chore: migrate from yarn to npm and resolve security advisories#29
Merged
Conversation
added 2 commits
June 8, 2026 20:56
Convert all three packages (root, server, client) from yarn to npm and reduce vulnerabilities by upgrading dependencies.

Vulnerability counts:
- server: 36 -> 0
- client: 491 (incl. 40 critical) -> 66 (0 critical)
- root: -> 0

Dependency fixes:
- server: drop unused uuid; bump http-proxy-middleware v2->v3 (named export import), nodemon v2->v3; convert resolutions to overrides and add transitive pins.
- client: bump axios 0.21->1.x (CSRF); override trim to fix the react-markdown/remark-parse ReDoS; pin styled-components to v5 (open >=4.4.1 range otherwise resolved to a breaking v6).
- root: remove vestigial server file dependency that pulled server's dev tooling (and its advisories) into the root install.

Code changes required by the bumps:
- session.ts: narrow cookie type for newer @types/express-session.
- Demo5.tsx: remove dead tap option (removed in Leaflet 1.9).
- regenerate client snapshots (styled-components 5.3.11 drops empty @media blocks).

Tooling: convert root scripts, husky hooks, Dockerfiles, README and .dockerignore to npm; track package-lock.json and ignore yarn.lock; add client/.npmrc (legacy-peer-deps); bump Dockerfile.prod client builder off node:14.4 so npm understands modern lockfiles and overrides.

Remaining 66 client advisories are dev-only build tooling (webpack 4, jest 26, stylelint 13) that require a major build-chain migration.
ts-node 9 crashes against the typescript 4.9.x that npm resolves (the resolveTypeReferenceDirective signature changed in TS 4.7), breaking the dev server (npm start / docker-compose). ts-node 10 supports modern TypeScript. Production is unaffected (it compiles with tsc and runs the emitted JS).
The backend's IRMA_SERVER_URL was unset in docker-compose, so config.ts fell back to http://localhost:8080 — which inside the be container is the container itself, not the irma service (ECONNREFUSED). Set IRMA_SERVER_URL=http://irma:8080 on the be service for the server-to-server API calls. The URL the Yivi app/browser scans stays on the irma service's --url flag (defaults to localhost:8080, overridable to a LAN IP via the shell IRMA_SERVER_URL), so the two roles no longer collide.
Code review
Stage 1's findings describe a different PR (yarn-to-npm migration touching Dockerfile.prod, client/.npmrc, Map.spec.tsx) — none of those files appear in this diff, which extracts styled-components into client/src/components/LocalAsc/LocalAsc.tsx. Stage 1 findings are not applicable here.
One real bug in client/src/components/Demo2/Demo2.tsx at the merge-resolved branch around the !isOver18 && isPostcodeInArea case: the first <AscLocal.RedAlert is unclosed (followed immediately by );) and the same else if branch is duplicated right below with the actual props. The first stub branch needs to be deleted — as-is the file won't compile.
Rule compliance
No rules available to check (~/dobby-memory/ not present).
v3 emits a deprecation warning and is scheduled for removal in December 2026. v4 runs on the Node.js 24 runtime. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bump anchore/scan-action to v7.4.0 and fail the build on fixable critical vulnerabilities. Pin both scan and upload-sarif actions to commit SHAs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
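The vulnerability counts in the first commit message and the "fail only on fixable critical" policy in the last one are the two things a CI gate over `npm audit` has to produce. The script below is an added example, not code from this PR or the project; it assumes the npm 7+ `npm audit --json` shape (a top-level `vulnerabilities` object keyed by package, each entry carrying `severity`, `isDirect`, `via`, `effects`, `range`, `nodes` and `fixAvailable`) and uses a constructed sample report with illustrative package names, ranges and versions.

```javascript
// Added example (not the project's code): summarise `npm audit --json` output,
// count advisories per severity, fail only when a critical one has a fix
// available, and list fixes that need a semver-major bump so they can be
// planned (like the react-markdown v4->v10 case) instead of auto-applied.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// fixAvailable is true, false, or {name, version, isSemVerMajor}; the object
// form means the fix is a bump of that direct dependency, possibly across a major.
function isFixable(vuln) {
  const f = vuln.fixAvailable;
  return f === true || (f !== null && typeof f === 'object');
}

function summarizeAudit(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const fixableCritical = []; // these fail the build
  const majorBumps = [];      // these need a manual, semver-major upgrade
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    counts[vuln.severity] = (counts[vuln.severity] || 0) + 1;
    if (vuln.severity === 'critical' && isFixable(vuln)) fixableCritical.push(name);
    const f = vuln.fixAvailable;
    if (f && typeof f === 'object' && f.isSemVerMajor) {
      majorBumps.push(`${name} via ${f.name}@${f.version}`);
    }
  }
  return {
    counts,
    fixableCritical: fixableCritical.sort(),
    majorBumps: majorBumps.sort(),
    shouldFail: fixableCritical.length > 0,
  };
}

// Constructed sample in npm's shape; names, ranges and versions are illustrative only.
const SAMPLE_REPORT = {
  vulnerabilities: {
    axios: { name: 'axios', severity: 'high', isDirect: true, via: [{ title: 'CSRF (constructed)' }],
      effects: [], range: '<1.0.0', nodes: ['node_modules/axios'], fixAvailable: true },
    trim: { name: 'trim', severity: 'high', isDirect: false, via: [{ title: 'ReDoS (constructed)' }],
      effects: ['remark-parse'], range: '<0.0.3', nodes: ['node_modules/trim'],
      fixAvailable: { name: 'react-markdown', version: '10.0.0', isSemVerMajor: true } },
    'dev-tool-x': { name: 'dev-tool-x', severity: 'critical', isDirect: false, via: ['dev-tool-x'],
      effects: [], range: '<2.0.0', nodes: ['node_modules/dev-tool-x'], fixAvailable: false },
  },
};
```

To use it on a real tree, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `summarizeAudit`; exit non-zero when `shouldFail` is true.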
rubenhensen
approved these changes
Jun 9, 2026
Summary
Migrates all three packages (root, server, client) from yarn to npm and reduces security vulnerabilities by upgrading dependencies.

Vulnerability counts:
- server: 36 -> 0
- client: 491 (incl. 40 critical) -> 66 (0 critical)
- root: -> 0

Dependency fixes:
- server: drop unused uuid; bump http-proxy-middleware v2→v3 (and fix the import to the named export), nodemon v2→v3; convert yarn resolutions → npm overrides and add transitive pins.
- client: bump axios 0.21→1.x (high-severity CSRF, production-facing); override trim to fix the react-markdown → remark-parse ReDoS without a risky v4→v10 rewrite; pin styled-components to v5 (the open >=4.4.1 range otherwise resolved to a breaking v6 under npm).
- root: remove the vestigial file:server dependency that pulled server's dev tooling (and its advisories) into the root install.

Code changes required by the bumps:
- server/src/loaders/session.ts — narrow the cookie type for the newer @types/express-session (now a union with a function).
- client/.../Demo5.tsx — remove the dead tap option (removed in Leaflet 1.9).
- regenerate client snapshots (styled-components 5.3.11 drops empty @media blocks).

Tooling conversion:
- root scripts, husky hooks (pre-commit/pre-push), Dockerfile.prod, server/Dockerfile, client/Dockerfile, README and .dockerignore converted to npm.
- .gitignore now tracks package-lock.json and ignores yarn.lock.
- add client/.npmrc (legacy-peer-deps=true).
- bump Dockerfile.prod client builder off node:14.4 (npm 6 can't read modern lockfiles/overrides).

Verification:
- server build (tsc + tscpaths) and client build (webpack prod).
- Map/Demo5 suite crashes are pre-existing on the original yarn setup — a jest 26 / Node worker issue, not introduced here.
- Dockerfile.prod Docker build end-to-end; final image contains /server/app.js, production node_modules, and the built /client.

Remaining work
The remaining 66 client advisories are all dev-only build tooling (webpack 4, webpack-dev-server 3, jest 26, stylelint 13) that don't ship in the production bundle. Clearing them requires a major build-chain migration (webpack 5 / jest 30 / stylelint 17), which is out of scope here to keep the app building and tests green.