AI Eval Dependency Monitoring for QA Teams
I treat AI eval dependency monitoring like browser dependency monitoring now. PromptFoo 0.121.19 landed on npm on 14 July 2026, DeepEval 4.1.1 landed on PyPI on 16 July 2026, and a green eval pipeline that does not notice those changes is not a QA signal. It is a blind spot with a nice dashboard.
This guide shows how I build a release watch around PromptFoo, DeepEval, and CI so QA teams catch eval-tool drift before it changes release confidence. The goal is simple: when the eval tool moves, your tests should create evidence, not vibes.
Table of Contents
- Why AI Eval Dependency Monitoring Matters
- What Changed This Week: PromptFoo 0.121.19 and DeepEval 4.1.1
- The Failure Modes QA Teams Miss
- Release Watch Architecture for AI QA
- PromptFoo and DeepEval CI Example
- Build a Test Impact Matrix
- India Career Context for SDETs
- A 7-Step Rollout Plan
- Key Takeaways
- FAQ
Contents
Why AI Eval Dependency Monitoring Matters
Frontend teams already understand this problem
No serious frontend team upgrades Playwright, Cypress, React, or a browser version without reading release notes and running a focused smoke suite. The same rule must apply to LLM evaluation tools. If PromptFoo changes provider behavior, assertions, caching, red-team checks, or config parsing, your pass rate can move even when your product did not.
The data says these are no longer toy packages. The npm registry reported 1,679,539 PromptFoo downloads in the last month for the period 18 June 2026 to 17 July 2026. GitHub lists PromptFoo with 23,393 stars and the repository was pushed on 18 July 2026. DeepEval is also active: PyPI lists DeepEval 4.1.1, and GitHub lists confident-ai/deepeval with 16,941 stars.
AI tests have more moving parts than web tests
A Playwright test usually fails because of app behavior, selector drift, timing, test data, or infrastructure. An LLM eval can also fail because of model output variance, judge prompt drift, metric implementation, retrieval context, embedding changes, provider throttling, or a test framework upgrade. That extra surface area makes release awareness non-negotiable.
I see teams add PromptFoo or DeepEval to CI, celebrate the first green build, and then forget the toolchain. Three weeks later the same suite starts giving a different score. Nobody knows whether the product got worse, the judge changed, a dependency moved, or the dataset became stale.
The QA question is not “which eval tool is best?”
The better question is: “Can I explain why the eval score changed?” If the answer is no, your gate is weak. A gate that blocks releases without explaining the cause creates noise. A gate that passes releases without noticing tool drift creates false confidence.
If you are new to LLM eval frameworks, start with the ScrollTest comparison guide: PromptFoo vs DeepEval: QA Guide for LLM Tests. This article assumes you already have at least one eval suite running and want to make it production-safe.
What Changed This Week: PromptFoo 0.121.19 and DeepEval 4.1.1
PromptFoo release data
The npm registry shows PromptFoo latest as 0.121.19. Full npm metadata records 0.121.17 on 16 June 2026, 0.121.18 on 8 July 2026, and 0.121.19 on 14 July 2026. That is exactly the release cadence that QA teams should watch: not panic, not ignore, but measure impact.
PromptFoo documents CI usage in its CI/CD integration guide. That matters because the intended operating model is not “run evals manually on Friday.” It is a versioned test step in the same pipeline where you run API checks, smoke tests, accessibility checks, and security scans.
DeepEval release data
PyPI metadata shows DeepEval 4.0.9 uploaded on 10 July 2026, 4.1.0 uploaded on 12 July 2026, and 4.1.1 uploaded on 16 July 2026. The DeepEval quickstart positions it as an LLM evaluation framework with a short path from install to assertions. That is good for adoption, but fast adoption increases the need for controlled upgrades.
DeepEval and PromptFoo serve different workflows. PromptFoo fits prompt, model, and red-team comparison work. DeepEval fits Python-heavy metric-driven tests and dataset evaluation. Many QA teams will use both. That means one product release may depend on two eval tools, two package managers, two release feeds, and at least one model provider.
Why this week is a useful signal
I am not claiming these specific versions are risky. I am saying their release pattern proves AI QA needs dependency monitoring. If your organization would create an upgrade ticket for Selenium 4.46.0 or a Chrome major version, it should create the same type of ticket for PromptFoo and DeepEval.
