Summary
Node.js DEP0190 warning appears on every thinktank run:
`Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.`
Location
src/scoring/test-runner.ts — uses execFile with shell:true and passes args as an array. Node.js warns this is unsafe because the args aren't escaped when shell mode is used.
Fix
Either:
- Use exec (string command) instead of execFile with shell:true
- Remove shell:true and handle command resolution differently
- Suppress the warning if we've already validated the command (we do via validateTestCommand)