fix(installer): Windows npm launcher EINVAL on modern Node (#289) #292
Merged
The npm thin-installer shim spawned the per-platform bundle's `.cmd` launcher directly. Modern Node on Windows refuses to spawn `.cmd`/`.bat` without `shell: true` (the CVE-2024-27980 hardening), so every `codegraph` command failed with `spawnSync …\codegraph.cmd EINVAL` (seen on Node 24). On Windows the shim now invokes the bundled `node.exe` against the app entry point directly, bypassing the `.cmd` (and avoiding the arg-quoting pitfalls of `shell: true`). Unix is unchanged. Validated end-to-end against a real win32-x64 bundle: `npm install` of the packed tarballs + `codegraph init -i`/`status` run on the bundled Node 24. Also cuts release 0.9.2, rolling up the pending Drupal, zero-config, config-removal, Hermes-installer, and symlink-security changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 22, 2026
Closed
Problem
On Windows, `npm i -g @colbymchenry/codegraph` followed by any `codegraph` command fails with:

The npm thin-installer shim (`scripts/npm-shim.js`) located the per-platform bundle and `spawnSync`'d its `.cmd` launcher directly. Modern Node on Windows refuses to spawn `.cmd`/`.bat` files without `shell: true` (the CVE-2024-27980 hardening) — it throws `EINVAL`. The reporter is on Node v24.11.0. Closes #289.

Fix
On Windows the shim now resolves the bundle's `node.exe` and the app entry (`lib/dist/bin/codegraph.js`) and spawns those directly, bypassing the `.cmd`. This mirrors exactly what the `.cmd` does and avoids `shell: true` (which doesn't auto-quote array args on Windows and widens the injection surface). The unix path (a shell-script launcher) is unchanged.

Validation
Verified end-to-end on Windows (host Node v22.22.0) against a real win32-x64 bundle built via `build-bundle.sh` (official Node v24.16.0 runtime + compiled app + prod deps), packed with `npm pack`, and `npm install`ed from the tarballs into a clean dir:

- `codegraph init -i` (repro): `spawnSync …codegraph.cmd EINVAL`
- `codegraph status`: `Backend: node:sqlite - built-in (full WAL)`

The `status` line confirms the bundled Node 24 ran (`node:sqlite` doesn't exist on the host's Node 22), proving the shim launched `node.exe`, not the `.cmd`.

Release
Cuts 0.9.2, rolling up everything pending since v0.9.1: Drupal 8/9/10/11 support, zero-config indexing, the breaking config-surface removal, the Hermes Agent installer target, and the symlink-marker security fix. Changelog and `package.json`/`package-lock.json` bumped. (npm publish is still gated behind the manual Release workflow — not triggered here.)

🤖 Generated with Claude Code
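
An added example (not the project's `scripts/npm-shim.js`) of the launch decision described above: the Windows branch targets the bundled `node.exe` plus the JS entry point, a guard rejects any plan that would spawn a batch file or use `shell: true`, and a small check shows what a directly spawned child receives in its argv. The location of `node.exe` at the bundle root, the unix launcher path `bin/codegraph`, and the helper names `launchPlan`, `checkPlan` and `argvSeenByChild` are assumptions.

```javascript
// Added example, not the project's scripts/npm-shim.js.
// Assumed layout: <bundle>/node.exe, <bundle>/lib/dist/bin/codegraph.js,
// and <bundle>/bin/codegraph as the unix shell-script launcher.
const path = require('node:path');
const { spawnSync } = require('node:child_process');

const BATCH_FILE = /\.(cmd|bat)$/i;

// Decide what to spawn. win32 runs the bundled node.exe on the JS entry
// point, so no .cmd is involved and shell:true is never needed.
function launchPlan(platform, bundleDir, userArgs) {
  if (platform === 'win32') {
    const entry = path.win32.join(bundleDir, 'lib', 'dist', 'bin', 'codegraph.js');
    return {
      command: path.win32.join(bundleDir, 'node.exe'),
      args: [entry, ...userArgs],
      options: { stdio: 'inherit', shell: false },
    };
  }
  return {
    command: path.posix.join(bundleDir, 'bin', 'codegraph'),
    args: [...userArgs],
    options: { stdio: 'inherit', shell: false },
  };
}

// Regression guard: reject plans that would hit EINVAL on hardened Node
// (batch-file target) or that fall back to shell:true.
function checkPlan(platform, plan) {
  if (platform === 'win32' && BATCH_FILE.test(plan.command)) {
    throw new Error(`refusing to spawn batch file directly: ${plan.command}`);
  }
  if (plan.options.shell) throw new Error('shell:true is not allowed in the shim');
  return plan;
}

// Shows what a directly spawned child receives: each array element arrives
// as one argv entry, with shell metacharacters left uninterpreted.
// Constructed demo; args must not start with "-" (node would parse them).
function argvSeenByChild(userArgs) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const r = spawnSync(process.execPath, ['-e', script, ...userArgs],
    { encoding: 'utf8', shell: false });
  if (r.error) throw r.error;
  return JSON.parse(r.stdout);
}
```

Running `checkPlan` over the result of `launchPlan` in a unit test keeps a later refactor from reintroducing a `.cmd` target or a `shell: true` fallback.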