Fix malformed private field in package.json files #35802

Open
Pantkartik wants to merge 1 commit into facebook:main from Pantkartik:fix/malformed-private-field-fusebox

@Pantkartik

Summary

This PR fixes a compliance issue with the npm package.json specification where the private field was incorrectly typed as a string ("true") instead of a boolean (true).

While some tools may handle this leniently, strict package scanners and validation pipelines (such as ScanCode.io) fail when encountering this malformed metadata. According to the npm documentation, the private field must be a boolean.

Approach & Changes

I conducted a codebase-wide audit to identify all instances of this pattern, rather than fixing only the reported file.

I updated the private field from "true" to true in the following files:

  1. packages/react-devtools-fusebox/package.json (Reported in Bug: Malformed private field in react-devtools-fusebox package.json #35793)
  2. compiler/packages/react-forgive/server/package.json (Identified during audit)
  3. compiler/packages/react-forgive/client/package.json (Identified during audit)

Test Plan

  • Audit: Executed a grep search (grep -r "\"private\": \"true\"" .) to confirm no other occurrences remain in the repository.
  • Validation: Verified that the modified files remain valid JSON.
  • Impact: Confirmed this is a metadata-only change that brings the repository into spec compliance without altering runtime behavior or build configurations.

Related Issues

Fixes #35793
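
A JSON-aware form of the audit described in the Test Plan above, as an added example that is not part of the pull request or the React repository: it type-checks `private` after parsing, so it also reports spacing variants, other non-boolean values and invalid JSON, and compares the result with the literal pattern used in the grep. The manifest paths and contents are constructed sample input, and the function names are hypothetical; reading real `package.json` files from disk is left to the caller.

```javascript
// Added example: type-check the "private" field of package.json manifests.
// Paths and contents below are constructed sample input, not repository files.
const SAMPLE_MANIFESTS = {
  'pkg-a/package.json': '{ "name": "pkg-a", "private": "true" }',  // string, as in the PR
  'pkg-b/package.json': '{"name":"pkg-b","private":"true"}',       // same defect, no spaces
  'pkg-c/package.json': '{ "name": "pkg-c", "private": "false" }', // string "false"
  'pkg-d/package.json': '{ "name": "pkg-d", "private": true }',    // compliant
  'pkg-e/package.json': '{ "name": "pkg-e" }',                     // field absent
  'pkg-f/package.json': '{ "name": "pkg-f", "private": true, }',   // not valid JSON
};

// Returns null when the manifest is acceptable, otherwise a short reason.
function checkPrivateField(text) {
  let manifest;
  try {
    manifest = JSON.parse(text);
  } catch (err) {
    return 'invalid JSON';
  }
  if (manifest === null || typeof manifest !== 'object' || Array.isArray(manifest)) {
    return 'manifest is not a JSON object';
  }
  if (!Object.prototype.hasOwnProperty.call(manifest, 'private')) {
    return null; // "private" is optional
  }
  const value = manifest.private;
  if (typeof value === 'boolean') return null;
  const kind = value === null ? 'null' : typeof value;
  return `"private" is ${kind} (${JSON.stringify(value)}), expected boolean`;
}

// Audits a { path: jsonText } map and returns the findings, sorted by path.
function auditManifests(manifests) {
  return Object.keys(manifests)
    .sort()
    .map((path) => ({ path, problem: checkPrivateField(manifests[path]) }))
    .filter((finding) => finding.problem !== null);
}

// The literal pattern from the Test Plan's grep, for comparison.
function literalGrepHits(manifests) {
  return Object.keys(manifests)
    .sort()
    .filter((path) => manifests[path].includes('"private": "true"'));
}

console.log(auditManifests(SAMPLE_MANIFESTS));
console.log(literalGrepHits(SAMPLE_MANIFESTS));
```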

This commit corrects the type of the 'private' field in several package.json files from string to boolean, ensuring compliance with the npm specification.
@meta-cla

meta-cla bot commented Feb 16, 2026

Hi @Pantkartik!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

@meta-cla

meta-cla bot commented Feb 16, 2026

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@meta-cla meta-cla bot added the CLA Signed label Feb 16, 2026
@meta-cla

meta-cla bot commented Feb 16, 2026

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@dill-lk

dill-lk commented Feb 17, 2026

Since PR #35802 has been updated to cover all the malformed fields I identified during my audit, I am closing this PR to avoid duplication. Glad to see the entire monorepo is getting fixed!
