Convert to npm #21
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0bed030.
| - "12" | ||
| install: | ||
| - yarn install --frozen-lockfile | ||
| - npm ci |
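Review bot: The install step moves to `npm ci` while the `node_js` entry in this hunk still pins `"12"`; the npm bundled with Node 12 (npm 6) cannot read a package-lock.json written with lockfileVersion 3, so this job will fail at the install phase once the lockfile is committed. Either raise the `node_js` entry to a release whose bundled npm is 7 or newer, or add an explicit npm upgrade step before `- npm ci` so the lockfile version and the npm version on the CI image agree.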
Travis Node twelve breaks npm ci
High Severity
Travis still targets Node 12, whose bundled npm cannot install from a package-lock.json with lockfileVersion 3. The install step now uses npm ci, and the lockfile is no longer gitignored, so CI is likely to fail on the install phase.
| - "12" | ||
| install: | ||
| - yarn install --frozen-lockfile | ||
| - npm ci |
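Review bot: Replacing `yarn install --frozen-lockfile` with `npm ci` keeps the fail-on-lock-drift behaviour, but the `--ignore-scripts` hardening that the old Yarn setup carried now depends entirely on the `.npmrc` this PR adds (`ignore-scripts=true`), which `npm ci` reads from the project root. That is adequate only if `.npmrc` is committed and not overridden by a user- or CI-level npm config; consider adding `- npm config get ignore-scripts` before `- npm ci` so the job log shows which value was in effect.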
🔒 Agentic Security Review
Severity: HIGH
Switching CI from Yarn with --ignore-scripts true to npm ci removes install-script hardening, so dependency lifecycle scripts can now execute during install.
Impact: A compromised or malicious package in the lockfile can run arbitrary commands in CI before build/test steps, which can tamper with outputs or exfiltrate CI-accessible secrets.
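A small pre-flight check covering the two points raised in this thread (a lockfile the CI Node's bundled npm cannot read, and an `.npmrc` without `ignore-scripts=true`), written as an added example rather than code from this PR or from the review tooling. The Node-to-npm bundling table is an assumption for illustration, and the `.travis.yml` parser handles only the list form shown in the diff; the sample inputs are constructed.

```python
import json
import re

# npm major bundled with each Node.js major line (assumed table for this example;
# confirm with `npm --version` on the actual CI image).
BUNDLED_NPM = {12: 6, 14: 6, 16: 8, 18: 9, 20: 10}

# Constructed sample inputs modelled on the files this PR touches.
TRAVIS_YML = 'language: node_js\nnode_js:\n  - "12"\ninstall:\n  - npm ci\n'
NPMRC_HARDENED = "legacy-peer-deps=true\nignore-scripts=true\n"
NPMRC_WEAK = "legacy-peer-deps=true\n"   # lifecycle scripts would run during npm ci
PACKAGE_LOCK = '{"name": "example", "lockfileVersion": 3, "packages": {}}'

def node_majors_from_travis(travis_yml: str) -> list[int]:
    """Return the Node majors in the node_js: list of a .travis.yml (list form only)."""
    majors, in_block = [], False
    for line in travis_yml.splitlines():
        if re.match(r"^node_js:\s*$", line):
            in_block = True
        elif in_block:
            m = re.match(r'^\s+-\s*"?(\d+)', line)
            if m:
                majors.append(int(m.group(1)))
            elif line.strip() and not line[0].isspace():
                in_block = False   # next top-level key ends the list

    return majors

def npmrc_ignore_scripts(npmrc: str) -> bool:
    """True when the project .npmrc sets ignore-scripts=true, which npm ci honours."""
    for line in npmrc.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False

def preflight(travis_yml: str, npmrc: str, package_lock: str) -> list[str]:
    """Report CI install problems: lockfile/npm mismatch and missing script hardening."""
    findings = []
    lock_version = json.loads(package_lock).get("lockfileVersion", 1)
    for major in node_majors_from_travis(travis_yml):
        npm_major = BUNDLED_NPM.get(major)
        if npm_major is None:
            findings.append(f"node {major}: bundled npm unknown, check lockfile support manually")
        elif lock_version >= 3 and npm_major < 7:   # lockfileVersion 3 needs npm 7+
            findings.append(f"node {major} bundles npm {npm_major}, which cannot read lockfileVersion {lock_version}")
    if not npmrc_ignore_scripts(npmrc):
        findings.append("ignore-scripts is not true in .npmrc: dependency lifecycle scripts will run in npm ci")
    return findings
```

Running `preflight(TRAVIS_YML, NPMRC_WEAK, PACKAGE_LOCK)` on the constructed inputs reports both findings; with the hardened `.npmrc` only the Node 12 lockfile mismatch remains.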


Note
Low Risk
Only package-manager config and Travis install/scripts change; no application or native runtime logic in this diff.
Overview
This PR finishes moving the repo from Yarn to npm for installs and CI.
.gitignore no longer ignores package-lock.json, so the npm lockfile is versioned. .npmrc is added with legacy-peer-deps=true and ignore-scripts=true (replacing .yarnrc, which is removed). .travis.yml now runs npm ci on install and npm run lint / npm run prepare instead of the frozen yarn equivalents.
Reviewed by Cursor Bugbot for commit c476006. Bugbot is set up for automated code reviews on this repo.