Convert to npm #24
| "lodash@^4": "^4.18.1", | ||
| "serialize-javascript@^6": "^7.0.5", | ||
| "flatted@^2": "^3.4.2", | ||
| "micromatch@^4": "^4.0.8" |
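Review bot: The flatted@^2 entry resolves to ^3.4.2, so, like the serialize-javascript entry above it, dependents that declared the older major are handed a version outside the range they asked for. Confirm each consumer of flatted works against 3.x before merging. The override values are also caret ranges rather than exact versions, so the resolved versions can move whenever the lockfile is regenerated; use exact versions here if the goal is a fixed tree.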
Mocha forced serialize-javascript seven
Medium Severity
The overrides entry forces serialize-javascript to 7.0.5, which requires Node >=20. However, mocha@10.6.0 depends on serialize-javascript@^6.0.2 and supports Node >=14. This version mismatch can cause npm test to fail on Node versions 14-19.
Reviewed by Cursor Bugbot for commit e060008. Configure here.
| @@ -0,0 +1 @@ | |||
| legacy-peer-deps=true | |||
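Review bot: legacy-peer-deps=true is added with no comment saying which peer conflict it works around, and as a project-level .npmrc setting it makes npm ignore peerDependencies for every install in the repo, not only for the conflicting pair. Add a comment line above it naming the packages involved so the setting can be removed once they are aligned.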
Incompatible TypeScript ESLint versions
Medium Severity
Adding legacy-peer-deps=true lets npm install succeed while the lockfile keeps @typescript-eslint/eslint-plugin at 3.8.0 (peer @typescript-eslint/parser ^3.0.0) alongside @typescript-eslint/parser 2.34.0. With type-aware parserOptions.project in .eslintrc.json, lint-staged / npm run lint can fail or mis-handle TypeScript despite a green install.
Reviewed by Cursor Bugbot for commit e060008. Configure here.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit 4a0931a. Configure here.
| @@ -0,0 +1,2 @@ | |||
| legacy-peer-deps=true | |||
| ignore-scripts=true | |||
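Review bot: ignore-scripts=true on the second line suppresses the project's own lifecycle scripts as well as dependency install scripts, and nothing in the file records that. Add a comment line stating that the setting is kept to block dependency install scripts and that any step the project relied on a lifecycle script for now has to be run as an explicit command.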
Publish skips build via scripts
High Severity
Project .npmrc sets ignore-scripts=true, and npm honors that for npm publish / npm pack, so the root prepare script (husky install && npm run build) does not run before packing. Published files point at lib/*, but lib/ is gitignored and only produced by build, so a publish from a clean tree can ship without compiled main / types artifacts.
Reviewed by Cursor Bugbot for commit 4a0931a. Configure here.
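One way to catch the empty-publish case described in the comment above, as an added example that is not part of the PR or the repository's code: a Node check that the entry points named in package.json exist on disk before packing. The function name and the choice of fields (main, types, typings, bin) are assumptions of this example.

```javascript
// Added example, not from the PR: a pre-publish guard for a repo that sets
// ignore-scripts=true, where the build normally done by `prepare` may not have run.
const fs = require('fs');
const path = require('path');

// Returns "field: path" for every package.json entry point whose file is absent.
// Assumptions of this example: only main/types/typings/bin are checked, and
// paths are taken literally (no extension or index.js resolution).
function missingPublishArtifacts(pkgDir) {
  const root = path.resolve(pkgDir);
  const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));
  const targets = [];
  for (const field of ['main', 'types', 'typings']) {
    if (typeof pkg[field] === 'string') targets.push([field, pkg[field]]);
  }
  // `bin` is either one path or a map of command name to path.
  if (typeof pkg.bin === 'string') {
    targets.push(['bin', pkg.bin]);
  } else if (pkg.bin && typeof pkg.bin === 'object') {
    for (const [name, file] of Object.entries(pkg.bin)) {
      if (typeof file === 'string') targets.push([`bin.${name}`, file]);
    }
  }
  return targets
    .filter(([, file]) => {
      const resolved = path.resolve(root, file);
      // A path that escapes the package directory can never be packed: report it.
      if (!resolved.startsWith(root + path.sep)) return true;
      return !fs.existsSync(resolved) || !fs.statSync(resolved).isFile();
    })
    .map(([field, file]) => `${field}: ${file}`);
}

module.exports = { missingPublishArtifacts };
```

Because ignore-scripts also suppresses pre- and post-scripts, call this as an explicit step of the release job (after the build command, before `npm publish`) rather than from a lifecycle hook, and fail the job when the returned list is non-empty.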


CHANGELOG
Does this branch warrant an entry to the CHANGELOG?
Dependencies
none
Description
none
Note
Low Risk
Tooling-only change; main caveat is install behavior (ignore-scripts, overrides) affecting hooks/build on npm install, not runtime library logic.
Overview
This PR migrates the repo from Yarn to npm by adding a committed package-lock.json, removing .yarnrc, and introducing .npmrc with legacy-peer-deps=true and ignore-scripts=true (the latter mirrors the old Yarn ignore-scripts setting).
package.json updates the runtime dep bn.js to ^4.12.3, bumps mocha to ^10.6.0, drops babel-cli, and moves babel-eslint to ^10.1.0. New overrides pin transitive versions (babel-eslint, lodash, serialize-javascript, flatted, micromatch) for a reproducible npm tree.
There are no changes to library source under src/—only install and devDependency tooling.
Reviewed by Cursor Bugbot for commit 4a0931a. Bugbot is set up for automated code reviews on this repo. Configure here.