Update npm dependencies to latest versions #2
Co-authored-by: OzzyCzech <105520+OzzyCzech@users.noreply.github.com>
Pull request overview
Updates the repository’s release tooling dependency and switches the project from Yarn’s lockfile to npm’s lockfile format.
Changes:
- Bump `np` devDependency from `^10.2.0` to `^11.0.2`.
- Remove `yarn.lock` and introduce an npm-generated `package-lock.json` (lockfileVersion 3).
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates the sole devDependency (np) used by the release script. |
| yarn.lock | Removes Yarn v1 lockfile as part of migrating to npm. |
| package-lock.json | Adds npm lockfile to replace yarn.lock and pin dependency resolution. |
| @@ -23,6 +23,6 @@ | |||
| "email": "roman@ozana.cz" | |||
| }, | |||
Upgrading to np@^11.0.2 raises the minimum toolchain requirements (per the resolved package metadata, np requires Node >= 20 and some transitive deps require Node >= 20.17). Without an explicit engines.node (or equivalent documentation), npm install / npm run release can start failing unexpectedly for contributors/CI on older Node versions.
| }, | |
| }, | |
| "engines": { | |
| "node": ">=20.17.0" | |
| }, |
| "devDependencies": { | ||
| "np": "^10.2.0" | ||
| "np": "^11.0.2" | ||
| } |
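Review bot: the caret range `"np": "^11.0.2"` in this hunk still admits any later 11.x, so reproducible resolution now rests entirely on the new `package-lock.json`; make sure the release workflow installs with `npm ci` (which refuses to proceed when the lockfile and `package.json` disagree) rather than `npm install`, and if the suggested `engines.node` field is adopted, add `engine-strict=true` to `.npmrc` so the Node >= 20.17 requirement fails at install time instead of surfacing mid-release inside `np`. The PR description accepts 6 low-severity `npm audit` findings in `np`'s transitive `tmp` dependency as dev-only; either record that accepted risk next to the devDependency or check whether a `package.json` `overrides` entry for `tmp` resolves them without the downgrade the description rules out, so the next audit run does not re-litigate it.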
Since this PR migrates the repo from Yarn to npm (and generates a v3 package-lock.json), consider adding a packageManager field in package.json to pin the expected npm version. This helps prevent contributors from regenerating the lockfile with a different npm version/format and reduces churn in future dependency updates.
| } | |
| }, | |
| "packageManager": "npm@9.0.0" |
Bumps the sole devDependency and migrates the lockfile from Yarn to npm.
Changes
- `package.json`: `np` `^10.2.0` → `^11.0.2`
- `yarn.lock` → `package-lock.json`: replaced with npm-generated lockfile (lockfileVersion 3)
Notes
`npm audit` reports 6 low-severity vulnerabilities in `np`'s transitive chain (listr-input → inquirer → external-editor → tmp). These are dev-only, not shipped in the published package, and the only automated fix would downgrade `np` to `2.16.1` — a non-starter. This is an upstream issue in `np@11.0.2`.
Original prompt
This pull request was created from Copilot chat.
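The "dev-only, not shipped" argument in the notes above is the kind of triage that is worth automating in CI rather than re-deriving by hand on every dependency bump. The script below is an added example, not code from this repository or from `np`: it cross-references an `npm audit --json` report (auditReportVersion 2 layout, findings keyed by package name with a `nodes` list of affected `node_modules` paths) against a lockfileVersion 3 `package-lock.json`, whose `packages` map marks dev-only installs with `"dev": true`, and fails the build only for shipped findings at or above a chosen severity. Both inputs are constructed samples embedded inline so the script runs offline; the `minimist` entry is a made-up production dependency added purely to show the shipped bucket, and the version strings are placeholders.

```python
"""Triage `npm audit --json` findings against a lockfileVersion 3 package-lock.json.

Added example (not the project's own tooling). A finding counts as dev-only
when every affected install path is flagged "dev": true in the lockfile; a
package installed for both dev and prod counts as shipped, as does a finding
with no node paths at all (conservative default).
"""
import json

# Constructed lockfile fragment in the lockfileVersion 3 layout: "packages" is
# keyed by node_modules path and dev-only installs carry "dev": true.
# Versions are placeholders, not the real resolution from this PR.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example",
    "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {"np": "^11.0.2"}},
        "node_modules/np": {"version": "11.0.2", "dev": True},
        "node_modules/tmp": {"version": "0.0.0", "dev": True},
        "node_modules/minimist": {"version": "0.0.0"},  # constructed prod dep
    },
})

# Constructed `npm audit --json` fragment in the auditReportVersion 2 layout.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "tmp": {"name": "tmp", "severity": "low", "isDirect": False,
                "nodes": ["node_modules/tmp"]},
        "minimist": {"name": "minimist", "severity": "moderate",
                     "isDirect": False, "nodes": ["node_modules/minimist"]},
    },
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def dev_only_paths(lockfile_json: str) -> set:
    """Return the node_modules paths the lockfile marks as dev-only installs."""
    lock = json.loads(lockfile_json)
    if lock.get("lockfileVersion") not in (2, 3):
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    return {path for path, meta in lock["packages"].items() if meta.get("dev")}


def triage(audit_json: str, lockfile_json: str) -> dict:
    """Split audit findings into 'dev_only' and 'shipped' buckets."""
    dev_paths = dev_only_paths(lockfile_json)
    buckets = {"dev_only": [], "shipped": []}
    for name, vuln in json.loads(audit_json)["vulnerabilities"].items():
        nodes = vuln.get("nodes", [])
        # Dev-only only if *every* affected path is a dev install.
        is_dev_only = bool(nodes) and all(n in dev_paths for n in nodes)
        entry = {"name": name, "severity": vuln["severity"], "nodes": nodes}
        buckets["dev_only" if is_dev_only else "shipped"].append(entry)
    return buckets


def gate(audit_json: str, lockfile_json: str, fail_at: str = "moderate") -> bool:
    """True when the build may proceed: no shipped finding at or above fail_at."""
    result = triage(audit_json, lockfile_json)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [v for v in result["shipped"]
                if SEVERITY_RANK[v["severity"]] >= threshold]
    return not blocking


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT, SAMPLE_LOCKFILE), indent=2))
    print("gate passes:", gate(SAMPLE_AUDIT, SAMPLE_LOCKFILE))
```

In a real pipeline the two inputs come from `npm audit --json > audit.json` and the committed `package-lock.json`. Recent npm versions can also produce the same split natively with `npm audit --omit=dev`; the value of the script is the explicit policy line (dev-only findings reported, shipped findings at or above a threshold failing the build) that a reviewer can read in the repository instead of in a PR comment.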