inquirer — Greenflagged

A collection of common interactive command line user interfaces.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sboudriasmischahruyadorno

Keywords

answeranswersaskbaseclicommandcommand-lineconfirmenquirergenerategeneratorhyperinputinquireinquirerinterfaceitermjavascriptmenunodenodejspromptpromptlypromptsquestionreadlinescaffoldscaffolderscaffoldingstdinstdoutterminalttyuiyeomanyozsh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:mute-stream	AI (phantom-deps): mute-stream is explicitly declared in package.json; phantom-dep finding is a false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:readline2	AI (dependencies): readline2 is a well-known readline wrapper by the same author (sboudrias); its use in inquirer is expected and stable across versions.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is an intentional design pattern in Inquirer.js for loading registered prompt types; values come from an internal registry, not arbitrary user input. Stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:charm	AI (dependencies): charm is a legitimate terminal manipulation library; its use in inquirer (an interactive CLI prompt package) is expected and benign across all versions.	ai	2026/04/22
dependencies	unvetted-dep:@types/mute-stream	AI (dependencies): @types/mute-stream is the TypeScript type definitions for mute-stream, a direct runtime dep of inquirer. Its inclusion is intentional and benign for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@types/mute-stream	AI (phantom-deps): Type definitions are framework-scoped and loaded by convention; not a phantom dependency issue.	ai	2026/04/22
provenance	missing-githead	AI (provenance): The package.json for this version actually contains a gitHead field; the finding appears to be a false positive. Stable for this well-established package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): New deps (ora, rxjs, wrap-ansi, @inquirer/external-editor) are all established packages appropriate for CLI UI library.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer addition in active project; no evidence of compromise and publisher has strong track record.	ai	2026/04/22
dependencies	unvetted-dep:external-editor	AI (dependencies): external-editor is a legitimate utility for spawning external editors in CLI tools, a documented dependency of inquirer.	ai	2026/04/22
dependencies	unvetted-dep:figures	AI (dependencies): figures is an established package for terminal symbols; stable dependency for inquirer's CLI UI.	ai	2026/04/22
dependencies	unvetted-dep:rx	AI (dependencies): rx is a legitimate RxJS v4 library, a long-standing dependency of inquirer; no security concern.	ai	2026/04/22
dependencies	unvetted-dep:ansi-escapes	AI (dependencies): ansi-escapes is a stable, widely-used ANSI escape code utility; unvetted status is expected for utility libraries.	ai	2026/04/22
dependencies	unvetted-dep:rxjs	AI (dependencies): rxjs is a well-established reactive library with millions of weekly downloads; its use in inquirer is expected and benign.	ai	2026/04/21
dependencies	unvetted-dep:run-async	AI (dependencies): run-async is a small, well-known utility; its use in inquirer is longstanding and expected.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; no provenance is expected and stable for this package.	ai	2026/04/21

Versions (showing 51 of 234)

View all versions

Version	Deps	Published
14.0.1	6 / 4	2026-05-29
14.0.0	6 / 4	2026-05-25
13.4.3	7 / 3	2026-05-10
13.4.2	7 / 3	2026-04-19
13.4.1	7 / 3	2026-04-07
13.4.0	7 / 3	2026-04-06
13.3.2	7 / 3	2026-03-15
13.3.1	7 / 3	2026-03-15
13.3.0	7 / 3	2026-02-22
13.2.5	7 / 3	2026-02-16
13.2.4	7 / 3	2026-02-14
13.2.3	7 / 3	2026-02-14
13.2.2	7 / 3	2026-01-28
13.2.1	7 / 3	2026-01-20
13.2.0	7 / 3	2026-01-11
13.1.0	7 / 3	2025-12-13
13.0.2	7 / 3	2025-12-02
13.0.1	7 / 3	2025-11-17
13.0.0	7 / 3	2025-11-16
12.11.1	7 / 4	2025-11-12
12.11.0	7 / 4	2025-11-08
12.10.0	7 / 4	2025-10-13
12.9.6	7 / 4	2025-09-14
12.9.5	7 / 4	2025-09-14
12.9.4	7 / 4	2025-08-24
12.9.3	7 / 4	2025-08-17
12.9.2	7 / 4	2025-08-13
12.9.1	7 / 4	2025-08-08
12.9.0	7 / 4	2025-07-28
12.8.2	7 / 4	2025-07-21
12.8.1	7 / 4	2025-07-21
12.8.0	7 / 4	2025-07-20
12.7.0	7 / 4	2025-07-01
12.6.3	7 / 4	2025-05-25
12.6.2	7 / 4	2025-05-23
12.6.1	7 / 4	2025-05-10
12.6.0	7 / 4	2025-04-24
12.5.2	7 / 4	2025-04-03
12.5.1	7 / 4	2025-04-03
12.5.0	7 / 4	2025-03-15
12.4.3	7 / 4	2025-03-08
12.4.2	7 / 4	2025-02-15
12.4.1	7 / 4	2025-02-02
12.4.0	7 / 4	2025-02-02
12.3.3	7 / 4	2025-01-28
12.3.2	7 / 4	2025-01-13
12.3.1	7 / 4	2025-01-11
12.3.0	7 / 4	2024-12-20
12.2.0	7 / 4	2024-12-07
12.1.0	7 / 4	2024-11-11
12.0.1	7 / 4	2024-10-25