dthree / vorpal

Node's framework for interactive CLIs
http://vorpal.js.org
MIT License
5.63k stars 278 forks

Inquirer package is very old #300

Open ttonyh opened 6 years ago

ttonyh commented 6 years ago

Looks like Vorpal is using the 0.11.0 version of Inquirer, which is now at 5.1.0. Please consider updating.

joseph1125 commented 6 years ago

Agree, I need that editor config; moreover, they provide a way to cancel a prompt.

milesj commented 6 years ago

I upgraded inquirer in the 2.0 branch, which wasn't too difficult. If someone wants to backport it and submit a PR, that would be helpful. https://github.com/dthree/vorpal/commit/a3ea141233ca4cc81e8a19a061b763315663b8ed

cking commented 6 years ago

https://nodesecurity.io/advisories/577

The referenced version of inquirer (which is 5 years old, btw) is using version 3 of lodash, which has been nodesecurity'ed. AKA everyone who tries to use vorpal is seeing this now:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ [dev]                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 811eaa981b4fe6a41bbae5238cd0c6d47b8ff6bd93f819a9fb0251719c7… │
│               │ > inquirer > lodash                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 1 vulnerability found - Packages audited: 284 (284 dev, 0 optional)
    Severity: 1 low

Not a very nice message, if I may say so myself.

leaanthony commented 5 years ago

This is affecting other projects such as moleculer.

joseph1125 commented 5 years ago

@leaanthony This project is already dead; I wouldn't recommend that anyone build something new upon it.

leaanthony commented 5 years ago

What do you mean? Last commit was 11 Jun.

RWOverdijk commented 5 years ago

Yeah, it could use an update. The examples also no longer work. Is anyone doing this yet, or is this still open?