Skip to content

fix: add shell: true to spawnSync on Windows for .cmd launcher#291

Closed
ayu-exorcist wants to merge 1 commit into
colbymchenry:mainfrom
ayu-exorcist:fix-win32-spawn-einval
Closed

fix: add shell: true to spawnSync on Windows for .cmd launcher#291
ayu-exorcist wants to merge 1 commit into
colbymchenry:mainfrom
ayu-exorcist:fix-win32-spawn-einval

Conversation

@ayu-exorcist
Copy link
Copy Markdown

@ayu-exorcist ayu-exorcist commented May 22, 2026

Node.js spawnSync requires shell: true when executing .cmd batch files on Windows; without it the npm thin-installer shim throws EINVAL when running codegraph -v (or any command) via npm i -g or npx.

Fixes #289

@ayu-exorcist
fix: add shell: true to spawnSync on Windows for .cmd launcher
6ede6a3 
Node.js spawnSync requires shell: true when executing .cmd batch files
on Windows; without it the npm thin-installer shim throws EINVAL.

Resolves #289
Copilot AI review requested due to automatic review settings May 22, 2026 02:19
Copilot AI reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes a Windows install/runtime failure when invoking Codegraph via npm/npx by adjusting how the npm shim spawns the bundled executable, and documents the fix in the changelog.

Changes:

  • Run spawnSync with shell: true on Windows to allow executing .cmd files.
  • Add a changelog entry describing the Windows EINVAL fix and linking the related issue.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
scripts/npm-shim.js Adjusts spawnSync options to use a shell on Windows so .cmd invocation works.
CHANGELOG.md Documents the Windows EINVAL fix and references issue #289.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/npm-shim.js
}

var res = childProcess.spawnSync(binPath, process.argv.slice(2), { stdio: 'inherit' });
var res = childProcess.spawnSync(binPath, process.argv.slice(2), { stdio: 'inherit', shell: process.platform === 'win32' });
Comment thread CHANGELOG.md
Comment on lines +63 to 70
### Fixed
- **Windows `EINVAL` via npm/npx.** The thin-installer shim used `spawnSync` to
launch the bundled `codegraph.cmd` on Windows, which throws `EINVAL` when
`shell: true` is omitted (Node.js requires a shell to execute `.cmd` batch
files). Windows installs via `npm i -g` or `npx` now work. Resolves
[#289](https://github.com/colbymchenry/codegraph/issues/289).

## [0.9.1] - 2026-05-21
@ayu-exorcist ayu-exorcist mentioned this pull request May 22, 2026
Closed
@colbymchenry
Copy link
Copy Markdown
Owner

colbymchenry commented May 22, 2026

Thanks a lot for this @ayu-exorcist — your diagnosis is spot on, and you caught the .cmd/EINVAL root cause exactly right. 🙏

We ended up fixing this in #292 (now merged, shipping in 0.9.2) with a slightly different approach, so I'm closing this one as superseded.

Why we didn't go with shell: true: on Windows, spawnSync with shell: true and an args array doesn't auto-quote the arguments — it concatenates them into a cmd.exe command line. That breaks as soon as a path or arg contains a space (e.g. C:\Users\me\My Project) or a shell metacharacter, and routing user-supplied args back through cmd.exe re-opens part of the very injection surface the CVE-2024-27980 hardening (the thing throwing EINVAL) was added to close.

Instead, #292 skips the .cmd entirely on Windows and spawns the bundled node.exe directly against the app entry (lib/dist/bin/codegraph.js) — which is exactly what the .cmd does internally, so there's no behavior change and no shell involved at all. It's verified end-to-end against a real win32-x64 bundle (npm install + codegraph init -i/status on the bundled Node 24).

Really appreciate you taking the time to report and fix this — hope to see more PRs from you. 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

EINVAL

3 participants

@ayu-exorcist @colbymchenry