fix: lock promptfoo transitive dependencies to prevent CI breakage (#1115)

## Summary

- Add `package.json` + `package-lock.json` in `evals/promptfoo/` to lock
the full promptfoo dependency tree, preventing transitive dependency
breakage like the `@asamuzakjp/css-color@5.1.5` incident ([#1110
comment](#1110 (comment)))
- The eval script now runs `npm ci` before invoking promptfoo instead of
`npx -y promptfoo@0.121.3`
- Extended `scripts/audit_deps.ts` to scan the npm lockfile for
vulnerabilities alongside `deno.lock`
- Updated the CI outdated-deps check to read the version from
`package.json` via `jq`

## Test Plan

- All existing tests pass (4174 passed)
- `deno check`, `deno lint`, `deno fmt --check` all pass
- Verified `npm ci && npx promptfoo --version` works correctly in
`evals/promptfoo/`
- Verified audit script picks up packages from both `deno.lock` (99) and
`package-lock.json` (984)
- Confirmed `css-color@5.1.5` reproduces the `ERR_REQUIRE_ASYNC_MODULE`
error and `5.1.6` (locked in our lockfile) does not

Closes #1110

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: stack72

.github/workflows/ci.yml

@@ -107,10 +107,10 @@ jobs:
 
       - name: Check for outdated npm dependencies
         run: |
-          pinned=$(grep -o 'promptfoo@[0-9.]*' scripts/eval_skill_triggers_promptfoo.ts | head -1 | cut -d@ -f2)
+          pinned=$(jq -r '.dependencies.promptfoo' evals/promptfoo/package.json)
           latest=$(npm view promptfoo version 2>/dev/null)
           if [ "$pinned" != "$latest" ]; then
-            echo "::warning::promptfoo is outdated: pinned $pinned, latest $latest — update scripts/eval_skill_triggers_promptfoo.ts"
+            echo "::warning::promptfoo is outdated: pinned $pinned, latest $latest — update evals/promptfoo/package.json and run npm install to regenerate the lockfile"
           else
             echo "promptfoo $pinned is up to date"
           fi

.gitignore

@@ -32,3 +32,4 @@ CLAUDE.local.md
 resources/deno/
 /scripts/dist
 evals/promptfoo/results.json
+evals/promptfoo/node_modules/

deno.json

@@ -3,7 +3,7 @@
   "version": "0.1.0",
   "license": "AGPL-3.0-only",
   "exports": "./main.ts",
-  "workspace": ["packages/client", "packages/testing"],
+  "workspace": ["packages/client", "packages/testing", "evals/promptfoo"],
   "tasks": {
     "dev": "deno run --unstable-bundle --allow-read --allow-write --allow-env --allow-run --allow-sys main.ts",
     "test": "deno test --unstable-bundle --allow-read --allow-write --allow-env --allow-run --allow-net --allow-sys",
@@ -60,6 +60,7 @@
     ".agents/",
     "workflows/",
     ".vault-test-vault/",
-    "resources/"
+    "resources/",
+    "evals/"
   ]
 }