
sudo-prompt is unmaintained and deprecated

Open jayvdb opened this issue 11 months ago • 7 comments

Pre-flight checklist

  • [x] I have read the contribution documentation for this project.
  • [x] I agree to follow the code of conduct that this project uses.
  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Problem description

I think it is fairly common security best practice to avoid dependencies that are unmaintained / deprecated.

https://www.npmjs.com/package/sudo-prompt is marked deprecated with "Author message": Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

All versions are deprecated at https://www.npmjs.com/package/sudo-prompt?activeTab=versions

Its repo https://github.com/jorangreef/sudo-prompt was archived on Sep 24, 2021

There are no vulns listed against it at https://osv.dev/list?q=sudo-prompt&ecosystem=

and none of the old issues at https://github.com/jorangreef/sudo-prompt/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen scream CVE.

Proposed solution

Replace sudo-prompt with an alternative.

Alternatives considered

Interestingly https://github.com/electron/forge/issues/58 proposed an alternative, but it was rejected.

Additional information

No response

jayvdb avatar Jan 17 '25 00:01 jayvdb
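The check described in the post above, as an added example that is not part of the thread and not electron/forge code: the npm registry records deprecation per published version, as a `deprecated` string on that version's manifest (this is what `npm install` prints as "npm warn deprecated" and what `npm view <name> deprecated` reads). The script below walks a package-lock.json and reports every installed package whose resolved version carries that field. The lockfile and the registry documents are constructed inline so it runs offline; the sudo-prompt message is the one quoted above, while `some-lib` and `nested-dep` and their versions are hypothetical. `fetchRegistryDoc` shows the live lookup for real use.

```javascript
// Added example: flag lockfile dependencies whose resolved version the npm
// registry marks as deprecated. Not code from the electron/forge project.

// Constructed package-lock.json (lockfileVersion 3 shape): "packages" is keyed
// by install path; the "" key is the root project itself.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'sudo-prompt': '^9.2.1' } },
    'node_modules/sudo-prompt': { version: '9.2.1' },
    'node_modules/some-lib': { version: '2.0.0' },                      // hypothetical
    'node_modules/some-lib/node_modules/nested-dep': { version: '0.1.0' }, // hypothetical
  },
};

// Constructed registry documents, trimmed to the fields the check needs.
// Only the sudo-prompt deprecation message is real (quoted from the thread).
const REGISTRY = {
  'sudo-prompt': {
    versions: {
      '9.2.1': { deprecated: 'Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.' },
    },
  },
  'some-lib': { versions: { '2.0.0': {}, '1.0.0': { deprecated: 'use 2.x' } } },
  'nested-dep': { versions: { '0.1.0': {} } },
};

// Package name from a lockfile "packages" key: the segment after the last
// "node_modules/", keeping a scope prefix such as "@expo/foo". Returns null
// for the root entry.
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns [{ name, version, path, message }] for every installed package whose
// exact resolved version has a non-empty "deprecated" field in its registry doc.
function findDeprecated(lockfile, registry) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages ?? {})) {
    const name = nameFromPath(installPath);
    if (!name || !entry.version) continue; // root project or a link entry
    const manifest = registry[name]?.versions?.[entry.version];
    if (!manifest) continue; // unknown package/version: not a finding here
    if (typeof manifest.deprecated === 'string' && manifest.deprecated.length > 0) {
      hits.push({ name, version: entry.version, path: installPath, message: manifest.deprecated });
    }
  }
  return hits;
}

// True when every published version is deprecated (the sudo-prompt situation,
// "All versions are deprecated"), as opposed to a single old release.
function fullyDeprecated(doc) {
  const versions = Object.values(doc?.versions ?? {});
  return versions.length > 0 && versions.every((v) => typeof v.deprecated === 'string');
}

// Live lookup for real use: GET https://registry.npmjs.org/<name> returns the
// packument whose versions[<v>].deprecated is the field checked above.
// Scoped names are sent as @scope%2Fname, which the registry expects.
async function fetchRegistryDoc(name) {
  const res = await fetch(`https://registry.npmjs.org/${name.replace('/', '%2F')}`);
  if (!res.ok) throw new Error(`registry lookup failed for ${name}: ${res.status}`);
  return res.json();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findDeprecated(LOCKFILE, REGISTRY)) {
    console.log(`deprecated ${hit.name}@${hit.version} (${hit.path}): ${hit.message}`);
  }
}
```

Running this against a real lockfile means replacing `REGISTRY` with documents from `fetchRegistryDoc` for each distinct name in `lockfile.packages`; the deprecation check itself is the same. Note that a deprecated package is a maintenance signal, not a vulnerability finding, which is why the post also checks OSV and the upstream issue tracker separately.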

The alternative from #58 was rejected for missing macOS support, and the linked issue is still open. So that's still not a viable alternative.

There's no reason why we can't use sudo-prompt for the time being while it still works for what we use it for, if no one comes up with a workable alternative.

malept avatar Jan 17 '25 01:01 malept

Does this suggest that it was yanked by NPM themselves, and not the author?

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

If so, that sounds bad.

jayvdb avatar Jan 17 '25 01:01 jayvdb

I forked electron-sudo, enhanced it with typescript and added NixOS support.

https://github.com/danielmain/electron-sudo-universal

Until electron-forge updates its dependencies, you can use this workaround in your package.json:

  "overrides": {
    "electron-sudo": "git+ssh://git@github.com/danielmain/electron-sudo-universal.git#main"
  }

danielmain avatar Feb 15 '25 16:02 danielmain

@expo maintains their own fork of sudo-prompt without the deprecated util functions.

gerardbalaoro avatar Mar 18 '25 03:03 gerardbalaoro

Thanks for the context @gerardbalaoro! I see VSCode has their own fork as well.

erickzhao avatar Mar 18 '25 03:03 erickzhao

Does this suggest that it was yanked by NPM themselves, and not the author?

@jayvdb

No, I marked sudo-prompt as read-only on GitHub some years back, and I only recently deprecated the package fully on NPM—deprecated simply means deprecated.

The reason being that between Electron and VSCode using sudo-prompt, the support burden for me was becoming too high.

Before marking read-only, I asked the Microsoft VSCode team to take over the repo officially, to transfer it to them, but they said they "didn't have the resources" at the time. Since deprecating, I believe they did fork, thankfully!

jorangreef avatar Jun 03 '25 03:06 jorangreef

Thanks a million for the additional context @jorangreef! 🙇

erickzhao avatar Jun 05 '25 06:06 erickzhao