feat: versync now uses execFile rather than exec to launch children

exec launches a shell. It is generally wasteful to launch a shell, and it may lead to bizarre results because the parameters passed to git are subject to interpretation by the shell. BREAKING CHANGE: the switch from exec to execFile *could* in theory cause some usages of versync that previously worked to now fail. I'd expect the likelihood of such occurence to be extremely small because attempts to take advantage of the shell interpretation provided by exec would most likely fail in other ways. (E.g. putting quotes in a version number would make semver checks fail.)
lddubeau · Nov 20, 2019 · b30783c · b30783c
1 parent 2eaa90b
commit b30783c
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/index.js b/index.js
@@ -1,6 +1,6 @@
 "use strict";
 
-const { exec } = require("child_process");
+const { execFile } = require("child_process");
 const fs = require("fs-extra");
 const path = require("path");
 const semver = require("semver");
@@ -53,11 +53,12 @@ class ExecutionError extends Error {
 exports.ExecutionError = ExecutionError;
 
 
-function execAsync(command, options) {
+function execFileAsync(command, args) {
   return new Promise((resolve, reject) => {
-    exec(command, options, (err, stdout, stderr) => {
+    execFile(command, args, (err, stdout, stderr) => {
       if (err) {
-        reject(new ExecutionError(`${command} failed`, err, stderr, stdout));
+        reject(new ExecutionError(`${command} ${args.join(" ")} failed`, err,
+                                  stderr, stdout));
         return;
       }
 
@@ -69,7 +70,6 @@ function execAsync(command, options) {
   });
 }
 
-
 /**
  * Get a list of sources to process. This list includes by default
  * ``package.json``. It also includes the files specified by the
@@ -468,14 +468,14 @@ in ${sources.join(", ").bold}.`);
     for (const source of sources) {
       // We do not want to run these adds in parallel.
       // eslint-disable-next-line no-await-in-loop
-      await execAsync(`git add ${source}`);
+      await execFileAsync("git", ["add", source]);
     }
   }
 
   async _commitSourcesAndCreateTag(version) {
     await this._addSources();
-    await execAsync(`git commit -m 'v${version}'`);
-    await execAsync(`git tag v${version}`);
+    await execFileAsync("git", ["commit", "-m", `v${version}`]);
+    await execFileAsync("git", ["tag", `v${version}`]);
     this._emitMessage(`Files have been committed and tag \
 ${`v${version}`.bold.green} was created.`);
   }