From 7eaf1aa4ed7b2349129c5e941dd05b424818a3cd Mon Sep 17 00:00:00 2001 From: Olmo Maldonado Date: Tue, 31 Mar 2026 15:15:44 -0700 Subject: [PATCH] Update pnpm version and use frozen lockfile Update pnpm to v10.33.0 and enable `--frozen-lockfile` for dependency installations in CI workflows and local commands. This ensures reproducible builds and faster installs by skipping integrity checks. Also update npm to v11.11.1 and adjust workspace settings for pnpm. --- .github/workflows/eval.yaml | 7 +++++-- .github/workflows/js.yaml | 7 +++++-- CLAUDE.md | 6 +++--- Makefile | 2 +- mise.toml | 3 ++- package.json | 2 +- pnpm-workspace.yaml | 8 ++++++++ 7 files changed, 25 insertions(+), 10 deletions(-) diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 15b1277f..80035a00 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -28,11 +28,14 @@ jobs: with: node-version: 22 - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + - name: Setup pnpm + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + with: + version: 10.33.0 - name: Install Dependencies id: install - run: pnpm install + run: pnpm install --frozen-lockfile - name: Build packages id: build diff --git a/.github/workflows/js.yaml b/.github/workflows/js.yaml index 1ac13a49..da03f4f0 100644 --- a/.github/workflows/js.yaml +++ b/.github/workflows/js.yaml @@ -29,8 +29,11 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: ${{ matrix.node-version }} - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - - run: pnpm install + - name: Setup pnpm + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + with: + version: 10.33.0 + - run: pnpm install --frozen-lockfile - run: pnpm run test env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} diff --git a/CLAUDE.md b/CLAUDE.md index d17cb16a..38537375 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -11,9 +11,9 @@ Autoevals is a dual-language library (TypeScript + Python) for evaluating AI mod ### TypeScript (in root directory) ```bash -pnpm install # Install dependencies -pnpm run build # Build JS (outputs to jsdist/) -pnpm run test # Run all JS tests with vitest +pnpm install --frozen-lockfile # Install dependencies +pnpm run build # Build JS (outputs to jsdist/) +pnpm run test # Run all JS tests with vitest pnpm run test -- js/llm.test.ts # Run single test file pnpm run test -- -t "test name" # Run specific test by name ``` diff --git a/Makefile b/Makefile index ea25a3e2..af6c06e9 100644 --- a/Makefile +++ b/Makefile @@ -41,4 +41,4 @@ test-py: source env.sh && python3 -m pytest test-js: - pnpm install && pnpm run test + pnpm install --frozen-lockfile && pnpm run test diff --git a/mise.toml b/mise.toml index 56de0c1d..2f9748c4 100644 --- a/mise.toml +++ b/mise.toml @@ -9,4 +9,5 @@ _.python.venv = { path = "venv", create = true, uv_create_args = ['--seed']} _.file = ".env" [tools] -pnpm = "10.26.2" +pnpm = "10.33.0" +npm = "11.11.1" diff --git a/package.json b/package.json index 7f82577a..e283ed47 100644 --- a/package.json +++ b/package.json @@ -55,5 +55,5 @@ "zod": "^3.25.76", "zod-to-json-schema": "^3.24.6" }, - "packageManager": "pnpm@10.26.2" + "packageManager": "pnpm@10.33.0" } diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index a1457579..706a93a7 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -6,3 +6,11 @@ ignoredBuiltDependencies: - duckdb - esbuild - msw + +strictDepBuilds: true +blockExoticSubdeps: true +trustPolicy: no-downgrade +# Ignore the check for packages published more than 30 days ago (pnpm 10.27+) +# Useful for older packages that pre-date provenance support +trustPolicyIgnoreAfter: 43200 # minutes (30 days) +minimumReleaseAge: 20160 # 2 weeks (in minutes)