@tgrospic
Contributor

What this PR does

  • Fixes the Node.js DEP0190 deprecation warning:

    [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities...
    
  • Replaces the deprecated pattern:

    spawn(tool, ['run', 'vscode:prepublish'], { shell: true, ... });

    with the safe and supported string form:

    spawn(`${tool} run vscode:prepublish`, { shell: true, ... });

Why this matters

Why this is safe

  • The tool value is controlled (npm or yarn); no user input is involved.
  • The command is static and cannot be exploited.
  • This form fully avoids the DEP0190 warning in all supported Node.js versions.

Additional improvements

  • Extracts the command string into a prepublish variable for reuse in both logging and execution.
  • Improves readability without changing behavior.
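
What DEP0190 warns about, as an added example (not code from this PR): with `shell: true`, Node joins the command and its args with spaces into one shell command line without escaping them, so an argument containing a space reaches the child as two. The helper names are hypothetical, and the allowlist turns the description's "tool is npm or yarn" assumption into an explicit check.

```javascript
// Added example, not code from the PR. All helper names are hypothetical.
const { spawnSync } = require('node:child_process');

// Child process: the current Node binary prints how many argv entries it got.
// Assumption: process.execPath contains no spaces or shell metacharacters.
const COUNT_ARGV = ['-p', 'process.argv.length'];

// Spawns the child with one extra argument and returns the argv length it saw.
function argvLengthSeenByChild(extraArg, useShell) {
  const result = spawnSync(process.execPath, [...COUNT_ARGV, extraArg], {
    shell: useShell,
    encoding: 'utf8',
  });
  if (result.status !== 0) {
    throw new Error(`child failed: ${result.stderr}`);
  }
  return Number.parseInt(result.stdout.trim(), 10);
}

// The PR's string form, with the controlled-value assumption enforced in code.
const ALLOWED_TOOLS = new Set(['npm', 'yarn']);

// Builds the static command string; rejects any tool outside the allowlist.
function prepublishCommand(tool) {
  if (!ALLOWED_TOOLS.has(tool)) {
    throw new Error(`unexpected package tool: ${JSON.stringify(tool)}`);
  }
  return `${tool} run vscode:prepublish`;
}

// shell: false keeps 'one argument' as a single argv entry.
console.log('shell: false ->', argvLengthSeenByChild('one argument', false));
// shell: true lets the shell split it (and triggers DEP0190 where deprecated).
console.log('shell: true  ->', argvLengthSeenByChild('one argument', true));
console.log('command      ->', prepublishCommand('npm'));
```

The string form stays safe only while every interpolated value is fixed or allowlisted, since the whole string is parsed by the shell.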

@vs-code-engineering vs-code-engineering bot added this to the August 2025 milestone Aug 4, 2025
@benibenj benibenj enabled auto-merge August 5, 2025 08:48
@benibenj benibenj closed this Aug 5, 2025
auto-merge was automatically disabled August 5, 2025 08:48

Pull request was closed

@benibenj benibenj reopened this Aug 5, 2025
@rzhao271 rzhao271 merged commit 6b0b21d into microsoft:main Aug 6, 2025
2 checks passed