Initialize scripts #26
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
| let request = await fetch("https://pump.fun/api/ipfs", { | ||
| method: "POST", | ||
| headers: { | ||
| Host: "www.pump.fun", |
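Review bot: the Host header on the last line of this hunk should go rather than be corrected; fetch derives Host from the URL it is given, and a hand-set value that disagrees with https://pump.fun is exactly the mismatch the review flags. If www.pump.fun is the intended origin, put it in the URL, not in a header.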
Host header mismatches the request URL domain
Medium Severity
The fetch request targets https://pump.fun/api/ipfs but the Host header is manually set to www.pump.fun. This domain mismatch between the URL and the Host header can cause the server to reject the request, route it incorrectly, or fail TLS validation depending on server configuration.
| console.log("✅ Token created successfully!"); | ||
| }; | ||
|
|
||
| createToken(); |
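Review bot: createToken() on the last line of this hunk runs as a side effect of importing the module. Move the call into a separate entry point (a bin/CLI file, or behind an entry-point guard appropriate to the module system, e.g. require.main === module for CommonJS output) and keep create-token.ts export-only, so index.ts can re-export it without executing it.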
Module-level invocation causes side effects on import
Medium Severity
createToken() is called at module scope in a file that index.ts re-exports via export * from "./create-token". This means any import of the package (or running node ./dist/index.js) will unconditionally execute createToken. When the planned Buy Token and Sell Token scripts are added and similarly re-exported from index.ts, running the entry point will execute all scripts simultaneously rather than the intended one. The module-level constants (RPC_URL, creator, CONNECTION) also evaluate eagerly on import, which prevents this from functioning as a reusable library.
Additional Locations (1)
| formData.append("twitter", create.twitter || ""), | ||
| formData.append("telegram", create.telegram || ""), | ||
| formData.append("website", create.website || ""), | ||
| formData.append("showName", "true")); |
Comma operator obscures sequential append calls
Low Severity
The formData.append calls are chained using the comma operator inside a single expression statement with wrapping parentheses. While functionally correct, this is a very unusual and confusing pattern — the parenthesized group evaluates each sub-expression but discards all results except the last. Using separate statements would be much clearer and less error-prone.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| website: TOKEN_WEBSITE, | ||
| }); | ||
| const metadataUri = (metadata as any).metadataUri ?? (metadata as any).uri; | ||
| console.log("✅ Metadata URI:", metadataUri); |
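Review bot: the two "as any" casts on the third line of this hunk are what let a { success: false, error } object pass through as an undefined URI. Give createTokenMetadata a return type that distinguishes success from failure, check it here, and throw or exit before the transaction is built, instead of reading metadataUri off an untyped object.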
Metadata upload failure silently produces undefined URI
Medium Severity
When createTokenMetadata catches an error, it returns { success: false, error }. The caller extracts metadataUri via (metadata as any).metadataUri ?? (metadata as any).uri, which resolves to undefined on this error object. The script then proceeds to build and submit a transaction with uri: undefined, producing a confusing downstream failure instead of surfacing the actual metadata upload error.
Additional Locations (1)
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| }, | ||
| body: formData, | ||
| }); | ||
| return request.json(); |
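Review bot: besides the missing await on return request.json(), nothing between the fetch and the return checks request.ok. A non-2xx response with a JSON error body parses cleanly and is returned as if the upload succeeded; check request.ok (or request.status) first and return { success: false, error } carrying the status and body when it is not.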
Missing await on request.json() bypasses try-catch
Medium Severity
return request.json() returns the promise without awaiting it inside the try block. If the response body isn't valid JSON, the resulting rejection won't be caught by the surrounding catch, which was clearly intended to handle all errors and return { success: false, error }. This needs return await request.json() for the try-catch to work as expected.
| const TOKEN_TELEGRAM = "https://t.me/mytoken"; | ||
| const TOKEN_WEBSITE = "https://mytoken.com"; | ||
|
|
||
| const creator = Keypair.generate(); |
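Review bot: when Keypair.generate() on the last line of this hunk is replaced with a key loaded from a file or environment variable, keep the secret out of the repository and out of the script's output. The .gitignore change in this PR only excludes node_modules, so a key file placed in the scripts package would be committed; only the creator's public key should ever be printed.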
Random keypair generates unfunded creator every run
High Severity
Keypair.generate() creates a fresh random keypair with zero SOL balance on every execution. Since createToken() is invoked at module scope (line 91), this script will always submit a transaction from an unfunded account, guaranteeing failure. The creator keypair needs to be loaded from a file or environment variable to reference a funded wallet.


Note
Medium Risk
Introduces a script that can create and immediately buy a token on Solana and upload metadata to a third-party endpoint; mistakes in RPC/config or key handling can lead to unintended on-chain transactions and fund loss.
Overview
Adds a new scripts package that can create a pump.fun token and optionally seed an initial buy by building and submitting a Solana v0 transaction via @pump-fun/pump-sdk. Includes a helper to upload token metadata (image + socials) to pump.fun's IPFS API using fetch/undici, and updates .gitignore to exclude node_modules (plus adds a yarn.lock for the scripts dependencies).
Written by Cursor Bugbot for commit b39db3e.