[Security] @turbo/gen dependency vulnerability issue #10840

@SohelIslamImran

Description

Verify canary release

  • I verified that the issue exists in the latest Turborepo canary release.

Link to code that reproduces this issue

npm audit | bun audit

Which canary version will you have in your reproduction?

2.5.6

Environment information

CLI:
   Version: 2.5.6
   Path to executable: /Users/sohelislamimran/Development/kuno-frontend/node_modules/turbo-darwin-arm64/bin/turbo
   Daemon status: Not running
   Package manager: bun

Platform:
   Architecture: aarch64
   Operating system: macos
   WSL: false
   Available memory (MB): 2856
   Available CPU cores: 12
Environment:
   CI: None
   Terminal (TERM): xterm-ghostty
   Terminal program (TERM_PROGRAM): ghostty
   Terminal program version (TERM_PROGRAM_VERSION): 1.1.3
   Shell (SHELL): /bin/zsh
   stdin: false

Expected behavior

The version of the inquirer package that @turbo/gen uses has a security issue flagged by npm audit. They already addressed the issue in SBoudrias/Inquirer.js#1802.

Please update the version of the package to the latest to fix it.

bun audit v1.2.21 (7c45ed97)
tmp  <=0.2.3
  @turbo/gen › inquirer › external-editor › tmp
  low: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6

1 vulnerabilities (1 low)

Actual behavior

1 vulnerability in a dependency

To Reproduce

npm audit | bun audit

Additional context

No response

Metadata

Labels

kind: bug (Something isn't working)
