
chore: clean up npm run scripts to make prod the default #14274

Open
dylanjeffers wants to merge 2 commits into main from dylan/cleanup-npm-scripts

Conversation

@dylanjeffers
Contributor

Summary

  • npm run web is now the default and runs the web client against production (replaces web:prod)
  • npm run web:dev is renamed to npm run web:local (running against local services)
  • npm run web:stage is removed
  • npm run mobile is unchanged (already the prod-targeting default)
  • Updated CLAUDE.md and README.md to reference the new script names

The start:dev / start:stage / start:prod scripts inside packages/web are kept as-is so that desktop:dev / desktop:stage / desktop:prod continue to work.

Test plan

  • npm run web starts the web client against prod
  • npm run web:local starts the web client against local services
  • npm run web:stage and npm run web:prod no longer resolve at the root
  • npm run mobile still starts Metro as before
  • desktop:dev / desktop:stage / desktop:prod still work
  • Searching the repo turns up no remaining references to web:dev / web:stage / web:prod

🤖 Generated with Claude Code

- Add `npm run web` (against production) as the default
- Rename `web:dev` to `web:local` (against local services)
- Remove `web:stage` and `web:prod` (prod is now just `web`)
- Update CLAUDE.md and README.md to reference the new script names

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented May 7, 2026

⚠️ No Changeset found

Latest commit: d582356

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


packages/web/package.json:
- Rename internal `start` (the vite entry) to `start:vite` to free the
  `start` name for the prod-default wrapper
- `start:dev` → `start:local`; remove `start:stage` and `start:prod`
- `start` is now the prod default
- Apply the same to SSR variants: `start:ssr:dev` → `start:ssr:local`,
  remove `start:ssr:stage` and `start:ssr:prod`, and `start:ssr` is now
  the prod default

turbo.json:
- Register `start:vite` task (mirrors `start`'s persistent + ^build deps)

Root package.json:
- Repoint `web` → `start` and `web:local` → `start:local`
- Rename `desktop:dev` → `desktop:local`, `desktop:prod` → `desktop`,
  and remove `desktop:stage` for symmetry with web

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pull-request-size Bot added size/M and removed size/S labels May 7, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/@babel/plugin-proposal-class-static-block@7.21.0 | 100 | 100 | 71 | 50 | 100 |
| Updated | npm/@babel/preset-typescript@7.28.5 ⏵ 7.22.15 | 100 | 100 | 72 | 94 +2 | 100 |
| Updated | npm/@babel/plugin-transform-runtime@7.29.0 ⏵ 7.18.2 | 99 | 100 | 74 +1 | 95 +2 | 100 |
| Updated | npm/@babel/helper-compilation-targets@7.28.6 ⏵ 7.27.1 | 100 +1 | 100 | 75 +1 | 93 | 100 |
| Added | npm/@audius/fetch-nft@0.2.8 | 75 | 100 | 99 | 84 | 100 |
| Added | npm/@babel/plugin-transform-react-jsx@7.21.0 | 100 | 100 | 76 | 93 | 100 |
| Added | npm/@babel/template@7.27.1 | 100 | 100 | 76 | 93 | 100 |
| Added | npm/@audius/hedgehog@3.0.0-alpha.1 | 76 | 100 | 94 | 83 | 100 |
| Added | npm/@babel/preset-env@7.22.15 | 96 | 100 | 77 | 97 | 100 |
| Added | npm/@atlaskit/pragmatic-drag-and-drop@1.7.7 | 100 | 100 | 77 | 92 | 100 |
| Added | npm/@audius/stems@0.3.10 | 77 | 100 | 93 | 84 | 100 |
| Updated | npm/@babel/helper-module-transforms@7.28.6 ⏵ 7.27.1 | 100 +1 | 100 | 77 +1 | 93 | 100 |
| Added | npm/@babel/parser@7.27.1 | 99 | 100 | 77 | 97 | 100 |
| Updated | npm/@babel/compat-data@7.29.0 ⏵ 7.27.1 | 100 | 100 | 78 | 97 | 100 |
| Updated | npm/@babel/runtime@7.28.6 ⏵ 7.18.3 | 100 | 99 -1 | 79 | 95 | 100 |
| Added | npm/@babel/generator@7.27.1 | 100 | 100 | 79 | 94 | 100 |
| Added | npm/@babel/traverse@7.27.1 | 100 | 100 | 79 | 94 | 100 |
| Updated | npm/@babel/helpers@7.28.6 ⏵ 7.27.1 | 99 +1 | 100 | 80 | 95 | 100 |
| Updated | npm/@babel/core@7.29.0 ⏵ 7.23.7 | 98 +1 | 100 | 80 | 95 +2 | 100 |
| Added | npm/@babel/types@7.27.1 | 98 | 100 | 81 | 94 | 100 |
| Added | npm/@bravemobile/react-native-code-push@12.3.2 | 82 | 100 | 100 | 92 | 100 |
| Added | npm/@apollo/client@3.3.7 | 93 | 100 | 82 | 99 | 100 |
| Added | npm/@amplitude/node@1.9.2 | 99 | 100 | 86 | 86 | 100 |
| Added | npm/@atlaskit/pragmatic-drag-and-drop-react-beautiful-dnd-migration@0.17.7 | 98 | 100 | 97 | 86 | 100 |
| Added | npm/@amplitude/analytics-browser@2.11.9 | 100 | 100 | 93 | 100 | 100 |
| Added | npm/@amplitude/plugin-session-replay-browser@1.8.2 | 100 | 100 | 98 | 100 | 100 |
| Added | npm/@amplitude/analytics-react-native@1.4.11 | 100 | 100 | 100 | 100 | 100 |


