security: migrate from yarn to npm and resolve 15 security vulnerabilities #78

Merged
Connor Power (connorpower) merged 3 commits into master from cp/security-patching
Mar 10, 2026

Conversation

@connorpower
Member

Closes SPO-79
Closes SPO-80
Closes SPO-81
Closes SPO-82
Closes SPO-86
Closes SPO-94
Closes SPO-100
Closes SPO-103
Closes SPO-104
Closes SPO-105
Closes SPO-106
Closes SPO-107
Closes SPO-108
Closes SPO-109
Closes SPO-110

Summary

  • Migrated from yarn to npm across the root project and the vite-typescript example. This gives us better support for security patching via npm audit fix and overrides (replacing yarn's resolutions), allowing us to directly resolve Dependabot alerts for transitive dependencies.
  • Resolved all high/critical Dependabot security alerts by updating vulnerable transitive dependencies (minimatch, serialize-javascript, etc.) through npm overrides.
  • Updated CI workflow (.github/workflows/ci.yml) to use npm commands instead of yarn.
  • Switched example app from yarn link: protocol to npm-compatible file: protocol for local dependencies.

Why npm?

Yarn's resolutions field has limited support for patching nested transitive dependencies flagged by Dependabot/GitHub security alerts. npm's overrides provides more granular control over the dependency tree, making it significantly easier to address security vulnerabilities without waiting for upstream package updates.

…rn to npm

Yarn v1 lacks tooling to bump transitive dependency versions — there is
no equivalent of `npm audit fix`. The only mechanism (resolutions) is
limited and cannot handle exact-pinned transitive deps or scoped version
ranges reliably. This made security patching a recurring manual burden.

Switching to npm gives us `npm audit fix` for automated transitive dep
patching, `overrides` for the remaining edge cases, and consistency with
other Ditto JS repositories (e.g. quickstart).

Changes:
- Delete yarn.lock files, generate package-lock.json via npm install
- Replace yarn `resolutions` with npm `overrides` in root package.json
- Add overrides for serialize-javascript (7.0.4) and minimatch (9.0.9)
  via prettier-eslint path
- Update example app link: protocol from yarn-only `link:` to `file:`
- Update CI workflow from yarn to npm commands

Resolves 18 Dependabot alerts (all high/critical). Remaining are 5 low
severity (elliptic via karma-typescript) that require a breaking major
downgrade to fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
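A check worth running after a migration like this, as an added example that is not part of the PR or the repository: it scans a package-lock.json (lockfileVersion 3) for every installed copy of an overridden package, including nested copies under another package's node_modules, and reports any still below the version the override is meant to enforce. The minimums (minimatch 9.0.9, serialize-javascript 7.0.4) come from the commit message above; the lockfile fragment is constructed for illustration.

```javascript
// Added example (not from the PR): check that npm "overrides" reached every
// installed copy of a package by scanning package-lock.json (lockfileVersion 3),
// nested copies under node_modules/<parent>/node_modules/<pkg> included.
// Constructed lockfile fragment; a real one comes from JSON.parse(fs.readFileSync(...)).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", version: "1.0.0" },
    "node_modules/minimatch": { version: "9.0.9" },
    "node_modules/prettier-eslint": { version: "16.3.0" },
    "node_modules/prettier-eslint/node_modules/minimatch": { version: "3.0.4" },
    "node_modules/serialize-javascript": { version: "7.0.4" },
  },
};
// Minimum versions the overrides in the commit message are meant to enforce.
const minimums = { minimatch: "9.0.9", "serialize-javascript": "7.0.4" };

// Comparator on "MAJOR.MINOR.PATCH": negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const num = (v) => v.split(/[-+]/)[0].split(".").map(Number); // drop pre-release/build tags
  const pa = num(a), pb = num(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name is everything after the last "node_modules/" (keeps @scope/name).
function packageNameOf(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Every installed copy of an overridden package that is still below its minimum.
function findStaleCopies(lock, mins) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameOf(lockPath);
    if (name === null || !Object.hasOwn(mins, name)) continue;
    if (compareVersions(entry.version, mins[name]) < 0) {
      stale.push({ path: lockPath, version: entry.version, minimum: mins[name] });
    }
  }
  return stale;
}
for (const s of findStaleCopies(lockfile, minimums)) {
  console.log(`override not applied: ${s.path} is ${s.version} (< ${s.minimum})`);
}
```

With the constructed lockfile the nested minimatch under prettier-eslint is the one copy reported, which is exactly the path the commit message's `prettier-eslint` override is meant to cover.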

Copilot AI left a comment

Pull request overview

Migrates the repo from Yarn to npm to improve vulnerability remediation (via npm audit fix + overrides) and to update CI/example app workflows accordingly.

Changes:

  • Replaced Yarn resolutions with npm overrides for vulnerable transitive dependencies.
  • Updated the Vite TypeScript example to use npm-compatible local dependency specifiers (file:).
  • Updated GitHub Actions CI to run npm commands instead of Yarn.

Reviewed changes

Copilot reviewed 3 out of 7 changed files in this pull request and generated 3 comments.

File | Description
package.json | Removes Yarn resolutions and adds npm overrides for transitive dependency patching.
examples/vite-typescript-example/package.json | Switches local dependency protocol to file: and adds npm overrides.
.github/workflows/ci.yml | Replaces Yarn commands with npm equivalents in CI.

- Add engines.node >= 20 constraint to align with serialize-javascript@7.0.4
- Use npm ci instead of npm install in CI for reproducible builds
- Switch example app react/react-dom/@dittolive/ditto to semver ranges

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The lockfile still referenced the old file: paths for react/react-dom,
causing npm ci to fail in CI due to version mismatch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@connorpower Connor Power (connorpower) changed the title from "fix: migrate from yarn to npm to resolve security vulnerabilities" to "security: migrate from yarn to npm and resolve 15 security vulnerabilities" on Mar 8, 2026
@phatblat Ben Chatelain (phatblat) left a comment

LGTM ✅

@connorpower Connor Power (connorpower) merged commit 6635328 into master Mar 10, 2026
1 check passed