You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is important to note that there has been a breaking change for Windows users who utilize child_process.spawn and child_process.spawnSync. Node.js will now error with EINVAL if a .bat or .cmd file is passed to child_process.spawn and child_process.spawnSync without the shell option set. If the input to spawn/spawnSync is sanitized, users can now pass { shell: true } as an option to prevent the occurrence of EINVALs errors.
Until {shell: true} is passed as an option, the childProcess.spawnSync call in index.js will encounter error EINVAL and return null.
The text was updated successfully, but these errors were encountered:
Please update in light of the April 2024 Node.js security patch Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980).
Until
{shell: true}is passed as an option, thechildProcess.spawnSynccall inindex.jswill encounter errorEINVALand returnnull.The text was updated successfully, but these errors were encountered: