Skip to content

[deps] Vault: Update inquirer to v12 #15019

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[deps] Vault: Update inquirer to v12 #15019

wants to merge 1 commit into from
+204 −175

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented May 31, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
inquirer (source) 8.2.6 -> 12.11.1 age confidence

Release Notes

SBoudrias/Inquirer.js (inquirer)

v12.11.1

Compare Source

  • [Node 18 compat] Downgraded to mute-stream@​2 to maintain Node 18 compatibility.
  • [Typescript] Allow passing a Partial<{ ... }> type as pre-filled answers.

v12.11.0

Compare Source

  • feat @inquirer/input: Now support simple RegExp validation with pattern/patternError.
  • fix @inquirer/editor: Fix typo s/waitForUseInput/waitForUserInput
  • Bump dependencies

v12.10.0

Compare Source

  • New design for the keys help tip. Themable/localizable with theme.style.keysHelpTip.
  • Re-introduce option to match up/down actions with vim or emacs keybindings. Enable with theme.keybindings

v12.9.6

Compare Source

  • Reduce number of transitive dependencies

v12.9.5

Compare Source

  • Fix #​1834: (rawlist) Allows specifying numbers as explicit keys of option within the list.

v12.9.4

Compare Source

  • fix: Remove "easter-egg" vim/emacs bindings conflicting with the type-to-search feature.

v12.9.3

Compare Source

  • Fix Unix yes not properly being processed by the confirm prompt. (yes | node confirm-script.js)

v12.9.2

Compare Source

  • Make @types/node an optional peer dependency.

v12.9.1

Compare Source

  • Replace external-editor dependency with new @inquirer/external-editor. This remove the vulnerable tmp transitive dependency from the dependency tree.

v12.9.0

Compare Source

  • Search prompt: New instructions config to allow localizing the help tips.

v12.8.2

Compare Source

  • Fix #​1786 select prompt with indexMode: number theme option didn't properly calculate the items indexes if separators where present in between choices.

v12.8.1

Compare Source

  • Fixes: a transitive dependency (run-aysnc) loaded devDependencies unexpectedly. This is now fixed upstream. Rel #​1791

v12.8.0

Compare Source

  • Select prompt: When pressing a number key, we'll ignore separators in counting the index of the item to jump to.
  • Checkbox prompt: When pressing a number key, we'll ignore separators in counting the index of the item to select.

v12.7.0

Compare Source

-input prompt: New prefill option to control if the default value is editable inline or only after pressing tab.

v12.6.3

Compare Source

  • Fix #​1743: pagination logic of the select, checkbox and search prompts was fully rewritten to handle edge cases around rendering multi-line choices and pointer positioning.

v12.6.2

Compare Source

  • Chore: dependencies bump

v12.6.1

Compare Source

  • Fix #​1741: Issue with SIGINT in some scenarios leaving promises unsettled on exit.
  • Fix: Remove monorepo related dependencies from all artifacts published to npm. This removes non-standard version specifiers like workspace:* from the public npm packages.

v12.6.0

Compare Source

  • Feat(@​inquirer/select): Added an instructions option allowing to customize the messages in the help tips.
  • Feat(@​inquirer/rawlist): Arrow keys will now cycle through the option, just like the @inquirer/select prompt. Also added a loop option to control the list loop behaviour when reaching the boundaries.

v12.5.2

Compare Source

  • README: Add new sponsor
  • Chore: dependency updates

v12.5.1

Compare Source

v12.5.0

Compare Source

  • Feat (select): Introduce theme.indexMode to control displaying an index prefix in front of each choice. (defaults to hidden)
  • Fix (select): Improve search when number keys are pressed

v12.4.3

Compare Source

  • Fix an issue where inquirer would throw if Node is ran with the new --frozen-intrinsics flag.

v12.4.2

Compare Source

v12.4.1

Compare Source

  • Mark @types/node as an optional peer dependency across all packages.

v12.4.0

Compare Source

  • Added new shortcut config to the checkbox prompt. Allows to customize or disable shortcut keys for select all and invert selection.

v12.3.3

Compare Source

v12.3.2

Compare Source

v12.3.1

Compare Source

v12.3.0

Compare Source

  • Checkbox prompt: re-added support for an array of default to be provided listing pre-checked checkboxes. This is a legacy interface brought back given this feature removal was an involuntary breaking change during the v12 release. The preferred interface is to provide the checked property to choices { value: 'bar', checked: true }.

v12.2.0

Compare Source

v12.1.0

Compare Source

v12.0.1

Compare Source

v12.0.0

Compare Source

  • @types/node is now only a peerDependencies. This reduces the install size of inquirer dramatically for folks not using Typescript. It's unlikely to break your builds if you used TS already, if it does run npm install --dev @&#8203;types/node/yarn add --dev @&#8203;types/node.

v11.1.0

Compare Source

  • Now exports base utility Typescript types: import type { Question, DistinctQuestion, Answers } from 'inquirer';

You should use as follow to keep the inference working properly:

const questions = [
    { ... }
] as const satisfies Question[];
// If you're not using inquirer plugins, `Question` could alternatively be replaced by `DistinctQuestion` for stricter checks.

v11.0.2

Compare Source

  • Fix #​1555: when behaviour changed unexpectedly when returning a falsy value.

v11.0.1

Compare Source

v11.0.0

Compare Source

No technical breaking changes; but we changed the style of the question prefix once the answer is provided. Once a question is answer, the prefix becomes a tick mark (previously it was the same ? as when the prompt is idle.)

This is theme-able, and so can be overwritten to with theme.prefix.

v10.2.2

Compare Source

  • Fix the filter option not working.
  • The signal: AbortSignal didn't work with class based prompts (OSS plugins.) Now it should work consistently with legacy style prompts.

v10.2.1

Compare Source

  • Fix expand prompt being broken if a Separator was in the choices array.

v10.2.0

Compare Source

  • Includes various fixes & new features to the different built-in prompts
  • Fix: Major rework of the Typescript types. Hoping to reduce the amount of finicky type errors (or wrong types) you might've ran into.

v10.1.8

Compare Source

v10.1.7

Compare Source

v10.1.6

Compare Source

v10.1.5

Compare Source

v10.1.4

Compare Source

v10.1.3

Compare Source

v10.1.2

Compare Source

  • Fix broken backward compatibility issues with v9. Choice objects without value should default to use name as the value. Note: Please don't rely on this weird behaviour, but we fixed it since it was an unintended breaking change.

v10.1.1

Compare Source

v10.1.0

Compare Source

  • Adds the new { type: 'search' } prompt.

v10.0.4

Compare Source

v10.0.3

Compare Source

  • Fix: Re-added missing short on select and checkbox prompt.
  • Fix: Remove type requiring a close method on prompt class instances (it wasn't required.)

v10.0.2

Compare Source

v10.0.1

Compare Source

v10.0.0

Compare Source

  • Re-implemented with Typescript.
  • Adding CJS support (now inquirer is publishes a dual-build CJS/ESM.)
  • All core prompts are now coming from @inquirer/prompt.
  • Custom prompts now should be implemented with @inquirer/core. Custom prompts built on [email protected] will keep working, but should plan a migration.
  • inquirer.ui.BottomBar is deleted.

My expectation is that this release should be a drop-in replacement for people using inquirer.prompt() and built-ins 🤞🏻. Please open an issue on Github if you run into issues migrating; it's a large rewrite and there might be a few sharp edges to cut! Hope you'll like this new release.

v9.3.8

Compare Source

v9.3.7

Compare Source

v9.3.6

Compare Source

v9.3.5

Compare Source

  • Fix issue with plugins relying on internal inquirer packages file structure.

v9.3.4

Compare Source

v9.3.3

Compare Source

v9.3.2

Compare Source

v9.3.1

Compare Source

  • Fix risk of prototype injection.

v9.3.0

Compare Source

  • Replace chalk with picolors (in 9.3.2 went to yoctocolors to stay with Sindre's packages and reduce amount of provenance.)
  • Drop many dependencies in favour of native functions when possible.

No impact expected, but it's a large changes in dependencies. Let us know if you run into any issues upgrading!

v9.2.23

Compare Source

v9.2.22

Compare Source

  • editor prompt: Fixed compatibility issue between default and waitUserInput options. #​1405

v9.2.21

Compare Source

v9.2.20

Compare Source

v9.2.19

Compare Source

v9.2.18

Compare Source

  • On windows, we will now use unicode characters whenever possible

v9.2.17

Compare Source

v9.2.16

Compare Source

v9.2.15

Compare Source

v9.2.14

Compare Source

v9.2.13

Compare Source

v9.2.12

Compare Source

v9.2.11

Compare Source

v9.2.10

Compare Source

v9.2.9

Compare Source

  • Modified lodash imports to help with tree-shaking
  • Replace unmaintained through dependency (only affect users of the old bottom bar)

v9.2.8

Compare Source

v9.2.7

Compare Source

v9.2.6

Compare Source

v9.2.5

Compare Source

v9.2.4

Compare Source

v9.2.3

Compare Source

v9.2.2

Compare Source

v9.2.1

Compare Source

v9.2.0

Compare Source

v9.1.5

Compare Source

v9.1.4

Compare Source

Fix issue with the default value disappearing from prompt.

v9.1.3

Compare Source

v9.1.2

Compare Source

v9.1.1

Compare Source

v9.1.0

Compare Source

v9.0.2

Compare Source

v9.0.1

Compare Source

v9.0.0

Compare Source

Inquirer is now a native Node ECMAScript module. This will require your Node runtime to support es modules, and your app to be an es module. Node documentation over here: https://nodejs.org/api/esm.html#modules-ecmascript-modules

If you cannot migrate, please remember you can keep using the v8.x release line until you're ready.

v8.2.7

Compare Source

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from a team and shane-melton May 31, 2025 07:39
@Hinton Hinton requested review from a team as code owners May 31, 2025 07:54
@github-actions
Copy link
Contributor

github-actions bot commented May 31, 2025
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsce5d7ef9-51c0-4a21-972b-c35d7e59bc3c

