---
issue: 106
title: "Backend: dual lockfiles (yarn.lock + package-lock.json) diverge"
severity: medium
domain: Dependencies
labels: [backend, ci-cd, dependencies]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: dual lockfiles (yarn.lock + package-lock.json) diverge

**Severity:** medium
**Domain:** Dependencies
**Labels:** backend, ci-cd, dependencies

## Description

`backend/package.json:117`: the repo carries both `yarn.lock` and `package-lock.json`, and they are not kept in sync. CI and production use npm, while the `packageManager` field references yarn. The two lockfiles represent different resolved dependency trees, so local yarn installs and CI npm installs can diverge.

## Options

1. Standardize on npm + `package-lock.json` (matches CI/prod), delete `yarn.lock`, fix `Dockerfile.dev`.
2. Standardize on yarn (matches the `packageManager` field), make CI use yarn.
3. Keep both but regenerate and pin.

## Recommendation

Pick one (npm matches prod/CI), delete the other lockfile, align the Dockerfiles, and regenerate.

## Affected Files

- `backend/package.json`
- `backend/yarn.lock`
- `backend/package-lock.json`
- `backend/Dockerfile.dev`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-55
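A CI guard for the state this ticket describes, added here as an example and not taken from the audit or the backend repo: `check_lockfiles` fails when a package directory carries both lockfiles or when the lockfile present disagrees with the `packageManager` field, and `standardize_on_npm` applies option 1 from the ticket. The fixture, the function names and the npm version string are constructed for the example.

```shell
# Added example, not part of the audit or the backend repo. Fixture values and
# the npm version string below are constructed placeholders.
check_lockfiles() {
  dir="$1"; has_yarn=0; has_npm=0
  [ -f "$dir/yarn.lock" ] && has_yarn=1
  [ -f "$dir/package-lock.json" ] && has_npm=1
  if [ "$has_yarn" -eq 1 ] && [ "$has_npm" -eq 1 ]; then
    echo "ERROR: $dir has both yarn.lock and package-lock.json; keep exactly one" >&2; return 1
  fi
  if [ "$has_yarn" -eq 0 ] && [ "$has_npm" -eq 0 ]; then
    echo "ERROR: $dir has no lockfile; installs are not reproducible" >&2; return 1
  fi
  # Read the tool name from packageManager ("yarn@1.22.19" -> "yarn") with sed
  # rather than jq, so the guard runs on a bare CI image. Empty if absent.
  pm=$(sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([^"@]*\)[^"]*".*/\1/p' "$dir/package.json" | head -n 1)
  case "$pm" in
    "")   ;;  # no packageManager field: nothing to cross-check
    npm)  [ "$has_npm" -eq 1 ] || { echo "ERROR: packageManager is npm but only yarn.lock is present" >&2; return 1; } ;;
    yarn) [ "$has_yarn" -eq 1 ] || { echo "ERROR: packageManager is yarn but only package-lock.json is present" >&2; return 1; } ;;
    *)    echo "ERROR: unsupported packageManager '$pm'" >&2; return 1 ;;
  esac
  echo "OK: $dir has one lockfile and it matches packageManager=${pm:-unset}"
}

# Option 1 from the ticket: drop yarn.lock and point packageManager at npm.
# Regenerating package-lock.json afterwards needs the network
# (npm install --package-lock-only), so that step is left to the real pipeline.
standardize_on_npm() {
  rm -f "$1/yarn.lock"
  sed 's/"packageManager": "yarn@[^"]*"/"packageManager": "npm@10.9.0"/' "$1/package.json" \
    > "$1/package.json.tmp" && mv "$1/package.json.tmp" "$1/package.json"
}

# Constructed fixture reproducing the finding: packageManager says yarn while
# both lockfiles are committed.
make_fixture() {
  d=$(mktemp -d); mkdir "$d/backend"
  printf '{ "name": "backend", "packageManager": "yarn@1.22.19" }\n' > "$d/backend/package.json"
  : > "$d/backend/yarn.lock"; : > "$d/backend/package-lock.json"
  echo "$d"
}

fixture=$(make_fixture)
check_lockfiles "$fixture/backend" || echo "finding reproduced; applying option 1"
standardize_on_npm "$fixture/backend"
check_lockfiles "$fixture/backend"
rm -rf "$fixture"
```

Run it from CI after checkout (`check_lockfiles backend`) so a second lockfile, or a `packageManager` field that disagrees with the one present, fails the build before `npm ci` runs.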