Skip to content

Commit 083418f

Browse files
authored
fix: resolve Node 24+ spawn deprecation warning (DEP0190) (#1130)
When using spawn with shell: true, passing args as a separate array causes a deprecation warning in Node 24+: 'Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.' This commit fixes the issue by joining the command and args into a single command string before passing to spawn, which is the recommended pattern for shell: true usage. Fixes #1102
1 parent 13c3fc9 commit 083418f

File tree

3 files changed

+13
-13
lines changed

3 files changed

+13
-13
lines changed

apps/generator-cli/src/app/services/pass-through.service.spec.ts

Lines changed: 5 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -178,8 +178,7 @@ describe('PassThroughService', () => {
178178
await program.parseAsync([name, ...argv], { from: 'user' });
179179
expect(childProcess.spawn).toHaveBeenNthCalledWith(
180180
1,
181-
'docker run --rm -v "/foo/bar:/local" openapitools/openapi-generator-cli:v4.2.1',
182-
[name, ...argv],
181+
`docker run --rm -v "/foo/bar:/local" openapitools/openapi-generator-cli:v4.2.1 ${name} ${argv.join(' ')}`,
183182
{
184183
stdio: 'inherit',
185184
shell: true,
@@ -192,8 +191,7 @@ describe('PassThroughService', () => {
192191
await program.parseAsync([name, ...argv], { from: 'user' });
193192
expect(childProcess.spawn).toHaveBeenNthCalledWith(
194193
1,
195-
'java -jar "/some/path/to/4.2.1.jar"',
196-
[name, ...argv],
194+
`java -jar "/some/path/to/4.2.1.jar" ${name} ${argv.join(' ')}`,
197195
{
198196
stdio: 'inherit',
199197
shell: true,
@@ -206,8 +204,7 @@ describe('PassThroughService', () => {
206204
await program.parseAsync([name, ...argv], { from: 'user' });
207205
expect(childProcess.spawn).toHaveBeenNthCalledWith(
208206
1,
209-
'java java-opt-1=1 -jar "/some/path/to/4.2.1.jar"',
210-
[name, ...argv],
207+
`java java-opt-1=1 -jar "/some/path/to/4.2.1.jar" ${name} ${argv.join(' ')}`,
211208
{
212209
stdio: 'inherit',
213210
shell: true,
@@ -227,8 +224,7 @@ describe('PassThroughService', () => {
227224
`java -cp "${[
228225
'/some/path/to/4.2.1.jar',
229226
'../some/custom.jar',
230-
].join(cpDelimiter)}" org.openapitools.codegen.OpenAPIGenerator`,
231-
[name, ...argv],
227+
].join(cpDelimiter)}" org.openapitools.codegen.OpenAPIGenerator ${name} ${argv.join(' ')}`,
232228
{
233229
stdio: 'inherit',
234230
shell: true,
@@ -303,8 +299,7 @@ describe('PassThroughService', () => {
303299
it('spawns the correct process', () => {
304300
expect(childProcess.spawn).toHaveBeenNthCalledWith(
305301
1,
306-
'java -jar "/some/path/to/4.2.1.jar"',
307-
cmd.split(' '),
302+
`java -jar "/some/path/to/4.2.1.jar" ${cmd}`,
308303
{ stdio: 'inherit', shell: true }
309304
);
310305
});

apps/generator-cli/src/app/services/pass-through.service.ts

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,8 +85,11 @@ export class PassThroughService {
8585

8686
public passThrough = (cmd: Command) => {
8787
const args = [cmd.name(), ...cmd.args];
88+
// Join command and args into a single string to avoid Node 24+ deprecation warning
89+
// DEP0190: passing args to spawn with shell: true concatenates without escaping
90+
const fullCommand = [this.cmd(), ...args].join(' ');
8891

89-
spawn(this.cmd(), args, {
92+
spawn(fullCommand, {
9093
stdio: 'inherit',
9194
shell: true,
9295
}).on('exit', process.exit);

apps/generator-cli/src/app/services/version-manager.service.ts

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -134,7 +134,8 @@ export class VersionManagerService {
134134
async remove(versionName: string) {
135135
if (this.configService.useDocker) {
136136
await new Promise<void>((resolve) => {
137-
spawn('docker', ['rmi', this.getDockerImageName(versionName)], {
137+
// Use single command string to avoid Node 24+ deprecation warning (DEP0190)
138+
spawn(`docker rmi ${this.getDockerImageName(versionName)}`, {
138139
stdio: 'inherit',
139140
shell: true,
140141
}).on('exit', () => resolve());
@@ -151,7 +152,8 @@ export class VersionManagerService {
151152

152153
if (this.configService.useDocker) {
153154
await new Promise<void>((resolve) => {
154-
spawn('docker', ['pull', this.getDockerImageName(versionName)], {
155+
// Use single command string to avoid Node 24+ deprecation warning (DEP0190)
156+
spawn(`docker pull ${this.getDockerImageName(versionName)}`, {
155157
stdio: 'inherit',
156158
shell: true,
157159
}).on('exit', () => resolve());

0 commit comments

Comments
 (0)