Description
👟 Reproduction steps
Installing the latest version of `appwrite-cli` (10.2.3) brings in a dependency on `inquirer` and `inquirer-search-list`. While it is using the latest versions of both of these packages, both are outdated: in particular, `inquirer-search-list` has not been updated in 5 years and brings in a dependency on the `tmp` package with a known vulnerability.
Ideally, `appwrite-cli` would be updated to use the newer `@inquirer/prompts` packages, which are the modern versions of this library.
👍 Expected behavior
`npm audit` runs without displaying any errors in any dependency chain of the `appwrite-cli` package.
👎 Actual Behavior
Running `npm audit` displays the following:

```text
$ npm audit
# npm audit report

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install appwrite-cli@5.0.5, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/inquirer-search-list/node_modules/inquirer
      inquirer-search-list  *
      Depends on vulnerable versions of inquirer
      node_modules/inquirer-search-list
        appwrite-cli  >=6.0.0-rc.1
        Depends on vulnerable versions of inquirer-search-list
        node_modules/appwrite-cli

5 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Unfortunately, following the advice to run `npm audit fix --force` causes `appwrite-cli` to be downgraded to 5.0.5, an extremely old (and incompatible) version.
🎲 Appwrite version
Version 1.8.x
💻 Operating system
Linux
🧱 Your Environment
No response
👀 Have you spent some time to check if this issue has been raised before?
- I checked and didn't find similar issue
🏢 Have you read the Code of Conduct?
- I have read the Code of Conduct
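The audit output above is the human-readable rendering of the same chain `npm audit --json` reports. The script below is an added example (not code from this issue or from the appwrite-cli project) that walks that JSON form: it traces each advisory up its `effects` edges to the direct dependency that pulls it in, and flags entries whose only available fix is a semver-major change, which is exactly the `appwrite-cli@5.0.5` downgrade the issue describes. The JSON shape (the npm 7+ `vulnerabilities` map with `via`, `effects`, `isDirect` and `fixAvailable`) is assumed from npm's audit format; the sample report is constructed by hand to mirror the issue's text output rather than captured from a real run.

```python
"""Walk an `npm audit --json` report: trace each advisory to the direct
dependency that pulls it in, and flag "fixes" that are really breaking
version changes (the appwrite-cli@5.0.5 downgrade in the issue).

Added example; not code from the appwrite-cli issue or project. The JSON
shape is the npm 7+ audit format (vulnerabilities keyed by package, each
with via/effects/isDirect/fixAvailable); the sample report is constructed
by hand to mirror the text output in the issue.
"""
import json
from typing import Any

_FIX = {"name": "appwrite-cli", "version": "5.0.5", "isSemVerMajor": True}

# Constructed sample report: the same chain as the issue's text output.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "tmp": {
            "name": "tmp", "severity": "low", "isDirect": False,
            "via": [{  # an advisory object marks the actually vulnerable package
                "name": "tmp", "severity": "low", "range": "<=0.2.3",
                "title": "tmp allows arbitrary temporary file / directory "
                         "write via symbolic link `dir` parameter",
                "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
            }],
            "effects": ["external-editor"], "range": "<=0.2.3",
            "nodes": ["node_modules/tmp"], "fixAvailable": _FIX,
        },
        "external-editor": {
            "name": "external-editor", "severity": "low", "isDirect": False,
            "via": ["tmp"], "effects": ["inquirer"], "range": ">=1.1.1",
            "nodes": ["node_modules/external-editor"], "fixAvailable": _FIX,
        },
        "inquirer": {
            "name": "inquirer", "severity": "low", "isDirect": False,
            "via": ["external-editor"], "effects": ["inquirer-search-list"],
            "range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
            "nodes": ["node_modules/inquirer-search-list/node_modules/inquirer"],
            "fixAvailable": _FIX,
        },
        "inquirer-search-list": {
            "name": "inquirer-search-list", "severity": "low", "isDirect": False,
            "via": ["inquirer"], "effects": ["appwrite-cli"], "range": "*",
            "nodes": ["node_modules/inquirer-search-list"], "fixAvailable": _FIX,
        },
        "appwrite-cli": {
            "name": "appwrite-cli", "severity": "low", "isDirect": True,
            "via": ["inquirer-search-list"], "effects": [],
            "range": ">=6.0.0-rc.1", "nodes": ["node_modules/appwrite-cli"],
            "fixAvailable": _FIX,
        },
    }
})


def load_report(text: str) -> dict[str, dict[str, Any]]:
    """Return the `vulnerabilities` map from an `npm audit --json` document."""
    return json.loads(text).get("vulnerabilities", {})


def advisory_roots(vulns: dict[str, dict[str, Any]]) -> list[str]:
    """Packages whose `via` holds advisory objects, i.e. the packages that are
    themselves vulnerable rather than merely depending on a vulnerable one."""
    return sorted(name for name, v in vulns.items()
                  if any(isinstance(x, dict) for x in v.get("via", [])))


def chains_to_direct(vulns: dict[str, dict[str, Any]], pkg: str) -> list[list[str]]:
    """All paths from `pkg` up its `effects` edges to a direct dependency."""
    paths: list[list[str]] = []

    def walk(name: str, path: list[str]) -> None:
        if name in path:  # guard against cycles in a malformed report
            return
        path = path + [name]
        node = vulns.get(name, {})
        if node.get("isDirect") or not node.get("effects"):
            paths.append(path)
            return
        for parent in node["effects"]:
            walk(parent, path)

    walk(pkg, [])
    return paths


def breaking_fixes(vulns: dict[str, dict[str, Any]]) -> list[tuple[str, str, str]]:
    """(package, fix target, target version) for every entry whose only
    available fix is semver-major; `fixAvailable` may be a bool or an object."""
    out = []
    for name in sorted(vulns):
        fix = vulns[name].get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            out.append((name, fix["name"], fix["version"]))
    return out


if __name__ == "__main__":
    vulns = load_report(SAMPLE_REPORT)
    for root in advisory_roots(vulns):
        for chain in chains_to_direct(vulns, root):
            print(" -> ".join(reversed(chain)))
    for pkg, target, version in breaking_fixes(vulns):
        print(f"{pkg}: only fix is {target}@{version} (semver-major, would break)")
```

When `breaking_fixes` reports a semver-major target, `npm audit fix --force` is not a fix but a downgrade. The usual alternative is a `package.json` `overrides` entry (an npm 8.3+ feature) that pins the vulnerable transitive package to a release outside the advisory's range, here `"overrides": {"tmp": ">=0.2.4"}`, which assumes such a `tmp` release exists; that removes the finding from the audit without touching `appwrite-cli`, though it does nothing about `inquirer-search-list` itself being unmaintained.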