Skip to content

chore(deps): Bump @inquirer/prompts from 7.10.1 to 8.3.0#18

Closed
dependabot[bot] wants to merge 38 commits intomainfrom
dependabot/npm_and_yarn/inquirer/prompts-8.3.0
Closed

chore(deps): Bump @inquirer/prompts from 7.10.1 to 8.3.0#18
dependabot[bot] wants to merge 38 commits intomainfrom
dependabot/npm_and_yarn/inquirer/prompts-8.3.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 2, 2026

Bumps @inquirer/prompts from 7.10.1 to 8.3.0.

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.3.0

  • Fix: Keypresses happening before a prompt is rendered are now ignored.
  • Fix (checkbox): Element who're both checked and disabled are now always included in the returned array.
  • Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing.
  • Feat: various new theme options to make all prompts content localizable.

Finally, see our new @inquirer/i18n package!

@​inquirer/prompts@​8.2.1

  • chore: Switch wrap-ansi with fast-wrap-ansi

@​inquirer/prompts@​8.2.0

  • feat(search): Add support for default.
  • feat(rawlist): Add support for description of choices. That information is displayed under the list when the choice is highlighted.
  • Bump dependencies

@​inquirer/prompts@​8.1.0

  • Feat: rawlist now supports default option.
  • Fix: select now infer return type properly when passing a choices array of string literals.

@​inquirer/prompts@​8.0.2

  • Fix Typescript not discovering types when moduleResolution is set to commonjs (you probably want to fix that in your project if it's still in your tsconfig)

@​inquirer/prompts@​8.0.0

Release Notes

🚨 Breaking Changes

This is a major release that modernizes the codebase for Node.js ≥ 20.

ESM Only - No More CommonJS Support

Impact: All packages are now ESM-only. CommonJS imports are no longer supported.

If you're on modern Node versions (≥ 20), this should be transparent and have no impact.

Node.js Version Requirement

Minimum Node.js version is now 20.x

Node.js versions below 20 are no longer supported. Please upgrade to Node.js 20 or later.

Node min versions: >=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0

Deprecated APIs Removed

The following deprecated APIs have been removed after being deprecated in previous releases:

list prompt alias removed (affects inquirer package only)

... (truncated)

Commits
  • 526eca2 chore: Publish new release
  • 60d02c4 docs(@​inquirer/prompts): highlight auto-detected locale in i18n section (#2011)
  • f773d21 feat(@​inquirer/prompts-i18n) New i18n package with first set of localization ...
  • dd52bbe feat: allow cursor to land on disabled choices (#2008)
  • 64622ed feat(@​inquirer/testing): add nextRender() to unit test render API (#2010)
  • 32ed010 refactor(@​inquirer/select,@​inquirer/checkbox): clean up disabled choice rende...
  • b23a483 fix(@​inquirer/checkbox): include disabled+checked items in the answer
  • fd40b43 fix(@​inquirer/core): discard keystrokes buffered before prompt creation
  • fd001c1 chore: Publish new release
  • 260d7eb fix(@​inquirer/testing): handle SWC-style namespace objects and missing option...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

girste and others added 30 commits March 1, 2026 14:19
@girste
first commit
ed76cd5 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: parse DEPS block inside PROJECT
e267621 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: auto-create state, vault and .gitignore on validate
95c019a 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: vault redesign, state CHECKS, SECRETS parsing
e1f03f1 
- vault.py rewrite: status file (SET/UNSET) vs encrypted blob separation
  - vault_[name].enth = human-readable SET/UNSET status, gitignored, no values
  - ~/.enthropic/[name].secrets = Fernet encrypted JSON blob (AES-128-CBC + HMAC-SHA256)
  - ~/.enthropic/[name].key = encryption key, chmod 600, never in repo
  - set_secret / delete_secret / list_keys / export_env API
- parser.py: SECRETS block parsing, EnthSpec.secrets field
- state.py: CHECKS section derived from LANG + DEPS in spec
- cli.py: validate auto-regenerates vault from SECRETS on every run
  vault commands pass secret_names for status refresh after mutations

