
Convert from yarn to npm #723

Open
peachbits wants to merge 2 commits into master from convert-to-npm

Conversation


@peachbits peachbits commented May 21, 2026

Contributor

CHANGELOG

Does this branch warrant an entry to the CHANGELOG?

  • Yes
  • No

Dependencies

none

Description

none

Note

Low Risk
Documentation, CI, and lockfile/tooling only; no runtime or security-sensitive application logic changes in the diff.

Overview
Switches the repo’s package manager workflow from Yarn to npm: CI runs npm run verify, contributor docs use npm install, npm run prepare, npm run verify, npm run fix, and npm run start instead of Yarn equivalents, and the v0.19.0 changelog note for core debugging is updated accordingly.

Adds .npmrc with legacy-peer-deps=true and ignore-scripts=true (replacing .yarnrc), and stops ignoring package-lock.json in .gitignore so npm lockfiles are tracked.

Reviewed by Cursor Bugbot for commit f5aa4ea. Bugbot is set up for automated code reviews on this repo. Configure here.


socket-security Bot commented May 21, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                           Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  @babel/runtime@7.23.1 ⏵ 7.26.10   100 (+1)               100 (+2)       79       96           100
Updated  webpack@5.89.0 ⏵ 5.104.1          83 (-1)                100 (+4)       93       98           100
Updated  base-x@4.0.0 ⏵ 4.0.1              100 (+1)               100 (+16)      91 (+1)  84           100
Updated  rollup@2.79.1 ⏵ 2.80.0            89 (+1)                100 (+22)      100      99           100
Updated  mocha@10.1.0 ⏵ 10.6.0             96 (+1)                100            95 (+1)  96           100

View full report


socket-security Bot commented May 21, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn    Medium    Deprecated by its maintainer: npm lodash

Reason: Bad release. Please use lodash@4.17.21 instead.

From: package-lock.json › npm/eslint-plugin-flowtype@5.2.0 › npm/lodash@4.18.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
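Two questions in this thread are answered by the same artifact the PR starts tracking, package-lock.json: what `ignore-scripts=true` in the new .npmrc is actually suppressing (every dependency that declares a preinstall/install/postinstall script), and how a flagged package such as lodash@4.18.0 gets pulled in (the "From:" chain in the Socket alert above). The script below is an added example, not code from this PR or the project; it walks the lockfileVersion 2/3 `packages` map, resolving each dependency the way Node does (nearest node_modules first, then each ancestor's). `SAMPLE_LOCK` is a constructed miniature lockfile and `native-thing` is a hypothetical package with an install script; the plugin-to-lodash chain mirrors the alert.

```javascript
// Added example (not the PR's or project's code): audit an npm lockfile for
// install scripts and for the dependency chain that pulls in a given version.
// SAMPLE_LOCK is a constructed lockfile; "native-thing" is hypothetical.
"use strict";

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { lodash: "^4.17.21", "native-thing": "^1.0.0" },
      devDependencies: { "eslint-plugin-flowtype": "^5.2.0" },
    },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/native-thing": {
      version: "1.0.0",
      hasInstallScript: true, // npm sets this when the package declares an install-time script
    },
    "node_modules/eslint-plugin-flowtype": {
      version: "5.2.0",
      dev: true,
      dependencies: { lodash: "^4.17.15", "string-natural-compare": "^3.0.1" },
    },
    // Nested copy: only the plugin resolves to this lodash, not the root.
    "node_modules/eslint-plugin-flowtype/node_modules/lodash": { version: "4.18.0", dev: true },
    "node_modules/string-natural-compare": { version: "3.0.1", dev: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Resolve `name` as required from `fromPath` using Node's lookup order:
// the requiring package's own node_modules, then each ancestor's node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // no copy anywhere up the tree: lockfile is inconsistent
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Installed paths one package depends on; devDependencies count only for the root.
function depsOf(packages, pkgPath) {
  const meta = packages[pkgPath];
  const names = Object.keys({
    ...(meta.dependencies || {}),
    ...(meta.optionalDependencies || {}),
    ...(pkgPath === "" ? meta.devDependencies || {} : {}),
  });
  return names.map((n) => resolveDep(packages, pkgPath, n)).filter(Boolean);
}

// Shortest chain from the root to name@version, as "name@version" labels
// (root omitted), or null when that exact version is not installed.
function findChain(lock, name, version) {
  const packages = lock.packages;
  const queue = [["", []]];
  const seen = new Set([""]);
  while (queue.length) {
    const [cur, chain] = queue.shift();
    for (const next of depsOf(packages, cur)) {
      if (seen.has(next)) continue;
      seen.add(next);
      const nextChain = chain.concat(`${nameOf(next)}@${packages[next].version}`);
      if (nameOf(next) === name && packages[next].version === version) return nextChain;
      queue.push([next, nextChain]);
    }
  }
  return null;
}

// Every installed package whose lifecycle script would run on `npm install`
// if ignore-scripts were not set.
function installScriptPackages(lock) {
  return Object.entries(lock.packages)
    .filter(([p, meta]) => p !== "" && meta.hasInstallScript)
    .map(([p, meta]) => `${nameOf(p)}@${meta.version}`)
    .sort();
}

// Usage: node lockfile-audit.js [path/to/package-lock.json] [name] [version]
const [lockPath, wantName = "lodash", wantVersion = "4.18.0"] = process.argv.slice(2);
const lock = lockPath ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
console.log("install scripts:", installScriptPackages(lock));
console.log(`${wantName}@${wantVersion} via:`, findChain(lock, wantName, wantVersion));
```

Run it against the real lockfile from the repo root once this branch is checked out (`node lockfile-audit.js package-lock.json lodash 4.18.0`). Two caveats worth keeping in mind with the new .npmrc: `npm config get ignore-scripts` from the repo root confirms the project-level setting is picked up, and, per npm's documentation, `ignore-scripts` blocks lifecycle scripts during `npm install` but an explicit `npm run <script>` still runs the named script (only its pre/post hooks are skipped), which is why the contributor docs call `npm run prepare` as a separate step.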

Comment thread README.md

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit ab5348a. Configure here.

Comment thread eslint.config.mjs Outdated
'lib/io/react-native/native-bridge.js',
'lib/node/index.js',
'lib/util/nym.js'
]


Missing ESLint build ignores

Medium Severity

Removing .eslintignore dropped global excludes for lib/, root types.js / types.mjs / types.js.flow, and android/src/main/assets/, but eslint.config.mjs only ignores a handful of lib/ files. After npm install runs prepare, npm run verify’s eslint . can lint generated build output that was never meant to be checked.


Reviewed by Cursor Bugbot for commit ab5348a. Configure here.

Contributor


Valid observation — dropping .eslintignore means only eslint.config.mjs's ignores apply. In practice lib/ and the generated types.* are produced by prepare, which ignore-scripts=true currently suppresses, so they are not present during npm run verify in CI. Flagging to the author to mirror the old excludes (lib/, types.js|mjs|js.flow, android/src/main/assets/) in the flat config if eslint . begins picking up build output; not changing it in this review pass.

@peachbits peachbits force-pushed the convert-to-npm branch 2 times, most recently from 8b03935 to 458c44e on May 26, 2026 20:51