CVE-2025-54798 in `tmp` via `inquirer` and `external-editor`

The latest version of `codeceptjs` at the time of writing is [version 3.7.3](https://github.com/codeceptjs/CodeceptJS/releases/tag/3.7.3)...

* which has a [production dependency on `inquirer@8.2.6`](https://github.com/codeceptjs/CodeceptJS/blob/233838e779942d8065117c9d0d71edaf7b92b64a/package.json#L101)...
* which has [a production dependency on `external-editor@^3.0.3`](https://github.com/SBoudrias/Inquirer.js/blob/30ec0483de28849e56bd6b9b61daaabf8edea16f/packages/inquirer/package.json#L46), which in practice resolves to `external-editor@3.1.0`...
* which [has a production dependency on `tmp@^0.0.33`](https://github.com/mrkmg/node-external-editor/blob/4da6e30e31e18da0f8ab65eba38340865ca40cdf/package.json#L31), which resolves to `tmp@0.0.33`...
* which has [CVE-2025-54798](https://nvd.nist.gov/vuln/detail/CVE-2025-54798) in it.

`tmp` is patched as of `tmp@0.2.4`, which means that `external-editor` needs to upgrade. Unfortunately `external-editor` is [not maintained](https://github.com/mrkmg/node-external-editor/issues/32) and no new version has appeared for about six years. This in turn means that `inquirer` must stop using `external-editor`. `inquirer` has indeed done this as of `inquirer@8.2.7`. So now `codeceptjs` must upgrade from `inquirer@8.2.6` to `inquirer@8.2.7`.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

CVE-2025-54798 in `tmp` via `inquirer` and `external-editor` #5074

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

CVE-2025-54798 in tmp via inquirer and external-editor #5074

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

CVE-2025-54798 in `tmp` via `inquirer` and `external-editor` #5074