Skip to content

[BUG] Inquirer has upstream vulnerability CVE-2025-54798 #957

Description

@JoepKockelkorn

⚠️ Important Notice

Please differentiate the bug

This repository is not responsible for the actual code generation. If you have problems with the code generation, please open the bug at OpenAPITools/openapi-generator.

Please also check if the bug is already known before you open a new bug.


🐛 Bug Report:

Describe the bug

The current version of @openapitools/openapi-generator-cli depends on version 8.2.6 of inquirer which has a upstream vulnerability in it (CVE-2025-54798). Please update inquirer.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Install version 2.21.4 of @openapitools/openapi-generator-cli
  2. See output in terminal:
➜ npm audit
# npm audit report

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install @openapitools/openapi-generator-cli@0.0.6, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/@openapitools/openapi-generator-cli/node_modules/inquirer
      @openapitools/openapi-generator-cli  >=0.0.7-3.0.0
      Depends on vulnerable versions of inquirer
      node_modules/@openapitools/openapi-generator-cli

Expected behavior

No vulnerability is found.

Screenshots

Image

Operation System (please complete the following information):

  • OS: MacOS
  • Version 15.5 (24F74)

Package System (please complete the following information):

  • Manager: npm
  • Version 10.9.2

Additional context

None.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions