Package housekeeping: bundler compatibility, build hygiene, dependency maintenance

[nachogarcia]

Package housekeeping: bundler compatibility, build hygiene, dependency maintenance

1. Temml breaks with Vite/esbuild

Temml produces empty output when pre-bundled by Vite. esbuild's optimizer sees the ~1,061 defineSymbol() and defineMacro() calls as dead code and removes them, leaving the symbol/macro lookup tables empty at runtime.

The package.json has no sideEffects field, so bundlers have no signal that these module-level initialization calls must be preserved.

Fix: Add "sideEffects": true to package.json.

2. Dual lockfiles (yarn + npm)

The repo tracks both yarn.lock and package-lock.json, plus .yarnrc.yml and a packageManager: "yarn@3.3.1" field. Scripts reference yarn (e.g. yarn lint, yarn build). This causes confusion for contributors and dependency drift between the two.

Fix: Standardize on npm — remove yarn artifacts, replace yarn with npm run in scripts.

3. dist/ committed to git

The 13 build artifacts in dist/ are all generated by npm run dist (Rollup + Terser + copyfiles). Tracking them inflates the repo, creates noisy diffs, and can cause merge conflicts. Publishing is unaffected because dist/ is in the "files" field.

Fix: Add dist/ to .gitignore, untrack existing files, add a prepublishOnly script to guarantee npm publish always builds fresh, and ensure utils/copyfiles.js creates dist/ on a fresh clone.

4. Dead dependency and deprecated repo URL

• esm (v3.2.25) is listed in devDependencies but never imported anywhere
• The repository URL uses git://, which GitHub disabled in 2022

Fix: Remove esm, change URL to https://.

5. No automated dependency updates

No Dependabot or Renovate configuration exists. Dependency updates are entirely manual.

Fix: Add .github/dependabot.yml for weekly npm update PRs.