chore: update package.json for postinstall canary test #13
pullfrog[bot] wants to merge 15 commits into main from
104e3ef to ac3b8e5 (Compare)
ac3b8e5 to 3fdf91c (Compare)
…nto pullfrog/test-pkg-postinstall
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 0f8cb09.
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
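Review bot: the postinstall line writes the canary to a fixed path, /tmp/postinstall-canary.txt, in a shared, world-writable directory, so a file left over from an earlier run (or anything else already sitting at that path) would make a plain "file exists" check pass without the hook having run at all. Suggest the check that consumes the canary removes the file before each install and verifies the CANARY_MARKER content, or that the hook writes to a per-run path supplied through an environment variable instead of a hard-coded one.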
Removal of private field risks accidental npm publish
Medium Severity
The "private": true field was removed from package.json. This safety guard prevents accidental publication to the npm registry. Without it, an npm publish (manual or via CI misconfiguration) would push this test package publicly, which could also enable a dependency-confusion vector since the name test-pkg is generic.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
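Review bot: this hunk drops "test": "vitest run" rather than adding the hook next to it, leaving "postinstall" as the only entry under scripts; keep both lines, `"test": "vitest run",` followed by the `"postinstall"` line, so test/math.test.ts stays runnable via npm test. Also worth documenting for this canary: installs run with --ignore-scripts (common in hardened CI and on some developer machines) never execute postinstall, so the consuming check should report a missing canary file as "install scripts were not run" and not as a defect in the package.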
Test script removed while test files still exist
Low Severity
The "test": "vitest run" script was deleted and replaced solely with a postinstall script. The test file test/math.test.ts still imports from vitest and expects to be runnable, so npm test now produces an error instead of running the existing test suite. The postinstall canary could have been added alongside the existing test script rather than replacing it.


Updates package.json as part of the dependency installation behavior test. Changes the package name to test-pkg and adds a postinstall script that writes a canary file to /tmp/postinstall-canary.txt. (Claude Opus)

Note: Medium Risk

Adds a postinstall script that writes to /tmp, which can affect install behavior and is commonly flagged by security tooling. Changes are limited to package.json metadata and scripts.

Overview

Renames the npm package to test-pkg, adds a version, and simplifies package.json by removing private/type and the test script.

Introduces a postinstall script that writes a canary marker to /tmp/postinstall-canary.txt to validate install-time behavior.

Reviewed by Cursor Bugbot for commit 047b187. Bugbot is set up for automated code reviews on this repo.