ScrollTest already covered the broader release-watch pattern in AI Eval Release Watch for QA Teams. This post turns that idea into a concrete implementation: package checks, smoke evals, impact matrix, and CI evidence.
The Failure Modes QA Teams Miss
Metric drift
Metric drift happens when the score changes because the measurement changed. That can be a library implementation change, a judge prompt change, a model-provider behavior change, or a new default. The product may be fine. The score may still move from 0.82 to 0.74.
Metric drift is dangerous because dashboards make it look objective. A number with two decimal places feels scientific. But if the evaluation method changed under the hood, the number is only useful when you record the tool version next to it.
Dataset drift
Dataset drift happens when your golden examples no longer represent production. A chatbot that handled 40 refund questions in January may now face 90 pricing, privacy, and cancellation questions in July. The eval tool can be perfect and still miss the real risk because the dataset is stale.
I keep a “last refreshed” timestamp in every eval dataset. If a dataset has not changed in 30 days, it gets a review ticket. If support tickets, sales objections, or production logs changed in that period, stale eval data becomes a release risk.
Provider drift
Provider drift is the hidden one. Your test might call GPT, Claude, Gemini, or a local model. A provider can change safety behavior, latency, output style, tool-call behavior, or token limits. The eval framework may only be the messenger.
The fix is not to freeze everything forever. The fix is to capture enough metadata to explain a change: model name, provider, prompt hash, dataset version, eval tool version, and run timestamp.
CI drift
CI drift shows up when evals pass on one runner and fail on another. Environment variables differ. Node or Python versions differ. Secrets rotate. Network latency changes. A tiny timeout change makes a judge call fail and your release gate turns red.
For AI evals, I treat the CI environment as part of the test artifact. Record Node, Python, package lock hash, model provider, and runner image. When a failure appears, this metadata saves hours.
Release Watch Architecture for AI QA
The minimum useful system
You do not need a platform to start. You need a small release watcher that checks npm, PyPI, and GitHub once per day. It compares the current version against the last known version, creates a ticket or Slack message when something changes, and triggers a focused eval smoke run.
A minimum useful release watch has five outputs:
- Package name and ecosystem, for example
promptfooon npm. - Previous version and current version.
- Release date or upload timestamp.
- Linked source URL, not copied release gossip.
- Test impact recommendation: ignore, smoke, full eval, or block upgrade.
What I store for every eval run
The run record is more important than the chart. I store the exact versions because a future debugging session depends on them. A good run record includes:
promptfoo_versionordeepeval_versionnode_versionandpython_versionmodel_providerandmodel_nameprompt_hashanddataset_hashmetric_name, threshold, and score- CI run URL and commit SHA
How to decide impact
Not every patch release needs a full regression. I use a simple rule: release notes plus package metadata decide the starting risk, then a smoke eval confirms the real risk. If the tool changed assertion behavior, provider support, config parsing, security checks, caching, or scoring, run a deeper suite.
If the release is only documentation or internal build work, run a five-case smoke and move on. The key is to make the decision visible. Silent upgrades are the enemy.
PromptFoo and DeepEval CI Example
Check versions before tests run
Here is a TypeScript script I use as the shape for an npm and PyPI release check. In a real repo, commit the last known versions in JSON and let CI compare them on every scheduled run.
// scripts/check-ai-eval-releases.ts
import { writeFileSync } from "node:fs";
type PackageState = {
name: string;
ecosystem: "npm" | "pypi";
currentVersion: string;
sourceUrl: string;
};
async function getPromptFoo(): Promise<PackageState> {
const res = await fetch("https://registry.npmjs.org/promptfoo/latest");
if (!res.ok) throw new Error(`npm lookup failed: ${res.status}`);
const json = await res.json();
return {
name: "promptfoo",
ecosystem: "npm",
currentVersion: json.version,
sourceUrl: "https://registry.npmjs.org/promptfoo/latest",
};
}
async function getDeepEval(): Promise<PackageState> {
const res = await fetch("https://pypi.org/pypi/deepeval/json");
if (!res.ok) throw new Error(`PyPI lookup failed: ${res.status}`);
const json = await res.json();
return {
name: "deepeval",
ecosystem: "pypi",
currentVersion: json.info.version,
sourceUrl: "https://pypi.org/pypi/deepeval/json",
};
}
const state = [await getPromptFoo(), await getDeepEval()];
writeFileSync("ai-eval-release-state.json", JSON.stringify(state, null, 2));
console.table(state);
Run it with one command:
npx tsx scripts/check-ai-eval-releases.ts
Run a PromptFoo smoke after version movement
PromptFoo works well when you want to compare prompts, providers, and expected behavior from a config file. Keep the smoke suite small. Five examples are enough to catch obvious breakage after a tool upgrade.
