Replacement of listr with a maintained library?

[megg-nudata]

Listr seems to no longer be being maintained and there's a vulnerability in a nested dependency that's used in several places - ansi-regex (see GHSA-93q8-gq69-wqmw). Is there any intention to replace this with a different library that's being maintained? listr2 appears to be a maintained replacement, though I haven't tested it myself.

[simonhaenisch]

Hey, could you please be more specific about how this vulnerability could actually be abused? listr is only used in the CLI version of md-to-pdf anyway, and the only user-provided input is the filename(s) that go into the task title... so if anything, you might be able to ReDoS yourself with very complex file names.

npm's auditing is very noisy, and a lot of times the vulnerability is irrelevant to the project, because either it's a dev dependency, or the vulnerable part of the API isn't even used in the project.

I haven't had any issues with listr, and there has been some progress on the repo a few months back (just no release yet). Don't really have time to replace it but if someone wants to make a PR, I'd be happy to take a look at it.

[megg-nudata]

It's mostly just an internal corporate policy that requires any vulnerable dependencies be updated that's the reason why I'm inquiring. I'll delve further into this on my end. Thanks for the reply!