I don’t see an alternative: “DeprecationWarning: Passing args to a child process with shell option true …”

[rauschma]

Node.js Version

v24.0.1

NPM Version

11.3.0

Operating System

macOS Sequoia 15.3.2

Subsystem

child_process

Description

When using child_process.spawnSync() with an Array of arguments, I’m getting this warning:

DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

I don’t see a simple way around that:

• Command and arguments are passed to my function as an Array.
• I can do my own concatenation but how is that any better than what Node.js is doing?
• If I set shell:false then, e.g., I can’t invoke npx <some-package>.

Minimal Reproduction

No response

Output

No response

Before You Submit

• I have looked for issues that already exist before submitting this
• My issue follows the guidelines in the README file, and follows the 'How to ask a good question' guide at https://stackoverflow.com/help/how-to-ask

[avivkeller]

The deprecation is https://nodejs.org/api/deprecations.html#DEP0190, so you can disable it with --disable-warning=DEP0190

But, if you show your code, we can see why the deprecation is occurring you do can make the code future proof.

[avivkeller]

Hey, did the answer above resolve your problem? If not, can you provide more information?

[rauschma]

Ah, I only just now saw the second line of your initial reply. Alas, that doesn’t help me.

My input:

["npx", "ts-expect-error", "--unexpected-errors", "main.ts"]

• I want to run that as a shell command. Needed in the following project (which creates files and calls external tools with them): https://github.com/rauschma/markcheck
• I wouldn’t want to suppress warnings. If there is no other solution, I’d create a single-string shell command myself. But, as mentioned, that’s not safer than what Node.js does.

[joshualip-plaudit]

As a follow-on to this, because you cannot set stdio on exec, there isn't an alternative to passing args to spawn.

[lifeisfoo]

Another example when shell: true is required is to enable file globbing from the shell.

spawn("ls", ["*.mjs"], { shell: true });

Any workaround for this?

[alcuadrado]

I believe the alternative would be to pass the entire command to spawn. Like

spawn("ls *.mjs", { shell: true });

in the example above