Skip to content

🚨 [security] Update inquirer 8.2.0 → 13.1.0 (major) #128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
depfu wants to merge 1 commit into from
Closed

🚨 [security] Update inquirer 8.2.0 → 13.1.0 (major) #128

depfu wants to merge 1 commit into from

Conversation

@depfu
Copy link
Contributor

@depfu depfu bot commented Dec 14, 2025

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ inquirer (8.2.0 → 13.1.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ ansi-regex (indirect, 5.0.1 → 6.2.2) · Repo

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

Release Notes

6.2.2

6.2.0

  • Support colon separated parameters to control sequences (#62) df7d75f

v6.1.0...v6.2.0

6.1.0

  • Match cursorSave and cursorRestore escape codes (#45) 02fa893
  • Fix: Handle all valid ST characters (#58) 9cba40d

v6.0.1...v6.1.0

6.0.1

Fixes

  • Fix ReDoS in certain cases (#37)
    You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

v6.0.0...v6.0.1

Thank you @yetingli for the patch and reproduction case!

6.0.0

Breaking

v5.0.0...v6.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ chardet (indirect, 0.7.0 → 2.1.1) · Repo

Release Notes

2.1.1

2.1.1 (2025-10-29)

Bug Fixes

  • safe buffer alocation (dd9b1cd)
  • sample size handling, build and release (#117) (9a42ceb)

2.1.0

2.1.0 (2025-02-24)

Features

2.0.0

2.0.0 (2023-09-28)

Bug Fixes

Features

  • add strict input check allowing only byte arrays as inputs (#87) (#90) (b9ff1b2)

BREAKING CHANGES

  • From this release, only instances of Array with numeric values <= 255 are accepted
    as inputs. No strings or anything else except shapes like Buffer or Uint8Array.

1.6.0

1.6.0 (2023-06-16)

Features

1.5.1

1.5.1 (2023-01-05)

Bug Fixes

  • types: Export AnalyseResult and DetectResult types (1472a8b)

1.5.0

1.5.0 (2022-10-09)

Features

  • allow position offset as option (a169cc5)

1.4.0

1.4.0 (2021-10-19)

Features

  • Language detection improvements (d0e93bb)

1.3.0

1.3.0 (2020-09-25)

Features

  • Make it work in browser (1b40042)

1.2.2

1.2.2 (2020-09-23)

Bug Fixes

  • Make npm package smaller (abde2b2)

1.2.1

1.2.1 (2020-07-06)

Bug Fixes

  • change Shift-JIS mime name to Shift_JIS (d00c8cd)

1.2.0

1.2.0 (2020-07-02)

Features

  • Make type definitions compatible with browser (79457df)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cli-width (indirect, 3.0.0 → 4.1.0) · Repo · Changelog

Release Notes

4.1.0 (from changelog)

Features

  • ts types and test against node 18 and 20 (bc2884f)

4.0.0 (from changelog)

⚠ BREAKING CHANGES

  • drop support for node < 12

Bug Fixes

  • drop support for node < 12 (50fcd88)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ emoji-regex (indirect, 8.0.0 → 10.6.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ iconv-lite (indirect, 0.4.24 → 0.7.1) · Repo · Changelog

Release Notes

0.7.1

What's Changed

🚀 Improvements

Other changes

New Contributors

Full Changelog: v0.7.0...v0.7.1

0.7.0

🐞 Bug fixes

  • Handle split surrogate pairs when encoding utf8 - by @yosion-p and @ashtuchkin in #282:

    Handle a case where streaming utf8 encoder (converting js strings -> buffers) encounters
    surrogate pairs split between chunks (last character of one chunk is high surrogate and first
    character of the next chunk is a low surrogate).

  • Avoid false positives in encodingExists by using objects without a prototype - by @bjohansebas in #328

    The encodingExists method could return incorrect results if the lookup matched properties inherited
    from the prototype of the object that stores the encodings, such as constructor and others. This change
    replaces that object with one that has no prototype, ensuring that only explicitly defined valid encodings
    in the library are considered. In addition, the fix is applied to the internal cache system to avoid the same
    kind of false positives

🚀 Improvements

  • Make explicit that decode() method supports Uint8Array input - by @jardicc in #271
  • Remove compatibility check for StringDecoder.end method - by @bjohansebas in #331

Other changes

New Contributors

Full Changelog: pillarjs/iconv-lite@v0.6.3...v0.7.0

0.6.3 (from changelog)

  • Fix HKSCS encoding to prefer Big5 codes if both Big5 and HKSCS codes are possible (#264)

0.6.2 (from changelog)

  • Support Uint8Array-s decoding without conversion to Buffers, plus fix an edge case.

0.6.1 (from changelog)

  • Support Uint8Array-s directly when decoding (#246, by @gyzerok)
  • Unify package.json version ranges to be strictly semver-compatible (#241)
  • Fix minor issue in UTF-32 decoder's endianness detection code.

0.6.0 (from changelog)

  • Updated 'gb18030' encoding to :2005 edition (see whatwg/encoding#22).
  • Removed iconv.extendNodeEncodings() mechanism. It was deprecated 5 years ago and didn't work in recent Node versions.
  • Reworked Streaming API behavior in browser environments to fix #204. Streaming API will be excluded by default in browser packs, saving ~100Kb bundle size, unless enabled explicitly using iconv.enableStreamingAPI(require('stream')).
  • Updates to development environment & tests:
    • Added ./test/webpack private package to test complex new use cases that need custom environment. It's tested as a separate job in Travis CI.
    • Updated generation code for the new EUC-KR index file format from Encoding Standard.
    • Removed Buffer() constructor in tests (#197 by @gabrielschulhof).

