chore: add package-lock.json for sdk quickstart dependencies #30
Jona10i wants to merge 1 commit into cursor:main from
Cursor Bugbot has reviewed your changes using high mode and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3816f98. Configure here.
| "@cursor/sdk-linux-arm64": "1.0.12", | ||
| "@cursor/sdk-linux-x64": "1.0.12", | ||
| "@cursor/sdk-win32-x64": "1.0.12" | ||
| } |
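Review bot: The platform packages at the end of this block (@cursor/sdk-linux-arm64, @cursor/sdk-linux-x64, @cursor/sdk-win32-x64) are pinned to 1.0.12 by the npm lockfile alone. npm reads only package-lock.json and pnpm reads only pnpm-lock.yaml, so nothing keeps these pins aligned with what pnpm resolves. Either drop package-lock.json and keep pnpm as the single source of truth, or regenerate both lockfiles in this PR and add a CI check that fails when they resolve different versions of the same package.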
Dual lockfiles resolve different SDK versions
Medium Severity · Code Quality
The new package-lock.json resolves @cursor/sdk to version 1.0.12, which conflicts with the 1.0.7 version pinned in pnpm-lock.yaml. This creates inconsistent SDK versions for contributors, depending on whether they use npm ci or pnpm install. Given the project's explicit pnpm configuration, this undermines reproducibility and can lead to dependency drift.
Reviewed by Cursor Bugbot for commit 3816f98. Configure here.
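The drift described in this comment can be caught mechanically in CI. The following is an added example, not code from the PR or the cursor repository: the function names are hypothetical, the sample lockfile text is constructed (only the 1.0.12 and 1.0.7 SDK versions come from the comment above), and the pnpm parser assumes `packages:` keys of the form `name@version`.

```javascript
// Added example: sample lockfile text below is constructed for illustration.
const SAMPLE_NPM_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "quickstart" },
  "node_modules/@cursor/sdk": { version: "1.0.12" },
  "node_modules/typescript": { version: "5.4.5" },
} });
const SAMPLE_PNPM_LOCK = [
  "packages:",
  "  '@cursor/sdk@1.0.7':",
  "    resolution: {integrity: sha512-PLACEHOLDER}",
  "  typescript@5.4.5:",
  "snapshots:",
  "  '@cursor/sdk@1.0.7': {}",
].join("\n");

const add = (m, k, v) => m.set(k, (m.get(k) || new Set()).add(v));

// package-lock.json v2/v3: keys of "packages" are install paths.
function npmLockVersions(text) {
  const out = new Map(), NM = "node_modules/";
  for (const [path, meta] of Object.entries(JSON.parse(text).packages || {})) {
    const i = path.lastIndexOf(NM); // -1 for the root project entry ""
    if (i !== -1 && meta.version) add(out, path.slice(i + NM.length), meta.version);
  }
  return out;
}

// pnpm-lock.yaml: assumes "packages:" keys shaped like name@version.
function pnpmLockVersions(text) {
  const out = new Map();
  let section = "";
  for (const line of text.split(/\r?\n/)) {
    const top = /^([A-Za-z]+):\s*$/.exec(line);
    if (top) { section = top[1]; continue; }
    const m = /^ {2}'?\/?((?:@[^\/@']+\/)?[^\/@'\s]+)@([^'(:\s]+)/.exec(line);
    if (section === "packages" && m) add(out, m[1], m[2]);
  }
  return out;
}

// Report every package that both lockfiles resolve to different version sets.
function lockfileDrift(npmText, pnpmText) {
  const npm = npmLockVersions(npmText), pnpm = pnpmLockVersions(pnpmText);
  const drift = [];
  for (const [name, versions] of npm) {
    if (!pnpm.has(name)) continue; // compare only packages both files resolve
    const a = [...versions].sort(), b = [...pnpm.get(name)].sort();
    if (a.join() !== b.join()) drift.push({ name, npm: a, pnpm: b });
  }
  return drift;
}
```

In CI, pass the contents of the two lockfiles read from disk and fail the job when the returned list is non-empty.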


Note
Low Risk
Adds a lockfile for the sdk/quickstart Node project; no runtime/app logic changes. Risk is limited to dependency resolution and potential tooling mismatch (project declares pnpm but now includes an npm lockfile).
Overview
Adds sdk/quickstart/package-lock.json (lockfile v3) to pin the quickstart’s Node dependencies/devDependencies (notably @cursor/sdk, typescript, tsx, and transitive deps) for reproducible installs.
Reviewed by Cursor Bugbot for commit 3816f98. Bugbot is set up for automated code reviews on this repo. Configure here.