Open
27 commits
dbb0899 test: add postinstall canary script to package.json (pullfrog[bot], Apr 16, 2026)
899475e chore: update package.json for postinstall canary test (pullfrog[bot], May 13, 2026)
5e99cc6 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 13, 2026)
3237810 chore: update package.json for canary test (pullfrog[bot], May 13, 2026)
0ef09ee Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 13, 2026)
ca0c746 chore: update package.json for canary test (pullfrog[bot], May 13, 2026)
0bf0d43 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 13, 2026)
4ecd60b test: add postinstall canary script to package.json (pullfrog[bot], May 14, 2026)
c0d3ac5 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 14, 2026)
cdeb2b6 chore: update package.json for postinstall canary test (pullfrog[bot], May 14, 2026)
35b11d4 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 14, 2026)
91f633f chore: update package.json for postinstall canary test (pullfrog[bot], May 15, 2026)
6743a95 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 15, 2026)
b7dbd22 test: add postinstall canary script to package.json (pullfrog[bot], May 16, 2026)
c9b9ab2 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 16, 2026)
213038b test: add postinstall canary to package.json (pullfrog[bot], May 18, 2026)
6e18958 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 18, 2026)
a0bde76 test: add postinstall canary script to package.json (pullfrog[bot], May 20, 2026)
5443ec1 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 20, 2026)
474ed91 test: update package.json for postinstall canary test (pullfrog[bot], May 20, 2026)
ede16b6 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 20, 2026)
6e2fc90 chore: write test canary package.json (pullfrog[bot], May 22, 2026)
7a7391a Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 22, 2026)
ca7d2f5 add postinstall canary script to package.json (pullfrog[bot], May 23, 2026)
47995e9 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 23, 2026)
9e62c8e chore: add test package.json for canary install test (pullfrog[bot], May 23, 2026)
d5701e3 Merge remote-tracking branch 'origin/pullfrog/test-canary-package-jso… (pullfrog[bot], May 23, 2026)
10 changes: 5 additions & 5 deletions package.json
@@ -1,8 +1,8 @@
{
"name": "test-repo",
"private": true,
"type": "module",
"name": "test-pkg",
"version": "1.0.0",
"scripts": {
"test": "vitest run"
}
"postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt"
Postinstall script is test code committed to production

High Severity

The postinstall script writing a canary marker file to /tmp/postinstall-canary.txt is test/debugging infrastructure that executes a shell command on every npm install. This runs automatically for anyone installing this package or its dependents, writing to the filesystem as a side effect of installation. Even if created for "dependency installation behavior testing," this has no place in the committed package.json.

Reviewed by Cursor Bugbot for commit 5e99cc6.

},
Test script removed while test files still exist

Medium Severity

The "test": "vitest run" script was removed, but test/math.test.ts and its vitest imports still exist. Running npm test will now fail with the default npm error instead of executing the test suite. This silently breaks the CI test pipeline. "type": "module" was also removed, which may affect module resolution for the remaining TypeScript source files.

Reviewed by Cursor Bugbot for commit 5e99cc6.

"dependencies": {}
Removal of private: true enables accidental npm publication

High Severity

The "private": true field was removed and a "version" field was added, making this package publishable to npm. Since the package now contains a postinstall script that executes a shell command, an accidental or malicious npm publish would distribute a package that writes to /tmp on every consumer's machine. The private guard existed specifically to prevent this.

Reviewed by Cursor Bugbot for commit 5e99cc6.
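The review comments on this hunk describe four regressions (an install-time hook added, "private": true dropped, the "test" script removed, "type": "module" removed). The following is an added example, not code from this PR or from Cursor Bugbot: a diff-aware pre-merge check that takes the parsed package.json before and after a change and reports exactly those findings. The field names, severities and the hook list are this example's own assumptions; the two inputs are constructed to mirror the hunk.

```javascript
// Added example (not code from the PR or from Cursor Bugbot): a diff-aware
// pre-merge check for package.json that flags the risks raised in the review
// comments. Field names and severities are this example's own assumptions.
// npm lifecycle hooks that run a shell command during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Compare the parsed package.json before and after the change; return findings.
function auditChange(before, after) {
  const findings = [];
  const oldScripts = before.scripts || {};
  const newScripts = after.scripts || {};
  // 1. New or changed install-time hooks execute on every consumer's machine.
  const newHooks = INSTALL_HOOKS.filter(
    (h) => typeof newScripts[h] === "string" && newScripts[h] !== oldScripts[h]
  );
  for (const h of newHooks) {
    findings.push({ severity: "high", field: `scripts.${h}`,
      msg: `install-time hook added: ${newScripts[h]}` });
  }

  // 2. Dropping "private": true makes the package publishable; worse with a hook.
  if (before.private === true && after.private !== true) {
    findings.push({ severity: newHooks.length ? "high" : "medium", field: "private",
      msg: "\"private\": true removed; package becomes publishable to npm" });
  }

  // 3. Removed scripts (e.g. "test") silently break the CI entry point.
  for (const name of Object.keys(oldScripts)) {
    if (!(name in newScripts)) {
      findings.push({ severity: "medium", field: `scripts.${name}`,
        msg: `script "${name}" removed; it no longer runs in CI` });
    }
  }

  // 4. Dropping "type": "module" flips ESM sources to CommonJS resolution.
  if (before.type === "module" && after.type !== "module") {
    findings.push({ severity: "medium", field: "type",
      msg: "\"type\": \"module\" removed; ESM files now resolve as CommonJS" });
  }
  return findings;
}

// Constructed inputs mirroring the two sides of the hunk in this PR.
const BEFORE = { name: "test-repo", private: true, type: "module",
  scripts: { test: "vitest run" } };
const AFTER = { name: "test-pkg", version: "1.0.0", dependencies: {},
  scripts: { postinstall: "echo CANARY_MARKER > /tmp/postinstall-canary.txt" } };

for (const f of auditChange(BEFORE, AFTER)) console.log(`[${f.severity}] ${f.field}: ${f.msg}`);
```

In a pipeline the same function can be fed `JSON.parse` of the base and head revisions of package.json, and any "high" finding can block the merge.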

Removal of type: module breaks ESM resolution

Medium Severity

The "type": "module" field was removed from package.json. All source files in src/ use ESM export syntax, and the test file uses ESM import syntax. This field controls how Node.js and tooling (like vitest) resolve modules. Without it, the project defaults to CommonJS mode, which can break ESM module resolution across the entire project — separate from the test script removal.

Reviewed by Cursor Bugbot for commit 0ef09ee.

}
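Review bot: the "postinstall" line replaces the "test": "vitest run" script with a shell command that runs on every npm install, and the same hunk removes "private": true and "type": "module" while adding a "version", so the result is a publishable package with an install-time hook and no test entry point. Suggest restoring "private": true, "type": "module" and the "test" script in this hunk and keeping the canary out of the committed package.json (a test fixture under the test directory would hold it); if the pipeline needs to exercise install behaviour, run `npm ci --ignore-scripts` in CI so a lifecycle hook cannot execute there unnoticed.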