fix(cli): use a shared cross-platform npm process resolver without shell (#2257)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Willow (GHOST) <git@willow.sh>

Author: 3 people

cli/src/cli.ts

@@ -8,17 +8,17 @@ import { serve } from 'srvx'
 import { createConnectorApp, generateToken, CONNECTOR_VERSION } from './server.ts'
 import { getNpmUser, NPM_REGISTRY_URL } from './npm-client.ts'
 import { initLogger, showToken, logInfo, logWarning, logError } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const DEFAULT_PORT = 31415
 const DEFAULT_FRONTEND_URL = 'https://npmx.dev/'
 const DEV_FRONTEND_URL = 'http://127.0.0.1:3000/'
 
 async function runNpmLogin(): Promise<boolean> {
+  const { command, args } = resolveNpmProcessCommand(['login', `--registry=${NPM_REGISTRY_URL}`])
+  const child = spawn(command, args, { stdio: 'inherit' })
+
   const { promise, resolve } = Promise.withResolvers<boolean>()
-  const child = spawn('npm', ['login', `--registry=${NPM_REGISTRY_URL}`], {
-    stdio: 'inherit',
-    shell: true,
-  })
 
   child.on('close', code => {
     resolve(code === 0)

cli/src/npm-client.ts

@@ -8,6 +8,7 @@ import { join } from 'node:path'
 import * as v from 'valibot'
 import { PackageNameSchema, UsernameSchema, OrgNameSchema, ScopeTeamSchema } from './schemas.ts'
 import { logCommand, logSuccess, logError, logDebug } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const execFileAsync = promisify(execFile)
 export const NPM_REGISTRY_URL = 'https://registry.npmjs.org/'
@@ -333,13 +334,10 @@ async function execNpm(args: string[], options: ExecNpmOptions = {}): Promise<Np
 
   try {
     logDebug('Executing npm command:', { command: 'npm', args: npmArgs })
-    // Use execFile instead of exec to avoid shell injection vulnerabilities
-    // On Windows, shell: true is required to execute .cmd files (like npm.cmd)
-    // On Unix, we keep it false for better security and performance
-    const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+    const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+    const { stdout, stderr } = await execFileAsync(command, processArgs, {
       timeout: 60000,
       env: createNpmEnv(),
-      shell: process.platform === 'win32',
     })
 
     logDebug('Command succeeded:', { stdout, stderr })
@@ -610,11 +608,11 @@ export async function packageInit(
   logCommand(`${displayCmd} (in temp dir for ${name})`)
 
   try {
-    const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+    const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+    const { stdout, stderr } = await execFileAsync(command, processArgs, {
       timeout: 60000,
       cwd: tempDir.path,
       env: createNpmEnv(),
-      shell: process.platform === 'win32',
     })
 
     logSuccess(`Published ${name}@0.0.0`)

cli/src/npm-process.ts

@@ -0,0 +1,24 @@
+import process from 'node:process'
+
+interface NpmProcessCommand {
+  command: string
+  args: string[]
+}
+
+export function resolveNpmProcessCommand(
+  npmArgs: string[],
+  platform = process.platform,
+  comSpec = process.env.ComSpec,
+): NpmProcessCommand {
+  if (platform === 'win32') {
+    return {
+      command: comSpec || 'cmd.exe',
+      args: ['/d', '/s', '/c', 'npm', ...npmArgs],
+    }
+  }
+
+  return {
+    command: 'npm',
+    args: npmArgs,
+  }
+}