Skip to content

chore(deps): bump inquirer from 12.11.1 to 13.1.0#1

Merged
fank merged 1 commit intomainfrom
dependabot/npm_and_yarn/inquirer-13.1.0
Dec 22, 2025
Merged

chore(deps): bump inquirer from 12.11.1 to 13.1.0#1
fank merged 1 commit intomainfrom
dependabot/npm_and_yarn/inquirer-13.1.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Dec 22, 2025

Bumps inquirer from 12.11.1 to 13.1.0.

Release notes

Sourced from inquirer's releases.

inquirer@13.1.0

  • Feat: rawlist now supports default option.
  • Fix: select now infer return type properly when passing a choices array of string literals.

inquirer@13.0.2

  • Fix Typescript not discovering types when moduleResolution is set to commonjs (you probably want to fix that in your project if it's still in your tsconfig)

inquirer@13.0.0

Release Notes

🚨 Breaking Changes

This is a major release that modernizes the codebase for Node.js ≥ 20.

ESM Only - No More CommonJS Support

Impact: All packages are now ESM-only. CommonJS imports are no longer supported.

If you're on modern Node versions (≥ 20), this should be transparent and have no impact.

Node.js Version Requirement

Minimum Node.js version is now 20.x

Node.js versions below 20 are no longer supported. Please upgrade to Node.js 20 or later.

Node min versions: >=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0

Deprecated APIs Removed

The following deprecated APIs have been removed after being deprecated in previous releases:

list prompt alias removed (affects inquirer package only)

The list alias has been removed from the inquirer package. This only impacts users of the legacy inquirer package, not users of @inquirer/prompts or individual prompt packages.

// ❌ No longer available (inquirer package only)
import inquirer from 'inquirer';
const answer = await inquirer.prompt([
  { type: 'list', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] }
]);
// ✅ Use 'select' instead
import inquirer from 'inquirer';
const answer = await inquirer.prompt([
{ type: 'select', name: 'choice', message: 'Pick one:', choices: ['a', 'b'] }
]);

... (truncated)

Commits
  • 7eedd8e chore: Publish new release
  • 23201ba feat(@​inquirer/rawlist) Add support for default
  • 8713b89 fix(@​inquirer/select) Review default typing to no infer valid value
  • d05ce35 fix(@​inquirer/testing): preserve Value type inference in render()
  • cfef911 fix(@​inquirer/select): infer Value type from string[] choices
  • 6dda7b6 feat(@​inquirer/core): Add shift to KeypressEvent
  • 24ec7ee Chore(deps): Bump type-fest from 5.3.0 to 5.3.1 in the types group
  • 3759e85 Chore(deps-dev): Bump turbo from 2.6.1 to 2.6.3 in the build group
  • 9c72429 chore: Publish new release
  • e874a21 fix: Refresh yarn setup. Fixes #1902
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump inquirer from 12.11.1 to 13.1.0
ee06b6f 
Bumps [inquirer](https://github.com/SBoudrias/Inquirer.js) from 12.11.1 to 13.1.0.
- [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
- [Commits](https://github.com/SBoudrias/Inquirer.js/compare/inquirer@12.11.1...inquirer@13.1.0)

---
updated-dependencies:
- dependency-name: inquirer
  dependency-version: 13.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Dec 22, 2025

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@fank fank added dependencies Pull requests that update a dependency file javascript Pull requests that update JavaScript code labels Dec 22, 2025
@fank
Copy link
Copy Markdown
Member

fank commented Dec 22, 2025

Requires manual review: Major version bump detected (inquirer 12.11.1→13.1.0).

@fank fank merged commit c878719 into main Dec 22, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/inquirer-13.1.0 branch December 22, 2025 12:22
fank added a commit that referenced this pull request Apr 11, 2026
@fank
ci: set explicit contents: read permissions on workflows
890cb40 
Addresses CodeQL alerts #1, #3, #9 (actions/missing-workflow-permissions).
Both workflows only need read access to the repo contents, so the minimal
permissions block is set at the workflow level.
@fank fank mentioned this pull request Apr 11, 2026
Merged
3 tasks
fank added a commit that referenced this pull request Apr 11, 2026
@fank
fix: address CodeQL security alerts (#70)
0a4e992 
* ci: set explicit contents: read permissions on workflows

Addresses CodeQL alerts #1, #3, #9 (actions/missing-workflow-permissions).
Both workflows only need read access to the repo contents, so the minimal
permissions block is set at the workflow level.

* fix: use exact-match check for git SSH rewrite config value

The installers were using .includes('https://github.com/') to check the
output of `git config --get url.git@github.com:.insteadOf`. That output
is either empty or exactly the value we set ourselves, so exact match
is both more correct and silences CodeQL's
js/incomplete-url-substring-sanitization rule.

Addresses CodeQL alerts #5, #6, #7, #8 across atl, discord, esq, and
n8n installers.

* fix(grafanactl): redact secrets from runConfig error messages

runConfig threw errors containing the full args joined — for
`config set contexts.X.grafana.password <value>` that embedded the
plaintext password in error.message, which was then logged by the
outer catch handler.

Add a redactSensitiveArgs helper that replaces any value whose
preceding key matches .token / .password / .secret / .apikey with
<redacted> before building the error message.

Addresses CodeQL alert #4 (js/clear-text-logging, error severity).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update JavaScript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fank