Is there an existing issue for this?
Current Behavior
The current bin links on Windows use a cmd, and and a ps1 script, this has a few side effects which aren't that nice to users of node on Windows:
- When launched by the cmd launcher script, you will get the dreaded ye olde "Terminate batch job (Y/N)" prompt, which is quite annoying.
- Scripts are not callable via
ExecuteProcess, requiring a shell to execute them, which can often be a source of security vulnerabilities in the form of shell injection attacks, and is not convenient, nor consistent with the behavior on POSIX operating systems.
- When a parent process invokes such a script and later tries to kill it via
TerminateProcess, only the shell will be killed, leaving an orphaned node process, which is, again, unlike what happens on POSIX operating systems when launched via a script with a shebang.
The Python ecosystem has developed a cleaver workaround for this issues by using a launcher executable that is appended with the path to the script it should execute.
This solves the problems in the following way:
- It is an exe, so no "Terminate batch job (Y/N)" even in cmd.
- It is an exe, so callable via regular
ExecuteProcess.
- It establishes a job around the child so that the child is killed on
TerminateProcess of the launcher.
It also includes some other handling for other edge cases/behaviors so everything is seamless.
The code for that is available here https://github.com/pypa/distlib/tree/master/PC (PSF licensed AFAIK)
Note that this effects npm (& Yarn/pnpm) itself, as well as any bin links for anything it installs.
Expected Behavior
For bin links in Windows to be as seamless as in POSIX operating system or when using Python & pip.
Steps To Reproduce
- Hit Ctrl-C while running a script from cmd using a bin link created by this package.
- Try to
ExecuteProcess such a bin link via the PATH. E.g. fry to ExecuteProcess npm itself.
- Launch some long running script and try to
TerminateProcess on the resulting PID, the script will be left running.
Environment
- npm: 9.2.0
- Node: 16.19.0
- OS: Windows 11 x64
- platform: PC
Is there an existing issue for this?
Current Behavior
The current bin links on Windows use a cmd, and and a ps1 script, this has a few side effects which aren't that nice to users of node on Windows:
ExecuteProcess, requiring a shell to execute them, which can often be a source of security vulnerabilities in the form of shell injection attacks, and is not convenient, nor consistent with the behavior on POSIX operating systems.TerminateProcess, only the shell will be killed, leaving an orphaned node process, which is, again, unlike what happens on POSIX operating systems when launched via a script with a shebang.The Python ecosystem has developed a cleaver workaround for this issues by using a launcher executable that is appended with the path to the script it should execute.
This solves the problems in the following way:
ExecuteProcess.TerminateProcessof the launcher.It also includes some other handling for other edge cases/behaviors so everything is seamless.
The code for that is available here https://github.com/pypa/distlib/tree/master/PC (PSF licensed AFAIK)
Note that this effects npm (& Yarn/pnpm) itself, as well as any bin links for anything it installs.
Expected Behavior
For bin links in Windows to be as seamless as in POSIX operating system or when using Python & pip.
Steps To Reproduce
ExecuteProcesssuch a bin link via thePATH. E.g. fry toExecuteProcessnpm itself.TerminateProcesson the resulting PID, the script will be left running.Environment