Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

90 lines
3.1 KiB
Markdown

# Dependency Management
## Safe Update Workflow
Use `--target minor` for safe minor/patch updates only:
```bash
# Check all three locations for available updates
npx npm-check-updates --target minor # Root
npx npm-check-updates --target minor --cwd site # Site workspace
npx npm-check-updates --target minor --cwd src/app # App workspace
# Apply updates with -u flag
npx npm-check-updates --target minor -u
npx npm-check-updates --target minor -u --cwd site
npx npm-check-updates --target minor -u --cwd src/app
# Install and verify
npm install
npm run build && npm test && npm run lint && npm run format:check
# Check version consistency (required by CI)
npx check-dependency-version-consistency
```
## Critical Rules
1. **Version consistency across workspaces** - All workspaces must use the same version of shared dependencies. CI enforces this via `check-dependency-version-consistency`.
2. **Update examples/** - 20+ package.json files in examples/ are user-facing; keep them current when updating dependencies.
3. **Run `npm audit`** - Use `npm audit` or `npm run audit:fix` to check for security vulnerabilities across all workspaces. Do not let `npm audit fix` lockfile drift ride along with an unrelated change; ship audit-driven updates as their own PR.
4. **If updates fail** - Revert the problematic package and keep the current version. Don't force incompatible updates.
5. **Test before committing** - Always run `npm run build && npm test` after updating dependencies.
## Major Updates
```bash
# See available major updates (don't apply automatically)
npx npm-check-updates --target latest
# Major updates often require code changes - evaluate each carefully
```
Major updates require careful evaluation:
- Check the changelog for breaking changes
- Look for migration guides
- Test thoroughly before merging
## Workspaces
The project uses npm workspaces. Updates must be checked in all three locations:
- Root (`/`) - Core library dependencies
- Site (`/site`) - Documentation site (Docusaurus)
- App (`/src/app`) - Web UI (React/Vite)
## Working on Renovate Branches
Renovate force-pushes its branches whenever `main` changes or someone comments
`@renovate rebase`. Any manual commit you add may be overwritten without warning.
- Push fixes quickly and expect them to survive only until the next Renovate rebase.
- For non-trivial manual work on a Renovate-managed dependency, create a sibling
branch off the Renovate branch and open a separate PR that Renovate will not touch.
- On a major-version Renovate PR, read the upstream changelog, run gap analysis on
our matching provider/integration and its docs, then test end-to-end with real evals
(`npm run local -- eval -c <example>.yaml --no-cache -o output.json`, adding
`--env-file .env` when credentials are needed and the file exists)
before deciding whether the upgrade needs code changes.
## Useful Commands
```bash
# Fix security vulnerabilities in all workspaces
npm run audit:fix
# Check for outdated packages
npm outdated
# See why a package is installed
npm explain <package-name>
# Check for unused dependencies
npm run depcheck
```