EdgeApp · peachbits · May 26, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
diff --git a/.gitignore b/.gitignore
@@ -8,7 +8,6 @@
 # Package managers:
 node_modules/
 npm-debug.log
-package-lock.json
 yarn-error.log
 
 # Editors:

diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+legacy-peer-deps=true
diff --git a/.travis.yml b/.travis.yml
@@ -3,4 +3,4 @@ language: node_js
 node_js:
   - 18
 script:
-  - yarn verify
+  - npm run verify
diff --git a/.yarnrc b/.yarnrc
diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ The bundle located in `dist/edge-currency-plugins.js` will automatically registe
 <script src='https://example.com/app/dist/edge-currency-plugins.js'>
 ```
 
-If you want to debug this project, run `yarn start` to start a Webpack server,
+If you want to debug this project, run `npm run start` to start a Webpack server,
 and then adjust your script URL to http://localhost:8084/edge-currency-plugins.js.
 
 ### React Native
@@ -59,7 +59,7 @@ import { pluginUri, makePluginIo } from "edge-currency-plugins";
 />;
 ```
 
-To debug this project, run `yarn start` to start a Webpack server, and then use `debugUri` instead of `pluginUri`.
+To debug this project, run `npm run start` to start a Webpack server, and then use `debugUri` instead of `pluginUri`.
 
 ## How to Contribute
 

diff --git a/docs/currency-integration.md b/docs/currency-integration.md
@@ -64,7 +64,7 @@ sorting when placing the new currency plugin info in the `all` object.
 
 ### 3. Test the new currency plugin
 
-Run the Webpack dev-server with `yarn start` and leverage the `debugUri` in
+Run the Webpack dev-server with `npm run start` and leverage the `debugUri` in
 your application to quickly iterate while debugging/developing.
 
 ### 4. Submit a pull request
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		legacy-peer-deps=true
cursor Bot Jun 9, 2026 Copy link Copy Markdown Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. 🔒 Agentic Security Review Severity: HIGH The npm migration removed the previous install-script hardening (`--ignore-scripts true` in Yarn) without adding the npm equivalent. As a result, lifecycle scripts from third-party/transitive packages will run automatically during dependency install. This creates a supply-chain execution boundary regression: a compromised dependency can execute commands in CI/dev install contexts and potentially access environment secrets or alter build outputs. ^{Reviewed by Cursor Security Reviewer for commit 86b6c4f. Configure here.}