Description
Node.js v24.1.0
TLDR: How could I run npm install or similar commands on Windows without seeing warnings?
When you do this on Windows:
child_process.spawnSync('npm.cmd', ['-v'], { stdio: 'inherit' })
You will get an error:
Error: spawnSync npm.cmd EINVAL
And I know this was used to fix a CVE, where executing a batch file breaks the promise that all args are properly quoted without leading to attacks.
The "fix" was adding shell: true so that authors must know this command will be unsafe and it is better to only pass in authored strings.
However, in Node.js 24 there is a warning popping out that using shell: true is unsafe.
> child_process.spawnSync('npm.cmd', ['-v'], { stdio: 'inherit', shell: true })
11.3.0
{
status: 0,
signal: null,
output: [ null, null, null ],
pid: 16548,
stdout: null,
stderr: null
}
> (node:15964) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
Disclaimer: In most of the cases the shell commands are controlled by myself (or say the code author, not user). So the author knows the command will be safe since all input strings are predictable. If an attacker could modify the source code to construct arbitrary strings, he would also be able to run any code without even using the batch file escaping hack.
Currently, I see no easy way to escape from that warning.
Related issue: #52554
Possible ways to escape:
- Capture the stderr stream, so that users won't see it...
- Use spawnSync('cmd.exe', ['/d', '/s', '/c', 'npm -v']) since this is not .cmd... However, it may require extra code to escape strings, which in the end does the same as the one in the source code of Node.js.