Conversation

Contributor

Copilot AI commented Oct 29, 2025

@inquirer/prompts@^5.3.8 transitively depends on the unmaintained external-editor@3.1.0, which pulls in the vulnerable tmp@0.0.33 package.

Changes

  • Updated @inquirer/prompts from ^5.3.8 to ^7.9.0 in packages/cli/package.json
  • Bumped package version from 1.0.3 to 1.0.4
  • Updated yarn.lock with new dependency resolutions

Impact

Version 7.x uses @inquirer/editor@4.2.21 -> @inquirer/external-editor@1.0.2, which has no tmp dependency. The vulnerable dependency chain is completely eliminated from the CLI package.

The API for input, select, and confirm functions used by the CLI remains unchanged.

Original prompt

This section details the original issue you should resolve

<issue_title>Bump @inquirer/prompts to 7 to remove vulnerable tmp@0.0.33 sub-dependency</issue_title>
<issue_description>Hi Reflag team,

A small request to update @inquirer/prompts in the dependencies for the @reflag/cli package, since the current version (@inquirer/prompts@5.5.0) has a dependency to a package that isn't maintained anymore (external-editor) which includes a vulnerable dependency (tmp@0.0.33).

Thanks in advance 🙏 </issue_description>

<agent_instructions>Update @inquirer/prompts to 7.9.0</agent_instructions>

Comments on the Issue (you are @copilot in this section)
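The check behind the description above, as an added example that is not part of the PR or the reflag code base: a small walker over a yarn.lock (v1 format) that reports every dependency chain from a top-level package down to a given name@version, which is how a reviewer can confirm tmp@0.0.33 is really gone after the bump. The lockfile fragment is constructed for illustration (the direct @inquirer/prompts -> external-editor edge is simplified); run findChains against the repository's real yarn.lock to get the actual chains.

```javascript
// Added example, not code from the reflag PR: walk a yarn.lock (v1 format) and
// report every dependency chain that ends at a given name@version.

// Constructed pre-upgrade lockfile fragment; the direct edge from
// @inquirer/prompts to external-editor is simplified for illustration.
const LOCK_BEFORE = `"@inquirer/prompts@^5.3.8":
  version "5.5.0"
  dependencies:
    external-editor "^3.1.0"
external-editor@^3.0.3, external-editor@^3.1.0:
  version "3.1.0"
  dependencies:
    tmp "^0.0.33"
tmp@^0.0.33:
  version "0.0.33"
`;

// Parse lock text into a map "name@range" -> entry; a block with several
// range keys (like external-editor above) maps all of them to one object.
function parseLock(text) {
  const entries = {};
  let cur = null;
  for (const line of text.split("\n").map((l) => l.replace(/"/g, ""))) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) { // block header: one or more "name@range" keys
      const keys = line.replace(/:\s*$/, "").split(", ");
      cur = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), keys, version: null, deps: [] };
      keys.forEach((k) => { entries[k] = cur; });
    } else if (line.startsWith("  version ")) cur.version = line.trim().slice(8);
    else if (line.startsWith("    ")) cur.deps.push(line.trim().split(" ").join("@")); // dep line
  }
  return entries;
}

// Return chains "root@ver > ... > target", starting from entries nothing else depends on.
function findChains(lockText, target) {
  const entries = parseLock(lockText);
  const label = (e) => `${e.name}@${e.version}`;
  const depended = new Set(Object.values(entries).flatMap((e) => e.deps));
  const chains = [];
  const walk = (entry, path) => {
    if (path.includes(entry)) return; // cycle guard
    const next = [...path, entry];
    if (label(entry) === target) { chains.push(next.map(label).join(" > ")); return; }
    for (const dep of entry.deps) if (entries[dep]) walk(entries[dep], next);
  };
  for (const entry of new Set(Object.values(entries)))
    if (!entry.keys.some((k) => depended.has(k))) walk(entry, []);
  return chains;
}

console.log(findChains(LOCK_BEFORE, "tmp@0.0.33")); // one chain ending at tmp@0.0.33
```

An empty result for the post-upgrade lockfile is the evidence the description claims; a non-empty one names exactly which top-level package still pulls the old tmp in.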



Copilot AI and others added 2 commits October 29, 2025 08:45
Co-authored-by: Swiftwork <455178+Swiftwork@users.noreply.github.com>
Co-authored-by: Swiftwork <455178+Swiftwork@users.noreply.github.com>
Copilot AI changed the title [WIP] Update @inquirer/prompts to version 7.9.0 to remove vulnerability Bump @inquirer/prompts to 7.9.0 to remove vulnerable tmp@0.0.33 sub-dependency Oct 29, 2025
Copilot AI requested a review from Swiftwork October 29, 2025 08:50
Copilot finished work on behalf of Swiftwork October 29, 2025 08:50
@Swiftwork
Contributor

Tested locally

@Swiftwork Swiftwork marked this pull request as ready for review October 29, 2025 09:18
@Swiftwork
Contributor

@copilot Bump version number and run yarn install

Co-authored-by: Swiftwork <455178+Swiftwork@users.noreply.github.com>
Contributor Author

Copilot AI commented Oct 29, 2025

@copilot Bump version number and run yarn install

Done in 56a8f5e. Bumped version from 1.0.3 to 1.0.4 and ran yarn install.

Copilot AI changed the title Bump @inquirer/prompts to 7.9.0 to remove vulnerable tmp@0.0.33 sub-dependency Bump @inquirer/prompts to 7.9.0 and version to 1.0.4 Oct 29, 2025
Copilot AI requested a review from Swiftwork October 29, 2025 09:26
Copilot finished work on behalf of Swiftwork October 29, 2025 09:26
@Swiftwork Swiftwork enabled auto-merge October 29, 2025 09:46
@Swiftwork Swiftwork disabled auto-merge October 29, 2025 10:41
@Swiftwork Swiftwork enabled auto-merge October 29, 2025 10:41
@Swiftwork Swiftwork requested review from Copilot and pavkam October 29, 2025 10:41
Contributor

Copilot AI left a comment

Pull Request Overview

This PR upgrades the @inquirer/prompts package from version ^5.3.8 to ^7.9.0 in the CLI package. This is a major version bump that brings updated dependencies and new peer dependency requirements.

  • Bumped package version from 1.0.3 to 1.0.4
  • Updated @inquirer/prompts from ^5.3.8 to ^7.9.0 along with all its transitive dependencies

Reviewed Changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File: packages/cli/package.json
Description: Updated @inquirer/prompts dependency version from ^5.3.8 to ^7.9.0 and bumped package version to 1.0.4

File: yarn.lock
Description: Updated lockfile entries for @inquirer/* packages and their dependencies to reflect the major version upgrade

@Swiftwork Swiftwork added this pull request to the merge queue Oct 29, 2025
Merged via the queue into main with commit e97e399 Oct 29, 2025
12 of 13 checks passed
@Swiftwork Swiftwork deleted the copilot/update-inquirer-prompts-to-7-9-0 branch October 29, 2025 11:02