fix(deps): bump @inquirer/prompts from 5.5.0 to 8.4.2

[dependabot]

Bumps @inquirer/prompts from 5.5.0 to 8.4.2.

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.4.2

• Fix: some Windows terminals would freeze and not react to keypresses.

@​inquirer/prompts@​8.4.1

• Improve expand prompt type inferrence.

@​inquirer/prompts@​8.4.0

• Feat: Added a loading message while validating editor prompt input.
• Type improvement: Better type inference with checkbox, search and expand prompts.
• Fix: editor prompt not always properly handling editor path on windows.

@​inquirer/prompts@​8.3.2

• Fix broken 8.3.1 release process.

@​inquirer/prompts@​8.3.1

• Bump dependencies

@​inquirer/prompts@​8.3.0

• Fix: Keypresses happening before a prompt is rendered are now ignored.
• Fix (checkbox): Element who're both checked and disabled are now always included in the returned array.
• Feat (select/checkbox): Cursor will now hover disabled options of the list; but they still cannot be interacted with. This prevents the cursor jumping ahead in ways that can be confusing.
• Feat: various new theme options to make all prompts content localizable.

Finally, see our new @inquirer/i18n package!

@​inquirer/prompts@​8.2.1

• chore: Switch wrap-ansi with fast-wrap-ansi

@​inquirer/prompts@​8.2.0

• feat(search): Add support for default.
• feat(rawlist): Add support for description of choices. That information is displayed under the list when the choice is highlighted.
• Bump dependencies

@​inquirer/prompts@​8.1.0

• Feat: rawlist now supports default option.
• Fix: select now infer return type properly when passing a choices array of string literals.

@​inquirer/prompts@​8.0.2

• Fix Typescript not discovering types when moduleResolution is set to commonjs (you probably want to fix that in your project if it's still in your tsconfig)

@​inquirer/prompts@​8.0.0

Release Notes

🚨 Breaking Changes

This is a major release that modernizes the codebase for Node.js ≥ 20.

ESM Only - No More CommonJS Support

Impact: All packages are now ESM-only. CommonJS imports are no longer supported.

... (truncated)

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Apr 27, 2026 11:06am

[ci-lockfile-regen]

Dependabot Fix Assessment

Package: `@inquirer/prompts` `5.5.0` → `8.4.2` (major)
Scope: runtime dependency
Workspace: root

What changed upstream

• In v6+, @inquirer/prompts prompts no longer return a CancelablePromise — they return a plain Promise<Value>. The .cancel() method was removed from the returned promise object.
• Cancellation is now handled by passing an AbortSignal via the context (second) argument: confirm(config, { signal }). Aborting the signal cancels the prompt.

Migration concerns checked

• Peer dependencies: OK
• Type changes: The Prompt<Value, Config> type now returns Promise<Value> (was CancelablePromise<Value>). Confirmed in node_modules/@inquirer/type/dist/*.d.ts.
• Config files: OK
• Module format: OK
• React compatibility: N/A
• Monorepo impact: OK — @inquirer/prompts is only used in the root package

What broke

• All CI checks: TypeScript compile error TS2339: Property 'cancel' does not exist on type 'Promise<boolean>' — src/hooks/command_not_found/prompt-utils.ts:27

What was fixed

• Passed the existing AbortSignal as the context argument to confirm(config, { signal }) so aborting the controller cancels the prompt.
• Replaced .then(() => confirmation.cancel()) with .then(() => ac.abort()) in the timeout chain.

Verification

• Build: ✅
• Lint: ✅
• Unit tests: ✅
• Web CLI tests: N/A (not applicable to this change)

Notes for reviewer

The abort flow is unchanged in semantics: the 10-second timeout fires → ac.abort() is called → the AbortSignal cancels the confirm prompt → the catch block returns false. When the user responds before the timeout, the finally block calls ac.abort() which cancels the pending setTimeout. Functionally identical to the old CancelablePromise.cancel() behaviour.

[ci-lockfile-regen]

Dependabot Fix Assessment

Package: `@inquirer/prompts` `5.5.0` → `8.4.2` (major bump — 3 major versions)
Scope: runtime dependency (`dependencies`)
Workspace: root

What changed upstream

• Breaking (v6+): confirm() and other prompts now return plain Promise<Value> instead of CancelablePromise. The .cancel() method no longer exists.
• New cancellation API: Pass { signal: AbortSignal } as the second argument to prompts to support cancellation via AbortController.
• Breaking (v8.0.0): ESM-only — no more CommonJS. Not a concern for this repo ("type": "module" already set).
• v8.3.0: Keypresses before a prompt renders are now ignored (no impact here).
• v8.4.2: Fix for Windows terminal freeze (no impact here).

Migration concerns checked

• Peer dependencies: OK — no new peer deps required
• Type changes: OK — Promise<boolean> vs CancelablePromise<boolean>; handled by removing .cancel() usage
• Config files: OK — no config file changes needed
• Module format: OK — repo is already ESM-only
• React compatibility: N/A — not a React ecosystem change
• Monorepo impact: OK — @inquirer/prompts is only used in the root package (src/hooks/command_not_found/prompt-utils.ts), not in packages/react-web-cli or examples/web-cli

What broke

• src/hooks/command_not_found/prompt-utils.ts: Called .cancel() on the CancelablePromise returned by confirm() to abort the 10-second timeout. In v8, confirm() returns a plain Promise, so .cancel() doesn't exist.

What was fixed

• Passed { signal } from an AbortController as the second argument to confirm().
• Replaced confirmation.cancel() with ac.abort() in the timer callback and finally block.
• No other files use @inquirer/prompts.

Verification

• Build: ✅ (pnpm prepare clean)
• Lint: ✅ (0 errors)
• Unit tests: ✅ (2295 passing)
• Web CLI tests: ✅ (57 passing)

Notes for reviewer

The CI failure in Web CLI E2E Tests — "should handle disconnection and reconnection gracefully" is not caused by this dependency bump. Analysis:

1. @inquirer/prompts is only used in the command_not_found hook, which runs only when a user types an unknown command.
2. The failing E2E test only types --version and help (both valid commands), so the @inquirer/prompts code path never executes during that test.
3. No changes were made to packages/react-web-cli or examples/web-cli.
4. The failure is a timing race: the React component sets componentConnectionStatus = "connected" based on a server message, but the underlying WebSocket's readyState has since transitioned out of OPEN before the test sends its next command. This is pre-existing reconnection timing flakiness unrelated to this PR.
5. The other three reconnection tests in the same suite all passed in that same CI run.