Convert from yarn to npm

[peachbits]

CHANGELOG

Does this branch warrant an entry to the CHANGELOG?

• Yes
• No

Dependencies

none

Description

none

---

Note

Low Risk
Tooling and documentation only; no runtime or application logic changes.

Overview
Switches the repo’s documented and CI workflow from Yarn to npm as the primary package manager.

CI & install behavior: Travis now runs npm run verify instead of yarn verify. A new .npmrc sets legacy-peer-deps=true for installs. .yarnrc is removed, and package-lock.json is no longer gitignored so the npm lockfile can be committed.

Docs: README.md and a historical CHANGELOG.md entry now reference npm install, npm run prepare, npm run verify, npm run fix, and npm run start instead of the equivalent yarn commands.

^{Reviewed by Cursor Bugbot for commit b308c04. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​babel/​runtime@​7.23.1 ⏵ 7.26.10	+1	+2
	base-x@​4.0.0 ⏵ 4.0.1	+1	+16	+1
	rollup@​2.79.1 ⏵ 2.80.0	-11	+22
	webpack@​5.89.0 ⏵ 5.104.1	-1	+4
	mocha@​10.1.0 ⏵ 10.6.0	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/webpack@5.104.1 → npm/@babel/core@7.23.0 → npm/@babel/plugin-transform-runtime@7.22.15 → npm/@babel/preset-env@7.22.20 → npm/caniuse-lite@1.0.30001793 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/webpack@5.104.1 → npm/@babel/core@7.23.0 → npm/@babel/plugin-transform-runtime@7.22.15 → npm/@babel/preset-env@7.22.20 → npm/caniuse-lite@1.0.30001793 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/webpack@5.104.1 → npm/@babel/core@7.23.0 → npm/@babel/plugin-transform-runtime@7.22.15 → npm/@babel/preset-env@7.22.20 → npm/caniuse-lite@1.0.30001793 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/webpack@5.104.1 → npm/@babel/core@7.23.0 → npm/@babel/plugin-transform-runtime@7.22.15 → npm/@babel/preset-env@7.22.20 → npm/caniuse-lite@1.0.30001793 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm node-forge is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/webpack-dev-server@4.15.2 → npm/node-forge@1.4.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm rollup is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/rollup@2.80.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@2.80.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm workerpool is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/mocha@10.6.0 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 99862f5. Configure here.}

[j0ntz]

Approving — review threads are settled (the remaining open thread, where present, has a pending note to answer or address before merging) and real CI is green; block-wip-pr clears once the fixups are squashed.