cli: CVE with transitive dependency `tmp`

[blimmer]

Description

cdktf-cli transitively depends on tmp via inqurier:

> npm ls tmp
test-cdkcli@1.0.0 /private/tmp/test-cdkcli
└─┬ cdktf-cli@0.21.0
  └─┬ @inquirer/prompts@2.3.1
    └─┬ @inquirer/editor@1.2.15
      └─┬ external-editor@3.1.0
        └── tmp@0.0.33

tmp versions <= 0.2.3 trigger a warning in dependabot: GHSA-52f5-9888-hmc6

This has been fixed upstream in inquirer: SBoudrias/Inquirer.js#1802

However, the current version of inquirer is pinned back at 2.x:

terraform-cdk/packages/cdktf-cli/package.json

Line 46 in a36c83b

"@inquirer/prompts": "2.3.1",

References

• GHSA-52f5-9888-hmc6

Help Wanted

• I'm interested in contributing a fix myself

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[rcollette]

This issue affects FedRAMP deployment environments. As a low level issue, it is expected to be resolved in 120 days.