Which Cloudflare product(s) does this pertain to?
Wrangler
What version(s) of the tool(s) are affected?
wrangler@4.87.0 (latest) and earlier 4.x. Confirmed on main.
What version of Node are you using?
Node 24 (e.g. GitHub Actions ubuntu-latest runners).
Describe the Bug
Every wrangler deploy (and other CLI entry points) under Node 24 emits:
(node:2877) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
Root Cause
The warning originates from the bundled execa inside wrangler-dist/cli.js. packages/wrangler/package.json pins:
execa@6.1.0 is the highest 6.x ever published, and it pre-dates the Node 24 DEP0190 fix. The fix landed in execa#1199, released as execa@9.5.3 (2025-05-08). It works around DEP0190 by pre-concatenating args into the command string before calling node:child_process when shell: true is set (lib/arguments/shell.js).
Because Wrangler bundles its dependencies via esbuild, downstream consumers cannot upgrade execa themselves — the bump has to happen here.
Reproduction Steps
- Use Node 24.
- Install
wrangler@4.87.0.
- Run
wrangler deploy against any Worker (a [build] section is not required — the warning fires from elsewhere in the wrangler runtime path that uses execa with shell: true).
- Observe the
DEP0190 deprecation warning in stderr.
The warning is also visible from cloudflare/wrangler-action@v3, but the action itself doesn't use execa — it bubbles up from the wrangler CLI it spawns.
Suggested Fix
Bump execa from ^6.1.0 to ^9.5.3 (or latest ^9.6.1) in packages/wrangler/package.json. execa 9 is ESM-only, which wrangler already is, so the migration should be straightforward. The same bump is likely warranted in any other workers-sdk package that bundles execa for runtime use (e.g. packages/wrangler/src/deployment-bundle/run-custom-build.ts uses execaCommand with shell: true).
Please provide a link to a minimal reproduction
n/a — reproduces on any wrangler deploy under Node 24.
Which Cloudflare product(s) does this pertain to?
Wrangler
What version(s) of the tool(s) are affected?
wrangler@4.87.0(latest) and earlier 4.x. Confirmed onmain.What version of Node are you using?
Node 24 (e.g. GitHub Actions
ubuntu-latestrunners).Describe the Bug
Every
wrangler deploy(and other CLI entry points) under Node 24 emits:Root Cause
The warning originates from the bundled
execainsidewrangler-dist/cli.js.packages/wrangler/package.jsonpins:execa@6.1.0is the highest 6.x ever published, and it pre-dates the Node 24 DEP0190 fix. The fix landed in execa#1199, released as execa@9.5.3 (2025-05-08). It works around DEP0190 by pre-concatenatingargsinto the command string before callingnode:child_processwhenshell: trueis set (lib/arguments/shell.js).Because Wrangler bundles its dependencies via esbuild, downstream consumers cannot upgrade execa themselves — the bump has to happen here.
Reproduction Steps
wrangler@4.87.0.wrangler deployagainst any Worker (a[build]section is not required — the warning fires from elsewhere in the wrangler runtime path that uses execa withshell: true).DEP0190deprecation warning in stderr.The warning is also visible from
cloudflare/wrangler-action@v3, but the action itself doesn't use execa — it bubbles up from the wrangler CLI it spawns.Suggested Fix
Bump
execafrom^6.1.0to^9.5.3(or latest^9.6.1) inpackages/wrangler/package.json. execa 9 is ESM-only, whichwrangleralready is, so the migration should be straightforward. The same bump is likely warranted in any otherworkers-sdkpackage that bundles execa for runtime use (e.g.packages/wrangler/src/deployment-bundle/run-custom-build.tsusesexecaCommandwithshell: true).Please provide a link to a minimal reproduction
n/a — reproduces on any
wrangler deployunder Node 24.