
chore: update package.json for canary test #28

Open
pullfrog[bot] wants to merge 7 commits into main from pullfrog/test-pkg-canary

Conversation

@pullfrog pullfrog Bot commented May 9, 2026


Updates package.json as part of dependency installation canary test. The postinstall script writes a marker file to /tmp/postinstall-canary.txt to verify whether scripts are executed during npm install.

Pullfrog | via Pullfrog | Using Claude Sonnet


Note

Low Risk
Test-only manifest change; postinstall writes to /tmp locally and has no production app surface in this repo.

Overview
Reconfigures package.json for a dependency-install canary: renames the package to test-pkg, sets version 1.0.0, and drops the previous vitest test script and module setup.

Adds a postinstall script that writes CANARY_MARKER to /tmp/postinstall-canary.txt so installs can be checked for script execution. Declares an empty dependencies object.

Reviewed by Cursor Bugbot for commit 8c92bb6. Bugbot is set up for automated code reviews on this repo.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit 9b01c44.

Comment thread package.json
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
},
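Review bot: the added postinstall line redirects to a fixed path in the shared /tmp directory (`echo CANARY_MARKER > /tmp/postinstall-canary.txt`), so a marker left behind by an earlier run makes the canary report "scripts ran" even when they did not, and two installs on the same runner overwrite each other's result; remove the marker before the install under test or derive the path from a per-run location such as $RUNNER_TEMP, and run the check both as `npm install` and as `npm install --ignore-scripts` so it confirms the hook fires and that the suppression flag actually stops it.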


Removal of test script breaks existing test suite

Medium Severity

The "test": "vitest run" script was removed even though test/math.test.ts still exists and imports from vitest. Running npm test will now fail. The stated intent was to add a postinstall canary script, but the entire scripts block was replaced instead of augmented, which inadvertently drops the test script, the "private": true flag, and the "type": "module" declaration.


Comment thread package.json
"scripts": {
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
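Review bot: the removed `"test": "vitest run"` line and the added `"postinstall"` line are shown as alternatives inside the same `"scripts": {` object, so after this change the object carries only the canary hook; keep both entries together, e.g. `"scripts": { "test": "vitest run", "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" }`, and restore `"private": true` alongside it so the manifest that now executes a shell command on install cannot be pushed to the registry by a stray `npm publish`.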


Removing private flag enables accidental publishing with postinstall

High Severity

The "private": true field was removed at the same time a postinstall script performing filesystem writes (echo CANARY_MARKER > /tmp/postinstall-canary.txt) was added. Without the private guard, this package can be accidentally published to npm, causing the postinstall script to execute on every consumer's machine during npm install. This is a well-known supply chain attack pattern.

