chore: update package.json for dep install test#23
chore: update package.json for dep install test#23pullfrog[bot] wants to merge 1 commit intomainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit f451527. Configure here.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
There was a problem hiding this comment.
Removing private: true risks accidental npm publishing
Medium Severity
The "private": true field was removed from package.json. This safety guard prevents accidental publishing to the npm registry. Without it, running npm publish in this repo would attempt to publish test-pkg@1.0.0 publicly, which is especially risky since this is a test/fixture repository not intended for distribution.
Reviewed by Cursor Bugbot for commit f451527. Configure here.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
There was a problem hiding this comment.
Test script removed, npm test no longer works
Medium Severity
The "test": "vitest run" script was removed and replaced only with a postinstall script. The repo still contains test/math.test.ts which imports from vitest, so running npm test will now fail. Any CI pipeline or developer workflow relying on the standard test command is broken.
Reviewed by Cursor Bugbot for commit f451527. Configure here.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
There was a problem hiding this comment.
Removal of "type": "module" breaks ESM resolution
Low Severity
The "type": "module" field was removed, changing the default module system from ESM to CommonJS. The existing source files in src/ use ESM export syntax and the test file uses ESM import syntax. While TypeScript tooling may compensate in some cases, this changes the module resolution semantics and could cause issues depending on the runtime or toolchain configuration.
Reviewed by Cursor Bugbot for commit f451527. Configure here.
| "scripts": { | ||
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" |
There was a problem hiding this comment.
Test-only postinstall canary script persisted into repository
Medium Severity
The postinstall script writing CANARY_MARKER to /tmp/postinstall-canary.txt is debug/test scaffolding from an ephemeral test run now committed permanently. Every npm install will execute this side effect, writing to a hardcoded /tmp path (which also fails on Windows). This canary marker has no purpose in the actual project and pollutes every developer and CI environment.
Reviewed by Cursor Bugbot for commit f451527. Configure here.
Updates
package.jsonas part of the dependency installation behavior test. The file was modified to include apostinstallscript and restructured metadata; this PR persists that change from the ephemeral run.Claude Opus| 𝕏Note
Medium Risk
Adds a
postinstallscript that runs on dependency installation, which can affect CI/dev environments despite the current command being a simple echo. Also changes package metadata and removes the test script, which may impact existing workflows.Overview
Updates
package.jsonby renaming the package totest-pkg, adding aversion, and removingprivate/typemetadata.Replaces the
testscript with apostinstallcanary that writesCANARY_MARKERto/tmp/postinstall-canary.txt, and introduces an emptydependenciessection.Reviewed by Cursor Bugbot for commit f451527. Bugbot is set up for automated code reviews on this repo. Configure here.