API Platform version(s) affected: 4.0.1
Node.js version 24.13.0
Description
Invoking pidusage(pid) results in a Node deprecation warning:
(node:26220) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
How to reproduce
Invoke pidusage(pid) on any process on Windows. This results in a childProcess spawn that sets the shell option to 'powershell.exe', which triggers the warning.
Possible Solution
Spawn gwmi without using a shell. I have no idea whether that is practical or not.
Or, you can properly escape the arguments to the executable to prevent injection risks:
const { spawn } = require('child_process');
const escape = require('shell-escape'); // Use a library for escaping
const args = escape(['-l', '-a']);
spawn(`ls ${args}`, { shell: true });
Additional Context