Package Health Score

92 / 100

security
No known security issues
popularity
Popular
maintenance
Healthy
community
Active

Explore Similar Packages

Security

No known security issues

All security vulnerabilities belong to production dependencies of direct and indirect packages.

Security and license risk for significant versions

Version			Vulnerabilities	License Risk
0.89.3	\|	09/2024	0 C 0 H 0 M 0 L	0 H 0 M 0 L
0.88.0	\|	09/2024	0 C 0 H 0 M 0 L	0 H 0 M 0 L
0.85.2	\|	09/2024	0 C 0 H 0 M 0 L	0 H 0 M 0 L
0.38.0	\|	01/2024	0 C 0 H 0 M 0 L	0 H 0 M 0 L
0.37.1	\|	01/2024	0 C 0 H 0 M 0 L	0 H 0 M 0 L

License

MIT

Security Policy

Is your project affected by vulnerabilities?

Scan your projects for vulnerabilities. Fix quickly with automated fixes. Get started with Snyk for free.

Get started free

Popularity

Popular

Weekly Downloads (12,761)

GitHub Stars: 4.19K
Forks: 307
Contributors: 110

Direct Usage Popularity

The npm package promptfoo receives a total of 12,761 downloads a week. As such, we scored promptfoo popularity level to be Popular.

Based on project statistics from the GitHub repository for the npm package promptfoo, we found that it has been starred 4,194 times.

Downloads are calculated as moving averages for a period of the last 12 months, excluding weekends and known missing data points.

Community

Active

Readme.md: Yes
Contributing.md: Yes
Code of Conduct: No
Contributors: 110
Funding: Yes

A good and healthy external contribution signal for promptfoo project, which invites more than one hundred open source maintainers to collaborate on the repository.

We found a way for you to contribute to the project! Looks like promptfoo is missing a Code of Conduct.

Embed Package Health Score Badge

Maintenance

Healthy

Commit Frequency

Open Issues: 99
Open PR: 22
Last Release: 1 day ago
Last Commit: 4 days ago

Further analysis of the maintenance status of promptfoo based on released npm versions cadence, the repository activity, and other data points determined that its maintenance is Healthy.

We found that promptfoo demonstrates a positive version release cadence with at least one new version released in the past 3 months.

As a healthy sign for on-going project maintenance, we found that the GitHub repository had at least 1 pull request or issue interacted with by the community.

Keep your project healthy

Check your package.json

Ensure all the packages you're using are healthy and well-maintained

Snyk Vulnerability Scanner

Get health score & security insights directly in your IDE

Package

Node.js Compatibility: >=18.0.0

Age: 1 year
Dependencies: 51 Direct
Versions: 203
Install Size: 7.62 MB
Dist-tags: 1
# of Files: 1.01K
Maintainers: 3
TS Typings: No

promptfoo has more than a single and default latest tag published for the npm package. This means, there may be other tags available for this package, such as next to indicate future releases, or stable to indicate stable releases.

Readme

promptfoo: test your LLM app locally

MIT license

promptfoo is a tool for testing, evaluating, and red-teaming LLM apps.

With promptfoo, you can:

Build reliable prompts, models, and RAGs with benchmarks specific to your use-case
Secure your apps with automated red teaming and pentesting
Speed up evaluations with caching, concurrency, and live reloading
Score outputs automatically by defining metrics
Use as a CLI, library, or in CI/CD
Use OpenAI, Anthropic, Azure, Google, HuggingFace, open-source models like Llama, or integrate custom API providers for any LLM API

The goal: test-driven LLM development instead of trial-and-error.

npx promptfoo@latest init

» View full documentation «

promptfoo produces matrix views that let you quickly evaluate outputs across many prompts and inputs:

prompt evaluation matrix - web viewer

It works on the command line too:

Prompt evaluation

It also produces high-level vulnerability and risk reports:

gen ai red team

Why choose promptfoo?

There are many different ways to evaluate prompts. Here are some reasons to consider promptfoo:

Developer friendly: promptfoo is fast, with quality-of-life features like live reloads and caching.
Battle-tested: Originally built for LLM apps serving over 10 million users in production. Our tooling is flexible and can be adapted to many setups.
Simple, declarative test cases: Define evals without writing code or working with heavy notebooks.
Language agnostic: Use Python, Javascript, or any other language.
Share & collaborate: Built-in share functionality & web viewer for working with teammates.
Open-source: LLM evals are a commodity and should be served by 100% open-source projects with no strings attached.
Private: This software runs completely locally. The evals run on your machine and talk directly with the LLM.

Workflow

Start by establishing a handful of test cases - core use cases and failure cases that you want to ensure your prompt can handle.

