From 7eaf1aa4ed7b2349129c5e941dd05b424818a3cd Mon Sep 17 00:00:00 2001 From: Olmo Maldonado Date: Tue, 31 Mar 2026 15:15:44 -0700 Subject: [PATCH] Update pnpm version and use frozen lockfile Update pnpm to v10.33.0 and enable `--frozen-lockfile` for dependency installations in CI workflows and local commands. This ensures reproducible builds and faster installs by skipping integrity checks. Also update npm to v11.11.1 and adjust workspace settings for pnpm. --- .github/workflows/eval.yaml | 7 +++++-- .github/workflows/js.yaml | 7 +++++-- CLAUDE.md | 6 +++--- Makefile | 2 +- mise.toml | 3 ++- package.json | 2 +- pnpm-workspace.yaml | 8 ++++++++ 7 files changed, 25 insertions(+), 10 deletions(-) diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 15b1277..80035a0 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -28,11 +28,14 @@ jobs: with: node-version: 22 - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + - name: Setup pnpm + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + with: + version: 10.33.0 - name: Install Dependencies id: install - run: pnpm install + run: pnpm install --frozen-lockfile - name: Build packages id: build diff --git a/.github/workflows/js.yaml b/.github/workflows/js.yaml index 1ac13a4..da03f4f 100644 --- a/.github/workflows/js.yaml +++ b/.github/workflows/js.yaml @@ -29,8 +29,11 @@ jobs: uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: ${{ matrix.node-version }} - - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 - - run: pnpm install + - name: Setup pnpm + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 + with: + version: 10.33.0 + - run: pnpm install --frozen-lockfile - run: pnpm run test env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} diff --git a/CLAUDE.md b/CLAUDE.md index d17cb16..3853737 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -11,9 +11,9 @@ Autoevals is a dual-language library (TypeScript + Python) for evaluating AI mod ### TypeScript (in root directory) ```bash -pnpm install # Install dependencies -pnpm run build # Build JS (outputs to jsdist/) -pnpm run test # Run all JS tests with vitest +pnpm install --frozen-lockfile # Install dependencies +pnpm run build # Build JS (outputs to jsdist/) +pnpm run test # Run all JS tests with vitest pnpm run test -- js/llm.test.ts # Run single test file pnpm run test -- -t "test name" # Run specific test by name ``` diff --git a/Makefile b/Makefile index ea25a3e..af6c06e 100644 --- a/Makefile +++ b/Makefile @@ -41,4 +41,4 @@ test-py: source env.sh && python3 -m pytest test-js: - pnpm install && pnpm run test + pnpm install --frozen-lockfile && pnpm run test diff --git a/mise.toml b/mise.toml index 56de0c1..2f9748c 100644 --- a/mise.toml +++ b/mise.toml @@ -9,4 +9,5 @@ _.python.venv = { path = "venv", create = true, uv_create_args = ['--seed']} _.file = ".env" [tools] -pnpm = "10.26.2" +pnpm = "10.33.0" +npm = "11.11.1" diff --git a/package.json b/package.json index 7f82577..e283ed4 100644 --- a/package.json +++ b/package.json @@ -55,5 +55,5 @@ "zod": "^3.25.76", "zod-to-json-schema": "^3.24.6" }, - "packageManager": "pnpm@10.26.2" + "packageManager": "pnpm@10.33.0" } diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index a145757..706a93a 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -6,3 +6,11 @@ ignoredBuiltDependencies: - duckdb - esbuild - msw + +strictDepBuilds: true +blockExoticSubdeps: true +trustPolicy: no-downgrade +# Ignore the check for packages published more than 30 days ago (pnpm 10.27+) +# Useful for older packages that pre-date provenance support +trustPolicyIgnoreAfter: 43200 # minutes (30 days) +minimumReleaseAge: 20160 # 2 weeks (in minutes)