Files
promptfoo--promptfoo/docs/agents/dependency-management.md
T
wehub-resource-sync 0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
CI / Shell Format Check (push) Waiting to run
CI / Check Ruby (3.4) (push) Waiting to run
CI / CI Config (push) Waiting to run
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Blocked by required conditions
CI / Build on Node ${{ matrix.node }} (push) Blocked by required conditions
CI / Style Check (push) Waiting to run
CI / Generate Assets (push) Waiting to run
CI / Check Python (3.14) (push) Waiting to run
CI / Check Python (3.9) (push) Waiting to run
CI / Build Docs (push) Waiting to run
CI / Code Scan Action (push) Waiting to run
CI / Site tests (push) Waiting to run
CI / webui tests (push) Waiting to run
CI / Run Integration Tests (push) Waiting to run
CI / Run Smoke Tests (push) Waiting to run
CI / Go Tests (push) Waiting to run
CI / Share Test (push) Waiting to run
CI / Redteam (Production API) (push) Waiting to run
CI / Redteam (Staging API) (push) Waiting to run
CI / GitHub Actions Lint (push) Waiting to run
CI / Check Ruby (3.0) (push) Waiting to run
release-please / release-please (push) Waiting to run
release-please / build (push) Blocked by required conditions
release-please / publish-npm (push) Blocked by required conditions
release-please / publish-npm-backfill (push) Waiting to run
release-please / docker (push) Blocked by required conditions
release-please / publish-code-scan-action (push) Blocked by required conditions
release-please / attest-code-scan-action (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

3.1 KiB

Dependency Management

Safe Update Workflow

Use --target minor for safe minor/patch updates only:

# Check all three locations for available updates
npx npm-check-updates --target minor              # Root
npx npm-check-updates --target minor --cwd site   # Site workspace
npx npm-check-updates --target minor --cwd src/app # App workspace

# Apply updates with -u flag
npx npm-check-updates --target minor -u
npx npm-check-updates --target minor -u --cwd site
npx npm-check-updates --target minor -u --cwd src/app

# Install and verify
npm install
npm run build && npm test && npm run lint && npm run format:check

# Check version consistency (required by CI)
npx check-dependency-version-consistency

Critical Rules

  1. Version consistency across workspaces - All workspaces must use the same version of shared dependencies. CI enforces this via check-dependency-version-consistency.

  2. Update examples/ - 20+ package.json files in examples/ are user-facing; keep them current when updating dependencies.

  3. Run npm audit - Use npm audit or npm run audit:fix to check for security vulnerabilities across all workspaces. Do not let npm audit fix lockfile drift ride along with an unrelated change; ship audit-driven updates as their own PR.

  4. If updates fail - Revert the problematic package and keep the current version. Don't force incompatible updates.

  5. Test before committing - Always run npm run build && npm test after updating dependencies.

Major Updates

# See available major updates (don't apply automatically)
npx npm-check-updates --target latest

# Major updates often require code changes - evaluate each carefully

Major updates require careful evaluation:

  • Check the changelog for breaking changes
  • Look for migration guides
  • Test thoroughly before merging

Workspaces

The project uses npm workspaces. Updates must be checked in all three locations:

  • Root (/) - Core library dependencies
  • Site (/site) - Documentation site (Docusaurus)
  • App (/src/app) - Web UI (React/Vite)

Working on Renovate Branches

Renovate force-pushes its branches whenever main changes or someone comments @renovate rebase. Any manual commit you add may be overwritten without warning.

  • Push fixes quickly and expect them to survive only until the next Renovate rebase.
  • For non-trivial manual work on a Renovate-managed dependency, create a sibling branch off the Renovate branch and open a separate PR that Renovate will not touch.
  • On a major-version Renovate PR, read the upstream changelog, run gap analysis on our matching provider/integration and its docs, then test end-to-end with real evals (npm run local -- eval -c <example>.yaml --no-cache -o output.json, adding --env-file .env when credentials are needed and the file exists) before deciding whether the upgrade needs code changes.

Useful Commands

# Fix security vulnerabilities in all workspaces
npm run audit:fix

# Check for outdated packages
npm outdated

# See why a package is installed
npm explain <package-name>

# Check for unused dependencies
npm run depcheck