child_process: disallow args in execFile/spawn when shell option is true #57199

DanielVenable · 2025-02-24T20:18:56Z

This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped while
really they are just concatenated. This makes it easy to introduce bugs
and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with { shell: true }.

Fixes: #57143

codecov · 2025-02-24T22:02:44Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.22%. Comparing base (922ce9d) to head (180b40a).
Report is 25 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #57199      +/-   ##
==========================================
- Coverage   90.23%   90.22%   -0.02%     
==========================================
  Files         629      629              
  Lines      184939   184948       +9     
  Branches    36232    36233       +1     
==========================================
- Hits       166885   166870      -15     
- Misses      11011    11023      +12     
- Partials     7043     7055      +12

Files with missing lines	Coverage Δ
lib/child_process.js	`97.74% <100.00%> (+0.01%)`	⬆️

... and 44 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

RafaelGSS

This is a semver-major change as it will break people current using the args approach (even being ignored).

I'm not sure if we want to change the API in those situations. I think adding a process.emitWarning could be safer approach in this situation (also semver-major)

aduh95

Let's add an entry in deprecation.md since we're effectively deprecating it

nodejs-github-bot · 2025-02-27T13:16:39Z

CI: https://ci.nodejs.org/job/node-test-pull-request/65461/

doc/api/deprecations.md

test/parallel/test-child-process-execfile.js

mohd-akram · 2025-03-09T15:42:01Z

Thank you @DanielVenable for creating this PR. What's the update on this? It would be good to get this into Node.js 24 as the freeze is in a couple of weeks.

PR-URL: #57389 Refs: #57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Accepting `args` gives the false impression that the args are escaped while really they are just concatenated. This makes it easy to introduce bugs and security vulnerabilities.

aduh95 · 2025-03-19T10:25:23Z

@DanielVenable I've rebased to fix the git conflicts. I've also pushed 7a04435 to fix the implementation, PTAL.

…`execFile`

aduh95 · 2025-03-19T10:26:58Z

/cc @nodejs/tsc since this is semver-major

DanielVenable · 2025-03-19T16:45:21Z

@aduh95 LGTM

doc/api/child_process.md

mcollina

lgtm

This would be breaking :(.

nodejs-github-bot · 2025-03-21T13:30:06Z

CI: https://ci.nodejs.org/job/node-test-pull-request/65867/

nodejs-github-bot · 2025-03-21T16:15:22Z

Landed in 1b5b019

PR-URL: #57389 Refs: #57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) remove `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #55862 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: TBD

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) remove `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #55862 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: #57609

PR-URL: #57389 Refs: #57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Accepting `args` gives the false impression that the args are escaped while really they are just concatenated. This makes it easy to introduce bugs and security vulnerabilities. PR-URL: #57199 Fixes: #57143 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) remove `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #55862 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: #57609

PR-URL: #57389 Refs: #57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Accepting `args` gives the false impression that the args are escaped while really they are just concatenated. This makes it easy to introduce bugs and security vulnerabilities. PR-URL: #57199 Fixes: #57143 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) remove `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #55862 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: #57609

PR-URL: nodejs#57389 Refs: nodejs#57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) remove `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #55862 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: #57609

Semver-Major Commits: buffer: * (SEMVER-MAJOR) make `buflen` in integer range (zhenweijin) #51821 build: * (SEMVER-MAJOR) bump supported macOS version to 13.5 (Michaël Zasso) #57115 * (SEMVER-MAJOR) increase minimum Xcode version to 16.1 (Michaël Zasso) #56824 * (SEMVER-MAJOR) link V8 with atomic library (Michaël Zasso) #55014 * (SEMVER-MAJOR) remove support for ppc 32-bit (Michaël Zasso) #55014 * (SEMVER-MAJOR) reset embedder string to "-node.0" (Michaël Zasso) #55014 child_process: * (SEMVER-MAJOR) deprecate passing `args` to `spawn` and `execFile` (Daniel Venable) #57199 deps: * (SEMVER-MAJOR) V8: cherry-pick f915fa4c9f41 (Olivier Flückiger) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0d5d6e71bbb0 (Yagiz Nizipli) #55014 * (SEMVER-MAJOR) V8: cherry-pick 0c11feeeca4a (Michaël Zasso) #55014 * (SEMVER-MAJOR) define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) always define V8_NODISCARD as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) fix FP16 bitcasts.h (Stefan Stojanovic) #55014 * (SEMVER-MAJOR) patch V8 to support compilation with MSVC (StefanStojanovic) #55014 * (SEMVER-MAJOR) patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #55014 * (SEMVER-MAJOR) disable V8 concurrent sparkplug compilation (Michaël Zasso) #55014 * (SEMVER-MAJOR) always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #55014 * (SEMVER-MAJOR) update V8 to 13.0.245.25 (Michaël Zasso) #55014 * (SEMVER-MAJOR) upgrade npm to 11.0.0 (npm team) #56274 * (SEMVER-MAJOR) update undici to 7.0.0 (Node.js GitHub Bot) #56070 fs: * (SEMVER-MAJOR) remove ability to call truncate with fd (Yagiz Nizipli) #57567 * (SEMVER-MAJOR) deprecate passing invalid types in `fs.existsSync` (Carlos Espa) #55753 * (SEMVER-MAJOR) runtime deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) #49686 * (SEMVER-MAJOR) remove `dirent.path` (Antoine du Hamel) #55548 lib: * (SEMVER-MAJOR) remove obsolete Cipher export (James M Snell) #57266 * (SEMVER-MAJOR) unexpose six process bindings (Michaël Zasso) #57149 * (SEMVER-MAJOR) make ALS default to AsyncContextFrame (Stephen Belanger) #55552 * (SEMVER-MAJOR) runtime deprecate SlowBuffer (Rafael Gonzaga) #55175 net: * (SEMVER-MAJOR) make _setSimultaneousAccepts() end-of-life deprecated (Yagiz Nizipli) #57550 repl: * (SEMVER-MAJOR) runtime deprecate instantiating without new (Aviv Keller) #54869 src: * (SEMVER-MAJOR) update GetForegroundTaskRunner override (Etienne Pierre-doray) #55014 * (SEMVER-MAJOR) update NODE_MODULE_VERSION to 134 (Michaël Zasso) #55014 * (SEMVER-MAJOR) drop --experimental-permission in favour of --permission (Rafael Gonzaga) #56240 * (SEMVER-MAJOR) add async context frame to AsyncResource (Gerhard Stöbich) #56082 * (SEMVER-MAJOR) nuke deprecated and un-used enum members in `OptionEnvvarSettings` (Juan José) #53079 stream: * (SEMVER-MAJOR) catch and forward error from dest.write (jakecastelli) #55270 test: * (SEMVER-MAJOR) disable fast API call count checks (Michaël Zasso) #55014 test_runner: * (SEMVER-MAJOR) remove promises returned by t.test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) remove promises returned by test() (Colin Ihrig) #56664 * (SEMVER-MAJOR) automatically wait for subtests to finish (Colin Ihrig) #56664 timers: * (SEMVER-MAJOR) check for immediate instance in clearImmediate (Gürgün Dayıoğlu) #57069 * (SEMVER-MAJOR) set several methods EOL (Yagiz Nizipli) #56966 tls: * (SEMVER-MAJOR) remove deprecated tls.createSecurePair (Jonas) #57361 * (SEMVER-MAJOR) make server.prototype.setOptions end-of-life (Yagiz Nizipli) #57339 tools: * (SEMVER-MAJOR) update V8 gypfiles for 13.0 (Michaël Zasso) #55014 url: * (SEMVER-MAJOR) expose urlpattern as global (Jonas) #56950 * (SEMVER-MAJOR) runtime deprecate url.parse (Yagiz Nizipli) #55017 zlib: * (SEMVER-MAJOR) deprecate classes usage without `new` (Yagiz Nizipli) #55718 PR-URL: #57609 Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>

PR-URL: #57389 Refs: #57199 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Feb 24, 2025

DanielVenable force-pushed the child-process-disallow-args-when-shell-option-true branch from 162ab95 to e903326 Compare February 24, 2025 20:22

RafaelGSS added the semver-major PRs that contain breaking changes and should be released in the next major version. label Feb 25, 2025

RafaelGSS reviewed Feb 25, 2025

View reviewed changes

aduh95 reviewed Feb 26, 2025

View reviewed changes

RafaelGSS added deprecations Issues and PRs related to deprecations. request-ci Add this label to start a Jenkins CI on a PR. labels Feb 27, 2025

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 27, 2025

aduh95 reviewed Feb 27, 2025

View reviewed changes

doc/api/deprecations.md Outdated Show resolved Hide resolved

aduh95 reviewed Feb 27, 2025

View reviewed changes

doc/api/deprecations.md Outdated Show resolved Hide resolved

aduh95 reviewed Feb 27, 2025

View reviewed changes

test/parallel/test-child-process-execfile.js Outdated Show resolved Hide resolved

aduh95 mentioned this pull request Mar 9, 2025

doc: deprecate passing args to spawn and execFile #57389

Merged

DanielVenable and others added 2 commits March 19, 2025 11:07

child_process: deprecate passing args to spawn and execFile

281d896

Accepting `args` gives the false impression that the args are escaped while really they are just concatenated. This makes it easy to introduce bugs and security vulnerabilities.

fixup! child_process: deprecate passing args to spawn and execFile

7a04435

aduh95 force-pushed the child-process-disallow-args-when-shell-option-true branch from c885d04 to 7a04435 Compare March 19, 2025 10:23

fixup! fixup! child_process: deprecate passing args to spawn and …

180b40a

…`execFile`

anonrig approved these changes Mar 20, 2025

View reviewed changes

aduh95 approved these changes Mar 20, 2025

View reviewed changes

aduh95 reviewed Mar 20, 2025

View reviewed changes

doc/api/child_process.md Show resolved Hide resolved

aduh95 mentioned this pull request Mar 21, 2025

doc: remove deprecated pattern in child_process.md #57568

Merged

aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Mar 21, 2025

This comment was marked as outdated.

Sign in to view

mcollina approved these changes Mar 21, 2025

View reviewed changes

jasnell approved these changes Mar 21, 2025

View reviewed changes

aduh95 added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Mar 21, 2025

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 21, 2025

nodejs-github-bot merged commit 1b5b019 into nodejs:main Mar 21, 2025
66 checks passed

RafaelGSS mentioned this pull request Mar 24, 2025

2025-04-23, Version 24.0.0 (Current) #57609

Open

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

child_process: disallow args in execFile/spawn when shell option is true #57199

child_process: disallow args in execFile/spawn when shell option is true #57199

DanielVenable commented Feb 24, 2025

codecov bot commented Feb 24, 2025 •

edited

Loading

RafaelGSS left a comment

aduh95 left a comment

nodejs-github-bot commented Feb 27, 2025

mohd-akram commented Mar 9, 2025

aduh95 commented Mar 19, 2025

aduh95 commented Mar 19, 2025

DanielVenable commented Mar 19, 2025

This comment was marked as outdated.

mcollina left a comment

nodejs-github-bot commented Mar 21, 2025

nodejs-github-bot commented Mar 21, 2025

child_process: disallow args in execFile/spawn when shell option is true #57199

child_process: disallow args in execFile/spawn when shell option is true #57199

Conversation

DanielVenable commented Feb 24, 2025

codecov bot commented Feb 24, 2025 • edited Loading

Codecov Report

RafaelGSS left a comment

Choose a reason for hiding this comment

aduh95 left a comment

Choose a reason for hiding this comment

nodejs-github-bot commented Feb 27, 2025

mohd-akram commented Mar 9, 2025

aduh95 commented Mar 19, 2025

aduh95 commented Mar 19, 2025

DanielVenable commented Mar 19, 2025

This comment was marked as outdated.

mcollina left a comment

Choose a reason for hiding this comment

nodejs-github-bot commented Mar 21, 2025

nodejs-github-bot commented Mar 21, 2025

codecov bot commented Feb 24, 2025 •

edited

Loading