fix(evals/promptfoo): upgrade promptfoo to 0.121.4 and drop overrides#1163
Merged
Conversation
Bump promptfoo from 0.121.3 → 0.121.4 and regenerate the lockfile. The new release naturally pulls patched versions of every transitive dep that was previously pinned via an override, so the entire `overrides` block can go.

Clears 4 open Dependabot alerts against `evals/promptfoo/package-lock.json`:

| # | Package | GHSA | Severity |
|---|---|---|---|
| 11 | mathjs | GHSA-jvff-x2qm-6286 | high |
| 10 | basic-ftp | GHSA-6v7q-wjvx-w8wg | high |
| 9 | axios | GHSA-3p68-rc4w-qgx5 | critical |
| 8 | basic-ftp | GHSA-chqc-8p9q-pq6q | high |

Root cause: #1158 added `axios` and `basic-ftp` overrides but the lockfile was never regenerated, so the committed lockfile still had `axios@1.14.0` and `basic-ftp@5.2.0`. The `basic-ftp: >=5.2.1` range also still allowed the vulnerable 5.2.1 per alert #10, and there was no override at all for mathjs.

Resolved versions in the regenerated lockfile:

| Package | Was | Now |
|---|---|---|
| @anthropic-ai/sdk | 0.81.0 | 0.82.0 |
| axios | 1.14.0 | 1.15.0 |
| basic-ftp | 5.2.0 | 5.2.2 |
| mathjs | 15.1.1 | 15.2.0 |
| hono | 4.12.12 | 4.12.12 |
| @hono/node-server | 1.19.13 | 1.19.13 |

No nested/duplicate copies of axios, basic-ftp, or mathjs remain in the lockfile.

Verification:
- `npm audit` → 0 vulnerabilities
- `deno run scripts/audit_deps.ts` → "No known vulnerabilities found" (scanned 1064 packages across deno.lock + promptfoo lockfile)
- `deno fmt --check`, `deno lint`, `deno check` — clean

No code changes required. The eval entry script calls `npx promptfoo eval` — a stable CLI surface — and a patch bump (0.121.3 → 0.121.4) is not expected to change it. Engine requirement unchanged (`^20.20.0 || >=22.22.0`); CI uses Node 24.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
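Two of the checks the description reports are worth having as code: confirming that no nested copy of a previously vulnerable package survives anywhere in the lockfile (a top-level `package.json` look only sees the hoisted copy), and showing why an override range of `>=5.2.1` does not exclude the 5.2.1 release it was meant to block. The script below is an added example, not code from this PR and not the repository's own `scripts/audit_deps.ts`; the lockfile, the package names it checks and the "patched floor" versions are constructed for illustration, and `rangeAdmits` models only the `>=X.Y.Z` operator.

```javascript
// Added example (not from the PR): scan an npm lockfile (lockfileVersion 2/3
// "packages" map) for EVERY copy of a package, nested ones included, and
// check each against a minimum patched version. The lockfile, package names
// and floor versions below are constructed for illustration.

const SAMPLE_LOCKFILE = {
  name: "promptfoo-evals",
  lockfileVersion: 3,
  packages: {
    "": { name: "promptfoo-evals", dependencies: { promptfoo: "^0.121.4" } },
    "node_modules/promptfoo": { version: "0.121.4" },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/basic-ftp": { version: "5.2.2" },
    "node_modules/mathjs": { version: "15.2.0" },
    // A stale nested copy: the hoisted axios is patched, but this path still
    // resolves the old version for whatever depends on it.
    "node_modules/some-dep/node_modules/axios": { version: "1.14.0" },
  },
};

// Minimum versions treated as patched (hypothetical floors for the example).
const PATCHED_FLOORS = { axios: "1.15.0", "basic-ftp": "5.2.2", mathjs: "15.2.0" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; prerelease tags are dropped.
function parseVersion(v) {
  const core = String(v).split("-")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Lexicographic compare on [major, minor, patch]: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does a ">=X.Y.Z" floor range admit the given version? Only the ">="
// operator is modelled, which is enough to show that ">=5.2.1" still
// admits the 5.2.1 release itself; the floor has to be the first fixed version.
function rangeAdmits(range, version) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range (only ">=X.Y.Z" handled): ${range}`);
  return compareVersions(version, m[1]) >= 0;
}

// Every installed copy of `name`: the top-level entry plus any nested
// ".../node_modules/<name>" path. Scoped names (@scope/pkg) work the same way.
function findCopies(lockfile, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Report every copy that sits below its patched floor. A package with no
// entry at all is not a finding: it may simply no longer be in the tree.
function auditLockfile(lockfile, floors) {
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    for (const copy of findCopies(lockfile, name)) {
      if (compareVersions(copy.version, floor) < 0) {
        findings.push({ name, path: copy.path, version: copy.version, floor });
      }
    }
  }
  return { ok: findings.length === 0, findings };
}

// Demo run against the constructed lockfile: flags the nested axios copy.
const report = auditLockfile(SAMPLE_LOCKFILE, PATCHED_FLOORS);
for (const f of report.findings) {
  console.log(`${f.name}@${f.version} at ${f.path} is below ${f.floor}`);
}
console.log(report.ok ? "lockfile clean" : `${report.findings.length} stale copies remain`);
```

To run this against a real lockfile, replace `SAMPLE_LOCKFILE` with the parsed contents of `package-lock.json`; the same nested-path walk is what `npm ls <pkg> --all` performs when it prints every nesting level of a package. The floor check is deliberately independent of `npm audit`, which reports advisories but does not by itself tell you whether a stale copy is still hidden below a hoisted, patched one.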
Code Review
Blocking Issues
None.
Suggestions
None.
Clean, well-scoped security fix. Verified:
- package.json: promptfoo bumped 0.121.3 → 0.121.4, `overrides` block correctly removed (the new promptfoo version resolves patched transitive deps natively)
- Vulnerable packages resolved: axios 1.14.0 → 1.15.0, basic-ftp 5.2.0 → 5.2.2, mathjs 15.1.1 → 15.2.0 — all at patched versions
- No duplicate/nested copies of the previously-vulnerable packages in the lockfile
- Scope is limited to `evals/promptfoo/` — no production code changes, no `src/` changes
- Lockfile churn is expected from dropping the `overrides` block (npm re-dedupes the tree)
- DDD review not applicable — no domain code changes
Summary

- Bump `promptfoo` in `evals/promptfoo/` from 0.121.3 → 0.121.4 and regenerate `package-lock.json`
- Drop the `overrides` block — promptfoo 0.121.4 naturally resolves to patched versions of every transitive dep we were pinning

What this closes

Clears 4 open Dependabot alerts against `evals/promptfoo/package-lock.json`:

| # | Package | GHSA | Severity |
|---|---|---|---|
| 11 | mathjs | GHSA-jvff-x2qm-6286 | high |
| 10 | basic-ftp | GHSA-6v7q-wjvx-w8wg | high |
| 9 | axios | GHSA-3p68-rc4w-qgx5 | critical |
| 8 | basic-ftp | GHSA-chqc-8p9q-pq6q | high |

Root cause

#1158 added `axios` and `basic-ftp` to the `overrides` block but the lockfile was never regenerated — the committed lockfile on `main` still had `axios@1.14.0` and `basic-ftp@5.2.0`. Additionally:

- The `basic-ftp: >=5.2.1` range still allowed 5.2.1, which is itself vulnerable per alert #10.
- There was no override at all for `mathjs` (alert #11, published Apr 10).

Resolved versions in the regenerated lockfile

| Package | Was | Now |
|---|---|---|
| @anthropic-ai/sdk | 0.81.0 | 0.82.0 |
| axios | 1.14.0 | 1.15.0 |
| basic-ftp | 5.2.0 | 5.2.2 |
| mathjs | 15.1.1 | 15.2.0 |
| hono | 4.12.12 | 4.12.12 |
| @hono/node-server | 1.19.13 | 1.19.13 |

Verified no nested/duplicate copies of axios, basic-ftp, or mathjs in the lockfile.

Scope

This is a transitive-dep refresh via a promptfoo patch bump — not a production code change. Blast radius is limited to the skill-trigger eval harness that runs in CI. No production swamp code imports from `evals/promptfoo/`.

The lockfile diff is large (~1100 lines added / ~1700 removed) because dropping the `overrides` block lets npm re-dedupe the tree. Reviewers should focus on `package.json` and the `axios` / `basic-ftp` / `mathjs` / `@anthropic-ai/sdk` entries in the lockfile — everything else is dedupe churn.

Test plan

- `npm install --prefix evals/promptfoo` succeeds cleanly
- `npm audit` → 0 vulnerabilities
- `deno run --allow-read --allow-net=api.osv.dev --allow-env scripts/audit_deps.ts` → No known vulnerabilities found (scanned 1064 packages across `deno.lock` + `evals/promptfoo/package-lock.json`)
- `deno fmt --check` ✓
- `deno lint` ✓
- `deno check` ✓ (1021 files)

No code changes required

- CI (`.github/workflows/ci.yml`) reads the pinned version via `jq` from `package.json` — no hardcoded version to update
- `scripts/eval_skill_triggers_promptfoo.ts` calls `npx promptfoo eval` — stable CLI, unchanged by a patch bump
- Engine requirement unchanged (`^20.20.0 || >=22.22.0`); CI uses Node 24

🤖 Generated with Claude Code