au run fails with latest node.js update for Windows

[namitoyokota]

I'm submitting a bug report

• Library Version:
  3.0.2

Environment:

• Operating System:
  Windows 11

• Node Version:
  21.7.3

• NPM Version:
  10.2.5

• Browser:
  all

• Language:
  all

• Loader/bundler:
  all

Current behavior:
When running the au run command to build and create bundles, execution fails with the following error message in the console:

Local aurelia-cli v3.0.2
Starting 'run'...
`au run` is an alias of the `npm start`, you may use either of those; see README for more details.
{
  uid: 0,
  name: 'run',
  branch: false,
  error: Error: spawn EINVAL
      at ChildProcess.spawn (node:internal/child_process:421:11)
      at spawn (node:child_process:761:9)
      at C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:16:19
      at new Promise (<anonymous>)
      at exports.NPM.run (C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:15:12)
      at run (C:\{PROJECT_PATH}\aurelia_project\tasks\run.ts:20:16)
      at bound (node:domain:432:15)
      at runBound (node:domain:443:12)
      at asyncRunner (C:\{PROJECT_PATH}\node_modules\async-done\index.js:55:18)
      at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
    errno: -4071,
    code: 'EINVAL',
    syscall: 'spawn'
  },
  duration: [ 0, 29357600 ],
  time: 1713369231980
}
Error: spawn EINVAL
    at ChildProcess.spawn (node:internal/child_process:421:11)
    at spawn (node:child_process:761:9)
    at C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:16:19
    at new Promise (<anonymous>)
    at exports.NPM.run (C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:15:12)
    at run (C:\{PROJECT_PATH}\aurelia_project\tasks\run.ts:20:16)
    at bound (node:domain:432:15)
    at runBound (node:domain:443:12)
    at asyncRunner (C:\{PROJECT_PATH}\node_modules\async-done\index.js:55:18)
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  errno: -4071,
  code: 'EINVAL',
  syscall: 'spawn'
}

• What is the expected behavior?
  Command should execute without any errors and start a local web server.

• What is the motivation / use case for changing the behavior?
  The project is unable to be ran locally.

---

Problem
This issue is caused by the latest Node.js security update. They found a method in which “a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.” This impacted all Windows uses in active release lines of 18.x, 20.x, and 21.x.

This is the official release documentation from Node.js.

Solution
A project called node-red ran into this exact issue and was able to resolve it by simply adding an option shell: true within the spawn() constructor call.

I believe the solution is merely identical for this project. Within lib/package-managers/base-package-manager.js file, line 19 should be updated to { stdio: 'inherit', cwd: workingDirectory, shell: true }.

[3cp]

Thx!
Do you mind to try the fix and send a PR?

[3cp]

If you do, please only apply shell:true for windows like node-red did, to avoid unforeseen side effect on other platforms. Thx!

[namitoyokota]

Sure. I have my local environment set up with the suggested changes but I'm running into the following error:

'C:\Program' is not recognized as an internal or external command, operable program or batch file.

If you have any suggestions, please let me know. Otherwise, it'll take me a bit longer to investigate and resolve this issue.

[3cp]

Sounds like something didn't quote around the path.
C:\Program Files...

So the shell try to run C:\Program

If this is a bug in nodejs, you are probably not the only one seeing it. Make sure you are on latest version of nodejs.

[namitoyokota]

This issue has been resolved by #1206