Conversation

@aleks-pro

  1. package-lock.json added
  2. npm install -> npm ci
  3. vulnerable dependencies fixed

Copilot AI review requested due to automatic review settings December 22, 2025 14:46

Copilot AI left a comment


Pull request overview

This PR implements security fixes by adding package-lock.json, switching from npm install to npm ci in CI/CD, and updating vulnerable dependencies (inquirer 6.2.0→^13.1.0, eslint 5.8.0→^9.39.2).

Key changes:

  • Added package-lock.json with lockfileVersion 3
  • Updated inquirer from 6.2.0 to ^13.1.0 (major version jump)
  • Updated eslint from 5.8.0 to ^9.39.2 (dev dependency, major version jump)
  • Changed repository URL from inikulin/publish-please to DevExpress/publish-please

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.

File: Description
package.json: Updated inquirer and eslint to newer versions; updated repository URL
package-lock.json: Added new lockfile with all dependencies locked to specific versions
.gitignore: Removed package-lock.json exclusion to track it in version control
.github/workflows/publish.yml: Changed from npm install to npm ci for deterministic builds


"cp-sugar": "1.0.0",
"elegant-status": "1.1.0",
"inquirer": "6.2.0",
"inquirer": "^13.1.0",
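Review bot: the replacement line widens the spec from an exact pin to a caret range ("inquirer": "6.2.0" becomes "inquirer": "^13.1.0") while the neighbouring entries ("cp-sugar": "1.0.0", "elegant-status": "1.1.0") stay exact. With package-lock.json now tracked and the workflow on npm ci, the lock decides what CI installs, but the caret range means any later npm install or lockfile regeneration may resolve to a different 13.x release than the one reviewed here. If the goal of this PR is deterministic, reviewable upgrades, pin "13.1.0" to match the other entries, or say in the PR description why inquirer alone gets a range.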

Copilot AI Dec 22, 2025


The inquirer package has been updated from version 6.2.0 to ^13.1.0, which is a major version jump (7 major versions). This change introduces significant breaking changes as inquirer version 13 requires Node.js version 20.12.0 or later (as seen in package-lock.json line 1901), but the package.json still specifies "node": ">=6.0.0" in the engines field. This mismatch will cause installation failures on older Node versions that are still technically supported according to package.json.


Copilot AI Dec 22, 2025


The mute-stream dependency (used by inquirer 13.1.0) requires Node.js version 20.17.0 or 22.9.0 or later (line 4424 in package-lock.json), which is even more restrictive than inquirer's requirement. This further conflicts with the package.json engines field that specifies "node": ">=6.0.0".
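The engines mismatch raised in the two comments above can be checked mechanically. The script below is an added example, not part of this PR or the publish-please project: it reads a lockfileVersion 3 package-lock.json, takes the lowest Node version the root package's engines field admits, and lists every dependency whose own engines.node range excludes it. The lock excerpt is constructed to carry the constraints quoted in the review, and the range parser handles only the common comparator forms (>=, >, <, <=, ^, ~, bare version, ||), both of which are assumptions of the example.

```python
import json
import re

# Constructed lockfileVersion 3 excerpt, not the PR's real package-lock.json; it carries the
# engine constraints the review quotes (inquirer >=20.12.0, mute-stream ^20.17.0 || >=22.9.0).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "publish-please", "engines": {"node": ">=6.0.0"}},
        "node_modules/inquirer": {"engines": {"node": ">=20.12.0"}},
        "node_modules/mute-stream": {"engines": {"node": "^20.17.0 || >=22.9.0"}},
        "node_modules/cp-sugar": {},  # no engines field: nothing to check
    },
})

def parse_version(text):  # '20.12' -> (20, 12, 0); pads with zeros, ignores prerelease tags
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def comparator_bounds(comp):
    """One comparator (>=x, >x, <x, <=x, ^x, ~x, x) -> (lower inclusive, upper exclusive)."""
    op, ver = re.match(r"^(>=|<=|>|<|\^|~|=)?v?(.+)$", comp).groups()
    major, minor, patch = lo = parse_version(ver)
    nxt = (major, minor, patch + 1)
    if op == "^":  # caret keeps the leftmost non-zero component fixed
        return lo, ((major + 1, 0, 0) if major else (0, minor + 1, 0) if minor else nxt)
    if op == "~":
        return lo, (major, minor + 1, 0)
    if op in (None, "="):
        return lo, nxt
    return {">=": (lo, None), ">": (nxt, None), "<": (None, lo), "<=": (None, nxt)}[op]

def satisfies(version, range_text):
    """True if version meets any '||' alternative; each alternative ANDs its comparators."""
    for alternative in re.sub(r"(>=|<=|>|<|\^|~|=)\s+", r"\1", range_text).split("||"):
        bounds = [comparator_bounds(c) for c in alternative.split()]
        if all((lo is None or version >= lo) and (hi is None or version < hi) for lo, hi in bounds):
            return True
    return False

def lowest_supported(range_text):  # lowest version a range admits: '>=6.0.0' -> (6, 0, 0)
    lows = [comparator_bounds(c)[0] for alt in range_text.split("||") for c in alt.split()]
    return min(lo for lo in lows if lo is not None)

def engine_conflicts(lock_json):
    """Dependencies whose engines.node excludes the lowest Node version the root package declares."""
    packages = json.loads(lock_json)["packages"]  # lockfileVersion 3 layout
    root_min = lowest_supported(packages[""].get("engines", {}).get("node", ">=0.0.0"))
    ranges = {path.split("node_modules/")[-1]: meta.get("engines", {}).get("node")
              for path, meta in packages.items() if path}  # "" is the root package itself
    return [(name, rng) for name, rng in ranges.items() if rng and not satisfies(root_min, rng)]
```

Running `engine_conflicts` over the real lockfile would flag both packages named in the review, and an empty result after raising the root engines field confirms the mismatch is closed.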
