
Fix Node 24 security warning#1215

Merged
codykaup merged 3 commits into main from cody/cap-3598-shell-true-causes-security-warning-in-node-2441 on Oct 24, 2025

Conversation

@codykaup
Contributor

@codykaup codykaup commented Oct 21, 2025

Fixes #1208

On Node v24+, there's a new warning that appears:

DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

This is caused by us using shell: true when running shell commands. Thankfully, this was fixed in execa v9.5.3 so we simply need to upgrade to fix the warning.

In addition to that, execaCommand is now deprecated and will be removed in v10+ (ref). To avoid those issues in the future, I went ahead and swapped our usage of execaCommand with execa, which is roughly similar. The biggest difference is we need to parse the command string into an array before calling execa.

📦 Published PR as canary version: 13.3.3--canary.1215.18784607811.0

✨ Test out this PR locally via:

npm install chromatic@13.3.3--canary.1215.18784607811.0
# or 
yarn add chromatic@13.3.3--canary.1215.18784607811.0

@codykaup codykaup self-assigned this Oct 21, 2025
@github-actions
Contributor

github-actions bot commented Oct 21, 2025

📦 Package Size: 5720 KB
⚠️ Compared to main: +92 KB 7c3f508 (5628 KB)

@codykaup codykaup added the release (Auto: Create a `latest` release when merged) and patch (Auto: Increment the patch version when merged) labels Oct 21, 2025
@codykaup codykaup force-pushed the cody/cap-3598-shell-true-causes-security-warning-in-node-2441 branch from b0062e2 to 9aab540 on October 21, 2025 21:36
@codecov

codecov bot commented Oct 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.64%. Comparing base (7c3f508) to head (5b685c3).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1215      +/-   ##
==========================================
+ Coverage   71.62%   71.64%   +0.01%     
==========================================
  Files         204      204              
  Lines        7631     7636       +5     
  Branches     1366     1366              
==========================================
+ Hits         5466     5471       +5     
  Misses       2143     2143              
  Partials       22       22              


@codykaup codykaup force-pushed the cody/cap-3598-shell-true-causes-security-warning-in-node-2441 branch 4 times, most recently from 929d193 to 6c3ba37 on October 22, 2025 16:53
@codykaup codykaup marked this pull request as ready for review October 22, 2025 17:34
@codykaup codykaup requested a review from a team October 22, 2025 17:34
Contributor

@justin-thurman justin-thurman left a comment


Looks good. I ran a build locally, working as expected. 👍

@codykaup codykaup force-pushed the cody/cap-3598-shell-true-causes-security-warning-in-node-2441 branch from 6c3ba37 to 5b685c3 on October 23, 2025 18:44
@codykaup codykaup added this pull request to the merge queue Oct 24, 2025
Merged via the queue into main with commit 4e3f944 Oct 24, 2025
32 of 33 checks passed
@codykaup codykaup deleted the cody/cap-3598-shell-true-causes-security-warning-in-node-2441 branch October 24, 2025 15:33
@chromatic-ci-bot
Collaborator

🚀 PR was released in v13.3.2 🚀

@chromatic-ci-bot chromatic-ci-bot added the released (Verdict: This issue/pull request has been released) label Oct 24, 2025


Development

Successfully merging this pull request may close these issues.

shell: true causes security warning in Node 24.4.1
