chore: Fix the security issue raised by running npm without a path.

hessjcg · hessjcg · commit a72d88804522 · 2025-09-19T14:28:16.000-06:00
diff --git a/examples/prisma/mysql/test/connect.cjs b/examples/prisma/mysql/test/connect.cjs
@@ -12,14 +12,20 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-const {execSync} = require('node:child_process');
+const {spawnSync} = require('node:child_process');
 const {resolve} = require('node:path');
 const t = require('tap');
 
 function generatePrismaClient() {
   const schemaPath = resolve(__dirname, '../schema.prisma');
+  const prismaPath = resolve(
+      __dirname,
+      '../../../../node_modules/.bin/prisma'
+  );
 
-  execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+  spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+    stdio: 'inherit',
+  });
 }
 
 t.test('mysql prisma cjs', async t => {
diff --git a/examples/prisma/mysql/test/connect.mjs b/examples/prisma/mysql/test/connect.mjs
@@ -12,17 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { execSync } from 'node:child_process';
+import {spawnSync} from 'node:child_process';
 import { dirname, resolve } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import t from 'tap';
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
 function generatePrismaClient() {
-    const p = fileURLToPath(import.meta.url)
-    const __dirname = dirname(p)
     const schemaPath = resolve(__dirname, '../schema.prisma');
+    const prismaPath = resolve(
+        __dirname,
+        '../../../../node_modules/.bin/prisma'
+    );
 
-    execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+    spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+        stdio: 'inherit',
+    });
 }
 
 t.test('mysql prisma mjs', async t => {
diff --git a/examples/prisma/mysql/test/connect.ts b/examples/prisma/mysql/test/connect.ts
@@ -12,21 +12,24 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import {execSync} from 'node:child_process';
+import {spawnSync} from 'node:child_process';
 import {resolve} from 'node:path';
 import t from 'tap';
 
 function generatePrismaClient() {
   const schemaPath = resolve(__dirname, '../schema.prisma');
+  const prismaPath = resolve(__dirname, '../../../../node_modules/.bin/prisma');
 
-  execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+  spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+    stdio: 'inherit',
+  });
 }
 
 t.test('mysql prisma ts', async t => {
   // prisma client generation should normally be part of a regular Prisma
   // setup on user end but in order to tests in many different databases
   // we run the generation step at runtime for each variation
-  generatePrismaClient();
+  await generatePrismaClient();
 
   const {
     default: {connect},
diff --git a/examples/prisma/postgresql/test/connect.cjs b/examples/prisma/postgresql/test/connect.cjs
@@ -12,16 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-const {execSync} = require('node:child_process');
+const {spawnSync} = require('node:child_process');
 const {resolve} = require('node:path');
 const t = require('tap');
 
 function generatePrismaClient() {
   const schemaPath = resolve(__dirname, '../schema.prisma');
+  const prismaPath = resolve(
+      __dirname,
+      '../../../../node_modules/.bin/prisma'
+  );
 
-  execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+  spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+    stdio: 'inherit',
+  });
 }
 
+
 t.test('pg prisma cjs', async t => {
   // prisma client generation should normally be part of a regular Prisma
   // setup on user end but in order to tests in many different databases
diff --git a/examples/prisma/postgresql/test/connect.mjs b/examples/prisma/postgresql/test/connect.mjs
@@ -12,17 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import { execSync } from 'node:child_process';
+import { spawnSync} from 'node:child_process';
 import { dirname, resolve } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import t from 'tap';
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
 function generatePrismaClient() {
-    const p = fileURLToPath(import.meta.url)
-    const __dirname = dirname(p)
     const schemaPath = resolve(__dirname, '../schema.prisma');
+    const prismaPath = resolve(
+        __dirname,
+        '../../../../node_modules/.bin/prisma'
+    );
 
-    execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+    spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+        stdio: 'inherit',
+    });
 }
 
 t.test('pg prisma mjs', async t => {
diff --git a/examples/prisma/postgresql/test/connect.ts b/examples/prisma/postgresql/test/connect.ts
@@ -12,14 +12,17 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import {execSync} from 'node:child_process';
+import {spawnSync} from 'node:child_process';
 import {resolve} from 'node:path';
 import t from 'tap';
 
 function generatePrismaClient() {
   const schemaPath = resolve(__dirname, '../schema.prisma');
+  const prismaPath = resolve(__dirname, '../../../../node_modules/.bin/prisma');
 
-  execSync(`npm exec prisma -- generate --schema=${schemaPath}`);
+  spawnSync(prismaPath, ['generate', `--schema=${schemaPath}`], {
+    stdio: 'inherit',
+  });
 }
 
 t.test('pg prisma ts', async t => {
