Inquirer package is very old #300

Open
ttonyh opened this issue Feb 12, 2018 · 7 comments

@ttonyh

ttonyh commented Feb 12, 2018

Looks like Vorpal is using version 0.11.0 of Inquirer, which is now at 5.1.0. Please consider updating.

@exactmultiple3425

Agree, I need that editor config; moreover, they provide a way to cancel a prompt.

@milesj
Contributor

milesj commented Feb 14, 2018

I upgraded inquirer in the 2.0 branch, which wasn't too difficult. If someone wants to backport and submit a PR, that would be helpful. a3ea141

@cking

cking commented May 10, 2018

https://nodesecurity.io/advisories/577

The referenced version of inquirer (that is 5 years old btw) is using version 3 of lodash, which has been nodesecurity'ed.
AKA everyone who tries to use vorpal is seeing this now:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ [dev]                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ > inquirer > lodash                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 1 vulnerability found - Packages audited: 284 (284 dev, 0 optional)
    Severity: 1 low

Not a very nice message, if I would say so myself.
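The `> inquirer > lodash` path in the audit output above can be reproduced from a lockfile. The following is an added example, not part of the original thread or of Vorpal's code; it assumes the nested package-lock.json v1 layout, the function names are hypothetical, and the sample lockfile is constructed, with the "major version 3 or lower" check taken from the comment rather than from the advisory's affected range.

```javascript
// Constructed sample in package-lock.json v1 layout. Only inquirer 0.11.0 and
// "lodash major version 3" come from the thread; other versions are placeholders.
const sampleLock = {
  dependencies: {
    vorpal: {
      version: '0.0.0-sample',
      requires: { inquirer: '0.11.0', lodash: '^4.0.0' },
      dependencies: {
        inquirer: {
          version: '0.11.0',
          requires: { lodash: '^3.0.0' },
          dependencies: { lodash: { version: '3.0.0-sample' } },
        },
      },
    },
    lodash: { version: '4.0.0-sample' }, // hoisted copy used by vorpal itself
  },
};

// Resolve a required name the way Node does: nearest enclosing node_modules first.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Follow `requires` edges from the direct dependencies and record every chain
// that ends at a flagged version of `target`.
function findPaths(lock, directDeps, target, isFlagged) {
  const hits = [];
  const walk = (name, scopes, trail) => {
    const found = resolve(name, scopes);
    if (!found || trail.includes(name)) return; // unresolved or cyclic edge
    const path = [...trail, name];
    if (name === target && isFlagged(found.node.version)) {
      hits.push(`${path.join(' > ')}@${found.node.version}`);
    }
    const nested = found.node.dependencies;
    const inner = nested ? [...found.scopes, nested] : found.scopes;
    for (const dep of Object.keys(found.node.requires || {})) walk(dep, inner, path);
  };
  for (const dep of directDeps) walk(dep, [lock.dependencies || {}], []);
  return hits;
}

const majorAtMost3 = (version) => Number(version.split('.')[0]) <= 3;
console.log(findPaths(sampleLock, ['vorpal'], 'lodash', majorAtMost3));
```

Only the copy nested under inquirer is reported; the hoisted lodash that vorpal itself resolves to is a different version and is not flagged.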

@leaanthony

This is affecting other projects such as moleculer.

@exactmultiple3425

@leaanthony This project is dead already, I wouldn't recommend anyone to build something new upon it.

@leaanthony

What do you mean? Last commit was 11 Jun.

@RWOverdijk

Yeah, it could use an update. The examples also no longer work. Is anyone doing this yet or is this still open?
