
Convert to npm#449

Open
peachbits wants to merge 5 commits into
masterfrom
convert-to-npm

Conversation

@peachbits

@peachbits peachbits commented May 26, 2026

Contributor

Note

Low Risk
Documentation, CI, and package-manager config only; no changes to runtime or plugin logic.

Overview
This PR migrates the repo from Yarn to npm for install, verify, and local dev workflows.

CI now runs npm run verify instead of yarn verify. A new .npmrc sets legacy-peer-deps=true, and .yarnrc is removed. .gitignore no longer ignores package-lock.json, so npm’s lockfile can be committed.

README and docs/currency-integration.md update dev-server instructions from yarn start to npm run start.

Reviewed by Cursor Bugbot for commit 86b6c4f.

convert-to-npm and others added 3 commits June 2, 2026 10:19
@peachbits peachbits changed the title from "Convert yarn → npm + Socket security upgrades + @edge.app fork aliases" to "Convert to npm" on Jun 2, 2026
@j0ntz

j0ntz commented Jun 2, 2026

Contributor

CI status: Travis is red, failing at the test step of verify (prepare/lint/types pass; Bugbot is clean). Verified from the build log:

TypeError [ERR_UNKNOWN_FILE_EXTENSION]: Unknown file extension ".ts"test/common/fees/calcMinerFeePerByte.spec.ts

Same root cause as EdgeApp/disklet#45 — after the npm conversion mocha isn't loading the TypeScript register, so .ts specs can't be imported. The mocha .ts loader needs wiring up.

@j0ntz

j0ntz commented Jun 2, 2026

Contributor

Applied in 332e586. Pinned get-func-name to 2.0.2 via npm overrides. The lock had resolved the broken ESM-only get-func-name@2.0.1, which chai (CommonJS) can't require → mocha falls back to import() of the .ts specs → ERR_UNKNOWN_FILE_EXTENSION. Verified on Node 18 (matching this PR's CI): npm ci in sync + npm run verify green (1215 passing). Flagging since this is my change on your branch — please review.

Comment thread .npmrc
@@ -0,0 +1 @@
legacy-peer-deps=true
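Review bot: this new .npmrc carries only legacy-peer-deps=true, so the install-script hardening the Yarn config had (--ignore-scripts true, as the security review on this file notes) has no npm counterpart here; consider adding `ignore-scripts=true` alongside it and invoking the project's own prepare step explicitly (`npm run prepare`) in CI and the verify script, since that setting also skips the root package's install-time hooks. A short `#` comment explaining why peer-dependency conflicts are being ignored would also help, because legacy-peer-deps=true silently accepts incompatible peer ranges on every future install.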


🔒 Agentic Security Review
Severity: HIGH

The npm migration removed the previous install-script hardening (--ignore-scripts true in Yarn) without adding the npm equivalent. As a result, lifecycle scripts from third-party/transitive packages will run automatically during dependency install.

This creates a supply-chain execution boundary regression: a compromised dependency can execute commands in CI/dev install contexts and potentially access environment secrets or alter build outputs.


Reviewed by Cursor Security Reviewer for commit 86b6c4f.


2 participants