
Outdated tmp dependency uses deprecated node internals

Open nunico opened this issue 4 years ago • 1 comments

Right now, I'm getting a lot of deprecation warnings on CLI programs using inquirer, which depends on external-editor. This is due to an outdated version of tmp, for which there's already a PR: #23

Please consider merging the PR, since there are people like me who work on Node projects and have set NODE_PENDING_DEPRECATION=1, where we will see all of those warnings, and we want the tools we use not to use deprecated and/or internal APIs.

Here is an example using bitwarden-cli:

❯ node --trace-deprecation $(which bw) -- status
(node:25078) [DEP0111] DeprecationWarning: process.binding() is deprecated. Please use public APIs instead.
    at Object.<anonymous> (/usr/local/Cellar/bitwarden-cli/1.17.1/libexec/lib/node_modules/@bitwarden/cli/node_modules/tmp/lib/tmp.js:16:20)
    at Module._compile (internal/modules/cjs/loader.js:1063:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
    at Module.load (internal/modules/cjs/loader.js:928:32)
    at Function.Module._load (internal/modules/cjs/loader.js:769:14)
    at Module.require (internal/modules/cjs/loader.js:952:19)
    at require (internal/modules/cjs/helpers.js:88:18)
    at Object.<anonymous> (/usr/local/Cellar/bitwarden-cli/1.17.1/libexec/lib/node_modules/@bitwarden/cli/node_modules/external-editor/main/index.js:13:13)
    at Module._compile (internal/modules/cjs/loader.js:1063:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)

Cheers!

nunico avatar Jul 27 '21 09:07 nunico

This package not being maintained anymore, and being a core dependency of Inquirer, I went ahead and forked it over at https://www.npmjs.com/package/@inquirer/external-editor - I've maintained Inquirer for >12 years and it's one of the most popular packages on npm, so I think that project is a trustworthy new owner.

It drops tmp in favor of Node built-ins. The interface for the v1 release is backward compatible to ensure an easy drop-in replacement for folks running into the CVE issue. (v2 onward could contain breaking changes as I modernize the codebase and simplify the interface.)

SBoudrias avatar Aug 09 '25 16:08 SBoudrias
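
The reply above says the fork drops tmp in favor of Node built-ins. As an added sketch (not code from external-editor or from @inquirer/external-editor), this is the temp-file round trip an editor wrapper performs, written with only `node:fs`, `node:os` and `node:path`; `editViaTempFile` and its `edit` callback, which stands in for launching the editor, are hypothetical names.

```javascript
// Added illustration; not code from external-editor or @inquirer/external-editor.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: pass `text` through an editor step via a private temp file.
// `edit(filePath)` is an assumed callback standing in for spawning $EDITOR.
function editViaTempFile(text, edit, postfix = '.txt') {
  const name = 'buffer' + postfix;
  // Reject a postfix that would move the file outside the private directory.
  if (path.basename(name) !== name) {
    throw new Error('postfix must not contain path separators');
  }
  // mkdtempSync appends six random characters and, on POSIX, creates the
  // directory with mode 0700, so other local users cannot add entries to it.
  const base = fs.realpathSync(os.tmpdir());
  const dir = fs.mkdtempSync(path.join(base, 'edit-'));
  const file = path.join(dir, name);
  try {
    // 'wx' fails if the path already exists instead of following or
    // overwriting it; 0o600 keeps the contents private to the current user.
    fs.writeFileSync(file, text, { encoding: 'utf8', mode: 0o600, flag: 'wx' });
    edit(file);
    // lstat does not follow symlinks: refuse to read back anything that is
    // no longer a regular file.
    if (!fs.lstatSync(file).isFile()) {
      throw new Error('temp file was replaced: ' + file);
    }
    return fs.readFileSync(file, 'utf8');
  } finally {
    // Always remove the directory, even when the editor step throws.
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```
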