fix: replace spawn shell option with explicit shell args to avoid Node.js DEP0190 warning

[afarber]

TLDR

Replaces spawn(command, { shell: true }) and spawn(command, [], { shell: true }) patterns with explicit spawn(shell, ['-c', command]) to eliminate Node.js DEP0190 deprecation warning.

Dive Deeper

Node.js 20+ introduced DEP0190 deprecation warning that triggers when passing an args array to child_process.spawn() with shell: true. The warning exists because arguments are only space-concatenated, not properly escaped, which can lead to shell injection vulnerabilities.

Before:

  spawn(command, [], { shell: true })
  spawn(command, { shell: true })

After:

  const shell = isWindows ? 'cmd.exe' : 'bash';
  const shellArgs = isWindows ? ['/c', command] : ['-c', command];
  spawn(shell, shellArgs);

This pattern was already used in shellExecutionService.ts for PTY spawning, so this PR applies the same approach consistently across all spawn calls.

Files changed:

• packages/cli/src/utils/handleAutoUpdate.ts - auto-update process spawning
• packages/cli/src/utils/sandbox.ts - proxy process spawning (macOS seatbelt and Docker)
• packages/core/src/services/shellExecutionService.ts - shell command execution

Reviewer Test Plan

1. Run with Node.js 20+ and --pending-deprecation flag to verify no DEP0190 warning appears:
   NODE_OPTIONS="--pending-deprecation --trace-warnings" npm run start
2. Execute shell commands via the CLI and verify they work correctly
3. On Windows, verify commands execute properly with cmd.exe /c

Testing Matrix

	🍏	🪟	🐧
npm run	yes	❓	yes
npx	❓	❓	❓
Docker	❓	❓	❓
Podman	❓	-	-
Seatbelt	❓	-	-

Linked issues / bugs

Fixes #1115

[afarber]

Successfully smoke tested on Ubuntu 25.04, do not see any deprecation warnings while running commands.

Ran with NODE_OPTIONS='--pending-deprecation' npm run start to verify no warnings appear.

[xuewenjie123]

@afarber thanks for your contribution！
I've been trying to reproduce the DEP0190 warning locally on the main branch (using Node.js v24 with --pending-deprecation), but I haven't been able to trigger it yet. It seems that spawn(cmd, [], { shell: true }) (with an empty args array) doesn't trigger the warning in my environment, whereas passing non-empty args does.

Did you encounter the warning in a specific scenario that I might be missing, or is this intended as a proactive fix to align with best practices? Just want to make sure I understand the context fully. Thanks again!"

[afarber]

Thanks for testing! I also tried to reproduce on macOS with Node v25 by using

git checkout main
npm run build
NODE_OPTIONS='--pending-deprecation --trace-deprecation' npm run start

on my Macbook and issuing the prompt "Run 'git log --oneline -10'" but no warning appeared (also tried ctrl+o):

The reason is that the current code uses the pattern:

  spawn(commandToExecute, [], { shell: 'bash' })

The entire command (e.g., "git log --oneline -10") is passed as a single string, always with an empty args array []. DEP0190 only triggers when the args array is non-empty, like:

  spawn("git", ["log", "--oneline"], { shell: true })  // This would warn

So the current implementation accidentally avoids the warning by putting everything in the command string.

This PR is still valuable as a proactive fix because:

1. It follows the Node.js recommended pattern: spawn('bash', ['-c', cmd])
2. It removes the confusing empty [] parameter
3. It aligns with the pattern already used for PTY spawning in the same file

The original issue reporter was on Windows with Node v24 - I have not tried that environment

[DennisYu07]

Is this better to use '/bin/sh' instead of 'bash' to avoid some conner case such as in Alpine it dose not have bash?