Bug Description:
Building or running a Theia application with Node.js 24 emits two deprecation warnings.
1. DEP0190 — args passed to a child process with shell: true
(node:XXXXX) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
Source: dev-packages/application-manager/src/application-process.ts, which passes a non-empty args array together with shell: true.
This fires during theia build / theia rebuild on Node 24. I understand that shell: true is intentional for resolving Windows .cmd binaries, and that Node's own guidance here is in tension (see nodejs/node#58735). Perhaps then the way forward is to spawn with shell: true and a single command string built from the args instead of the separate args array, as per this discussion.
2. DEP0169 — legacy url.parse()
(node:XXXXX) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead.
@theia/core's ws-origin-validator.ts was already migrated to new URL() in 1.73.0 (via #17701), but these backend sites still call the legacy url.parse() on master:
packages/mini-browser/src/node/mini-browser-ws-validator.ts
packages/plugin-ext/src/main/node/plugin-service.ts
packages/plugin-ext/src/main/node/plugin-http-resolver.ts
packages/filesystem/src/node/download/file-download-endpoint.ts
These fire at backend startup and/or when the relevant features (mini-browser, webview/plugin host, file download) are exercised under Node 24.
Steps to Reproduce:
- Use Node.js 24.x.
- Build a Theia app (
theia build, or theia rebuild) → observe the [DEP0190] warning.
- Start the backend (
theia start) and/or exercise the mini-browser, a webview/plugin, or a file download → observe the [DEP0169] warning(s). Running with --trace-deprecation points at the files listed above.
Additional Information
- Operating System: macOS Tahoe 26.5.1
- Theia Version: 1.72.3
Bug Description:
Building or running a Theia application with Node.js 24 emits two deprecation warnings.
1.
DEP0190— args passed to a child process withshell: trueSource:
dev-packages/application-manager/src/application-process.ts, which passes a non-empty args array together withshell: true.This fires during
theia build/theia rebuildon Node 24. I understand thatshell: trueis intentional for resolving Windows.cmdbinaries, and that Node's own guidance here is in tension (see nodejs/node#58735). Perhaps then the way forward is tospawnwithshell: trueand a single command string built from the args instead of the separate args array, as per this discussion.2.
DEP0169— legacyurl.parse()@theia/core'sws-origin-validator.tswas already migrated tonew URL()in 1.73.0 (via #17701), but these backend sites still call the legacyurl.parse()onmaster:packages/mini-browser/src/node/mini-browser-ws-validator.tspackages/plugin-ext/src/main/node/plugin-service.tspackages/plugin-ext/src/main/node/plugin-http-resolver.tspackages/filesystem/src/node/download/file-download-endpoint.tsThese fire at backend startup and/or when the relevant features (mini-browser, webview/plugin host, file download) are exercised under Node 24.
Steps to Reproduce:
theia build, ortheia rebuild) → observe the[DEP0190]warning.theia start) and/or exercise the mini-browser, a webview/plugin, or a file download → observe the[DEP0169]warning(s). Running with--trace-deprecationpoints at the files listed above.Additional Information