CVE-2025-54798 in `tmp` via `inquirer` and `external-editor`

[s100]

The latest version of codeceptjs at the time of writing is version 3.7.3...

• which has a production dependency on inquirer@8.2.6...
• which has a production dependency on external-editor@^3.0.3, which in practice resolves to external-editor@3.1.0...
• which has a production dependency on tmp@^0.0.33, which resolves to tmp@0.0.33...
• which has CVE-2025-54798 in it.

tmp is patched as of tmp@0.2.4, which means that external-editor needs to upgrade. Unfortunately external-editor is not maintained and no new version has appeared for about six years. This in turn means that inquirer must stop using external-editor. inquirer has indeed done this as of inquirer@8.2.7. So now codeceptjs must upgrade from inquirer@8.2.6 to inquirer@8.2.7.