Drop dependency on spawn-command

[mcmxcdev]

We recently started using https://socket.dev/ as part of our dependencies maintenance and it flagged spawn-command as problematic due to it being unmaintained: https://socket.dev/npm/package/spawn-command

The last release was 8 years ago, so there's probably other solutions out there or even can be written with native Node.js nowadays.

[gustavohenke]

I'd take that warning with a grain of salt.
Just because a package hasn't been updated in a while, is that really a problem?

I've been writing code for Node.js for more than a decade now, and the child_process API has been quite stable for a while.
It's probably why spawn-command didn't need to update either.

See also:
https://fagnerbrack.com/how-the-fuck-did-we-get-here-b9bac6ba7a0f

---

On another note, we briefly played with using a different package to spawn commands between v3.0.0 to v3.2.0.
It was causing a couple of issues, so if we're to use a different package at all -- I'd like it to address #69. cc @paescuj

[mcmxcdev]

An old package itself is not a problem as long as it doesn't pull in any dependencies itself which become outdated, contain CVEs etc. Doesn't seem to be an issue with spawn-command from a quick look into our lockfile.

I simply opened this issue to raise awareness about it. If it is looked at and the conclusion is that everything is fine, even better :)

[gustavohenke]

Hi folks, this is now done in v9.0.0.
https://github.com/open-cli-tools/concurrently/releases/tag/v9.0.0