
fix: upgrade @inquirer/prompts to ^8 to resolve CVE-2025-54798 #46

Open

thedoc31 wants to merge 1 commit into adobe:main from thedoc31:casalino-patch-1

Conversation

@thedoc31


Summary

  • Bumps @inquirer/prompts from ^5 to ^8, removing the tmp <=0.2.3 transitive dependency chain that carries CVE-2025-54798 (GHSA-52f5-9888-hmc6): arbitrary temp file/dir write via symlink in the dir parameter (CVSS 2.5 Low)
  • Adds moduleNameMapper in Jest config + test/__mocks__/oclif-table.js to fix a pre-existing list.test.js suite failure caused by string-width@8.x using the /v regex flag, which Jest 29's VM module sandbox cannot parse

Vulnerability chain resolved

tmp <=0.2.3  (CVE-2025-54798)
  └── external-editor
        └── @inquirer/editor <=4.2.15
              └── @inquirer/prompts <=6.0.1  ← was ^5, now ^8

@inquirer/prompts@8 dropped @inquirer/editor entirely, removing the whole chain. npm audit reports 0 vulnerabilities after this change.

Compatibility

Only input and confirm are used in this codebase — both call signatures are unchanged through v6, v7, and v8. The project already has "type": "module" and engines: ">=20.0.0", satisfying v8's requirements.

Test plan

  • npm audit — 0 vulnerabilities
  • 471/471 tests pass (32/32 suites), including the previously failing list.test.js

🤖 Generated with Claude Code
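The chain in the description, turned into a check a maintainer can run against a lockfile: this is an added example, not code from the PR or from the adobe project. It assumes a lockfileVersion 3 "packages" map, resolves dependencies the way npm does (nearest node_modules, walking upward), and the two lockfile fragments are constructed to mirror the before and after shapes described above.

```javascript
// Added example, not from the PR or the adobe project; lockfile data is constructed.
function versionLte(a, b) {
  // Dotted numeric compare (no pre-release handling); avoids a semver dependency.
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return true;
}

function resolveDep(packages, fromPath, depName) {
  // npm resolution: nearest node_modules, walking up from the dependent's location.
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

function findVulnerablePaths(packages, target, maxVersion) {
  // Every root-to-target path whose installed target version is <= maxVersion.
  const hits = [];
  const walk = (pkgPath, chain) => {
    const deps = (packages[pkgPath] || {}).dependencies || {};
    for (const dep of Object.keys(deps)) {
      const depPath = resolveDep(packages, pkgPath, dep);
      // Skip unresolved entries and cycles (name already on the chain).
      if (!depPath || chain.some((c) => c.startsWith(dep + '@'))) continue;
      const version = packages[depPath].version, next = [...chain, dep + '@' + version];
      if (dep === target && versionLte(version, maxVersion)) hits.push(next.join(' -> '));
      else walk(depPath, next);
    }
  };
  walk('', []); // '' is the project root entry in a v3 lockfile
  return hits;
}
// Constructed fragments: BEFORE mirrors the chain in the PR, AFTER the post-upgrade shape.
const BEFORE = {
  '': { dependencies: { '@inquirer/prompts': '^5' } },
  'node_modules/@inquirer/prompts': { version: '5.5.0', dependencies: { '@inquirer/editor': '^2' } },
  'node_modules/@inquirer/editor': { version: '2.2.0', dependencies: { 'external-editor': '^3' } },
  'node_modules/external-editor': { version: '3.1.0', dependencies: { tmp: '^0.2' } },
  'node_modules/tmp': { version: '0.2.3' },
};
const AFTER = { '': { dependencies: { '@inquirer/prompts': '^8' } },
  'node_modules/@inquirer/prompts': { version: '8.0.0' } };
console.log({ before: findVulnerablePaths(BEFORE, 'tmp', '0.2.3'), after: findVulnerablePaths(AFTER, 'tmp', '0.2.3') });
```

Pointing it at a real package-lock.json means passing `JSON.parse(fs.readFileSync('package-lock.json')).packages` in place of the constructed maps.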

Bumps @inquirer/prompts from ^5 to ^8, removing the tmp <=0.2.3
transitive dependency chain that carries CVE-2025-54798 (arbitrary
temp file/dir write via symlink). Adds a moduleNameMapper mock for
@oclif/table to fix list.test.js suite failure caused by string-width
8.x using the /v regex flag, which Jest 29 VM modules cannot parse.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@codecov

codecov Bot commented May 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