# promptfooconfig.yaml
prompts:
- "Answer the support question with policy-safe steps: {{question}}"
providers:
- id: openai:gpt-4.1-mini
tests:
- vars:
question: "Can I cancel my subscription after renewal?"
assert:
- type: contains
value: "cancel"
- type: not-contains
value: "guaranteed refund"
- vars:
question: "Give me the shortest setup command."
assert:
- type: javascript
value: output.length < 500
npx promptfoo@0.121.19 eval -c promptfooconfig.yaml --output eval-results.json
Run a DeepEval metric check in Python
DeepEval fits teams that prefer Python tests and named metrics. Pin the version, run a tiny smoke, and store the score with the dependency versions.
# tests/test_answer_relevancy.py
from deepeval import assert_test
from deepeval.test_case import LLMTestCase
from deepeval.metrics import AnswerRelevancyMetric
def test_support_answer_relevancy():
test_case = LLMTestCase(
input="How do I reset my password?",
actual_output="Go to Account Settings, choose Security, and click Reset Password.",
)
metric = AnswerRelevancyMetric(threshold=0.7)
assert_test(test_case, [metric])
python -m pip install "deepeval==4.1.1"
pytest tests/test_answer_relevancy.py -q
Put it in GitHub Actions
A scheduled workflow gives you early warning without waiting for a product release. I like 07:00 IST for dependency watch because the team sees the signal before standup.
name: ai-eval-release-watch
on:
schedule:
- cron: "30 1 * * *" # 07:00 IST
workflow_dispatch:
jobs:
eval-release-watch:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "22"
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: npm ci
- run: npx tsx scripts/check-ai-eval-releases.ts
- run: npx promptfoo@0.121.19 eval -c promptfooconfig.yaml --output promptfoo-smoke.json
- run: python -m pip install "deepeval==4.1.1" pytest
- run: pytest tests/test_answer_relevancy.py -q
If you already run eval gates, connect this to the pattern in AI QA Portfolio Project: Build an Eval CI Gate. The release watch decides when to run extra evidence. The gate decides whether the build can ship.
Build a Test Impact Matrix
The four risk buckets
A test impact matrix keeps the discussion practical. It stops the team from arguing about tool popularity and forces one question: what should we retest because this dependency changed?
| Change type | Example signal | QA action |
|---|---|---|
| Config parsing | PromptFoo config schema or provider option changes | Run config validation plus five prompt tests |
| Metric behavior | DeepEval metric, threshold, or judge behavior changes | Run baseline dataset and compare score distribution |
| Provider integration | Model adapter, API parameter, or auth change | Run provider smoke across every model used in CI |
| Security or red-team checks | New jailbreak, policy, or vulnerability checks | Run red-team subset and review new failures manually |
Numbered triage flow
Here is the triage flow I use when an eval tool version changes:
- Read the official source: npm, PyPI, GitHub, or vendor docs.
- Classify the change into config, metric, provider, security, or docs-only.
- Run the five-case smoke suite pinned to the new version.
- Compare against the last green baseline with the old version.
- If the score moved by more than your tolerance, run the full eval dataset.
- Attach the diff, version numbers, and CI link to the release ticket.
- Upgrade the lock file only after the evidence is reviewed.
What not to automate
Do not auto-accept a new eval score just because CI is green. For AI tests, human review still matters when the failure is ambiguous. A QA engineer should read the failing examples, not just the average score.
This is where the failure-classification habit helps. If you do not separate product bug, prompt drift, retrieval issue, and dataset gap, every failure becomes “AI is flaky.” That label is lazy and expensive. Use the ScrollTest guide on AI Test Failure Classification when you need a clean taxonomy.
India Career Context for SDETs
This skill shows senior ownership
In India, many QA engineers still sell themselves as Selenium, API testing, or manual plus automation. That is not enough for AI-heavy product teams. A senior SDET who can design eval gates, monitor tool releases, and explain score drift has a stronger story in interviews.
For ₹25-40 LPA SDET and QA lead roles, the interview is less about “can you write one test?” and more about “can you own release confidence?” AI eval dependency monitoring is a concrete answer. You can show the workflow, the CI file, the run artifacts, and the decision matrix.
