test: write package.json for dependency install canary test #15
pullfrog[bot] wants to merge 27 commits into
…pullfrog/test-dep-install
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, | ||
| "dependencies": {} |
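Review bot: the postinstall line writes the marker to a fixed path, /tmp/postinstall-canary.txt, so a file left over from an earlier run on the same runner makes the canary pass even if the script never executed, and the predictable name in a shared directory can be pre-created by another process. Delete the marker before the install step and write it to a per-run location (for example a directory inside the job workspace) that the test then checks.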
Test package.json overwrites real project configuration
High Severity
The root package.json appears to have been overwritten with a canary-test-only version. This removes "private": true (risking accidental npm publish), "type": "module" (breaking existing ES module imports in src/ and test/), and the "test": "vitest run" script (breaking npm test). The existing test/math.test.ts imports from vitest and uses ES module syntax, which will no longer work. Per the PR description, this file was "overwritten as part of the test task" — it looks like a test artifact that was accidentally committed.
Reviewed by Cursor Bugbot for commit ab76b76. Configure here.
| "requires": true, | ||
| "packages": { | ||
| "": { | ||
| "name": "test-repo" |
Package name mismatch between lockfile and manifest
Medium Severity
The package-lock.json uses "name": "test-repo" (in both the root and the packages[""] entry) while package.json was changed to "name": "test-pkg". This mismatch means npm will detect an inconsistency and may regenerate the lockfile on install, which could interfere with the deterministic behavior expected by the canary test.
Reviewed by Cursor Bugbot for commit 17fb087. Configure here.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit 767a1ad. Configure here.
| "name": "test-repo", | ||
| "private": true, | ||
| "type": "module", | ||
| "name": "test-pkg", |
Name mismatch between package.json and package-lock.json
Medium Severity
The package.json declares "name": "test-pkg" while the new package-lock.json declares "name": "test-repo". This mismatch causes npm to emit warnings and may lead to unexpected behavior during dependency installation—the very operation this canary test is meant to verify.
Reviewed by Cursor Bugbot for commit 767a1ad. Configure here.
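A pre-merge check covering the findings raised in the review comments above: dropped manifest fields, new install-time scripts, and a lockfile name that disagrees with the manifest. This is an added example, not code from the PR or from Bugbot; the function name auditManifestChange is hypothetical and the base-branch manifest is a constructed sample built from the values quoted in the thread.

```javascript
// Added example, not code from this PR. Sample objects are constructed from
// the values quoted in the review comments above.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Compare the base-branch manifest, the PR's manifest, and the PR's lockfile.
function auditManifestChange(base, head, lock) {
  const findings = [];
  const add = (id, detail) => findings.push({ id, detail });

  // Top-level fields and scripts present on the base branch but gone in the PR.
  for (const key of Object.keys(base)) {
    if (key !== "scripts" && !(key in head)) add("dropped-field", key);
  }
  for (const name of Object.keys(base.scripts || {})) {
    if (!(head.scripts && name in head.scripts)) add("dropped-script", name);
  }

  // Scripts npm runs automatically during install; flag new or changed ones.
  for (const hook of INSTALL_HOOKS) {
    const cmd = head.scripts && head.scripts[hook];
    const before = base.scripts && base.scripts[hook];
    if (typeof cmd === "string" && cmd !== before) add("install-hook", `${hook}: ${cmd}`);
  }

  // The lockfile records the package name at the top level and in packages[""].
  const root = (lock.packages || {})[""] || {};
  const lockNames = { name: lock.name, 'packages[""].name': root.name };
  for (const [where, value] of Object.entries(lockNames)) {
    if (value !== undefined && value !== head.name) {
      add("name-mismatch", `lockfile ${where}=${value}, package.json name=${head.name}`);
    }
  }
  return findings;
}

// Constructed sample input.
const base = { name: "test-repo", private: true, type: "module", scripts: { test: "vitest run" } };
const head = {
  name: "test-pkg",
  scripts: { postinstall: "echo CANARY_MARKER > /tmp/postinstall-canary.txt" },
  dependencies: {},
};
const lock = { name: "test-repo", lockfileVersion: 3, requires: true, packages: { "": { name: "test-repo" } } };

for (const f of auditManifestChange(base, head, lock)) console.log(f.id, "-", f.detail);
```

Run in CI with the two manifests read from the base and head commits, a non-empty result can fail the job or require an explicit reviewer acknowledgement.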


This PR captures the package.json change made during a dependency installation behavior test. The file was overwritten as part of the test task to verify postinstall script execution via start_dependency_installation/await_dependency_installation.

Claude Opus

Note

Medium Risk

Adds a postinstall script that writes to /tmp, which will execute on dependency installs and could affect CI environments. Otherwise changes are limited to package metadata and a minimal package-lock.json.

Overview

Adjusts package.json to act as a dependency-install canary by renaming the package and adding a postinstall script that writes CANARY_MARKER to /tmp/postinstall-canary.txt.

Adds a minimal package-lock.json (lockfile v3) to capture the npm install state for this test setup.

Reviewed by Cursor Bugbot for commit c2aec6c. Bugbot is set up for automated code reviews on this repo. Configure here.