@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action | Severity | Alert
Block | Low | Potential code anomaly (AI signal): npm @amplitude/session-replay-browser is 100.0% likely to have a medium risk anomaly

Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@amplitude/plugin-session-replay-browser@1.8.2 › npm/@amplitude/session-replay-browser@1.15.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard SourceMap remapping mechanism. There is no inherent malicious behavior or backdoor within the shown fragment. The only potential risk lies in the use of the user-supplied loader callback, which could be misused by a project integrating this library. If the loader is trusted and sandboxed, the code poses no evident security threats. Overall, the security risk is moderate due to loader trust requirements.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/core@7.23.7 › npm/@ampproject/remapping@2.2.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly

Notes: The code is a conventional, loader-driven Source Map remapping utility. It exhibits a legitimate trust boundary at the loader. No intrinsic malware present; security concerns hinge on loader trust and content exposure. Recommend reviewing loader implementations and ensuring options properly redact or restrict sourcesContent when distributing SourceMaps.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/core@7.23.7 › npm/@ampproject/remapping@2.2.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @apollo/protobufjs is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code segment is a standard RPC service wrapper (protobufjs style) with conventional input validation, encoding/decoding, event emission, and end handling. No malicious behavior is evident, and there are no observable security vulnerabilities beyond ordinary library-level error handling. It does not exhibit data exfiltration, backdoors, or other anti-security patterns.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@apollo/protobufjs@1.2.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @audius/hedgehog is 100.0% likely to have a medium risk anomaly

Notes: The source code contains hardcoded sensitive credentials and cryptographic material that are directly exported, posing a high security risk if used in production or published publicly. There is no evidence of malware or obfuscation, but the insecure practice of embedding plaintext passwords and keys in source code can lead to credential leakage and compromise. It is strongly recommended to remove hardcoded secrets, implement secure credential management, and restrict exposure of sensitive data.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@audius/hedgehog@3.0.0-alpha.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@audius/hedgehog@3.0.0-alpha.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/core@7.23.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/core@7.23.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/helper-module-transforms@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/helpers@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/preset-typescript@7.22.15 › npm/@babel/plugin-syntax-typescript@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly

Notes: The module implements a legitimate Babel runtime polyfill for named capture groups, using established patterns (WeakMap, prototype inheritance, lazy initialization) to augment RegExp results and substitutions. No evidence of malicious activity, data leakage, or external communication. Overall security risk is low but the code warrants standard review for potential debugging complexity due to prototype and factory redefinition.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/runtime@7.18.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.18.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm @bravemobile/react-native-code-push is 75.0% likely to have a medium risk anomaly

Notes: The fragment represents a standard, legitimate OTA update mechanism for React Native, with normal update orchestration, user prompts, retry/rollback, and status reporting. There is no obvious malicious behavior or backdoor within this code fragment. The main security considerations relate to the integrity and authenticity of updates, secure transport, and the security of the native bridge implementation. Overall risk is moderate due to remote updates, but not due to internal malicious code in this snippet.

Confidence: 0.75

Severity: 0.55

From: package-lock.json › npm/@bravemobile/react-native-code-push@12.3.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bravemobile/react-native-code-push@12.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/axios@1.7.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/axios@1.7.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm got is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment is a standard part of an HTTP client wrapper (Got) with typical features: option normalization, hooks, error mapping, proxies for handlers, pagination, and streaming. There is no evidence of malicious behavior (no data exfiltration, backdoors, environment-variable abuse, or covert network connections) within this isolated module. Security risk is low for this fragment, assuming the core implementation and extension ecosystem are trustworthy.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/got@11.8.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/got@11.8.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm semver is 100.0% likely to have a medium risk anomaly

Notes: No malicious behavior detected. This is a legitimate SemVer utility implementation handling version validation, range filtering, and optional increments. Security risk is low for this code fragment; obfuscated indicators are absent. Overall malice likelihood is negligible.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@babel/preset-env@7.22.15, npm/@babel/plugin-proposal-class-static-block@7.21.0, npm/@babel/helper-compilation-targets@7.27.1, npm/@babel/preset-typescript@7.22.15, npm/@babel/core@7.23.7, npm/semver@6.3.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@6.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@github-actions
Contributor

github-actions Bot commented May 7, 2026

🌐 Web preview ready

Preview URL: https://audius-web-preview-pr-14274.audius.workers.dev

Unique preview for this PR (deployed from this branch).
Workflow run
