Skip to content

Fix Node 24-specific deprecation warning#90

Merged
sindresorhus merged 7 commits intomainfrom
node-24
May 8, 2025
Merged

Fix Node 24-specific deprecation warning#90
sindresorhus merged 7 commits intomainfrom
node-24

Conversation

@ehmicky
Copy link
Collaborator

@ehmicky ehmicky commented May 8, 2025
edited
Loading

Fixes #89.

After merging this PR, I am going to create a similar one for Execa, if that sounds with you?

ehmicky
ehmicky commented May 8, 2025
View reviewed changes
package.json
"ava": "^6.1.3",
"c8": "^10.1.2",
"get-node": "^15.0.1",
"log-process-errors": "^12.0.1",
Copy link
Collaborator Author

@ehmicky ehmicky May 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deprecation warnings do not make tests fail, which is why we missed it. This dev dependency will ensure tests fail instead.

It also shows more verbose logs when that happens.

Before:

  ✔ options › options.env augments process.env
(node:23634) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
  ✔ options › options.preferLocal undefined does not run local npm binaries (209ms)

After:

  Unhandled rejection in test/options.js

  test/options.js:41

   40: const testArgv0 = async (t, shell) => {                                       
   41:   const {stdout} = await spawn(...nodePrintArgv0, {argv0: testString, shell});
   42:   t.is(stdout, shell ? process.execPath : testString);                        

  DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
  This promise was rejected but not handled.

  › This promise was rejected but not handled.
  › spawnSubprocess (file://source/spawn.js:17:20)
  › async getResult (file://source/result.js:5:19)
  › async testArgv0 (file://test/options.js:41:19)

  ✘ test/options.js exited with a non-zero exit code: 1

Disclaimer: this is my own library but it's been around for 7 years, and this is only added as a dev dependency.

ehmicky
ehmicky commented May 8, 2025
View reviewed changes
source/spawn.js
// So we do want users to pass array of arguments even with `shell: true`, but we also want to avoid any warning.
const concatenateShell = (file, commandArguments, options) => options.shell && commandArguments.length > 0
? [[file, ...commandArguments].join(' '), [], options]
: [file, commandArguments, options];
Copy link
Collaborator Author

@ehmicky ehmicky May 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the Node.js source code, this should be doing exactly what Node.js is doing. So this is not breaking, and should have no changes except for not showing the deprecation warning anymore. So this can be a patch release.

Also, when Node.js does remove support altogether, this won't impact us anymore.

@sindresorhus
Copy link
Owner

sindresorhus commented May 8, 2025

After merging this PR, I am going to create a similar one for Execa, if that sounds with you?

👍

@sindresorhus sindresorhus merged commit 0b0be55 into main May 8, 2025
12 checks passed
@sindresorhus sindresorhus deleted the node-24 branch May 8, 2025 16:01
@ehmicky ehmicky mentioned this pull request May 8, 2025
Merged
@fisker fisker mentioned this pull request May 9, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Node.js v24 warning

2 participants

@ehmicky @sindresorhus