As you explore modifications to the prompt, use promptfoo eval to rate all outputs. This ensures the prompt is actually improving overall.

As you collect more examples and establish a user feedback loop, continue to build the pool of test cases.

Usage - evals

To get started, run this command:

npx promptfoo@latest init

This will create a promptfooconfig.yaml placeholder in your current directory.

After editing the prompts and variables to your liking, run the eval command to kick off an evaluation:

npx promptfoo@latest eval

Usage - red teaming/pentesting

Run this command:

npx promptfoo@latest redteam init

This will ask you questions about what types of vulnerabilities you want to find and walk you through running your first scan.

Configuration

The YAML configuration format runs each prompt through a series of example inputs (aka "test case") and checks if they meet requirements (aka "assert").

See the Configuration docs for a detailed guide.

prompts:
  - file://prompt1.txt
  - file://prompt2.txt
providers:
  - openai:gpt-4o-mini
  - ollama:llama3.1:70b
tests:
  - description: 'Test translation to French'
    vars:
      language: French
      input: Hello world
    assert:
      - type: contains-json
      - type: javascript
        value: output.length &lt; 100

  - description: 'Test translation to German'
    vars:
      language: German
      input: How's it going?
    assert:
      - type: llm-rubric
        value: does not describe self as an AI, model, or chatbot
      - type: similar
        value: was geht
        threshold: 0.6 # cosine similarity

Supported assertion types

See Test assertions for full details.

Deterministic eval metrics

Assertion Type	Returns true if...
`equals`	output matches exactly
`contains`	output contains substring
`icontains`	output contains substring, case insensitive
`regex`	output matches regex
`starts-with`	output starts with string
`contains-any`	output contains any of the listed substrings
`contains-all`	output contains all list of substrings
`icontains-any`	output contains any of the listed substrings, case insensitive
`icontains-all`	output contains all list of substrings, case insensitive
`is-json`	output is valid json (optional json schema validation)
`contains-json`	output contains valid json (optional json schema validation)
`is-sql`	output is valid sql
`contains-sql`	output contains valid sql
`is-xml`	output is valid xml
`contains-xml`	output contains valid xml
`javascript`	provided Javascript function validates the output
`python`	provided Python function validates the output
`webhook`	provided webhook returns `{pass: true}`
`rouge-n`	Rouge-N score is above a given threshold
`levenshtein`	Levenshtein distance is below a threshold
`latency`	Latency is below a threshold (milliseconds)
`perplexity`	Perplexity is below a threshold
`cost`	Cost is below a threshold (for models with cost info such as GPT)
`is-valid-openai-function-call`	Ensure that the function call matches the function's JSON schema
`is-valid-openai-tools-call`	Ensure that all tool calls match the tools JSON schema

Model-assisted eval metrics

Assertion Type	Method
similar	Embeddings and cosine similarity are above a threshold
classifier	Run LLM output through a classifier
llm-rubric	LLM output matches a given rubric, using a Language Model to grade output
answer-relevance	Ensure that LLM output is related to original query
context-faithfulness	Ensure that LLM output uses the context
context-recall	Ensure that ground truth appears in context
context-relevance	Ensure that context is relevant to original query
factuality	LLM output adheres to the given facts, using Factuality method from OpenAI eval
model-graded-closedqa	LLM output adheres to given criteria, using Closed QA method from OpenAI eval
moderation	Make sure outputs are safe
select-best	Compare multiple outputs for a test case and pick the best one

Every test type can be negated by prepending not-. For example, not-equals or not-regex.

Tests from spreadsheet

Some people prefer to configure their LLM tests in a CSV. In that case, the config is pretty simple:

prompts:
  - file://prompts.txt
providers:
  - openai:gpt-4o-mini
tests: file://tests.csv

See example CSV.

Command-line

If you're looking to customize your usage, you have a wide set of parameters at your disposal.

Option	Description
`-p, --prompts`	Paths to prompt files, directory, or glob
`-r, --providers`	One of: openai:chat, openai:completion, openai:model-name, localai:chat:model-name, localai:completion:model-name. See [API providers][providers-docs]
`-o, --output

FAQs

What is promptfoo?

LLM eval & testing toolkit. Visit Snyk Advisor to see a full health score report for promptfoo, including popularity, security, maintenance & community analysis.

Is promptfoo popular?

The npm package promptfoo receives a total of 12,761 weekly downloads. As such, promptfoo popularity was classified as a popular. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is promptfoo well maintained?

We found that promptfoo demonstrated a healthy version release cadence and project activity. It has a community of 110 open source contributors collaborating on the project. See the full package health analysis to learn more about the package maintenance status.

Is promptfoo safe to use?

The npm package promptfoo was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 20 September-2024, at 13:28 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP