
Inquirer package is very old

Open ttonyh opened this issue 7 years ago • 7 comments

Looks like Vorpal is using 0.11.0 version of Inquirer, which is now at 5.1.0. Please consider updating.

ttonyh avatar Feb 12 '18 23:02 ttonyh

Agree, I need that editor config; moreover, they provide a way to cancel the prompt.

joseph1125 avatar Feb 14 '18 08:02 joseph1125

I upgraded inquirer in the 2.0 branch, which wasn't too difficult. If someone wants to backport and submit a PR, that would be helpful. https://github.com/dthree/vorpal/commit/a3ea141233ca4cc81e8a19a061b763315663b8ed

milesj avatar Feb 14 '18 18:02 milesj

https://nodesecurity.io/advisories/577

The referenced version of inquirer (that is 5 years old btw) is using version 3 of lodash, which has been nodesecurity'ed. AKA everyone who tries to use vorpal is seeing this now:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ [dev]                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ > inquirer > lodash                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 1 vulnerability found - Packages audited: 284 (284 dev, 0 optional)
    Severity: 1 low

Not a very nice message, if I do say so myself.

cking avatar May 10 '18 12:05 cking
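
Added example, not part of the thread or of vorpal's code: tracing the chain shown in the audit "Path" row (inquirer > lodash) from an npm lockfile, so the package that needs upgrading is identified. The lockfile object, the `my-cli` name and every version except inquirer 0.11.0 are constructed; the major-version filter mirrors the comment's "version 3 of lodash" and is an assumption, not the advisory's affected range.

```javascript
// Constructed sample lockfile (npm lock v1 layout), not from a real project.
const sampleLock = {
  name: "my-cli", // hypothetical application
  dependencies: {
    lodash: { version: "4.0.0" }, // constructed: hoisted copy used by vorpal
    vorpal: {
      version: "0.0.0-sample", // constructed placeholder version
      requires: { inquirer: "0.11.0", lodash: "^4.0.0" },
      dependencies: {
        inquirer: {
          version: "0.11.0", // version named in the issue
          requires: { lodash: "^3.0.0" },
          dependencies: { lodash: { version: "3.0.0" } }, // constructed
        },
      },
    },
  },
};

// Resolve `name` the way Node does: the nearest enclosing "dependencies" wins.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const hit = (scopes[i].dependencies || {})[name];
    if (hit) return { node: hit, scopes: scopes.slice(0, i + 1).concat(hit) };
  }
  return null;
}

// Return every require chain that ends at `target` with the given major version.
function findPaths(lock, target, major) {
  const found = [];
  const walk = (scopes, chain, seen) => {
    const node = scopes[scopes.length - 1];
    // Simplification: lock v1 has no root "requires", so start from every top-level entry.
    const names = Object.keys((scopes.length === 1 ? node.dependencies : node.requires) || {});
    for (const name of names) {
      const r = resolve(scopes, name);
      if (!r || seen.has(r.node)) continue; // unresolved or already on this chain
      const next = chain.concat(`${name}@${r.node.version}`);
      const isHit = name === target && parseInt(r.node.version, 10) === major;
      if (isHit) found.push(next.join(" > "));
      walk(r.scopes, next, new Set(seen).add(r.node));
    }
  };
  walk([lock], [], new Set());
  return found;
}

console.log(findPaths(sampleLock, "lodash", 3));
```

The hoisted lodash 4 copy is resolved for vorpal itself, while the nested copy under inquirer is the one reported, which is why upgrading the application's own lodash does not clear the finding.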

This is affecting other projects such as moleculer.

leaanthony avatar Aug 02 '18 01:08 leaanthony

@leaanthony This project is dead already, I wouldn't recommend anyone to build something new upon it.

joseph1125 avatar Aug 02 '18 01:08 joseph1125

What do you mean? Last commit was 11 Jun.

leaanthony avatar Aug 07 '18 07:08 leaanthony

Yeah, it could use an update. The examples also no longer work. Is anyone doing this yet or is this still open?

RWOverdijk avatar Sep 26 '18 12:09 RWOverdijk