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: parser handles PROJECT with inline identifier
808e242 
'PROJECT myname' sets NAME as default if not overridden by NAME sub-key.
Backward compatible — bare 'PROJECT' still works.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
rewrite: Rust CLI replaces Python implementation
dd9eb88 
Single binary, zero runtime dependencies.
- parser.rs: .enth DSL parser → EnthSpec struct
- validator.rs: 13 validation rules
- state.rs: state file generation with CHECKS section
- vault.rs: ChaCha20-Poly1305 encryption (~/.enthropic/)
- context.rs: AI context block generation
- main.rs: clap CLI (validate, context, state, vault commands)

Python package (enthropic/) and pyproject.toml removed.
Release binary: 1.2MB, no install prerequisites.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: TUI branding + setup/new/build commands
7da5e60 
- tui.rs: 🧠 pink ASCII header (slant font) on every command
  pink accent color256(218), consistent print_success/error/info helpers
- global_config.rs: BYOK API key storage encrypted in ~/.enthropic/global.keys
  supports anthropic, openai, openrouter providers
- setup.rs: guided API key wizard (dialoguer select + hidden password input)
- new_wizard.rs: interactive .enth creation (name, lang, arch, entities, layers, secrets)
  auto-validates and creates state/vault/.gitignore on completion
- build_cmd.rs: AI chat REPL — loads spec+state as system context, interactive loop
  supports anthropic/openai/openrouter, maintains conversation history

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: self-spec + pink color fix
22f9180 
- enthropic.enth: spec for enthropic-tools itself (dogfooding)
  LAYERS: CLI / CORE / STORAGE / AI
  FLOWS: setup, new_project, build_session
  contracts on vault_entry (never plaintext), ai_session (requires valid spec)
- tui.rs: color256(219) — soft pink/rose

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
add SVG banner, fix setup to fetch live models from provider APIs
5d134b8 
- fetch models from Anthropic/OpenAI/OpenRouter APIs after key entry
- OpenRouter models are public (no key needed to list)
- fallback to manual input if fetch fails
- removed all hardcoded model names

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
docs: expand README with vault/state examples and security model table
b62278f 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: keep user in flow after setup and build with no spec
511cb3e 
- setup: after saving config, ask 'Create a new project now?'
- build: if no .enth found, offer to create one instead of exiting

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: rebuild build as spec consultant
4c9f09c 
- build is now an AI-driven spec creation session, not a coding REPL
- AI asks questions, flags missing pieces, outputs complete .enth
- type 'save' to validate and write spec to disk with state/vault files
- if existing spec found, offers to refine or start fresh
- spec is the output, not the input

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: custom help screen, exit confirmation, better build layout
b30ff47 
- enthropic (no args) shows styled help screen instead of clap error
- build: exit requires confirmation to prevent accidental quit
- build: dot divider between exchanges, cleaner session header
- build: API errors show message and stay in loop (don't crash)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
chore: CI/CodeQL workflows, MIT license, governance files
2d326e4 
- .github/workflows/ci.yml: cargo fmt, clippy, build, test, cargo-audit
- .github/workflows/codeql.yml: weekly + on-push Rust analysis
- LICENSE: MIT
- SECURITY.md: security model table, disclosure process
- CONTRIBUTING.md: contribution guidelines grounded in spec
- Cargo.toml: license, description, repository metadata
- tui.rs: tagline updated to 'true spec-driven development'
- README: badges (CI, CodeQL, license, Rust), updated build description

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
style: cargo fmt
f281b99 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: MCP server (enthropic serve) + Dockerfile
045df2c 
- src/mcp.rs: MCP 2024-11-05 stdio server
  - tools: read_spec, get_context, validate_spec, spec_summary
  - JSON-RPC over stdin/stdout, newline-delimited
- main.rs: 'enthropic serve' command + help screen entry
- Dockerfile: multi-stage alpine build, ENTRYPOINT = serve
- README: MCP setup for Claude Desktop + Docker, tool table