0.5.2 (from changelog)

  • Added iconv.getEncoder() and iconv.getDecoder() methods to typescript definitions (#229).
  • Fixed semver version to 6.1.2 to support Node 8.x (by @Tanandara).
  • Capped iconv version to 2.x as 3.x has dropped support for older Node versions.
  • Switched from instanbul to c8 for code coverage.

0.5.1 (from changelog)

  • Added cp720 encoding (#221, by @kr-deps)
  • (minor) Changed Changelog.md formatting to use h2.

0.5.0 (from changelog)

  • Added UTF-32 encoding, both little-endian and big-endian variants (UTF-32LE, UTF32-BE). If endianness is not provided for decoding, it's deduced automatically from the stream using a heuristic similar to what we use in UTF-16. (great work in #216 by @kshetline)
  • Several minor updates to README (#217 by @oldj, plus some more)
  • Added Node versions 10 and 12 to Travis test harness.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mute-stream (indirect, 0.0.8 → 3.0.0) · Repo · Changelog

Release Notes

3.0.0

3.0.0 (2025-10-22)

⚠️ BREAKING CHANGES

  • align to npm 11 node engine range (#94)

Bug Fixes

Chores

2.0.0

2.0.0 (2024-09-24)

⚠️ BREAKING CHANGES

  • mute-stream now supports node ^18.17.0 || >=20.5.0

Bug Fixes

Chores

1.0.0

1.0.0 (2022-12-12)

⚠️ BREAKING CHANGES

  • this package is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Features

Bug Fixes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rxjs (indirect, 7.5.4 → 7.8.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ signal-exit (indirect, 3.0.7 → 4.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ string-width (indirect, 4.2.3 → 7.2.0) · Repo

Release Notes

7.2.0

v7.1.0...v7.2.0

7.1.0

v7.0.0...v7.1.0

7.0.0

Breaking

Improvements

v6.1.0...v7.0.0

6.1.0

v6.0.0...v6.1.0

6.0.0

Breaking

Improvements

v5.1.2...v6.0.0

5.1.2

v5.1.1...v5.1.2

5.1.1

  • Fix incorrect default for ambiguousIsNarrow option 483baa1

v5.1.0...v5.1.1

5.1.0

v5.0.1...v5.1.0

5.0.1

v5.0.0...v5.0.1

5.0.0

Breaking

v4.2.2...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ strip-ansi (indirect, 6.0.1 → 7.1.2) · Repo

Release Notes

7.1.2

v7.1.0...v7.1.2

7.1.0

v7.0.1...v7.1.0

7.0.1

v7.0.0...v7.0.1

7.0.0

Breaking

v6.0.0...v7.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tslib (indirect, 2.3.1 → 2.8.1) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​inquirer/ansi (added, 2.0.2)

🆕 @​inquirer/checkbox (added, 5.0.3)

🆕 @​inquirer/confirm (added, 6.0.3)

🆕 @​inquirer/core (added, 11.1.0)

🆕 @​inquirer/editor (added, 5.0.3)

🆕 @​inquirer/expand (added, 5.0.3)

🆕 @​inquirer/external-editor (added, 2.0.2)

🆕 @​inquirer/figures (added, 2.0.2)

🆕 @​inquirer/input (added, 5.0.3)

🆕 @​inquirer/number (added, 4.0.3)

🆕 @​inquirer/password (added, 5.0.3)

🆕 @​inquirer/prompts (added, 8.1.0)

🆕 @​inquirer/rawlist (added, 5.1.0)

🆕 @​inquirer/search (added, 4.0.3)

🆕 @​inquirer/select (added, 5.0.3)

🆕 @​inquirer/type (added, 4.0.2)

🆕 get-east-asian-width (added, 1.4.0)

🆕 wrap-ansi (added, 9.0.2)

🗑️ ansi-escapes (removed)

🗑️ base64-js (removed)

🗑️ bl (removed)

🗑️ buffer (removed)

🗑️ cli-cursor (removed)

🗑️ cli-spinners (removed)

🗑️ clone (removed)

🗑️ defaults (removed)

🗑️ escape-string-regexp (removed)

🗑️ external-editor (removed)

🗑️ figures (removed)

🗑️ ieee754 (removed)

🗑️ inherits (removed)

🗑️ is-fullwidth-code-point (removed)

🗑️ is-interactive (removed)

🗑️ is-unicode-supported (removed)

🗑️ lodash (removed)

🗑️ log-symbols (removed)

🗑️ mimic-fn (removed)

🗑️ onetime (removed)

🗑️ ora (removed)

🗑️ os-tmpdir (removed)

🗑️ readable-stream (removed)

🗑️ restore-cursor (removed)

🗑️ safe-buffer (removed)

🗑️ string_decoder (removed)

🗑️ through (removed)

🗑️ tmp (removed)

🗑️ type-fest (removed)

🗑️ util-deprecate (removed)

🗑️ wcwidth (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Dec 14, 2025
@depfu depfu bot mentioned this pull request Dec 14, 2025
Closed
@depfu
Copy link
Contributor Author

depfu bot commented Jan 12, 2026

Closed in favor of #129.

@depfu depfu bot closed this Jan 12, 2026
@depfu depfu bot deleted the depfu/update/npm/inquirer-13.1.0 branch January 12, 2026 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant