
[BUG] Inquirer has upstream vulnerability CVE-2025-54798 #957

@JoepKockelkorn

⚠️ Important Notice

Please differentiate the bug

This repository is not responsible for the actual code generation. If you have problems with the code generation, please open the bug at OpenAPITools/openapi-generator.

Please also check if the bug is already known before you open a new bug.


🐛 Bug Report:

Describe the bug

The current version of @openapitools/openapi-generator-cli depends on version 8.2.6 of inquirer, which has an upstream vulnerability in it (CVE-2025-54798). Please update inquirer.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Install version 2.21.4 of @openapitools/openapi-generator-cli
  2. See output in terminal:
➜ npm audit
# npm audit report

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install @openapitools/openapi-generator-cli@0.0.6, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/@openapitools/openapi-generator-cli/node_modules/inquirer
      @openapitools/openapi-generator-cli  >=0.0.7-3.0.0
      Depends on vulnerable versions of inquirer
      node_modules/@openapitools/openapi-generator-cli

Expected behavior

No vulnerability is found.

Operating System (please complete the following information):

  • OS: macOS
  • Version 15.5 (24F74)

Package System (please complete the following information):

  • Manager: npm
  • Version 10.9.2

Additional context

None.
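
The dependency chain in the `npm audit` output above can be reproduced from a lockfile. The following is an added example, not part of the original issue or the project's code: it walks a constructed `package-lock.json` `packages` map and lists every chain of dependents that pulls in `tmp` at or below 0.2.3. `SAMPLE_LOCK`, `chainsTo` and the `external-editor` and `tmp` versions are assumptions.

```javascript
// Added example, not from the issue. Constructed sample in the shape of a
// package-lock.json (lockfileVersion 2/3) "packages" map. Paths, inquirer 8.2.6
// and CLI 2.21.4 come from the report; the other versions are constructed.
const SAMPLE_LOCK = { packages: {
  "": { dependencies: { "@openapitools/openapi-generator-cli": "2.21.4" } },
  "node_modules/@openapitools/openapi-generator-cli":
    { version: "2.21.4", dependencies: { inquirer: "8.2.6" } },
  "node_modules/@openapitools/openapi-generator-cli/node_modules/inquirer":
    { version: "8.2.6", dependencies: { "external-editor": "^3.0.3" } },
  "node_modules/external-editor": { version: "3.1.0", dependencies: { tmp: "^0.0.33" } },
  "node_modules/tmp": { version: "0.0.33" },
} };

// Numeric compare of "a.b.c" versions (prerelease tags are not handled here).
function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  return 0;
}
const MARK = "node_modules/";
const nameOf = (p) => p.slice(p.lastIndexOf(MARK) + MARK.length);

// Node-style resolution: the dependent's own node_modules first, then each ancestor's.
function resolve(pkgs, from, dep) {
  for (let base = from; ; base = base.slice(0, Math.max(0, base.lastIndexOf("/" + MARK)))) {
    const cand = (base ? base + "/" : "") + MARK + dep;
    if (pkgs[cand]) return cand;
    if (!base) return null;
  }
}

// Every path from the project root down to an installed `name` at version <= maxBad.
function chainsTo(lock, name, maxBad) {
  const pkgs = lock.packages, parents = {};
  for (const [p, m] of Object.entries(pkgs))
    for (const dep of Object.keys({ ...m.dependencies, ...m.optionalDependencies, ...m.devDependencies })) {
      const r = resolve(pkgs, p, dep);
      if (r) (parents[r] ||= []).push(p); // reverse edge: resolved dep -> dependent
    }
  const out = [];
  const walk = (p, trail, seen) => {
    if (p === "") return out.push(trail.join(" <- "));
    for (const par of parents[p] || []) {
      if (seen.has(par)) continue; // guard against dependency cycles
      const label = par === "" ? [] : [`${nameOf(par)}@${pkgs[par].version}`];
      walk(par, [...trail, ...label], new Set(seen).add(par));
    }
  };
  for (const [p, m] of Object.entries(pkgs))
    if (p && nameOf(p) === name && cmp(m.version, maxBad) <= 0) walk(p, [`${name}@${m.version}`], new Set([p]));
  return out;
}

console.log(chainsTo(SAMPLE_LOCK, "tmp", "0.2.3"));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`.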
