Remove --shell option where unsafe to use

This provides a more comprehensive and safe fix for CVE-2025-64756, by
making the `--shell` option fully nonfunctional on systems where it is
not known to be safe.

Re: GHSA-5j98-mcp5-4vw2
Re: CVE-2025-64756

Author: isaacs

README.md

@@ -435,11 +435,11 @@ share the previously loaded cache.
   is used as the starting point for absolute patterns that start
   with `/`, (but not drive letters or UNC paths on Windows).
 
-    To start absolute and non-absolute patterns in the same path,
-    you can use `{root:''}`. However, be aware that on Windows
-    systems, a pattern like `x:/*` or `//host/share/*` will
-    _always_ start in the `x:/` or `//host/share` directory,
-    regardless of the `root` setting.
+  To start absolute and non-absolute patterns in the same path,
+  you can use `{root:''}`. However, be aware that on Windows
+  systems, a pattern like `x:/*` or `//host/share/*` will
+  _always_ start in the `x:/` or `//host/share` directory,
+  regardless of the `root` setting.
 
 > [!NOTE] This _doesn't_ necessarily limit the walk to the
 > `root` directory, and doesn't affect the cwd starting point
@@ -664,7 +664,6 @@ share the previously loaded cache.
 > already be added before its ancestor, if multiple or braced
 > patterns are used.
 
-
 ## Glob Primer
 
 Much more information about glob pattern expansion can be found

changelog.md

@@ -1,12 +1,18 @@
 # changeglob
 
+## 12
+
+- Remove the unsafe `--shell` option. The `--shell` option is now
+  ONLY supported on known shells where the behavior can be
+  implemented safely.
+
 ## 11.1
 
 [GHSA-5j98-mcp5-4vw2](https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
 
 - Add the `--shell` option for the command line, with a warning
   that this is unsafe. (It will be removed in v12.)
-- Add the `--cmd-arg`/`-g` as a way to *safely* add positional
+- Add the `--cmd-arg`/`-g` as a way to _safely_ add positional
   arguments to the command provided to the CLI tool.
 - Detect commands with space or quote characters on known shells,
   and pass positional arguments to them safely, avoiding

src/bin.mts

@@ -357,10 +357,7 @@ try {
     const { SHELL = 'unknown' } = process.env
     const shellBase = basename(SHELL)
     const knownShells = ['sh', 'ksh', 'zsh', 'bash', 'fish']
-    if (
-      (shell || /[ "']/.test(cmd)) &&
-      knownShells.includes(shellBase)
-    ) {
+    if ((shell || /[ "']/.test(cmd)) && knownShells.includes(shellBase)) {
       const cmdWithArgs = `${cmd} "\$${shellBase === 'fish' ? 'argv' : '@'}"`
       if (shellBase !== 'fish') {
         cmdArg.unshift(SHELL)
@@ -370,13 +367,13 @@ try {
     } else {
       if (shell) {
         process.emitWarning(
-          'The --shell option is unsafe, and will be removed. To pass ' +
+          'The --shell option is not supported on this system. To pass ' +
             'positional arguments to the subprocess, use -g/--cmd-arg instead.',
-          'DeprecationWarning',
+          'UnsupportedWarning',
           'GLOB_SHELL',
         )
       }
-      stream.on('end', () => foregroundChild(cmd, cmdArg, { shell }))
+      stream.on('end', () => foregroundChild(cmd, cmdArg))
     }
   }
 } catch (e) {

test/bin.ts

@@ -11,11 +11,7 @@ const { version } = JSON.parse(
 )
 const bin = fileURLToPath(new URL('../dist/esm/bin.mjs', import.meta.url))
 
-const foregroundChildCalls: [
-  string,
-  string[],
-  undefined | SpawnOptions,
-][] = []
+const foregroundChildCalls: [string, string[]][] = []
 let mockForegroundChildAwaiting: undefined | Promise<void> = undefined
 let resolveMockForegroundChildAwaiting: undefined | (() => void) =
   undefined
@@ -30,7 +26,10 @@ const mockForegroundChild = {
     resolveMockForegroundChildAwaiting?.()
     resolveMockForegroundChildAwaiting = undefined
     mockForegroundChildAwaiting = undefined
-    foregroundChildCalls.push([cmd, args, options])
+    if (options !== undefined) {
+      throw new Error('should not pass in spawn opts')
+    }
+    foregroundChildCalls.push([cmd, args])
   },
 }
 t.beforeEach(() => (foregroundChildCalls.length = 0))
@@ -148,7 +147,6 @@ t.test('append positional args safely to shell in fish', async t => {
         'a/x.y',
         'a/b/z.y',
       ],
-      undefined,
     ],
   ])
 })
@@ -183,13 +181,12 @@ t.test('UNSAFE positional args with --shell', async t => {
     'foreground-child': mockForegroundChild,
   })
   await p
-  t.strictSame(foregroundChildCalls, [
-    [c, ['a/x.y', 'a/b/z.y'], { shell: true }],
-  ])
+  t.strictSame(foregroundChildCalls, [[c, ['a/x.y', 'a/b/z.y']]])
   t.strictSame(warnings, [
     [
-      'The --shell option is unsafe, and will be removed. To pass positional arguments to the subprocess, use -g/--cmd-arg instead.',
-      'DeprecationWarning',
+      'The --shell option is not supported on this system. To pass ' +
+        'positional arguments to the subprocess, use -g/--cmd-arg instead.',
+      'UnsupportedWarning',
       'GLOB_SHELL',
     ],
   ])
@@ -238,7 +235,6 @@ t.test('safe positional args with --cmd-arg/-g', async t => {
     [
       c,
       ['-p', 'process.argv.map(s=>s.toUpperCase())', 'a/x.y', 'a/b/z.y'],
-      { shell: false },
     ],
   ])
   t.strictSame(warnings, [])