This repository was archived by the owner on Mar 1, 2026. It is now read-only.

fix(cli): properly quote prisma exec path #624

Merged: ymc9 merged 1 commit into dev from fix/issue-609 on Jan 27, 2026

Conversation

ymc9 (Member) commented Jan 27, 2026

fixes #609

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue in the CLI where Prisma execution would fail when the installation path contained spaces.

Copilot AI review requested due to automatic review settings January 27, 2026 08:15

claude Bot (Contributor) commented Jan 27, 2026

Claude finished @ymc9's task

PR Review for fix(cli): properly quote prisma exec path

Code Review Summary

✅ Overall Assessment: APPROVED

This is a clean, focused fix that addresses a real security and reliability issue.

Detailed Analysis

🔧 Change Summary

  • File: packages/cli/src/utils/exec-utils.ts:60
  • Change: Added quotes around ${prismaPath} in execSync call
  • Before: execSync(`node ${prismaPath} ${args}`, _options);
  • After: execSync(`node "${prismaPath}" ${args}`, _options);

🛡️ Security Concerns - FIXED

  • Issue: Path injection vulnerability if prismaPath contains spaces or special characters
  • Solution: Proper quoting prevents command injection and ensures paths with spaces work correctly
  • Risk Level: Medium → RESOLVED

🐛 Bug Fixes

  • Windows Compatibility: Paths like C:\Program Files\... would break without quotes
  • Special Characters: Paths containing spaces, parentheses, or other shell metacharacters now handled properly
  • Command Execution: Prevents shell parsing errors that could cause CLI commands to fail silently

📈 Code Quality

  • Best Practice: Follows shell command construction best practices
  • Consistency: Aligns with how other tools handle dynamic path construction
  • Simplicity: Minimal, surgical fix with zero complexity added

⚡ Performance

  • Impact: None - string concatenation overhead is negligible
  • Efficiency: No change to execution flow or resource usage

🧪 Test Coverage Assessment

  • Current State: No direct unit tests for execPrisma function found
  • Risk: Low - this is a defensive fix for edge cases
  • Recommendation: Consider adding tests for path edge cases (spaces, special chars)

Edge Cases Considered

✅ Paths with spaces: C:\Program Files\node_modules\...
✅ Paths with parentheses: C:\Users\User (2)\...
✅ Unix paths with spaces: /home/user name/project/...
✅ Paths already containing quotes: Protected by shell escaping rules

Recommendations

  1. Merge Approved: This fix should be merged immediately
  2. Future Enhancement: Consider adding unit tests for execPrisma with various path scenarios
  3. Documentation: No docs update needed - this is an internal fix

coderabbitai Bot commented Jan 27, 2026

Walkthrough

A single-line fix addressing path handling in the Prisma CLI execution utility. The prismaPath variable is now quoted when passed to the Node.js command, preventing shell path splitting when project directories contain spaces.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Prisma Path Quoting: packages/cli/src/utils/exec-utils.ts | Updated execPrisma() to wrap ${prismaPath} in double quotes within the Node command invocation. Prevents shell interpretation errors when filesystem paths contain spaces. No logic or error handling changes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Spaces in paths once caused such fright,
But quotes around the path set things right!
With one simple fix, the journey's serene—
No more splitting paths in between! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: quoting the Prisma execution path to handle spaces in paths. |
| Linked Issues check | ✅ Passed | The PR implements the proposed quick fix for issue #609 by quoting the prismaPath in the execSync command. |
| Out of Scope Changes check | ✅ Passed | The change is focused solely on fixing the unquoted prismaPath issue; no out-of-scope modifications detected. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a bug where the ZenStack CLI fails when the project path contains spaces. The issue occurs in the execPrisma function which executes Prisma commands by constructing a shell command string without properly quoting the resolved Prisma executable path.

Changes:

  • Added double quotes around the prismaPath variable in the execSync call to properly handle paths containing spaces

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@packages/cli/src/utils/exec-utils.ts`:
- Line 60: Replace the execSync invocation that runs `node "${prismaPath}"
${args}` with `execFileSync` to avoid shell parsing: change the call in
exec-utils (the `execSync` that references prismaPath and args) to use
`execFileSync('node', [prismaPath, ...args])` and ensure `args` is passed as a
string[] (update callers that currently join arrays into strings so they supply
a string[] instead); also review the fallback `execPackage(\`prisma ${args}\`,
...)` path (used when execFileSync isn't desired) and either convert it
similarly or keep it as the documented fallback but document the difference so
both code paths remain consistent.

Comment thread packages/cli/src/utils/exec-utils.ts
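
An added example (not part of this PR or the ZenStack code base) comparing the three launch styles discussed in this thread: the unquoted `execSync` string, the double-quoted string that was merged, and the `execFileSync` argv form suggested in review. It assumes a POSIX `/bin/sh` behind `execSync`; `echo-args.js`, `makeScript`, `attempt` and `compare` are hypothetical names, and the directory names are constructed sample input.

```javascript
// Added example, not ZenStack code. Assumes a POSIX /bin/sh behind execSync.
const { execSync, execFileSync } = require('node:child_process');
const nodeFs = require('node:fs');
const nodeOs = require('node:os');
const nodePath = require('node:path');

// Create <tmp>/<dirName>/echo-args.js, a hypothetical stand-in for the resolved
// Prisma entry point. It prints the arguments it received as JSON.
function makeScript(dirName) {
  const root = nodeFs.mkdtempSync(nodePath.join(nodeOs.tmpdir(), 'quote-demo-'));
  const dir = nodePath.join(root, dirName);
  nodeFs.mkdirSync(dir);
  const script = nodePath.join(dir, 'echo-args.js');
  nodeFs.writeFileSync(script, 'console.log(JSON.stringify(process.argv.slice(2)));');
  return { root, script };
}

// Run one launch strategy; return the argv the script saw, or null if it failed.
function attempt(launch) {
  try {
    return JSON.parse(launch().toString());
  } catch {
    return null;
  }
}

// Launch the same script three ways from a directory called dirName.
function compare(dirName, args) {
  const { root, script } = makeScript(dirName);
  // Make sure the shell can find `node`, and keep child stderr out of the output.
  const binDir = nodePath.dirname(process.execPath);
  const env = { ...process.env, PATH: binDir + nodePath.delimiter + process.env.PATH };
  const opts = { env, stdio: ['ignore', 'pipe', 'ignore'] };
  const joined = args.join(' ');
  try {
    return {
      unquoted: attempt(() => execSync(`node ${script} ${joined}`, opts)), // before the PR
      quoted: attempt(() => execSync(`node "${script}" ${joined}`, opts)), // after the PR
      argv: attempt(() => execFileSync(process.execPath, [script, ...args], opts)), // no shell
    };
  } finally {
    nodeFs.rmSync(root, { recursive: true, force: true });
  }
}

// Constructed sample input: a directory with a space, and one with a `$`.
console.log(compare('my project', ['generate', '--schema=a.prisma']));
console.log(compare('cost $USD', ['generate']));
```

For `my project` only the unquoted form fails. For `cost $USD` the double-quoted form fails as well, because the shell still expands `$` inside double quotes, while the argv form passes the path through untouched.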
@ymc9 ymc9 merged commit e8717e4 into dev Jan 27, 2026
17 checks passed
@ymc9 ymc9 deleted the fix/issue-609 branch January 27, 2026 08:25
Development

Successfully merging this pull request may close these issues.

CLI fails when project path contains spaces (execPrisma: unquoted prismaPath)
