Commit a072411

kovan authored and aduh95 committed
doc: remove spawn with shell example from bat/cmd section

Remove the suggestion to use child_process.spawn() with the shell option set for running .bat and .cmd files on Windows. Passing arguments through spawn with shell: true is deprecated (DEP0190) due to shell injection risks. Keep the exec() and direct cmd.exe spawn alternatives.

Fixes: #58735
PR-URL: #62243
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Stefan Stojanovic <stefan.stojanovic@janeasystems.com>

1 parent 5ed5474 commit a072411

1 file changed

+5 -12 lines changed: 5 additions & 12 deletions

‎doc/api/child_process.md‎

@@ -120,23 +120,19 @@ however, `.bat` and `.cmd` files are not executable on their own without a
120120
terminal, and therefore cannot be launched using [`child_process.execFile()`][].
121121
When running on Windows, `.bat` and `.cmd` files can be invoked by:
122122

123-
* using [`child_process.spawn()`][] with the `shell` option set, or
123+
* using [`child_process.spawn()`][] with the `shell` option set (not recommended, see [DEP0190][]), or
124124
* using [`child_process.exec()`][], or
125125
* spawning `cmd.exe` and passing the `.bat` or `.cmd` file as an argument
126-
(which is what the `shell` option and [`child_process.exec()`][] do).
126+
(which is what [`child_process.exec()`][] does internally).
127127

128128
In any case, if the script filename contains spaces, it needs to be quoted.
129129

130130
```cjs
131131
const { exec, spawn } = require('node:child_process');
132132

133-
// 1. child_process.spawn() with the shell option set
134-
const myBat = spawn('my.bat', { shell: true });
135-
136-
// 2. child_process.exec()
137133
exec('my.bat', (err, stdout, stderr) => { /* ... */ });
138134

139-
// 3. spawning cmd.exe and passing the .bat or .cmd file as an argument
135+
// Or, spawning cmd.exe directly:
140136
const bat = spawn('cmd.exe', ['/c', 'my.bat']);
141137

142138
// If the script filename contains spaces, it needs to be quoted
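
Review bot: The first bullet (new line 123) keeps `child_process.spawn()` with the `shell` option in the list, now marked "not recommended, see [DEP0190][]", whereas the commit message says the suggestion is removed; reword one of them so the text and the message agree, or drop the bullet outright. With that option discouraged, both remaining routes run the script through `cmd.exe` (the parenthetical on new line 126 says `exec()` does this internally), so a sentence here telling readers not to build the command string or the `/c` argument from untrusted input would carry over the injection concern that motivated the change.
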
@@ -146,13 +142,9 @@ exec('"my script.cmd" a b', (err, stdout, stderr) => { /* ... */ });
146142
```mjs
147143
import { exec, spawn } from 'node:child_process';
148144

149-
// 1. child_process.spawn() with the shell option set
150-
const myBat = spawn('my.bat', { shell: true });
151-
152-
// 2. child_process.exec()
153145
exec('my.bat', (err, stdout, stderr) => { /* ... */ });
154146

155-
// 3. spawning cmd.exe and passing the .bat or .cmd file as an argument
147+
// Or, spawning cmd.exe directly:
156148
const bat = spawn('cmd.exe', ['/c', 'my.bat']);
157149

158150
// If the script filename contains spaces, it needs to be quoted
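
Review bot: In the mjs example the `exec('my.bat', ...)` call (new line 145) has lost its heading comment, so `// Or, spawning cmd.exe directly:` on new line 147 reads as an alternative to an unlabeled statement; add a short comment such as `// Using child_process.exec():` above the `exec` call, and make the same change in the cjs block so the two stay identical.
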
@@ -2364,6 +2356,7 @@ Therefore, this feature requires opting in by setting the
23642356
or [`child_process.fork()`][].
23652357

23662358
[Advanced serialization]: #advanced-serialization
2359+
[DEP0190]: deprecations.md#dep0190-passing-args-to-nodechild_process-execfilespawn-with-shell-option
23672360
[Default Windows shell]: #default-windows-shell
23682361
[HTML structured clone algorithm]: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Structured_clone_algorithm
23692362
[Shell requirements]: #shell-requirements
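
Review bot: The `[DEP0190]` definition added at new line 2359 points at a long heading-derived fragment, `deprecations.md#dep0190-passing-args-to-nodechild_process-execfilespawn-with-shell-option`, which this diff gives no way to check; confirm it matches the generated anchor for the DEP0190 heading in `deprecations.md`, since a mismatch would leave the new "not recommended" pointer as a dead link.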
