I don’t see an alternative: “DeprecationWarning: Passing args to a child process with shell option true …”

[rauschma]

Node.js Version

v24.0.1

NPM Version

11.3.0

Operating System

macOS Sequoia 15.3.2

Subsystem

child_process

Description

When using child_process.spawnSync() with an Array of arguments, I’m getting this warning:

DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

I don’t see a simple way around that:

• Command and arguments are passed to my function as an Array.
• I can do my own concatenation but how is that any better than what Node.js is doing?
• If I set shell:false then, e.g., I can’t invoke npx <some-package>.

Minimal Reproduction

No response

Output

No response

Before You Submit

• I have looked for issues that already exist before submitting this
• My issue follows the guidelines in the README file, and follows the 'How to ask a good question' guide at https://stackoverflow.com/help/how-to-ask

[avivkeller]

The deprecation is https://nodejs.org/api/deprecations.html#DEP0190, so you can disable it with --disable-warning=DEP0190

But, if you show your code, we can see why the deprecation is occurring you do can make the code future proof.

[avivkeller]

Hey, did the answer above resolve your problem? If not, can you provide more information?

[rauschma]

Ah, I only just now saw the second line of your initial reply. Alas, that doesn’t help me.

My input:

["npx", "ts-expect-error", "--unexpected-errors", "main.ts"]

• I want to run that as a shell command. Needed in the following project (which creates files and calls external tools with them): https://github.com/rauschma/markcheck
• I wouldn’t want to suppress warnings. If there is no other solution, I’d create a single-string shell command myself. But, as mentioned, that’s not safer than what Node.js does.

[joshualip-plaudit]

As a follow-on to this, because you cannot set stdio on exec, there isn't an alternative to passing args to spawn.

[lifeisfoo]

Another example when shell: true is required is to enable file globbing from the shell.

spawn("ls", ["*.mjs"], { shell: true });

Any workaround for this?

[alcuadrado]

I believe the alternative would be to pass the entire command to spawn. Like

spawn("ls *.mjs", { shell: true });

in the example above

[trevorstr]

I just started getting this warning, and I am not sure why. I am not using spawn() anywhere in my code.

Maybe one of the dependencies in my project is using it, but I'm not sure how I would go about figuring that out. How do I know what line is triggering the deprecation warning?

[trevorstr]

I just noticed the warning mentions the --trace-deprecation option. :)

[trevorstr]

So in my scenario, I am using various modules from the Azure SDK. One class I'm using in particular is the AzureCliCredential class. It appears that this module is calling an external process, using the deprecated functionality.

../node_modules/@azure/identity/dist/commonjs/credentials/azureCliCredential.js:53:41

I'm currently using @azure/identity version 4.8.0.

[adligo]

As far as I can tell, the solution with the concatenated string as the command doesn't work for me in my slink.ts.adligo.org project, as it sets the statusCode (status) to null when it should be zero. I need the statusCode (status) to be zero in order to tell if the command executed successfully!

    if (spawnSyncReturns.status != 0) {
      throw new Error('The command ' + cmdWithArgs + ' in dir \n\t' + options.cwd + ' \n\t Failed with exit code: ' + spawnSyncReturns.status);
    }

I'm adding a separate bug report for this.