Fix Node.js deprecation warnings about passing args to child_process

nex3 · nex3 · commit 3de6601b8187 · 2025-10-31T06:59:03.000-07:00
diff --git a/bin/sass.ts b/bin/sass.ts
@@ -2,25 +2,31 @@
 
 import * as child_process from 'child_process';
 import * as path from 'path';
+
 import {compilerCommand} from '../lib/src/compiler-path';
 
 // TODO npm/cmd-shim#152 and yarnpkg/berry#6422 - If and when the package
 // managers support it, we should make this a proper shell script rather than a
 // JS wrapper.
 
 try {
-  child_process.execFileSync(
-    compilerCommand[0],
-    [...compilerCommand.slice(1), ...process.argv.slice(2)],
-    {
-      // Node blocks launching .bat and .cmd without a shell due to CVE-2024-27980
-      shell: ['.bat', '.cmd'].includes(
-        path.extname(compilerCommand[0]).toLowerCase(),
-      ),
-      stdio: 'inherit',
-      windowsHide: true,
-    },
-  );
+  let command = compilerCommand[0];
+  let args = [...compilerCommand.slice(1), ...process.argv.slice(2)];
+  const options: child_process.ExecFileSyncOptions = {
+    stdio: 'inherit',
+    windowsHide: true,
+  };
+
+  // Node forbids launching .bat and .cmd without a shell due to CVE-2024-27980,
+  // and DEP0190 forbids passing an argument list *with* shell: true. To work
+  // around this, we have to manually concatenate the arguments.
+  if (['.bat', '.cmd'].includes(path.extname(command).toLowerCase())) {
+    command = `${command} ${args.join(' ')}`;
+    args = [];
+    options.shell = true;
+  }
+
+  child_process.execFileSync(command, args, options);
 } catch (error) {
   if (error.code) {
     throw error;
diff --git a/lib/src/compiler/async.ts b/lib/src/compiler/async.ts
@@ -2,7 +2,8 @@
 // MIT-style license that can be found in the LICENSE file or at
 // https://opensource.org/licenses/MIT.
 
-import {spawn} from 'child_process';
+import * as child_process from 'child_process';
+
 import {Observable} from 'rxjs';
 import {takeUntil} from 'rxjs/operators';
 
@@ -36,21 +37,28 @@ const initFlag = Symbol();
 /** An asynchronous wrapper for the embedded Sass compiler */
 export class AsyncCompiler {
   /** The underlying process that's being wrapped. */
-  private readonly process = spawn(
-    compilerCommand[0],
-    [...compilerCommand.slice(1), '--embedded'],
-    {
+  private readonly process = (() => {
+    let command = compilerCommand[0];
+    let args = [...compilerCommand.slice(1), '--embedded'];
+    const options: child_process.SpawnOptions = {
       // Use the command's cwd so the compiler survives the removal of the
       // current working directory.
       // https://github.com/sass/embedded-host-node/pull/261#discussion_r1438712923
       cwd: path.dirname(compilerCommand[0]),
-      // Node blocks launching .bat and .cmd without a shell due to CVE-2024-27980
-      shell: ['.bat', '.cmd'].includes(
-        path.extname(compilerCommand[0]).toLowerCase(),
-      ),
       windowsHide: true,
-    },
-  );
+    };
+
+    // Node forbids launching .bat and .cmd without a shell due to CVE-2024-27980,
+    // and DEP0190 forbids passing an argument list *with* shell: true. To work
+    // around this, we have to manually concatenate the arguments.
+    if (['.bat', '.cmd'].includes(path.extname(command).toLowerCase())) {
+      command = `${command} ${args!.join(' ')}`;
+      args = [];
+      options.shell = true;
+    }
+
+    return child_process.spawn(command, args, options);
+  })();
 
   /** The next compilation ID. */
   private compilationId = 1;
@@ -73,17 +81,17 @@ export class AsyncCompiler {
 
   /** The buffers emitted by the child process's stdout. */
   private readonly stdout$ = new Observable<Buffer>(observer => {
-    this.process.stdout.on('data', buffer => observer.next(buffer));
+    this.process.stdout!.on('data', buffer => observer.next(buffer));
   }).pipe(takeUntil(this.exit$));
 
   /** The buffers emitted by the child process's stderr. */
   private readonly stderr$ = new Observable<Buffer>(observer => {
-    this.process.stderr.on('data', buffer => observer.next(buffer));
+    this.process.stderr!.on('data', buffer => observer.next(buffer));
   }).pipe(takeUntil(this.exit$));
 
   /** Writes `buffer` to the child process's stdin. */
   private writeStdin(buffer: Buffer): void {
-    this.process.stdin.write(buffer);
+    this.process.stdin!.write(buffer);
   }
 
   /** Guards against using a disposed compiler. */
@@ -190,7 +198,7 @@ export class AsyncCompiler {
   async dispose(): Promise<void> {
     this.disposed = true;
     await Promise.all(this.compilations);
-    this.process.stdin.end();
+    this.process.stdin!.end();
     await this.exit$;
   }
 }
diff --git a/lib/src/compiler/sync.ts b/lib/src/compiler/sync.ts
@@ -36,21 +36,28 @@ const initFlag = Symbol();
 /** A synchronous wrapper for the embedded Sass compiler */
 export class Compiler {
   /** The underlying process that's being wrapped. */
-  private readonly process = new SyncChildProcess(
-    compilerCommand[0],
-    [...compilerCommand.slice(1), '--embedded'],
-    {
+  private readonly process = (() => {
+    let command = compilerCommand[0];
+    let args = [...compilerCommand.slice(1), '--embedded'];
+    const options: child_process.SpawnOptions = {
       // Use the command's cwd so the compiler survives the removal of the
       // current working directory.
       // https://github.com/sass/embedded-host-node/pull/261#discussion_r1438712923
       cwd: path.dirname(compilerCommand[0]),
-      // Node blocks launching .bat and .cmd without a shell due to CVE-2024-27980
-      shell: ['.bat', '.cmd'].includes(
-        path.extname(compilerCommand[0]).toLowerCase(),
-      ),
       windowsHide: true,
-    },
-  );
+    };
+
+    // Node forbids launching .bat and .cmd without a shell due to CVE-2024-27980,
+    // and DEP0190 forbids passing an argument list *with* shell: true. To work
+    // around this, we have to manually concatenate the arguments.
+    if (['.bat', '.cmd'].includes(path.extname(command).toLowerCase())) {
+      command = `${command} ${args!.join(' ')}`;
+      args = [];
+      options.shell = true;
+    }
+
+    return new SyncChildProcess(command, args, options);
+  })();
 
   /** The next compilation ID. */
   private compilationId = 1;
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sass-embedded",
-  "version": "1.93.2",
+  "version": "1.93.3-dev",
   "protocol-version": "3.2.0",
   "compiler-version": "1.93.2",
   "description": "Node.js library that communicates with Embedded Dart Sass using the Embedded Sass protocol",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "sass-embedded",`
`3`		`- "version": "1.93.2",`
	`3`	`+ "version": "1.93.3-dev",`
`4`	`4`	`"protocol-version": "3.2.0",`
`5`	`5`	`"compiler-version": "1.93.2",`
`6`	`6`	`"description": "Node.js library that communicates with Embedded Dart Sass using the Embedded Sass protocol",`