fix: update dependencies to address security issue in @babel/runtime < 7.26.10

[jdalrymple]

What:

Modernized project dependencies and resolved deprecated packages, peer dependency warnings, and security vulnerabilities.

Why:

• The codecov package was deprecated with a migration plan in place
• Multiple peer dependency warnings were causing noise during installation
• Security audit identified 2 low-severity vulnerabilities in transitive dependencies
• node-fetch dependency was unnecessary given Node.js 22's native fetch support
• ES module compatibility issues were causing test failures after package updates

How:

Dependency Updates:

• Removed deprecated codecov package and updated CircleCI config to use official codecov orb
• Removed unnecessary node-fetch dependency, now using Node.js 22's native fetch
• Removed typescript dev dependency (not needed for pure JS project)
• Added pnpm override for tmp@>=0.2.4 to resolve security vulnerability

Configuration Changes:

• Updated Jest config to support ES modules with --experimental-vm-modules flag
• Added transformIgnorePatterns for prettier compatibility
• Modified test script to use NODE_OPTIONS environment variable

Code Updates:

• Fixed inquirer v12 compatibility by using require('inquirer').default
• Fixed lint errors (curly braces, logical assignment warnings)
• Updated test snapshots to reflect prettier formatting changes
• Fixed conditional logic in test files to avoid ESLint warnings

Infrastructure Updates:

• Updated CircleCI to use Node.js 22.14 (from 16.17.0) to match engine requirements
• Migrated CI from yarn to pnpm to match project package manager
• Added pnpm installation step to CircleCI workflow
• Removed obsolete .yvmrc file (Yarn version specification no longer needed)

Checklist:

• Documentation
• Tests
• Ready to be merged
• Added myself to contributors table

[jdalrymple]

I know this was a huge overhaul, but would love to get the cli tool up to date 🙏

[jdalrymple]

Bump 🙏

[lwasser]

cool - i didn't know about pnpm!!

[lwasser]

we moved from yarn --> npm for the documentation i wonder if we should use this over in that repo too?

[JoshuaKGoldberg]

Although I personally love pnpm and use it in all my projects (template: create-typescript-app), switching this CLI from a previous package manager to pnpm is a big change. If we want to do that (+1 from me) it should be in a separate PR than a smaller "update dependencies" one.

[jdalrymple]

Makes sense!

[lwasser]

@all-contributors please add @jdalrymple for security, bug

[allcontributors]

@lwasser

I've put up a pull request to add @jdalrymple! 🎉

[lwasser]

hey @jdalrymple thank you for this - this is a BIG PR!!

We have been working on reviving this project and I do have merge permissions but i'm trying to use them carefully as we all get up to speed on this project. Do you have the capacity to split this out into small pieces?

I am doing updates such as dependabot etc as well. if you are willing to work with us, implementing this in several smaller pr's would be greatly appreciated!

[lwasser]

i don't think i have access to circle ci so let me dig into that first. if this could be it's own pr we can merge it quickly as is

[lwasser]

maybe one pr for circle ci
one pr for linting
one pr for deps.

i am still trying to figure out how deployment is setup here. And where tests run.

lemme know how that sounds. I appreciate your help!!

[JoshuaKGoldberg]

🙌 I appreciate the initiative! There are quite a few unrelated changes in this PR ranging from stylistic tweaks in other files to a full swap of the package manager. +1 to lwasser's suggestion to have one PR per thing. That makes things much more reviewable. And if one item is blocked, that doesn't block the other items. Thanks!

[JoshuaKGoldberg]

Although I personally love pnpm and use it in all my projects (template: create-typescript-app), switching this CLI from a previous package manager to pnpm is a big change. If we want to do that (+1 from me) it should be in a separate PR than a smaller "update dependencies" one.

[JoshuaKGoldberg]

Moving from node-fetch to the global fetch is also a bigger change than just bumping @babel/runtime. node-fetch isn't quite a drop-in replacement for fetch. fetch is more spec/standards-compliant.

[JoshuaKGoldberg]

[Style] Unrelated change - this isn't a problem on its own, but with all the other unrelated changes makes this PR harder to review.

[jdalrymple]

Hey folks - I know this is a gigantor PR haha, i think in the process of updating the dep, I got ahead of myself cleaning up things i saw along the way.

I can split it into multiple PRs for sure. Ill start with the CI updates and pick the next piece after that. Ill keep this PR open for now just to keep a reference of the direction we were trying to go in.

Thanks for following up on everything 🙏 !!

[lwasser]

Thank you so much for breaking it up. We really appreciate it. It is taking us some time to get up to speed as this is a large project and we are still gaining access to accounts! Happy to review pr's as they come in. I did merge one dependabot update so you may need to rebase. We can expect ci to fail for now - i'm going to migrate us over to github actions soon.

…

Message ID: ***@***.***>

[jdalrymple]

Applied this here: #396