I don't understand your fix. The fix should be adding the implicit dependencies as devDependencies, but you're not doing that.

As of this instance, this works with yarn, and not with npm, so unless you fix this precise issue, this PR can't be merged.

Adding Yarn to the devDependencies does not work 100% because while the installation would probably work (I haven't tested it myself) npm i would have ignored the yarn.lock file resulting in a potentially different install. The same applies to my solution.

Contrary to what its name indicates the prepublish script is run both before publishing and after installing which has caused so much confusion that it is being deprecated.

However, while Npm users will probably not be aware of the lock-file issue and this dismiss it, Yarn users probably would and, if any issue arises on installation, they might easily fix it by falling back to Npm since everyone has Npm while non-Yarn users would simply be stuck.

The full solution would be to provide both yarn and npm lock files as suggested in this comment within a long standing conversation about this issue.

Anyway, in-house usage and world-wide adoption require two different criteria and, whatever your internal preferences, Npm is best for the wider audience. None of this affects library users, just contributors.