@inquirer/core — Greenflagged

Core Inquirer prompt API

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sboudriasmischah

Keywords

answeranswersaskbaseclicommandcommand-lineconfirmenquirergenerategeneratorhyperinputinquireinquirerinterfaceitermjavascriptmenunodenodejspromptpromptlypromptsquestionreadlinescaffoldscaffolderscaffoldingstdinstdoutterminalttyuiyeomanyozsh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-dropped	AI (source-diff): Package ships only compiled dist/ output; source size drop is an artifact of the diff baseline, not a real stub/redirect replacement.	ai	2026/04/27
phantom-deps	phantom-dep:run-async	AI (phantom-deps): run-async is a declared runtime dependency used for async task execution; phantom-dep finding is a false positive for utility libraries.	ai	2026/04/27
dependencies	unvetted-dep:figures	AI (dependencies): figures is a well-known Sindre Sorhus package for terminal symbols; its use in a CLI prompt library is expected and benign.	ai	2026/04/24
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a TypeScript type package loaded by convention; not a real phantom dependency risk for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@types/wrap-ansi	AI (phantom-deps): @types/wrap-ansi is a TypeScript type package; its presence as a declared but not directly imported dep is expected and benign.	ai	2026/04/23
phantom-deps	phantom-dep:@types/mute-stream	AI (phantom-deps): @types/mute-stream is a TypeScript type package; its presence as a declared but not directly imported dep is expected and benign.	ai	2026/04/23
dependencies	unvetted-dep:@types/wrap-ansi	AI (dependencies): @types/wrap-ansi is a TypeScript type definition package with no executable runtime code; it poses no security risk and is a stable dependency for this package.	ai	2026/04/23
dependencies	unvetted-dep:ansi-escapes	AI (dependencies): ansi-escapes is a legitimate, widely-used ANSI escape code utility; appropriate for a CLI prompt library.	ai	2026/04/23
phantom-deps	phantom-dep:@inquirer/figures	AI (phantom-deps): Same-org monorepo dependency; terminal figures/symbols for UI rendering.	ai	2026/04/23
phantom-deps	phantom-dep:fast-wrap-ansi	AI (phantom-deps): New dependency for ANSI text wrapping; legitimate utility for terminal output formatting.	ai	2026/04/23
phantom-deps	phantom-dep:cli-width	AI (phantom-deps): Legitimate runtime dependency for CLI width detection; indirectly used through package modules.	ai	2026/04/23
phantom-deps	phantom-dep:mute-stream	AI (phantom-deps): Legitimate runtime dependency for stream muting in terminal I/O; indirectly used.	ai	2026/04/23
phantom-deps	phantom-dep:signal-exit	AI (phantom-deps): Legitimate runtime dependency for signal handling; indirectly used through package modules.	ai	2026/04/23
phantom-deps	phantom-dep:@inquirer/ansi	AI (phantom-deps): Same-org monorepo dependency; core ANSI utilities for terminal rendering.	ai	2026/04/23
phantom-deps	phantom-dep:@inquirer/type	AI (phantom-deps): Same-org monorepo dependency; type definitions used by core prompt API.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): Dependency swap from wrap-ansi to fast-wrap-ansi is a benign substitution by a trusted, long-standing publisher with a strong track record.	ai	2026/04/23
dependencies	unvetted-dep:cli-width	AI (dependencies): cli-width is a long-standing utility dependency of Inquirer.js; no security concern.	ai	2026/04/21
dependencies	unvetted-dep:mute-stream	AI (dependencies): mute-stream is a long-standing utility dependency of Inquirer.js; no security concern.	ai	2026/04/21
dependencies	unvetted-dep:@inquirer/figures	AI (dependencies): @inquirer/figures is a first-party package from the same Inquirer.js monorepo by sboudrias.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped package @inquirer/core in official Inquirer.js namespace; clearly distinct from unscoped 'cors'.	ai	2026/04/21
dependencies	unvetted-dep:@inquirer/type	AI (dependencies): @inquirer/type is a first-party type package from the same Inquirer.js monorepo by sboudrias.	ai	2026/04/21
dependencies	unvetted-dep:fast-wrap-ansi	AI (dependencies): fast-wrap-ansi is a minor utility dependency with a reasonable version constraint; no material risk.	ai	2026/04/21