Convert package manager from yarn to npm #6030

Merged: j0ntz merged 19 commits into develop from jon/yarn-to-npm on Jun 17, 2026

Conversation

j0ntz (Contributor) commented Jun 12, 2026

CHANGELOG

Does this branch warrant an entry to the CHANGELOG?

  • Yes
  • No

changed: Migrate package manager from yarn to npm.

Dependencies

none

This PR does not depend on any other PR. See the discovery map in the Description: the gui consumes its Edge dependencies as published npm packages, so the in-flight dep-repo conversions do not block this change.

Requirements

If you have made any visual changes to the GUI, make sure you have:

  • Tested on iOS device
  • Tested on Android device
  • Tested on small-screen device (iPod Touch)
  • Tested on large-screen device (tablet)

No visual GUI changes (toolchain only). Verified on an iOS simulator instead: cold npm ci from the new lockfile, a full iOS build through the standard path, and YOLO auto-login landing in the funded wallet list. Proof screenshots are attached in a comment below.

Description

Asana task

Migrates edge-react-gui from yarn to npm. The repo was yarn-locked (yarn.lock present, package-lock.json removed upstream); this converts the lockfile and everything that assumed yarn.

What changed:

  • Replace yarn.lock with a freshly generated package-lock.json (cold npm install on current develop, not a stale copy).
  • package.json: resolutions to overrides, drop the yarn and yarn-deduplicate devDeps, bump patch-package to ^8, set packageManager to npm@11.15.0, and change the fix script to npm dedupe.
  • .npmrc: add ignore-scripts=true (preserving the prior .yarnrc --ignore-scripts true behavior) and legacy-peer-deps=true so npm tolerates the same peer-dep conflicts yarn classic did. Remove .yarnrc.
  • Convert yarn invocations to npm in .travis.yml, Jenkinsfile, scripts/prepare.sh, webpack.config.js, and the developer docs (README.md, AGENTS.md, docs/MAESTRO.md). Remove the yarn global-install step from maestro.sh.

The shared harness tooling detects the package manager by lockfile, so replacing yarn.lock with package-lock.json flips all of it to npm automatically.

Discovery map (Matt / peachbits yarn-to-npm conversions across EdgeApp):

  • None are merged yet; roughly 18 conversion PRs are open (edge-core-js, edge-currency-accountbased, edge-exchange-plugins, edge-currency-plugins, edge-login-ui-rn, edge-currency-monero, react-native-zcash, react-native-piratechain, react-native-zano, edge-info-server, updot, and shared libs biggystring, disklet, yaob, react-native-patina, react-native-airship, react-native-mymonero-core).
  • The gui consumes every Edge dependency as a published npm package (edge-core-js ^2.44.0, edge-currency-accountbased ^4.82.0, edge-exchange-plugins ^2.46.0, etc.), so the dep-internal package-manager conversions do not block the gui's own migration. None were found to block install, build, or run empirically.
  • No Edge-owned gui dependency required its own conversion folded into this PR.

Prior art: the conversion mirrors a previous npm-migration commit, regenerated cold against current develop so the lockfile matches today's dependency tree.

Test evidence (iOS simulator, npm path, cold):

  • npm ci from the committed package-lock.json: clean, 2586 packages.
  • npm run prepare and npm run prepare.ios (pod install, 177 pods) succeed under npm.
  • iOS app builds and installs through the standard build path with the npm-assembled node_modules.
  • App boots, YOLO auto-login lands in the funded wallet list (total balance and funded BTC/ZANO/Fantom wallets visible), and Buy renders a live exchange-rate quote. Screenshots attached below.
  • tsc, eslint, and jest pass under npm.

Note

Medium Risk
Tooling and lockfile changes affect every install and CI build; .npmrc and overrides can shift resolved dependency versions, though scope is build/dev infrastructure rather than app logic.

Overview
Migrates the repo from Yarn to npm by committing a fresh package-lock.json (and dropping yarn.lock), pinning packageManager to npm@11.15.0, moving Yarn resolutions to npm overrides, and replacing yarn-specific dev tooling (yarn, yarn-deduplicate) with npm equivalents (npm dedupe, updated patch-package).

.npmrc now sets ignore-scripts=true (same behavior as the old .yarnrc) and legacy-peer-deps=true so installs behave like Yarn classic on peer conflicts. CI and scripts (.travis.yml, Jenkinsfile, prepare paths, maestro.sh) call npm ci, npm run …, and npm test instead of yarn. Contributor docs (README.md, AGENTS.md, docs/MAESTRO.md) and the unreleased CHANGELOG describe npm as the only supported package manager.

The iOS Podfile.lock diff reflects dependency bumps pulled in when the tree was resolved under npm (Edge native modules such as edge-core-js, react-native-zcash, etc.), not a separate feature change.

Reviewed by Cursor Bugbot for commit 349f156.
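The resolutions-to-overrides step in the description is where a yarn-to-npm migration can quietly change which versions get installed, because the two fields do not pin by the same rules: yarn classic treats "foo" as shorthand for "**/foo", reads "a/b" as b being a direct dependency of a and "a/**/b" as b anywhere under a, while npm overrides nest by ancestry only and use a "." key for the parent's own version. The converter below is an added example, not code from the PR or the edge-react-gui project; the sample resolutions map is constructed, and the widened/conflict notes are this example's own reporting, not anything npm prints.

```javascript
// Added example (not the PR's or edge-react-gui's code): translate a yarn
// classic "resolutions" map into an npm "overrides" map and record where the
// two semantics differ, so the resulting package-lock.json can be checked.

// Split "a/**/@scope/b" into ["a", "**", "@scope/b"]; a scoped name keeps its slash.
function splitPattern(pattern) {
  const raw = pattern.split('/');
  const segments = [];
  for (let i = 0; i < raw.length; i++) {
    if (raw[i].startsWith('@') && i + 1 < raw.length) {
      segments.push(raw[i] + '/' + raw[i + 1]);
      i++;
    } else {
      segments.push(raw[i]);
    }
  }
  return segments;
}

// Walk or create the nested override objects along `path` and pin the leaf.
// A string already sitting at an intermediate key becomes { ".": version },
// npm's syntax for "this package itself", so the parent's own pin survives.
function setOverride(overrides, path, version, pattern, notes) {
  let node = overrides;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] === 'string') node[key] = { '.': node[key] };
    else if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  const leaf = path[path.length - 1];
  const existing = node[leaf];
  if (typeof existing === 'object' && existing !== null) {
    if (existing['.'] !== undefined && existing['.'] !== version) {
      notes.push(`conflict: ${pattern} sets ${version} but ${leaf} is already pinned to ${existing['.']}`);
    }
    existing['.'] = version;
  } else {
    if (typeof existing === 'string' && existing !== version) {
      notes.push(`conflict: ${pattern} sets ${version} but ${leaf} is already pinned to ${existing}`);
    }
    node[leaf] = version;
  }
}

function resolutionsToOverrides(resolutions) {
  const overrides = {};
  const notes = [];
  for (const [pattern, version] of Object.entries(resolutions)) {
    const segments = splitPattern(pattern);
    // yarn: "foo" is shorthand for "**/foo"; npm: a top-level key already means everywhere.
    if (segments[0] === '**') segments.shift();
    // yarn: "a/b" pins b only as a direct dependency of a, "a/**/b" pins b anywhere
    // under a. npm nests by ancestry only, so both become { a: { b } }; flag the
    // direct-child form because the override now reaches every descendant.
    let widened = false;
    for (let i = 1; i < segments.length; i++) {
      if (segments[i - 1] !== '**' && segments[i] !== '**') widened = true;
    }
    const path = segments.filter((s) => s !== '**');
    if (widened) {
      notes.push(`widened: ${pattern} applied to direct dependencies only; the npm override applies to any descendant of ${path.slice(0, -1).join('/')}`);
    }
    setOverride(overrides, path, version, pattern, notes);
  }
  return { overrides, notes };
}

// Constructed sample; package names are invented for the example.
const SAMPLE_RESOLUTIONS = {
  '**/minimist': '^1.2.6',
  lodash: '^4.17.21',
  '@scope/parent/ws': '^8.0.0',
  'webpack/**/@scope/leaf': '2.0.0',
  'old-lib': '1.0.0',
  'old-lib/semver': '^7.5.4',
};

const converted = resolutionsToOverrides(SAMPLE_RESOLUTIONS);
console.log(JSON.stringify(converted.overrides, null, 2));
for (const note of converted.notes) console.log('note:', note);
```

Every "widened" note is a candidate for a diff between the old yarn.lock and the new package-lock.json: if a package that was only pinned as a direct child now has its version forced deeper in the tree, the install differs from what yarn produced even though the manifest looks equivalent.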

j0ntz (Contributor, Author) commented Jun 12, 2026

📸 Test evidence (npm build, iOS sim)

agent proof 1215650443774301 01 npm build wallet list

agent proof 1215650443774301 02 npm build buy quote

Captured by the agent's in-app test run (build-and-test).

socket-security (Bot) commented Jun 12, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert

Warn | High | Publisher changed: npm @edge.app/drupe is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/@edge.app/drupe@0.2.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/@edge.app/drupe@0.2.0

Warn | High | Obfuscated code: npm @ethersproject/providers is 90.0% likely obfuscated
  Confidence: 0.90
  Location: Package overview
  From: package-lock.json → npm/edge-exchange-plugins@2.48.0 → npm/@ethersproject/providers@5.7.0
  Read more on: This package | This alert | What is obfuscated code?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/@ethersproject/providers@5.7.0

Warn | High | Publisher changed: npm edge-info-server is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/edge-info-server@3.12.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/edge-info-server@3.12.0

Warn | High | Publisher changed: npm react-native-airship is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/react-native-airship@0.3.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/react-native-airship@0.3.0

Warn | High | Publisher changed: npm react-native-patina is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/react-native-patina@0.2.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/react-native-patina@0.2.0

Warn | High | Obfuscated code: npm stream-json is 90.0% likely obfuscated
  Confidence: 0.90
  Location: Package overview
  From: package-lock.json → npm/edge-currency-accountbased@4.83.0 → npm/stream-json@1.9.1
  Read more on: This package | This alert | What is obfuscated code?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/stream-json@1.9.1

Warn | High | Publisher changed: npm updot is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/updot@1.2.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/updot@1.2.0

Warn | High | Publisher changed: npm yaob is now published by mattdpiche
  Author: mattdpiche
  From: package-lock.json → npm/yaob@0.4.0
  Read more on: This package | This alert | What is unstable ownership?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/yaob@0.4.0

Warn | Medium | Low adoption: npm @edge.app/x-cleaners
  Location: Package overview
  From: package-lock.json → npm/edge-info-server@3.12.0 → npm/@edge.app/x-cleaners@0.1.0
  Read more on: This package | This alert | What are unpopular packages?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/@edge.app/x-cleaners@0.1.0

Warn | Medium | Low adoption: npm @fioprotocol/fiosdk
  Location: Package overview
  From: package-lock.json → npm/edge-currency-accountbased@4.83.0 → npm/@fioprotocol/fiosdk@1.10.3
  Read more on: This package | This alert | What are unpopular packages?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/@fioprotocol/fiosdk@1.10.3

Warn | Medium | Low adoption: npm hashes-grs
  Location: Package overview
  From: package-lock.json → npm/edge-currency-plugins@3.10.0 → npm/hashes-grs@1.2.0
  Read more on: This package | This alert | What are unpopular packages?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/hashes-grs@1.2.0

Warn | Medium | Low adoption: npm react-native-zcash
  Location: Package overview
  From: package-lock.json → npm/react-native-zcash@0.12.0
  Read more on: This package | This alert | What are unpopular packages?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/react-native-zcash@0.12.0

Warn | Medium | Low adoption: npm updot
  Location: Package overview
  From: package-lock.json → npm/updot@1.2.0
  Read more on: This package | This alert | What are unpopular packages?
  To ignore this alert only in this pull request, reply with the comment: @SocketSecurity ignore npm/updot@1.2.0

Next steps (the same for every alert above): Take a moment to review the security alert. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestions by alert type:

  • Publisher changed: Try to reduce the number of authors you depend on to reduce the risk of malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
  • Obfuscated code: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
  • Low adoption: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk: the per-package @SocketSecurity ignore comment listed with each alert ignores it only in this pull request. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • edge-currency-accountbased@4.83.0

View full report

j0ntz (Contributor, Author) commented Jun 12, 2026

Tested against the npm-converted dependency PRs (tarball build)

Since the dep conversions are not published yet, I verified this gui migration against the actual npm-converted dependency code, not just the currently-published packages. I tarballed every unmerged gui-relevant convert-to-npm PR, built them into this branch, and ran the build + login.

Method

For each dep PR: checked out the PR head, npm ci, ran the repo's own build (npm run prepare), then npm pack. Installed all 17 resulting tarballs into this gui worktree as file: dependencies (test scaffolding only, reverted afterward; nothing here is committed to this PR). Then ran tsc, npm run prepare (plugin bundles), built the full app JS bundle via Metro, and launched the app on an iOS simulator.

Dep PRs tarballed (17)

edge-core-js#723, edge-currency-accountbased#1054, edge-currency-plugins#449, edge-exchange-plugins#454, edge-currency-monero#103, edge-login-ui-rn#294, edge-info-server#153, biggystring#24, disklet#45, yaob#35, react-native-airship#43, react-native-patina#10, react-native-mymonero-core#16, react-native-piratechain#21, react-native-zano#13, react-native-zcash#66, updot#2.

Results

  • tsc: 0 errors against all 17 converted deps.
  • npm run prepare: the webpack core/swap/currency plugin bundles compiled successfully.
  • Full app JS bundle built via Metro: HTTP 200, ~36.7 MB, no module-resolution errors (the entire converted-dep graph bundles into the app).
  • App boots and YOLO auto-login lands in the funded wallet list. Screenshot attached in the comment below.

Conclusion: this gui npm migration builds and runs against the npm-converted versions of all its Edge dependencies, not only the published ones.

Honest caveats

  • Two dep PR branches predate the gui's current pinned version and were force-installed via file: to test them anyway: react-native-zcash 0.10.7 (gui pins ^0.11.0) and react-native-patina 0.1.5 (gui pins ^0.1.6). Their conversions still built and bundled.
  • edge-core-js: its type-declaration build step failed in the local sandbox (an EBADARCH spawn error on the type-gen tool, not a conversion defect), so the published 2.44.0 type artifacts (types.js/.mjs/.flow, content-identical and package-manager-independent) were grafted in to let the plugin bundle compile. The converted edge-core-js library itself was built from the PR branch and consumed.
  • The gui's local patches/react-native-mymonero-core+0.3.4.patch (an Android jni.cpp patch) did not apply cleanly to the converted tarball. It is Android-only and irrelevant to this iOS verification, but that patch will likely need a refresh when the mymonero-core conversion lands.
  • Native modules were not recompiled. The conversions are package-manager-only and do not change native code, so the existing native binary is compatible with the converted-dep JS bundle (where the conversions actually live); the runtime test exercised the converted-dep JavaScript served over Metro.

j0ntz (Contributor, Author) commented Jun 12, 2026

📸 Converted-dep tarball build: wallet list

agent proof 1215650443774301 03 converted deps wallet list

Captured by the agent's in-app test run (build-and-test).

j0ntz and others added 19 commits on June 16, 2026 at 17:12

Add explicit return types to main, pickBuildNumber, chdir, and call,
and type the top-level catch callback variable as unknown.

- Replace yarn.lock with a freshly generated package-lock.json
  (cold npm install on current develop).
- Swap package.json resolutions for npm overrides, drop the yarn and
  yarn-deduplicate devDeps, bump patch-package to ^8, set packageManager
  to npm, and change the fix script to use npm dedupe.
- Persist the prior yarn --ignore-scripts behavior via ignore-scripts=true
  in .npmrc, and add legacy-peer-deps=true so npm tolerates the same
  peer-dep conflicts yarn classic did.
- Convert yarn invocations to npm in .travis.yml, Jenkinsfile,
  scripts/prepare.sh, webpack.config.js, and developer docs (README.md,
  AGENTS.md, docs/MAESTRO.md). Remove the yarn global-install step from
  maestro.sh and rename the bootstrap function accordingly.
j0ntz force-pushed the jon/yarn-to-npm branch from f9fdb8b to 349f156 on June 17, 2026 at 00:21

cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 349f156.

Comment thread .travis.yml
j0ntz (Contributor, Author) commented Jun 17, 2026

@SocketSecurity ignore npm/edge-currency-accountbased@4.83.0

Accepting this HTTP-dependency alert. edge-currency-accountbased@4.83.0 transitively pulls @zano-project/zano-utils-js from a first-party EdgeApp release tarball. This dependency is pre-existing on develop (the same tarball is pinned in develop's yarn.lock); it is only re-surfaced here because the yarn to npm conversion regenerates the lockfile as package-lock.json, which Socket scans as a new manifest. No new third-party code is introduced by this PR.
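Both the lockfile regeneration in the PR description and the triage above (a dependency resolving to a first-party release tarball rather than to the registry) are the kind of thing a reviewer would rather catch mechanically than by reading a lockfile with a couple of thousand entries. The script below is an added example, not code from the PR or the edge-react-gui project: it walks the packages map of a lockfileVersion 2 or 3 package-lock.json and reports non-registry tarballs, plain-http and git sources, and missing or sha1-only integrity fields. The sample lockfile it runs on is constructed, and the trustedTarballHosts option is this example's own, not an npm setting.

```javascript
// Added example (not the PR's or edge-react-gui's code): a mechanical review
// pass over a regenerated package-lock.json (lockfileVersion 2 or 3).

const NPM_REGISTRY = 'https://registry.npmjs.org/';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(entryPath) {
  const marker = 'node_modules/';
  const idx = entryPath.lastIndexOf(marker);
  return idx === -1 ? entryPath : entryPath.slice(idx + marker.length);
}

// Returns one finding per suspicious property of an entry. `trustedTarballHosts`
// (this example's own option, not an npm one) lists hosts other than the registry
// that the team has explicitly decided to accept release tarballs from.
function auditLockfile(lock, options = {}) {
  const trustedTarballHosts = new Set(options.trustedTarballHosts || []);
  const findings = [];

  for (const [entryPath, entry] of Object.entries(lock.packages || {})) {
    if (entryPath === '') continue; // the root project itself
    if (entry.link) continue;       // workspace symlink: nothing is fetched
    const name = packageNameFromPath(entryPath);
    const report = (kind, detail) => findings.push({ name, path: entryPath, kind, detail });

    if (typeof entry.resolved !== 'string' || entry.resolved === '') {
      report('missing-resolved', 'npm ci cannot pin where this package is fetched from');
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      report('unparseable-resolved', entry.resolved);
      continue;
    }

    const isTarball = url.protocol === 'http:' || url.protocol === 'https:';
    if (url.protocol === 'http:') {
      report('plain-http', entry.resolved); // no transport protection at all
    } else if (url.protocol === 'git:' || url.protocol.startsWith('git+')) {
      report('git-dependency', entry.resolved); // pinned only by the commit in the URL
    } else if (url.protocol === 'file:') {
      report('local-file', entry.resolved);
    } else if (url.protocol === 'https:' && !entry.resolved.startsWith(NPM_REGISTRY)
               && !trustedTarballHosts.has(url.host)) {
      report('non-registry-tarball', url.host);
    }

    if (isTarball) {
      const integrity = entry.integrity;
      if (typeof integrity !== 'string' || integrity === '') {
        report('missing-integrity', 'tarball contents are not verified on install');
      } else if (!/^sha(256|384|512)-/.test(integrity)) {
        report('weak-integrity', integrity.split('-')[0]); // e.g. sha1 from an old lockfile
      }
    }
  }
  return findings;
}

function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample lockfile; package names and hosts are invented for the example.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/tidy-example': { version: '1.0.0',
      resolved: 'https://registry.npmjs.org/tidy-example/-/tidy-example-1.0.0.tgz', integrity: 'sha512-AAAA' },
    'node_modules/old-hash-example': { version: '2.0.0',
      resolved: 'https://registry.npmjs.org/old-hash-example/-/old-hash-example-2.0.0.tgz', integrity: 'sha1-BBBB' },
    'node_modules/first-party-example': { version: '0.1.0',
      resolved: 'https://releases.example.invalid/first-party-example-0.1.0.tgz', integrity: 'sha512-CCCC' },
    'node_modules/mirror-example': { version: '3.1.0',
      resolved: 'http://mirror.example.invalid/mirror-example-3.1.0.tgz', integrity: 'sha512-DDDD' },
    'node_modules/fork-example': { version: '1.2.3',
      resolved: 'git+ssh://git@example.invalid/org/fork-example.git#abc123' },
    'node_modules/ws-example': { resolved: 'packages/ws-example', link: true },
    'node_modules/scope-example/node_modules/@acme/nested-example': { version: '0.0.1',
      resolved: 'https://registry.npmjs.org/@acme/nested-example/-/nested-example-0.0.1.tgz' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.kind.padEnd(22)} ${f.name}  (${f.detail})`);
}
```

To run it against a real lockfile, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). An empty findings list is the condition worth requiring before a regenerated manifest is accepted; a tarball host that the team has deliberately chosen to trust belongs in the allowlist, so it is recorded once rather than re-accepted in every pull request that happens to touch the lockfile.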

@j0ntz j0ntz merged commit 0ad03ba into develop Jun 17, 2026
7 checks passed
@j0ntz j0ntz deleted the jon/yarn-to-npm branch June 17, 2026 02:46
2 participants