Description
STR:
Set up a Windows developer environment in a VM if needed: Install git, Node.js, clone the repo and install the project dependencies.
Install nvm-windows and git. Open PowerShell. I also had to call Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser because otherwise npm ci below would fail and point to https://go.microsoft.com/fwlink/?LinkID=135170 (for a VM Unrestricted is okay; if this is not a throw-away system, consider -Scope Process instead).
nvm install 22
nvm use 22
git clone https://github.com/mozilla/web-ext
cd web-ext
npm ci
npm run build
.\node_modules\.bin\mocha .\tests\functional\test.cli.run.js
The test fails with EINVAL being reported by spawn. This is because the test uses a .bat file to launch Node.js:
web-ext/tests/functional/common.js
Lines 23 to 28 in f3a7fc3

```javascript
export const fakeFirefoxPath = path.join(
  functionalTestsDir,
  process.platform === 'win32'
    ? 'fake-firefox-binary.bat'
    : 'fake-firefox-binary.js',
);
```

... and Node.js stopped supporting that in spawn unless shell: true is passed:
- CVE-2024-27980 (more info: BatBadBut: https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
- https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
- Command run failed with error : spawn EINVAL nodejs/node#52554
We should replace this mechanism of loading the script with something else.
This is currently not failing in our CI, because we use Node.js versions that predate the breaking change in Node.js: we use 18.19.0 and 20.11.0, according to
Lines 31 to 33 in f3a7fc3

```yaml
- &nodejs_current "18.19.0"
- &nodejs_next "20.11.0"
- &nodejs_experimental "21.5"
```
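
One way to start a Node.js test script without a .bat wrapper and without `shell: true`, as an added example that is not part of the original issue or the web-ext code base. `planLaunch` and `launch` are hypothetical names, and the sketch assumes the caller controls how the script is spawned.

```javascript
// Added example, not web-ext code. planLaunch and launch are hypothetical names.
const BATCH_FILE = /\.(bat|cmd)$/i;
const NODE_SCRIPT = /\.[cm]?js$/i;

// Decide how to start `target` without routing its arguments through cmd.exe.
function planLaunch(target, args = [], platform = process.platform) {
  if (NODE_SCRIPT.test(target)) {
    // Run the script with the current Node.js binary: no wrapper, no shell,
    // and the same code path on every platform.
    return { file: process.execPath, args: [target, ...args], shell: false };
  }
  if (platform === 'win32' && BATCH_FILE.test(target)) {
    // Node.js releases with the CVE-2024-27980 fix reject this with EINVAL
    // unless shell: true is set. Fail early with a readable message instead
    // of enabling the shell, which would let cmd.exe parse the arguments.
    throw new Error(`refusing to spawn batch file without a shell: ${target}`);
  }
  // Any other executable is spawned directly, still without a shell.
  return { file: target, args: [...args], shell: false };
}

// Spawn according to the plan; resolves with the exit code and captured stdout.
async function launch(target, args = []) {
  const { spawn } = await import('node:child_process');
  const plan = planLaunch(target, args);
  return new Promise((resolve, reject) => {
    const child = spawn(plan.file, plan.args, { shell: plan.shell });
    let stdout = '';
    child.stdout.on('data', (chunk) => { stdout += chunk; });
    child.on('error', reject);
    child.on('close', (code) => resolve({ code, stdout }));
  });
}
```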