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: resolve all clippy warnings; add Rust security & quality workflows
011c797 
- add cargo-deny check (license, advisories, bans, sources) with deny.toml
- add MSRV job (Rust 1.75) to CI
- add OpenSSF Scorecard workflow (publishes to GitHub Security tab)
- add SLSA level 3 provenance workflow (triggered on release)
- add Trivy security scan (filesystem + Docker image → SARIF)
- add cargo-geiger unsafe code audit
- set rust-version = "1.75" in Cargo.toml
- update README badges: Scorecard, SLSA, Security Scan, Rust 1.75+

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
chore: add Dependabot for Cargo and GitHub Actions
fa76caa 
Weekly PRs on Monday — max 5 open at a time.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
ci: add dedicated Rust lint workflow
bbc1c57 
- rustfmt: formatting check (separate job)
- clippy: errors on correctness/suspicious/complexity/perf,
  warns on pedantic/nursery (visibility without blocking)
- docs: cargo doc --no-deps with -D warnings (rustdoc clean)
- Lint badge added to README

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: scorecard token, pin trivy version, reorder README badges
998ced8 
- scorecard: add repo_token (fixes 'invalid repo path' error)
- security-scan: pin trivy to 0.28.0 (drop unstable @master)
- security-scan: remove cargo-geiger (compile time too slow for CI)
- README: license + rust-version badges moved to bottom

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
ci: retrigger workflows after cancelling dependabot queue
b45bafc 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: rustls for musl compat, drop -D warnings from pedantic lints, up…
237d905 
…date trivy action

- reqwest: switch to rustls-tls + default-features=false (no OpenSSL dep)
  fixes Docker build on alpine/musl
- lint.yml: remove -D warnings so pedantic/nursery stay as warnings not errors
  (127 clippy errors were all uninlined_format_args from pedantic)
- security-scan: bump trivy-action 0.28.0 → 0.30.0

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: resolve all clippy pedantic/nursery warnings
2ddb769 
- let_else: rewrite if-let-else-return as let-else in build_cmd.rs
- items_after_statements: move use/struct before statements in build_cmd.rs, mcp.rs, new_wizard.rs
- needless_pass_by_value: id: Value → id: &Value in all mcp.rs handlers
- or_fun_call: unwrap_or → unwrap_or_else in main.rs and mcp.rs
- format_collect: push_str+format! → writeln! in new_wizard.rs
- option_if_let_else: map_or/map_or_else in parser.rs, mcp.rs, main.rs
- too_many_lines: #[allow] on legitimately large build/wizard/validator fns
- unnecessary_wraps: generate_vault_file returns String instead of Result<String>
- literal_string_with_formatting_args: change {version} placeholder in context.rs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
chore: update all dependencies, fix MSRV 1.80
7f98da5 
- colored 2 → 3 (MSRV 1.80, removes lazy_static)
- rand 0.8 → 0.10 (thread_rng() → rand::fill(), remove unused import)
- indicatif 0.17 → 0.18
- console 0.15 → 0.16
- MSRV bumped 1.75 → 1.80 in Cargo.toml and CI
- dependabot.yml: ignore MSRV rust-toolchain pin
- tui: const fn for dimmed() and bold_white()

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
chore: bump GitHub Actions to latest major versions
1b9d62d 
- actions/checkout v4 → v6
- github/codeql-action v3 → v4
- actions/upload-artifact v4 → v7
- EmbarkStudios/cargo-deny-action v1 → v2

Supersedes Dependabot PRs #1 #3 #4 #5.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
ci: add auto-labeler for issues and PRs
437de0c 
Labels: ci, dependencies, parser, spec, mcp, security, docker, documentation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: resolve CI failures - MSRV, licenses, trivy install
9addac1 
- Bump MSRV 1.80 → 1.85: cpufeatures 0.3.0 requires edition2024
  (stabilized in Rust 1.85); update both Cargo.toml and CI job
- deny.toml: add MPL-2.0 (webpki-roots 1.0.x) and Unicode-3.0
  to license allowlist; cargo-deny licenses was FAILED without these
- security-scan.yml: replace aquasecurity/trivy-action@0.30.0
  (broken install.sh) with direct GitHub release download; pin to
  trivy 0.61.0, install via curl into /usr/local/bin, run manually

