Remove the usage of exec for variable cases#33544
Open
dxvladislavvolkov wants to merge 13 commits into
Open
Conversation
GoodDayForSurf
previously approved these changes
May 11, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to address ESLint security/detect-child-process warnings by replacing child_process.exec usage (especially with variable input) with child_process.spawn in demo utility scripts.
Changes:
- Switched TypeScript compilation in the TS→JS converter from
exec("tsc ...")tospawn("tsc", [...]). - Switched Angular demo build invocation from
exec("npm run ...")tospawn("npm", [...]).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| apps/demos/utils/ts-to-js-converter/converter.ts | Replaces exec-based tsc invocation with spawn and updates call site to pass arguments as an array. |
| apps/demos/utils/create-bundles/Angular/bundler.ts | Replaces exec-based Angular build command with spawn('npm', [...]). |
Comments suppressed due to low confidence (1)
apps/demos/utils/create-bundles/Angular/bundler.ts:55
spawn('npm', ...)should handle the child processerrorevent. If spawning fails, the unhandlederrorevent can crash the process andres()will never be called (hanging the batch). Add anngBuildProcess.on('error', ...)handler (and consider treating non-zero exit codes as failures rather than always callingres()as success).
const ngBuildProcess = spawn('npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)]);
ngBuildProcess.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
ngBuildProcess.stderr.on('data', (data) => {
console.error(`stderr: ${data}`);
});
ngBuildProcess.on('close', (code) => {
console.log(`child process exited with code ${code}`);
res();
});
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
apps/demos/utils/create-bundles/Angular/bundler.ts:55
spawn('npm', ...)can emit anerrorevent (e.g., ifnpmis not found). Right now there is noerrorhandler, which can crash the process and also leaveres()never called. Add anerrorlistener that logs/reports the failure and completes the callback (and consider failing the build when the exit code is non-zero).
const ngBuildProcess = spawn('npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)]);
ngBuildProcess.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
ngBuildProcess.stderr.on('data', (data) => {
console.error(`stderr: ${data}`);
});
ngBuildProcess.on('close', (code) => {
console.log(`child process exited with code ${code}`);
res();
});
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
apps/demos/utils/create-bundles/Angular/bundler.ts:52
- There is no
'error'handler for the spawned process. If the process fails to start (e.g., missingnpm/PATH issues), neither'close'nor stdout/stderr handlers will guaranteeres()is called, which can leave the caller hanging. Add an'error'listener that logs and callsres()(or rejects, depending on expected control flow).
const ngBuildProcess = spawn('npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)]);
ngBuildProcess.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
ngBuildProcess.stderr.on('data', (data) => {
console.error(`stderr: ${data}`);
});
ngBuildProcess.on('close', (code) => {
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
apps/demos/utils/create-bundles/Angular/bundler.ts:55
- The spawned process has no
'error'handler. Ifnpmcannot be spawned (e.g., PATH issues), Node will emit anerrorevent that can crash the script or leave the demo build promise unresolved. Add anngBuildProcess.on('error', ...)handler and ensureres()(or an error propagation path) is triggered.
const ngBuildProcess = spawn('npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)], { shell: process.platform === 'win32' });
ngBuildProcess.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
ngBuildProcess.stderr.on('data', (data) => {
console.error(`stderr: ${data}`);
});
ngBuildProcess.on('close', (code) => {
console.log(`child process exited with code ${code}`);
res();
});
This reverts commit 4184da5.
| cps.exec(`tsc ${args}`, (error, stdout, stderr) => { | ||
| if (error != null) { | ||
| const execTsc = (directory: string, args: string[]): Promise<string> => new Promise((resolve, reject) => { | ||
| const proc = cps.spawn('tsc', args, { cwd: directory, shell: isWindows() }); |
|
|
||
| const ngBuildCommand = `npm run build-angular -- ${getProjectNameByDemo(demo)}`; | ||
| const ngBuildProcess = exec(ngBuildCommand); | ||
| const ngBuildProcess = spawn('npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)], { shell: process.platform === 'win32' }); |
Comment on lines
+92
to
+95
| if (signal !== null) { | ||
| // eslint-disable-next-line prefer-promise-reject-errors | ||
| return reject(`tsc killed by signal ${signal}\n${stderr}\n${stdout}`); | ||
| } |
Comment on lines
+96
to
99
| if (code !== 0) { | ||
| // eslint-disable-next-line prefer-promise-reject-errors | ||
| return reject(`${error}\n${stderr}\n${stdout}`); | ||
| return reject(`tsc exited with code ${code}\n${stderr}\n${stdout}`); | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix the eslint rule - security/detect-child-process