Skip to content

Bump tmp and inquirer#4

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-b3187a7a52
Open

Bump tmp and inquirer#4
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-b3187a7a52

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Removes tmp. It's no longer used after updating ancestor dependency inquirer. These dependencies need to be updated together.

Removes tmp

Updates inquirer from 6.2.0 to 14.0.2

Release notes

Sourced from inquirer's releases.

inquirer@14.0.2

  • Fix security warnings in external-editor

inquirer@14.0.1

  • Rolled back mute-stream dependency from v4 to v3 to undo breaking compatible engines.
  • Added tooling to prevent regression of the above in the future. This surfaced our min engines already enforced a higher limit, so adjusted the explicit limits to match the current state.

inquirer@14.0.0

  • Fix (breaking): Inquirer will now throw when encountering non-registered prompt. Prior to this fix, Inquirer would default to type: 'input' in such cases - this behaviour was misleading and made it harder to detect broken code when not using Typescript.
  • Feat: Read env variable INQUIRER_KEYBINDINGS to enable vim or emacs keybindings; making this a user preference instead of a library author preference. One caveat is doing so disable the search feature in the select prompt. Syntax: INQUIRER_KEYBINDINGS=vim,emacs.
  • Fix: Line wraps would sometime cause the cursor to be mispositioned relative to the input.
  • Chore: Dropped the rxjs dependency in favor of a lightweight internal Observable implementation. The package is much smaller for most users now.
  • Chore: Bump dependencies.

inquirer@13.4.3

  • Fix: Windows rendering bug
  • Fix: Preserve exact literal types in choices array (Typescript only)
  • Fix: Allow input default value to be of type undefined (Typescript only)
  • Bump dependencies

inquirer@13.4.2

  • Fix: some Windows terminals would freeze and not react to keypresses.

inquirer@13.4.1

  • Improve expand prompt type inferrence.

inquirer@13.4.0

  • Feat: Added a loading message while validating editor prompt input.
  • Type improvement: Better type inference with checkbox, search and expand prompts.
  • Fix: editor prompt not always properly handling editor path on windows.

inquirer@13.3.2

  • Fix broken 1.3.1 release process.

inquirer@13.2.5

What's Changed

... (truncated)

Commits
  • bfd8710 chore: Publish new release
  • 55cc5f3 feat: add reusable package lint CLI
  • 3af9ed0 test(inquirer): capture prompt runner output
  • 4381857 fix(@​inquirer/input): remove stale lint suppression
  • 45df331 fix(@​inquirer/external-editor): harden editor temp files
  • adef323 chore: limit CI token permissions
  • b43359d chore: Publish new release
  • 24ecae2 chore: fix yarn.lock
  • b078d97 fix: validate package engine compatibility
  • 3a49f9f chore(deps-dev): Bump oxfmt in the formatting group (#2143)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 17, 2026
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump tmp and inquirer
Semver major (6.2.014.0.2)
Files (2) package-lock.json, package.json
Diff size +456 / −215

Why this was not merged automatically

  1. This looks like a major semver jump (6.2.014.0.2).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-b3187a7a52 branch from fc0ae77 to 3c5e331 Compare July 17, 2026 13:42
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump tmp and inquirer
Semver major (6.2.014.0.2)
Files (2) package-lock.json, package.json
Diff size +377 / −231

Why this was not merged automatically

  1. This looks like a major semver jump (6.2.014.0.2).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

1 similar comment
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump tmp and inquirer
Semver major (6.2.014.0.2)
Files (2) package-lock.json, package.json
Diff size +377 / −231

Why this was not merged automatically

  1. This looks like a major semver jump (6.2.014.0.2).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

Removes [tmp](https://github.com/raszi/node-tmp). It's no longer used after updating ancestor dependency [inquirer](https://github.com/SBoudrias/Inquirer.js). These dependencies need to be updated together.


Removes `tmp`

Updates `inquirer` from 6.2.0 to 14.0.2
- [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
- [Commits](https://github.com/SBoudrias/Inquirer.js/compare/inquirer@6.2.0...inquirer@14.0.2)

---
updated-dependencies:
- dependency-name: inquirer
  dependency-version: 14.0.2
  dependency-type: direct:production
- dependency-name: tmp
  dependency-version:
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-b3187a7a52 branch from 3c5e331 to 63b1af0 Compare July 17, 2026 13:59
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: high

What changed

Title Bump tmp and inquirer
Semver major (6.2.014.0.2)
Files (2) package-lock.json, package.json
Diff size +376 / −231

Why this was not merged automatically

  1. This looks like a major semver jump (6.2.014.0.2).
  2. Major dependency upgrades can introduce breaking API or runtime changes.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant