Skip to content

Conflict between child_process API guidance and DEP0190 #58735

New issue
New issue
Open
#58739
Open
Conflict between child_process API guidance and DEP0190#58735
#58739
Labels
docIssues and PRs related to the documentations.
@ericcornelissen

Description

@ericcornelissen
ericcornelissen
opened on Jun 16, 2025

Affected URL(s)

https://nodejs.org/docs/latest-v24.x/api/child_process.html#spawning-bat-and-cmd-files-on-windows

Description of the problem

The suggestions here include using spawn with shell: true, however doing so is deprecated with DEP0190. This conflicting messaging is confusing and makes this difficult-to-use-safely API even more confusing to use for non-experts.

I don't know what the right call is here. My guess is that DEP0190 was created to nudge people away from using spawn with shell: true by either using it safely or explicitly using the insecure exec command. Since the only alternative in the documentation is exec I'd suggest removing the suggestion to use spawn with shell: true entirely.

Activity

ericcornelissen
added
docIssues and PRs related to the documentations.
on Jun 16, 2025
ericcornelissen
mentioned this on Jun 16, 2025
juanarbol

juanarbol commented on Jun 16, 2025

@juanarbol
juanarbol
on Jun 16, 2025
Member

Nice catch.

Can you send a PR fixing this? :)

ericcornelissen

ericcornelissen commented on Jun 17, 2025

@ericcornelissen
ericcornelissen
on Jun 17, 2025
Author

Can do 👍

ericcornelissen
added a commit that references this issue on Jun 17, 2025

doc: update "Spawning `.bat` and `.cmd` files on Windows" section

5f86525
ericcornelissen
linked a pull request that will close this issue on Jun 17, 2025
Knagis

Knagis commented on Jun 19, 2025

@Knagis
Knagis
on Jun 19, 2025 · edited by Knagis

But exec doesn't have stdio option, so it isn't a proper replacement.

ericcornelissen

ericcornelissen commented on Jun 19, 2025

@ericcornelissen
ericcornelissen
on Jun 19, 2025 · edited by ericcornelissen
Author

Interesting point, execSync does have that option, tho I guess using the sync version might not always be desirable... Could it be added to the exec API?

Knagis

Knagis commented on Jun 25, 2025

@Knagis
Knagis
on Jun 25, 2025

See #58763 (comment) - turns out that spawn accepts the command line arguments directly in the command parameter, and args array can be omitted. So that likely is the best option for the docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    docIssues and PRs related to the documentations.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @ericcornelissen@Knagis@juanarbol

      Issue actions
        Conflict between `child_process` API guidance and DEP0190 · Issue #58735 · nodejs/node