Skip to content

fix: resolve Node 24+ spawn deprecation warning (DEP0190) #1130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wing328 merged 1 commit into from
Feb 10, 2026
Merged

fix: resolve Node 24+ spawn deprecation warning (DEP0190) #1130

wing328 merged 1 commit into from
Feb 10, 2026
+13 −13

Conversation

@kaigritun
Copy link
Contributor

@kaigritun kaigritun commented Feb 10, 2026
edited by cubic-dev-ai bot
Loading

Summary

This PR fixes the Node 24+ deprecation warning (DEP0190) that occurs when running the tool:

(node:34628) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

Changes

When using spawn() with shell: true, Node 24 now warns if args are passed as a separate array because they get concatenated internally anyway. This PR joins the command and arguments into a single command string before passing to spawn(), which is the recommended pattern.

Files modified:

  • pass-through.service.ts - Join command and args before spawning
  • version-manager.service.ts - Fix docker rmi and pull spawn calls
  • pass-through.service.spec.ts - Update test expectations to match new signature

Testing

Updated unit tests to reflect the new spawn signature. The behavior remains identical - only the way arguments are passed to spawn has changed.

Fixes #1102

Summary by cubic

Fixes the Node 24+ DEP0190 warning by switching spawn calls with shell: true to a single command string, removing the deprecation warning without changing behavior. Fixes #1102.

  • Bug Fixes
    • PassThroughService: join command and args into one string before spawn.
    • VersionManagerService: use single command string for docker pull/rmi.
    • Tests: update expectations to match the new spawn signature.

Written for commit 0a1328a. Summary will update on new commits.

@kaigritun
fix: resolve Node 24+ spawn deprecation warning (DEP0190)
0a1328a 
When using spawn with shell: true, passing args as a separate array
causes a deprecation warning in Node 24+:

'Passing args to a child process with shell option true can lead to
security vulnerabilities, as the arguments are not escaped, only
concatenated.'

This commit fixes the issue by joining the command and args into a
single command string before passing to spawn, which is the recommended
pattern for shell: true usage.

Fixes OpenAPITools#1102
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

@wing328 wing328 merged commit 083418f into OpenAPITools:master Feb 10, 2026
4 checks passed
@github-actions
Copy link

github-actions bot commented Feb 10, 2026

🎉 This PR is included in version 2.28.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Use of shell: true in child_process.spawn is causing a deprecation warning in Node 24.

2 participants

@kaigritun @wing328