Convert to npm #21
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0bed030.
| - "12" | ||
| install: | ||
| - yarn install --frozen-lockfile | ||
| - npm ci |
Travis Node twelve breaks npm ci
High Severity
Travis still targets Node 12, whose bundled npm cannot install from a package-lock.json with lockfileVersion 3. The install step now uses npm ci, and the lockfile is no longer gitignored, so CI is likely to fail on the install phase.
Fixed in 9a10cba: bumped Travis node_js from 12 to 18, so the bundled npm supports package-lock.json lockfileVersion 3 and npm ci installs successfully on CI.
| - "12" | ||
| install: | ||
| - yarn install --frozen-lockfile | ||
| - npm ci |
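Review bot: the "- npm ci" line that replaces "- yarn install --frozen-lockfile" carries no --ignore-scripts flag, so whether dependency lifecycle scripts stay disabled in CI now depends entirely on the ignore-scripts setting in the root .npmrc that the summary describes; suggest "- npm ci --ignore-scripts" in the install step so the hardening is visible in the pipeline definition itself and cannot silently regress if the dotfile is edited or not checked out.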
🔒 Agentic Security Review
Severity: HIGH
Switching CI from Yarn with --ignore-scripts true to npm ci removes install-script hardening, so dependency lifecycle scripts can now execute during install.
Impact: A compromised or malicious package in the lockfile can run arbitrary commands in CI before build/test steps, which can tamper outputs or exfiltrate CI-accessible secrets.
Why did this one change?
/slop:
This is the inverse of the other ignore-scripts findings: moving CI from yarn --ignore-scripts true to npm ci does re-enable dependency lifecycle scripts during install. That is standard npm ci behavior and an accepted consequence of the yarn→npm migration; dependency provenance is governed at the registry/lockfile level rather than by install-script suppression here.
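As an added example (not code from the pull request or from either bot), a small audit that lists which installed packages declare the preinstall/install/postinstall hooks that npm ci would execute once install-script suppression is dropped; the package names and manifests below are constructed in a temporary directory, not real registry packages.

```python
"""Enumerate dependencies that declare npm lifecycle install hooks.

Run against a real node_modules tree to see what `npm ci` would execute
without ignore-scripts; the sample tree here is constructed for illustration.
"""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed manifests (hypothetical names, not real packages).
SAMPLE_PACKAGES = {
    "clean-lib": {"scripts": {"test": "jest"}},
    "native-binding": {"scripts": {"postinstall": "node-gyp rebuild"}},
    "@example/hooky": {"scripts": {"preinstall": "node setup.js", "build": "tsc"}},
}


def find_install_scripts(node_modules):
    """Return {package name: {hook: command}} for every package declaring a hook."""
    found = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            found[manifest.get("name", os.path.relpath(root, node_modules))] = hooks
    return found


def build_sample_tree(node_modules):
    """Write the constructed packages (scoped names become nested directories)."""
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = os.path.join(node_modules, *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0.0", **manifest}, fh)


def audit_sample():
    """Build the constructed tree in a temp dir, audit it, and return the hook map."""
    with tempfile.TemporaryDirectory() as tmp:
        node_modules = os.path.join(tmp, "node_modules")
        build_sample_tree(node_modules)
        return find_install_scripts(node_modules)


if __name__ == "__main__":
    for pkg, hooks in audit_sample().items():
        print(pkg, hooks)
```

Point find_install_scripts at a project's own node_modules after a scripted install to get the real list before deciding whether ignore-scripts can be dropped.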
socket fix --all --range-style preserve --minimum-release-age 7d --no-major-updates


Note
Low Risk
Tooling and CI only—no runtime library or native build logic changes in this diff.
Overview
Migrates the React Native library from Yarn to npm for installs and CI.
Adds a root .npmrc with legacy-peer-deps and ignore-scripts (replacing .yarnrc's ignore-scripts).
.gitignore no longer ignores package-lock.json, so the npm lockfile is committed.
.travis.yml runs npm ci and npm run lint/prepare, adds Node 18, and drops the frozen Yarn install path in favor of npm (per the updated pipeline).
Reviewed by Cursor Bugbot for commit 9a10cba.