Bug: Malformed `private` field in react-devtools-fusebox package.json

[MohammadBinAftab]

Bug: Malformed private field in react-devtools-fusebox package.json

Current Behavior

The package.json file for react-devtools-fusebox uses a string for the private field instead of a boolean:

Location [packages/react-devtools-fusebox/package.json](https://github.com/facebook/react/blob/main/packages/react-devtools-fusebox/package.json)

{
  "private": "true",  //  Should be: "private": true
}

Expected Behavior

According to the [npm package.json specification](https://docs.npmjs.com/cli/v11/configuring-npm/package.json#private), the private field must be a boolean, not a string:

{
  "private": true,  // Correct
}

Impact

This causes failures in package scanning tools that validate package metadata:

• ScanCode.io pipeline fails when scanning pkg:github/facebook/react@v19.2.1
• Type validation error: '"true" value must be either True or False.'
• Non-compliant with npm specification

Related upstream issues:

• [aboutcode-org/scancode.io#1986](BUG: Pipeline failure when scanning pkg:github/facebook/react@v19.2.1 aboutcode-org/scancode.io#1986) - Pipeline failure report
• [aboutcode-org/scancode-toolkit#4631](is_private returned as str in place of boolean aboutcode-org/scancode-toolkit#4631) - Root cause analysis
• [aboutcode-org/scancode-toolkit#4635](Handle string is private aboutcode-org/scancode-toolkit#4635) - Defensive fix to handle malformed data

While downstream tools are adding workarounds, the source data should comply with the npm specification.

Reproduction

# Scan the package with ScanCode
scancode --package packages/react-devtools-fusebox/package.json --json-pp -

# Output shows:
# "is_private": "true",    <-- String instead of boolean

Proposed Fix

{
  "name": "react-devtools-fusebox",
  "version": "0.0.0",
- "private": "true",
+ "private": true,
  "license": "MIT",
}

Questions

1. Are there other package.json files in the React monorepo with similar issues?
2. Was the string value intentional for any specific reason?

---

I'm happy to submit a PR to fix this if helpful.

[dill-lk]

"Hi there!

I noticed this issue as well while investigating package metadata compliance. As per the npm documentation, the private field is strictly expected to be a boolean.

The string value "true" is likely a legacy typo, but as mentioned, it’s causing real-world failures in scanning tools like ScanCode.io. Fixing this at the source is the right approach rather than relying on downstream workarounds.

I have already audited the monorepo and found that most other packages correctly use true (boolean).

I’m happy to submit a quick PR to fix this specifically for react-devtools-fusebox and any other instances if found. Should I go ahead?"

[dill-lk]

Actually, I just ran a full audit across the monorepo and found two more instances of this malformed field:

compiler/packages/react-forgive/client/package.json

compiler/packages/react-forgive/server/package.json

@Pantkartik, did your PR #35802 cover these as well? If not, I can provide the fixes for these legacy packages too to ensure full compliance.

[Pantkartik]

It's shall cover that also

[dill-lk]

Since PR #35802 has been updated to cover all the malformed fields I identified during my audit, I am closing this PR to avoid duplication. Glad to see the entire monorepo is getting fixed!