Skip to content

fix(all): shell option usage on child_process.spawn calls #2708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Nov 26, 2025
Merged

fix(all): shell option usage on child_process.spawn calls #2708

merged 10 commits into from
Nov 26, 2025
+38 −96

Conversation

@gabrielmfern
Copy link
Member

@gabrielmfern gabrielmfern commented Nov 25, 2025
edited by cubic-dev-ai bot
Loading

shell: true runs the command you input using the shell from the system, but it doesn't sanitize the arguments you pass to the shell meaning it can be unsafe, so Node.js starts warning from version 24 onwards like

image

This pull request simply replaces all of those usages with all the arguments as a raw string, or using nypm to install dependencies and run scripts, which also makes our code cleaner.

Summary by cubic

Updated child_process.spawn usage to avoid unsafe shell argument handling and reduce Node v24 warnings by switching to nypm helpers and safer command execution. Preview server scripts now use single command strings with shell and import.meta.dirname for reliable paths.

  • Bug Fixes
    • create-email tests: replaced shell calls with nypm (installDependencies, runScript), switched to import.meta.dirname, used process.execPath; updated tsconfig to nodenext (moduleResolution and module); added nypm devDependency.
    • preview-server build/dev: swapped args arrays for single command strings (pnpm next build/dev), and switched to import.meta.dirname; updated tsconfig to esnext and included .mts.
    • react-email build: removed custom spawn logic; use nypm installDependencies and runScript('build'); typed packageManager as PackageManagerName.

Written for commit 032309b. Summary will update automatically on new commits.

@gabrielmfern gabrielmfern self-assigned this Nov 25, 2025
@changeset-bot
Copy link

changeset-bot bot commented Nov 25, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 032309b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link

vercel bot commented Nov 25, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
react-email Ready Ready Preview Comment Nov 26, 2025 7:56pm
react-email-demo Ready Ready Preview Comment Nov 26, 2025 7:56pm

@gabrielmfern gabrielmfern requested review from a team and joaopcm and removed request for a team November 25, 2025 13:53
@pkg-pr-new
Copy link

pkg-pr-new bot commented Nov 25, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/resend/react-email/create-email@2708

npm i https://pkg.pr.new/resend/react-email/@react-email/preview-server@2708

npm i https://pkg.pr.new/resend/react-email@2708

commit: 032309b

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Nov 25, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 8 files

Prompt for AI agents (all 2 issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/preview-server/scripts/build-preview-server.mts">

<violation number="1" location="packages/preview-server/scripts/build-preview-server.mts:5">
Spawning node_modules/.bin/next directly breaks on Windows because the .cmd shim is never selected; resolve to next.cmd (or use process.execPath) so the build still runs on win32.</violation>
</file>

<file name="packages/create-email/src/index.spec.ts">

<violation number="1" location="packages/create-email/src/index.spec.ts:44">
Type-check test now invokes the repo’s TypeScript binary instead of the generated project’s, so missing TypeScript dependencies in the starter will go undetected.</violation>
</file>

Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR

@gabrielmfern gabrielmfern force-pushed the fix/usages-of-shell-true branch from fc9ac4c to b4da70a Compare November 26, 2025 18:28
@socket-security
Copy link

socket-security bot commented Nov 26, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​types/​normalize-path@​3.0.21001005479100
Added@​types/​mime-types@​2.1.41001006581100
Added@​radix-ui/​react-toggle@​1.1.10991006799100
Added@​radix-ui/​react-slot@​1.2.31001006998100
Added@​radix-ui/​react-collapsible@​1.1.12991007099100
Added@​radix-ui/​react-toggle-group@​1.1.11991007099100
Added@​radix-ui/​react-tabs@​1.1.13991007099100
Added@​types/​prompts@​2.4.91001007080100
Added@​radix-ui/​react-dropdown-menu@​2.1.16991007199100
Added@​radix-ui/​react-popover@​1.1.15991007199100
Added@​types/​react-dom@​19.0.11001007294100
Added@​radix-ui/​react-tooltip@​1.2.8991007299100
Added@​radix-ui/​react-tabs@​1.1.2991007399100
Added@​radix-ui/​react-select@​2.2.6991007499100
Added@​types/​prismjs@​1.26.51001007480100
Added@​types/​html-to-text@​9.0.41001007480100
Added@​types/​babel__core@​7.20.51001007580100
Added@​types/​css-tree@​2.3.101001007582100
Added@​types/​shelljs@​0.8.151001007581100
Added@​types/​fs-extra@​11.0.11001007680100
Added@​types/​babel__traverse@​7.20.71001007681100
Added@​responsive-email/​react-email@​0.0.4791008377100
Added@​types/​react@​19.0.11001008096100
Addedclsx@​2.1.11001009680100
Added@​radix-ui/​colors@​3.0.01001008185100
Added@​types/​node@​22.14.11001008195100
Addedclassnames@​2.5.110010010082100
Addedcss-tree@​3.1.010010010083100
Added@​vercel/​analytics@​1.5.099100838570
Addedvite@​6.4.1961008399100
Addedautoprefixer@​10.4.211001009286100
Addedconf@​15.0.29910010087100
Addedcommander@​13.1.010010010087100
See 8 more rows in the dashboard

View full report

@gabrielmfern gabrielmfern force-pushed the fix/usages-of-shell-true branch from c96e840 to 0a4a3c9 Compare November 26, 2025 18:40
@gabrielmfern
Copy link
Member Author

gabrielmfern commented Nov 26, 2025

@cubic-dev-ai review this PR

@cubic-dev-ai
Copy link
Contributor

cubic-dev-ai bot commented Nov 26, 2025

@cubic-dev-ai review this PR

@gabrielmfern I've started the AI code review. It'll take a few minutes to complete.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Nov 26, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 8 files

Prompt for AI agents (all 1 issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/create-email/tsconfig.json">

<violation number="1" location="packages/create-email/tsconfig.json:7">
TypeScript 5.8.3 (the version used by this package) does not support the `&quot;node20&quot;` module target, so the new compiler option makes `tsc` fail with TS6046.</violation>
</file>

Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR

@gabrielmfern gabrielmfern merged commit 53c0a90 into canary Nov 26, 2025
15 of 17 checks passed
@gabrielmfern gabrielmfern deleted the fix/usages-of-shell-true branch November 26, 2025 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@joaopcm joaopcm joaopcm approved these changes

Assignees

@gabrielmfern gabrielmfern

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gabrielmfern @joaopcm