antongolub / yarn-audit-fix

The missing `yarn audit fix`
MIT License
179 stars 8 forks

yarn-audit-fix is broken on Windows due to recent Node.js security fix #334

Closed cliffAtOsaic closed 1 month ago

cliffAtOsaic commented 1 month ago

Description

A recent security update in Node prevents execution of shell/batch scripts. See https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2.

The fix is to call spawnSync with the parameter { shell: true } on Windows.

I am working on a fix for this; only putting it here to document the issue.

Related issues

https://github.com/TypeFox/npm-dependency-graph/issues/42
https://github.com/nodejs/node/issues/52681

Console output

```
> npx yarn-audit-fix
Resolve bins
Error: spawnSync npm.cmd EINVAL
    at Object.spawnSync (node:internal/child_process:1124:20)
    at Object.spawnSync (node:child_process:876:24)
    ...
    at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:316:24) {
  errno: -4071,
  code: 'EINVAL',
  syscall: 'spawnSync npm.cmd',
  path: 'npm.cmd',
  spawnargs: [ '--version' ]
}
Failure!
{
  error: Error: spawnSync npm.cmd EINVAL
      at Object.spawnSync (node:internal/child_process:1124:20)
      at Object.spawnSync (node:child_process:876:24)
      ...
      at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
      at async ModuleLoader.import (node:internal/modules/esm/loader:316:24) {
    errno: -4071,
    code: 'EINVAL',
    syscall: 'spawnSync npm.cmd',
    path: 'npm.cmd',
    spawnargs: [ '--version' ]
  },
  status: null,
  signal: null,
  output: null,
  pid: 0,
  stdout: null,
  stderr: null
}

node:internal/modules/run_main:129
    triggerUncaughtException(
    ^
{
  error: Error: spawnSync npm.cmd EINVAL
      at Object.spawnSync (node:internal/child_process:1124:20)
      at Object.spawnSync (node:child_process:876:24)
      ...
      at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
      at async ModuleLoader.import (node:internal/modules/esm/loader:316:24) {
    errno: -4071,
    code: 'EINVAL',
    syscall: 'spawnSync npm.cmd',
    path: 'npm.cmd',
    spawnargs: [ '--version' ]
  },
  status: null,
  signal: null,
  output: null,
  pid: 0,
  stdout: null,
  stderr: null
}

Node.js v20.15.1
```

cliffAtOsaic commented 1 month ago

Test cases are actually failing with this error which is good. Tests are working :)