally published to npm, causing the postinstall script to execute on every consumer's machine during npm install. This is a well-known supply chain attack pattern.

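The two findings above (an install-time lifecycle script, and a package that is publishable because `"private": true` was dropped) are easy to check mechanically before a change like this lands. The following is an added example and not code from the PR, Pullfrog or Cursor Bugbot; the rule names and severities are my own, and the sample package.json inputs are constructed to approximate the before/after state described in the review (name and version are placeholders, the postinstall command is the one from the PR).

```javascript
// npm lifecycle hooks that run during a plain `npm install` of the package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Shell redirection to an absolute path (e.g. "> /tmp/x"), as in the canary.
const ABS_PATH_REDIRECT = /(^|\s)>>?\s*\//;

// Audit a package.json document and return a list of findings.
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push({ severity: 'medium', rule: 'install-hook', hook, command: cmd });
    if (ABS_PATH_REDIRECT.test(cmd)) {
      findings.push({ severity: 'medium', rule: 'writes-absolute-path', hook, command: cmd });
    }
  }
  // An install hook in a package that can be published is the high-severity case:
  // without "private": true, `npm publish` ships the hook to every consumer.
  if (findings.length > 0 && pkg.private !== true) {
    findings.push({ severity: 'high', rule: 'publishable-with-install-hook', name: pkg.name });
  }
  return findings;
}

// Constructed inputs: the pre-change package.json as described by Bugbot, and the
// post-change one with placeholder name/version and the PR's postinstall command.
const BEFORE_PACKAGE_JSON = JSON.stringify({
  private: true,
  type: 'module',
  scripts: { test: 'vitest run' },
});
const AFTER_PACKAGE_JSON = JSON.stringify({
  name: 'example-canary-pkg',
  version: '0.0.0',
  scripts: { postinstall: 'echo CANARY_MARKER > /tmp/postinstall-canary.txt' },
  dependencies: {},
});

for (const [label, text] of [['before', BEFORE_PACKAGE_JSON], ['after', AFTER_PACKAGE_JSON]]) {
  console.log(label, JSON.stringify(auditPackageJson(text), null, 2));
}
```

On the CI side the same class of risk is removed wholesale by installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc), which is also how a canary like this one would show that scripts are not being run.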