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: add CDLA-Permissive-2.0 to cargo-deny license allowlist
f9b2837 
webpki-roots 1.0.6 uses CDLA-Permissive-2.0 for the Mozilla
certificate store data (not MPL-2.0 as expected).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: install trivy via apt repo instead of curl|tar pipe
061f69d 
The GitHub release download via curl pipe was truncating
(gzip: unexpected end of file). Use the official Aqua Security
apt repository instead - more reliable in GitHub Actions runners.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: correct OpenSSF Scorecard badge URL casing
5fa3b6d 
The Scorecard API is case-sensitive. Org is stored as 'Enthropic-spec'
(capital E) — lowercase 'enthropic-spec' returns 404.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
girste and others added 8 commits March 1, 2026 23:21
@girste
security: pin all actions to SHA, add permissions, bump deps
3f0336b 
- Pin all GitHub Actions to full commit SHA (supply chain security)
  Resolves 37 Scorecard Pinned-Dependencies alerts
- Add permissions: read-all at top level of all workflows;
  move elevated permissions to job level where needed
  Resolves 4 Scorecard Token-Permissions alerts
- Bump ossf/scorecard-action 2.4.0 → 2.4.3 (closes PR #12)
- Bump dialoguer 0.11 → 0.12 (closes PR #11)
- CodeQL cleartext-logging alerts dismissed as false positive:
  #62 (key name only, not value) and #63 (vault export is
  intentionally designed to print secrets to stdout)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: pin Dockerfile base images to SHA digests
5af7316 
Resolves Scorecard Pinned-Dependencies alerts #36 and #61.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
docs: add tooling roadmap section
47f2720 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
docs: expand roadmap to per-item list format
0c40821 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
ci: add path filters and concurrency groups to all workflows
ea3236c 
CI, Lint, CodeQL, Security Scan only trigger on code/config changes.
Docs-only commits skip all heavy workflows.
Concurrency groups cancel outdated runs on rapid pushes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
feat: rewrite CLI from Rust to TypeScript
d61d2b3 
Complete rewrite of enthropic-tools from Rust to TypeScript (Node.js ESM).
Identical CLI UX, same vault encryption wire format (ChaCha20Poly1305),
same MCP stdio protocol and tools.

- Runtime: Rust binary → Node.js 20+ / TypeScript 5
- Package: Cargo.toml → package.json + tsconfig.json
- Deps: commander, chalk, @inquirer/prompts, ora, @noble/ciphers
- Removed: Cargo.toml, Cargo.lock, deny.toml, src/*.rs

- parser: support multiline ENTITY block (indented one-per-line)
- build: AI responds in the user's language
- new wizard: ask AI-guided vs manual at start; manual shows SPEC.md link
- navigation: home menu after each command instead of abrupt exit

- ci.yml: Node.js build/typecheck/lint/audit
- lint.yml: ESLint + tsc --noEmit
- codeql.yml: language javascript, correct init→build→analyze order
- slsa.yml: bundle via ncc, same SLSA Level 3 provenance
- security-scan.yml / scorecard.yml: unchanged logic, SHA comments fixed
- dependabot.yml: cargo → npm ecosystem
- labeler.yml: glob patterns updated to .ts / package.json

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@girste
fix: incorporate remote improvements (concurrency groups, roadmap, TS…
1e35758 
… badge)

- Add concurrency groups + cancel-in-progress to all 5 workflows
- Add detailed roadmap (v0.1-v0.5+) to README
- Replace Rust 1.85+ badge with Node.js 20+ badge

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dependabot
chore(deps): Bump @inquirer/prompts from 7.10.1 to 8.3.0
e55d78c 
Bumps [@inquirer/prompts](https://github.com/SBoudrias/Inquirer.js) from 7.10.1 to 8.3.0.
- [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
- [Commits](https://github.com/SBoudrias/Inquirer.js/compare/@inquirer/prompts@7.10.1...@inquirer/prompts@8.3.0)

---
updated-dependencies:
- dependency-name: "@inquirer/prompts"
  dependency-version: 8.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@girste girste closed this Mar 2, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/inquirer/prompts-8.3.0 branch March 2, 2026 20:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@girste