Package depends on an outdated version of tmp library
Since this package hasn't been updated for the past 5 years, it hasn't updated any of the dependencies.
Due to a vulnerability in the tmp library being used, it should be updated.
See https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6 for more details.
Noticed that too :(
PR #21 has been open since 2019, PR #23 since 2021.
And there is also Issue #27, open since 2021.
So I don't have much hope for an official resolution.
Edit: in the meantime, have this in `package.json`:

```json
"overrides": {
  "tmp": "^0.2.4"
}
```

(stolen from #23 :p)
This package is not maintained anymore, and since it is a core dependency of Inquirer, I went ahead and forked it over at https://www.npmjs.com/package/@inquirer/external-editor - I've maintained Inquirer for >12 years and it's one of the most popular packages on npm; so I think that project is a trustworthy new owner.
It drops tmp in favor of the Node built-in; the interface for the v1 release is backward compatible to ensure an easy drop-in replacement for folks running into the CVE issue. (v2 onward could contain breaking changes as I modernize the codebase and simplify the interface.)