TCS or Infosys experience can still translate
If you come from a service company background, do not hide it. Convert it. You already understand release calendars, dependency approvals, and production support pressure. Add PromptFoo, DeepEval, and model-provider metadata to that base. Now you sound like someone who can support an AI product team, not just execute test cases.
A portfolio project beats another certificate
Build a public repo called ai-eval-release-watch. Add the TypeScript checker, one PromptFoo smoke, one DeepEval smoke, and one GitHub Actions schedule. Record two sample version changes in a markdown report. That single repo gives you a better interview artifact than a generic “AI testing” certificate.
If you want a structured path, see AI Quality Engineer Roadmap: PromptFoo + DeepEval. Use the roadmap, but add this release-watch project as proof that you can operate evals after day one.
A 7-Step Rollout Plan
Week 1: make the invisible visible
Start with visibility. Do not change your release gate yet. Add version capture to the eval output. Print PromptFoo, DeepEval, Node, Python, model, and dataset hash in every run. This is boring work, but it makes future debugging possible.
Week 2: add release checks
Add npm and PyPI checks to a scheduled CI workflow. The workflow should create an artifact even when nothing changed. A daily “no change” record proves the watcher is alive.
Week 3: connect smoke evals
When the watcher finds a new version, run a five-case PromptFoo smoke and a one-test DeepEval smoke. Keep these tests stable. Do not use your most complex agent workflow here. The purpose is dependency signal, not full product validation.
Week 4: add the impact matrix
Create a small markdown matrix in the repo. Each dependency change gets one row: version, source URL, risk bucket, smoke result, owner, and decision. This becomes your audit trail.
Week 5: add full eval escalation
Define a tolerance. For example, if smoke score drops by more than 5 percentage points or any safety assertion fails, run the full dataset. Do not debate this during an incident. Decide it before the incident.
Week 6: report in release language
Translate eval results for engineering managers. “PromptFoo upgraded from 0.121.18 to 0.121.19; five-case smoke passed; no full eval required” is clear. “AI tests passed” is not enough.
Week 7: review failures with examples
Every failed eval must include at least one failing input, actual output, expected behavior, and classification. Without examples, the team cannot tell whether it is a product issue, a prompt issue, or a toolchain issue.
Key Takeaways
AI eval dependency monitoring is now part of serious QA ownership. PromptFoo 0.121.19 and DeepEval 4.1.1 are useful reminders that the tools under your release gate keep moving.
- Record eval tool versions in every run, not only in package locks.
- Watch npm, PyPI, and GitHub sources directly; do not depend on social posts.
- Use a five-case smoke suite after dependency movement.
- Classify changes into config, metric, provider, security, or docs-only buckets.
- For SDETs, this is a strong portfolio project because it proves release ownership.
My practical recommendation: create one scheduled workflow this week. Check PromptFoo latest, check DeepEval latest, run two small evals, and write the result to a markdown artifact. That is enough to move from “we use AI testing tools” to “we operate AI testing tools.”
FAQ
What is AI eval dependency monitoring?
AI eval dependency monitoring is the practice of tracking changes in LLM evaluation tools, model providers, datasets, and CI environments so score changes can be explained. For QA teams, it means PromptFoo, DeepEval, model names, prompt hashes, and dataset hashes are part of the test evidence.
Should I use PromptFoo or DeepEval for this?
Use both if your workflow needs both. PromptFoo is strong for prompt and provider comparison from config. DeepEval is strong for Python metric tests and dataset evaluation. The release-watch pattern is the same: pin versions, watch sources, run smoke evals, and record evidence.
Do patch releases need full regression testing?
No. A patch release should trigger review, not panic. Start with official metadata and a small smoke suite. Escalate to full regression only when the change touches metrics, provider integrations, config parsing, security checks, or when smoke results move beyond your tolerance.
How many smoke tests are enough?
Five stable examples are enough for dependency smoke in most teams. Use one happy path, one refusal or safety case, one long context case, one format case, and one business-critical policy case. Full product coverage belongs in the main eval suite.
How do I explain this in an SDET interview?
Show the repo. Explain that you check npm and PyPI versions daily, run PromptFoo and DeepEval smoke suites on version movement, classify failures, and attach CI evidence to upgrade decisions. That sounds like release ownership, not tool tourism.
