Merge pull request #2462 from alphagov/use-inquirer-prompts

Migrate to use `@inquirer/confirm`

Author: 36degrees

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Fixes
+
+- [#2462: Update from inquirer 8.2.6 to @inquirer/confirm 5.1.15 to address a vulnerability in tmp](https://github.com/alphagov/govuk-prototype-kit/pull/2462)
+
 ## 13.18.0
 
 ### New features

lib/usage-data.js

@@ -4,7 +4,7 @@ const os = require('os')
 const path = require('path')
 
 // npm dependencies
-const inquirer = require('inquirer')
+const { default: confirm } = require('@inquirer/confirm')
 const universalAnalytics = require('universal-analytics')
 const { v4: uuidv4 } = require('uuid')
 const ansiColors = require('ansi-colors')
@@ -50,14 +50,15 @@ function setUsageDataConfig (usageDataConfig) {
 
 // Ask for permission to track data
 // returns a Promise with the user's answer
-function askForUsageDataPermission () {
-  return inquirer.prompt([{
-    name: 'usageData',
-    message: USAGE_DATA_PROMPT,
-    type: 'confirm',
-    when: () => process.stdout.isTTY,
-    default: false
-  }]).then(answers => answers.usageData)
+async function askForUsageDataPermission () {
+  if (process.stdout.isTTY) {
+    return confirm({
+      message: USAGE_DATA_PROMPT,
+      default: false
+    })
+  }
+
+  return false
 }
 
 function startTracking (usageDataConfig) {

lib/usage-data.test.js

@@ -0,0 +1,77 @@
+const { askForUsageDataPermission } = require('./usage-data')
+
+jest.mock('@inquirer/confirm')
+
+const { default: confirm } = require('@inquirer/confirm')
+
+describe('askForUsageDataPermission', () => {
+  afterEach(() => {
+    jest.resetAllMocks()
+  })
+
+  describe('when in an interactive shell', () => {
+    // We can't use jest.replaceProperty here because in a non-TTY environment
+    // the isTTY property doesn't exist on process.stdout, and Jest will only
+    // replace existing properties.
+    let originalTTY
+
+    beforeAll(() => {
+      originalTTY = process.stdout.isTTY
+      process.stdout.isTTY = true
+    })
+
+    afterAll(() => {
+      process.stdout.isTTY = originalTTY
+    })
+
+    it('asks the user for confirmation', () => {
+      askForUsageDataPermission()
+
+      expect(confirm).toHaveBeenCalledTimes(1)
+      expect(confirm).toHaveBeenCalledWith({
+        default: false,
+        message: expect.stringContaining(
+          'Do you give permission for the kit to send anonymous usage data?'
+        )
+      })
+    })
+
+    it('returns true if the user accepts tracking', async () => {
+      confirm.mockResolvedValue(true)
+
+      expect(await askForUsageDataPermission()).toBe(true)
+    })
+
+    it('returns false if the user does not accept tracking', async () => {
+      confirm.mockResolvedValue(false)
+
+      expect(await askForUsageDataPermission()).toBe(false)
+    })
+  })
+
+  describe('when in a non-interactive shell', () => {
+    // We can't use jest.replaceProperty here because in a non-TTY environment
+    // the isTTY property doesn't exist on process.stdout, and Jest will only
+    // replace existing properties.
+    let originalTTY
+
+    beforeAll(() => {
+      originalTTY = process.stdout.isTTY
+      process.stdout.isTTY = undefined
+    })
+
+    afterAll(() => {
+      process.stdout.isTTY = originalTTY
+    })
+
+    it('does not ask the user for confirmation', () => {
+      askForUsageDataPermission()
+
+      expect(confirm).not.toHaveBeenCalled()
+    })
+
+    it('returns false', async () => {
+      expect(await askForUsageDataPermission()).toBe(false)
+    })
+  })
+})

lib/utils/index.js

@@ -7,7 +7,7 @@ const semver = require('semver')
 const { existsSync } = require('fs')
 
 // npm dependencies
-const inquirer = require('inquirer')
+const { default: confirm } = require('@inquirer/confirm')
 const portScanner = require('portscanner')
 const { marked } = require('marked')
 
@@ -108,12 +108,10 @@ function findAvailablePort (callback) {
       console.error('ERROR: Port ' + port + ' in use - you may have another prototype running.\n')
 
       // Ask user if they want to change port
-      inquirer.prompt([{
-        name: 'changePort',
-        message: 'Change to an available port?',
-        type: 'confirm'
-      }]).then(answers => {
-        if (answers.changePort) {
+      confirm({
+        message: 'Change to an available port?'
+      }).then(changePort => {
+        if (changePort) {
           // User answers yes
           port = availablePort