Skip to content

Commit 823f08c

Browse files
authored
fix: spawn EINVAL on Windows with script-shell configured (#42)
1 parent 74ebffe commit 823f08c

File tree

1 file changed

+14
-0
lines changed

1 file changed

+14
-0
lines changed

index.js

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -241,6 +241,20 @@ function runCmd_ (cmd, pkg, env, wd, opts, stage, unsafe, uid, gid, cb_) {
241241
conf.windowsVerbatimArguments = true
242242
}
243243

244+
// Spawning .bat and .cmd files on Windows requires the "shell" option to
245+
// spawn to be set. Otherwise spawn will throw with EINVAL.
246+
//
247+
// https://nodejs.org/api/child_process.html#spawning-bat-and-cmd-files-on-windows
248+
// https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
249+
//
250+
// The shell option is security sensitive. It should make sense for this
251+
// usecase since scripts in package.json intentionally run on the shell.
252+
// Avoiding setting the shell option in all cases to preserve existing
253+
// behavior on non-Windows platforms.
254+
if (process.platform === 'win32' && customShell && (customShell.endsWith('.bat') || customShell.endsWith('.cmd'))) {
255+
conf.shell = true
256+
}
257+
244258
opts.log.verbose('lifecycle', logid(pkg, stage), 'PATH:', env[PATH])
245259
opts.log.verbose('lifecycle', logid(pkg, stage), 'CWD:', wd)
246260
opts.log.silly('lifecycle', logid(pkg, stage), 'Args:', [shFlag, cmd])

0 commit comments

Comments
 (0)