@inquirer/external-editor is vulnerable to Path traversal
38
Low Risk
The package previously created temp files and launched an external editor in ways that could allow path escaping from the intended temp location and/or unsafe command interpretation. The fix creates a dedicated temporary directory (mkdtempSync) and always places the temp file under it (then recursively cleans it up), and it hardens editor process launching by disabling shell execution (shell: false) and handling spawn errors.
You are affected if you are using a version that falls within the vulnerable range.
@inquirer/external-editor is vulnerable to Path traversal in versions 0.0.1 - 3.0.2.
Upgrade the @inquirer/external-editor library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant