AntFleet

Anatomy · 3376e50a-0

Husky prepare script will fail on `npm ci --omit=dev` and fresh clones without husky installed

medium · build-release
repo 53606958 · PR #4 · reviewed 1 week ago

The vulnerable code

package.json:15-15

Code snippet unavailable.

The reasoning

Opus

Non-existent TypeScript major version pinned in devDependencies

high · build-release · high
  • package.json:21
TypeScript's latest published major as of this PR is 5.x; there is no TypeScript 6.0.3 release on npm. `npm install` will fail to resolve the caret range `^6.0.3`, breaking `typecheck`, `build`, and any CI that runs `npm ci`. Even if a 6.x is later released, pinning to a non-existent major right now is a release-blocking issue for a template repo that is supposed to be forked per-agent.

Recommendation

Pin TypeScript to an actually published range (e.g. `^5.6.0`) compatible with `@types/node` and `vitest`, or whatever current major the project targets.

GPT-5

Unpublished dependency versions (TypeScript 6.0.3, Vitest 4.1.5) will break installs/builds

high · build-release · high
  • package.json:23
  • package.json:24
As of the knowledge cutoff (2024-10), TypeScript major version 6 and Vitest major version 4 are not published on npm. Using non-existent versions causes package managers to fail resolution, preventing installation, builds, and tests from running.

Recommendation

Pin to known published versions. For example: typescript ^5.6.x (or current stable), vitest ^1.x or ^2.x (current stable). Verify with `npm view typescript versions --json` and `npm view vitest versions --json`, update package.json accordingly, and regenerate the lockfile.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure
