chore: update package.json for canary test#28
Conversation
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 9b01c44.
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" | ||
| }, |
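Review bot: the postinstall command added in this hunk, "echo CANARY_MARKER > /tmp/postinstall-canary.txt", hardcodes a POSIX path and shell redirection, so on a Windows runner (where npm hands scripts to cmd.exe) it will fail or write somewhere unexpected and the canary reports a false negative; and the scripts object replaces "test": "vitest run" instead of adding to it. If the only goal is to prove that a hook ran, write the marker with node, e.g. node -e "require('fs').writeFileSync(require('path').join(require('os').tmpdir(), 'postinstall-canary.txt'), 'CANARY_MARKER')", and keep the existing test entry next to the new hook.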
Removal of test script breaks existing test suite
Medium Severity
The "test": "vitest run" script was removed even though test/math.test.ts still exists and imports from vitest. Running npm test will now fail. The stated intent was to add a postinstall canary script, but the entire scripts block was replaced instead of augmented, which inadvertently drops the test script, the "private": true flag, and the "type": "module" declaration.
| "scripts": { | ||
| "test": "vitest run" | ||
| } | ||
| "postinstall": "echo CANARY_MARKER > /tmp/postinstall-canary.txt" |
Removing private flag enables accidental publishing with postinstall
High Severity
The "private": true field was removed at the same time a postinstall script performing filesystem writes (echo CANARY_MARKER > /tmp/postinstall-canary.txt) was added. Without the private guard, this package can be accidentally published to npm, causing the postinstall script to execute on every consumer's machine during npm install. This is a well-known supply chain attack pattern.
…ullfrog/test-pkg-canary
Updates package.json as part of a dependency installation canary test. The postinstall script writes a marker file to /tmp/postinstall-canary.txt to verify whether scripts are executed during npm install.
Claude Sonnet
Note
Medium Risk
Adds a postinstall hook that executes during dependency installation and writes to /tmp, which can have side effects in CI or developer machines.
Overview
Updates package.json to rename the package to test-pkg, add a version, and drop previous fields/scripts. Introduces a postinstall script that writes CANARY_MARKER to /tmp/postinstall-canary.txt to detect whether install scripts are executed, and sets dependencies to an empty object.
Reviewed by Cursor Bugbot for commit 9668aca. Bugbot is set up for automated code reviews on this repo.