Spawning some commands on windows fails with error EINVAL in Node 20 LTS (20.12.2) only #52681

Closed
RobertSandiford opened this issue Apr 25, 2024 · 17 comments
Labels
child_process Issues and PRs related to the child_process subsystem. windows Issues and PRs related to the Windows platform.

Comments

@RobertSandiford

RobertSandiford commented Apr 25, 2024

Version

v20.12.2

Platform

Microsoft Windows NT 10.0.19045.0 x64

Subsystem

child_process

What steps will reproduce the bug?

node -e "const { spawn } = require('child_process'); const child = spawn('npm.cmd', ['--version'], { stdio: 'inherit' })"

How often does it reproduce? Is there a required condition?

100%

What is the expected behavior? Why is that the expected behavior?

Should print the npm version e.g. 10.2.0 to the console

What do you see instead?

node:internal/child_process:421
    throw new ErrnoException(err, 'spawn');
    ^

Error: spawn EINVAL
    at ChildProcess.spawn (node:internal/child_process:421:11)
    at spawn (node:child_process:761:9)
    at [eval]:1:59
    at runScriptInThisContext (node:internal/vm:209:10)
    at node:internal/process/execution:109:14
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:92:62)
    at evalScript (node:internal/process/execution:123:10)
    at node:internal/main/eval_string:51:3 {
  errno: -4071,
  code: 'EINVAL',
  syscall: 'spawn'
}

Node.js v20.12.2

Additional information

Tested and working in 20.12.1 (prior version).

I am able to run spawn('node', ['--version'], { stdio: 'inherit' }) without issue. But running node does not require the .cmd extension and errors with it (ENOENT) in all tested versions.

This appears to be an issue spawning commands that require the .cmd extension, I believe this is a windows only issue.

I tested also with pnpm.cmd and the behaviour is the same as with npm.cmd

@climba03003
Contributor

climba03003 commented Apr 25, 2024

It is intended behavior for the security patch CVE-2024-27980.
You must pass shell: true in the option on Windows environment if you need to spawn program ended with .bat or .cmd extension.

The patch is deployed in 18.20.2, 20.12.2, 21.17.3 and also 22.0.0
Details can be found on https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

@RobertSandiford
Author

RobertSandiford commented Apr 25, 2024

> It is intended behavior for the security patch CVE-2024-27980. You must pass shell: true in the option on Windows environment if you need to spawn program ended with .bat or .cmd extension.
>
> The patch is deployed in 18.20.2, 20.12.2, 21.17.3 and also 22.0.0 Details can be found on https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Thanks.

The error message produced is disappointing - I could not find information on google.

@juanarbol
Member

I'll proceed to close this issue as it is resolved in windows by providing the {shell: true} option as documented in the release

@cliffAtOsaic

cliffAtOsaic commented Aug 2, 2024

The documentation states "users can now pass { shell: true } as an option to prevent the occurrence of EINVALs errors".

My question is what process do I pass that to and how do I pass that parameter?

I tried yarn config set shell true but that didn't fix the error.

I see this error when I execute yarn yarn-audit-fix or npx yarn-audit-fix

@RobertSandiford
Author

> The documentation states "users can now pass { shell: true } as an option to prevent the occurrence of EINVALs errors".
>
> My question is what process do I pass that to and how do I pass that parameter?
>
> I tried yarn config set shell true but that didn't fix the error.
>
> I see this error when I execute yarn yarn-audit-fix or npx yarn-audit-fix

Example: spawn('npm.cmd', ['--version'], { shell: true, stdio: 'inherit' })

@cliffAtOsaic

cliffAtOsaic commented Aug 2, 2024

> > The documentation states "users can now pass { shell: true } as an option to prevent the occurrence of EINVALs errors".
> > My question is what process do I pass that to and how do I pass that parameter?
> > I tried yarn config set shell true but that didn't fix the error.
> > I see this error when I execute yarn yarn-audit-fix or npx yarn-audit-fix
>
> Example: spawn('npm.cmd', ['--version'], { shell: true, stdio: 'inherit' })

I'm running yarn yarn-audit-fix or npx yarn-audit-fix and getting this error. How do I pass the { shell: true } parameter through npx or yarn?

Also tried running npx yarn-audit-fix --security-revert=CVE-2024-27980 which didn't work either.

@RobertSandiford
Author

RobertSandiford commented Aug 2, 2024

> I'm running yarn yarn-audit-fix or npx yarn-audit-fix and getting this error. How do I pass the { shell: true } parameter through npx or yarn?

You can't, it's part of the code. Check for updates, or create an issue on the npx/yarn issue tracker.

Note that this may not be the ONLY cause of an EINVAL error, it's a fairly general error.

@BrunoCiccarino

> It is intended behavior for the security patch CVE-2024-27980. You must pass shell: true in the option on Windows environment if you need to spawn program ended with .bat or .cmd extension.
>
> The patch is deployed in 18.20.2, 20.12.2, 21.17.3 and also 22.0.0 Details can be found on https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

I don't understand, where do I pass shell: true? I'm having the same error and I'm lost...

@vochitan90

same question - i still see the error spawn EINVAL

@RobertSandiford
Author

RobertSandiford commented Aug 26, 2024

> I don't understand, where do I pass shell: true? I'm having the same error and I'm lost...

> same question - i still see the error spawn EINVAL

This has been answered already:

Example: spawn('npm.cmd', ['--version'], { shell: true, stdio: 'inherit' })

As seen in the docs for the spawn command from the child_process built-in module https://nodejs.org/api/child_process.html#child_processspawncommand-args-options

This flag must be set in the code that is calling spawn(). If you are using a library or package that uses spawn incorrectly, you cannot pass some flag to node globally, this is a flag on the function call itself within the code.
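
One way to apply this in calling code, as an added example that is not part of the original thread or of Node.js itself: enable shell only for .cmd/.bat targets on Windows, and reject any argument outside a conservative allowlist, because with shell: true the arguments are handed to the shell. The names needsShell, buildSpawnCall, run and the SAFE_ARG pattern are assumptions made for this illustration.

```javascript
const { spawn } = require('node:child_process');
const path = require('node:path');

// Assumed allowlist for text that will pass through cmd.exe. Anything outside
// it (spaces, quotes, &, |, ^, %, <, > and so on) is rejected, not escaped.
const SAFE_ARG = /^[A-Za-z0-9_.\/:=@\\-]+$/;

// True for batch scripts on Windows: the case that fails with
// "spawn EINVAL" on patched Node versions unless a shell is used.
function needsShell(command, platform = process.platform) {
  if (platform !== 'win32') return false;
  const ext = path.win32.extname(command).toLowerCase();
  return ext === '.cmd' || ext === '.bat';
}

// Builds the arguments for spawn(). Throws instead of sending a risky
// string through the shell; leaves the options untouched when no shell is needed.
function buildSpawnCall(command, args = [], options = {}, platform = process.platform) {
  if (!needsShell(command, platform)) {
    return { command, args, options: { ...options } };
  }
  for (const value of [command, ...args]) {
    if (typeof value !== 'string' || !SAFE_ARG.test(value)) {
      throw new Error(`refusing to pass ${JSON.stringify(value)} through the shell`);
    }
  }
  return { command, args, options: { ...options, shell: true } };
}

// Drop-in wrapper around spawn() for code you own.
function run(command, args, options) {
  const call = buildSpawnCall(command, args, options);
  return spawn(call.command, call.args, call.options);
}

// Usage on Windows: run('npm.cmd', ['--version'], { stdio: 'inherit' });
```
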

vassbo added a commit to vassbo/slideshow that referenced this issue Sep 4, 2024
@deepak-aupchaarik

Yeah it's not clear where to pass this parameter for this specific scenario. I run into this while installing an npm package. The spawn error occurs after node build.js is executed. You want me to edit the build.js file? I don't even see that in the node folder. Should I do npm install --shell true? An example would help. I don't own the code calling spawn()

@RobertSandiford
Author

RobertSandiford commented Sep 6, 2024

> Yeah it's not clear where to pass this parameter for this specific scenario. I run into this while installing an npm package. The spawn error occurs after node build.js is executed. You want me to edit the build.js file? I don't even see that in the node folder. Should I do npm install --shell true? An example would help. I don't own the code calling spawn()

Examples have been given. You edit the spawn call if it is your code, or if someone else maintains the code you ask them to update it. If you don't know where your code is or who maintains it.

The patch can be disabled globally by passing --security-revert=CVE-2024-27980 to node, but doing so is strongly advised against.

@richardlau
Member

Node offers no general override to restore the pre-patch behaviour. Unfortunately yes the patch breaks semver.

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

While it is possible to also pass --security-revert=CVE-2024-27980 to revert the security patch, we strongly advise against doing so.

@RobertSandiford
Author

RobertSandiford commented Sep 6, 2024

> Node offers no general override to restore the pre-patch behaviour. Unfortunately yes the patch breaks semver.
>
> https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
>
> While it is possible to also pass --security-revert=CVE-2024-27980 to revert the security patch, we strongly advise against doing so.

My bad. Thanks. Editing the above to avoid incorrect information.

minhna added a commit to minhna/meteor that referenced this issue Sep 19, 2024
When I run `npm install` on windows machine in build directory `bundle/programs/server`, I got the spawn error.
This issue is related: nodejs/node#52681 (comment)
@mshahzadiftikhar

What is the complete command to revert this security patch from the installation? I am on windows. Looks like
node --security-revert=CVE-2024-27980 is just a CLI option. For me this error occurs when I run yarn install or npm install

igrep added a commit to custard-lang/custard that referenced this issue Oct 2, 2024
But now vitest runs into an infinite loop. Now we should get rid of the test with the implementation, which is not used now!
@Adityav664

> It is intended behavior for the security patch CVE-2024-27980. You must pass shell: true in the option on Windows environment if you need to spawn program ended with .bat or .cmd extension.
>
> The patch is deployed in 18.20.2, 20.12.2, 21.17.3 and also 22.0.0 Details can be found on https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

shell: TRUE
TRUE' is deprecated.ts(6385)
function.d.ts(192, 4): The declaration was marked as deprecated here.
(alias) const TRUE: types.Boolean
import TRUE
A shorthand for sass.types.Boolean.TRUE.

@category — Legacy

@deprecated — This only works with the legacy render and * renderSync APIs. Use sassTrue with compile , * compileString, compileAsync , and compileStringAsync instead.

@Adityav664

Adityav664 commented Oct 15, 2024

> I'll proceed to close this issue as it is resolved in windows by providing the {shell: true} option as documented in the release

shell: True is deprecated,
what now?