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Insecure_Storage_of_Sensitive_Data /apps/cli/src/tools/send/commands/receive.command.ts: 77
detailsThe application takes sensitive, personal data password, found at line 77 of /apps/cli/src/tools/send/commands/receive.command.ts, and stores it ...
ID: 9A0DG6UzQBy%2FAGyrmzMO%2FIjygRo%3D
Attack Vector
MEDIUM Insecure_Storage_of_Sensitive_Data /apps/cli/src/tools/send/commands/receive.command.ts: 173
detailsThe application takes sensitive, personal data password, found at line 173 of /apps/cli/src/tools/send/commands/receive.command.ts, and stores it...
ID: JngX0BF51o22XmrIDmdT1psedr0%3D
Attack Vector
Fixed Issues (6)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
CRITICAL CVE-2025-7783 Npm-form-data-3.0.3
CRITICAL CVE-2025-7783 Npm-axios-1.10.0
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/avatar/avatar.component.ts: 96
LOW CVE-2025-54798 Npm-tmp-0.0.33
LOW CVE-2025-54798 Npm-tmp-0.2.3
LOW CVE-2025-7339 Npm-on-headers-1.0.2

github-advanced-security[bot]
github-advanced-security bot found potential problems May 31, 2025
View reviewed changes
@sonarqubecloud
Copy link

sonarqubecloud bot commented May 31, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov
Copy link

codecov bot commented May 31, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.20%. Comparing base (d86c918) to head (4434cdd).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #15019   +/-   ##
=======================================
  Coverage   41.20%   41.20%           
=======================================
  Files        3543     3543           
  Lines      101912   101912           
  Branches    15282    15282           
=======================================
+ Hits        41988    41992    +4     
+ Misses      58159    58155    -4     
  Partials     1765     1765

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

mzieniukbw
mzieniukbw requested changes May 31, 2025
View reviewed changes
Copy link
Contributor

@mzieniukbw mzieniukbw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from KM perspective, but Ctrl + C behaviour is different and now throws exception, that needs to be handled: https://www.npmjs.com/package/@inquirer/prompts#recipes

@bitwarden-bot bitwarden-bot changed the title [deps] Vault: Update inquirer to v12 [PM-22251] [deps] Vault: Update inquirer to v12 May 31, 2025
@bitwarden-bot
Copy link

bitwarden-bot commented May 31, 2025

Internal tracking:

audreyality
audreyality previously approved these changes Jun 2, 2025
View reviewed changes
djsmith85
djsmith85 previously approved these changes Jun 2, 2025
View reviewed changes
@gbubemismith gbubemismith dismissed stale reviews from djsmith85 and audreyality via 6f9030c August 18, 2025 17:04
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 18, 2025
View reviewed changes
apps/cli/src/tools/send/commands/receive.command.ts Outdated

// reattempt with new password
this.sendAccessRequest.password = await this.getUnlockedPassword(answer.password, key);
this.sendAccessRequest.password = await this.getUnlockedPassword(password, key);

Check warning

Code scanning / Checkmarx One

Insecure Storage of Sensitive Data

Insecure Storage of Sensitive Data
@gbubemismith gbubemismith force-pushed the renovate/inquirer-12.x branch from 6f9030c to cb92dfc Compare August 18, 2025 18:09
@gbubemismith gbubemismith requested review from a team as code owners August 18, 2025 18:10
@gbubemismith gbubemismith force-pushed the renovate/inquirer-12.x branch 3 times, most recently from 25cc12c to 668c0cf Compare August 19, 2025 21:08
@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 20, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

audreyality
audreyality previously approved these changes Aug 20, 2025
View reviewed changes
nick-livefront
nick-livefront previously approved these changes Aug 22, 2025
View reviewed changes
@renovate renovate bot dismissed stale reviews from nick-livefront and audreyality via a01a19a November 19, 2025 11:08
@renovate renovate bot force-pushed the renovate/inquirer-12.x branch from b6b9e50 to a01a19a Compare November 19, 2025 11:08
@renovate renovate bot changed the title [PM-22251] [deps] Vault: Update inquirer to v12 [deps] Vault: Update inquirer to v12 Nov 19, 2025
@renovate renovate bot force-pushed the renovate/inquirer-12.x branch from a01a19a to 4434cdd Compare November 19, 2025 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djsmith85 djsmith85 djsmith85 left review comments

@audreyality audreyality audreyality left review comments

@nick-livefront nick-livefront nick-livefront left review comments

@shane-melton shane-melton Awaiting requested review from shane-melton shane-melton was automatically assigned from bitwarden/team-vault-dev

@JaredSnider-Bitwarden JaredSnider-Bitwarden Awaiting requested review from JaredSnider-Bitwarden JaredSnider-Bitwarden was automatically assigned from bitwarden/team-auth-dev

@mzieniukbw mzieniukbw Awaiting requested review from mzieniukbw

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

major-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bitwarden-bot @djsmith85 @audreyality @nick-livefront @mzieniukbw