chore: remove redundant anthropic sdk override #940
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9769016e5f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "version": "0.98.0", | ||
| "resolved": "https://registry.npmjs.org/@anthropic-ai/sdk/-/sdk-0.98.0.tgz", | ||
| "integrity": "sha512-N7aXtCvC5g6T1Y4V29lJjceu/zTkVkIZF0jdBvagr0TRFHuKeImffalGWEfqZKrvjH+IQbzJWw6TmSmUzrlMgg==", | ||
| "version": "0.97.1", |
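Review bot: The `resolved` and `integrity` rows visible here still point at sdk-0.98.0.tgz while the adjacent `version` row reads 0.97.1, so confirm that the 0.97.1 entry carries the `resolved` URL and `integrity` hash for that exact tarball. npm verifies each downloaded tarball against the lockfile's `integrity` value, and a version row that changes without its matching hash makes the install fail the integrity check. Regenerating the entry with npm, rather than editing the three fields separately, keeps them in step.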
Regenerate the lockfile after removing the override
After the override is removed, @anthropic-ai/claude-agent-sdk still declares @anthropic-ai/sdk as ^0.93.0, which is not satisfied by this top-level 0.97.1 entry, so the lockfile now needs a nested SDK entry (or the override restored). I checked this workflow with npm's ci command (npm ci --help describes it as a clean install) in a temp copy of this commit: it now reports Missing: @anthropic-ai/sdk@ from lock file in addition to the pre-existing gcp-metadata issue, while the parent commit did not report the Anthropic SDK error. This will keep clean installs/CI broken even after the existing lockfile issue is fixed.
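The mismatch described in the review comment above follows from caret semantics on 0.x versions: ^0.93.0 accepts only 0.93.x, so a hoisted 0.97.1 does not satisfy it. The following is an added example, not code from this PR or from npm, that walks a lockfile's packages map nearest-first and reports such entries; the package names agent-sdk and sdk and all helper names are hypothetical, and only caret and exact ranges are handled.

```javascript
// Added example. Handles only "^x.y.z" and exact "x.y.z" ranges and only the
// "dependencies" field (peer/optional deps are not checked).
const SEMVER = /^\d+\.\d+\.\d+$/;
const parse = (v) => v.split(".").map(Number);

// true/false for supported ranges, null when the range or version is unsupported.
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, "");
  if (!SEMVER.test(version) || !SEMVER.test(base)) return null;
  const [M, m, p] = parse(version);
  const [rM, rm, rp] = parse(base);
  if (!range.startsWith("^")) return M === rM && m === rm && p === rp;
  if (M !== rM) return false;
  if (rM > 0) return m > rm || (m === rm && p >= rp);
  if (m !== rm) return false;          // 0.x: caret pins the minor version
  return rm > 0 ? p >= rp : p === rp;  // 0.0.x: caret pins the patch as well
}

// Walk up nested node_modules directories, nearest first, as Node resolution does.
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("node_modules/");
    dir = cut <= 0 ? "" : dir.slice(0, cut - 1);
  }
}

function findUnsatisfied(lock) {
  const problems = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const hit = resolveDep(lock.packages, path, name);
      const found = hit ? lock.packages[hit].version : null;
      if (!hit || satisfiesCaret(found, range) === false)
        problems.push({ path, name, range, found });
    }
  }
  return problems;
}

// Constructed sample: hypothetical packages, version numbers taken from the thread.
const hoistedOnly = { packages: {
  "node_modules/agent-sdk": { version: "1.0.0", dependencies: { sdk: "^0.93.0" } },
  "node_modules/sdk": { version: "0.97.1" },
} };
const withNested = { packages: { ...hoistedOnly.packages,
  "node_modules/agent-sdk/node_modules/sdk": { version: "0.93.0" },
} };
console.log(findUnsatisfied(hoistedOnly), findUnsatisfied(withNested));
```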
Without the @anthropic-ai/sdk override, the lockfile needs a nested entry to satisfy @anthropic-ai/claude-agent-sdk's ^0.93.0 requirement alongside the top-level 0.97.1 used transitively by promptfoo.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Reviewed commit: 6dafc0f7d9
| "node": ">=18" | ||
| } | ||
| }, | ||
| "node_modules/mongoose/node_modules/mongodb": { |
Restore gcp-metadata lock entry for mongodb peer
The lockfile edit around the mongoose subtree drops node_modules/mongoose/node_modules/gcp-metadata, but node_modules/mongoose/node_modules/mongodb still declares gcp-metadata as a peerOptional dependency, which makes npm ci treat the lockfile as out of sync. I verified this on this commit (npm ci --dry-run --ignore-scripts --no-audit --no-fund) and it fails with Missing: gcp-metadata@ from lock file, while the parent commit succeeds, so this change introduces a reproducible clean-install/CI break.
Summary
- @anthropic-ai/sdk override
- package-lock.json to resolve the transitive SDK back to 0.97.1
- uuid override intact
Why
- ^0.95.0 to ^0.97.0
- promptfoo@0.121.12 already brings in @anthropic-ai/sdk@0.97.1 without the override
- @anthropic-ai/sdk@0.97.1 and @anthropic-ai/sdk@0.93.0, and pnpm audit --json reported 0 vulnerabilities
Notes
- npm lockfile regeneration in this environment was affected by a machine-level dependency cooldown (before= in npm config), so the lockfile change here is the minimal equivalent resolution already demonstrated by Renovate and the clean pnpm audit.