(node:79383) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated. #108
Description
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Current Behavior
Since I updated to node 24, I get warnings:
(node:79383) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
Failure Information (for bugs)
Steps to Reproduce
❯ pnpm install
Lockfile is up to date, resolution step is skipped
Already up to date
. prepare$ husky
└─ Done in 50ms
Done in 1.8s using pnpm v10.22.0
❯ si
📦 pnpm install
(node:80559) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
Lockfile is up to date, resolution step is skipped
Already up to date
. prepare$ husky
└─ Done in 52ms
Done in 2.4s using pnpm v10.22.0
(node:80551) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
❯ NODE_OPTIONS='--trace-deprecation' si
📦 pnpm install
(node:80765) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
at normalizeSpawnArguments (node:child_process:644:15)
at spawn (node:child_process:789:13)
at runCommand (file:///home/ptandler/.local/share/mise/installs/npm-swpm/2.6.0/lib/node_modules/swpm/src/helpers/cmds.js:61:19)
at file:///home/ptandler/.local/share/mise/installs/npm-swpm/2.6.0/lib/node_modules/swpm/src/cli/swpm.js:69:1
Lockfile is up to date, resolution step is skipped
Already up to date
. prepare$ husky
└─ Done in 45ms
Done in 1.7s using pnpm v10.22.0
(node:80757) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
at normalizeSpawnArguments (node:child_process:644:15)
at spawnSync (node:child_process:870:8)
at spreadCommand (file:///home/ptandler/.local/share/mise/installs/npm-swpm/2.6.0/lib/node_modules/swpm/src/helpers/cmds.js:80:19)
at file:///home/ptandler/.local/share/mise/installs/npm-swpm/2.6.0/lib/node_modules/swpm/src/alias/si.js:4:1
at ModuleJob.run (node:internal/modules/esm/module_job:377:25)
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:671:26)
at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:101:5)
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.
- swpm Version: 2.6.0
- node Version: 24.11.1
- Package Manager: pnpm
- Package Manager Version: 10.22.0
- Operating System: Ubuntu 22.04