aurelia / cli

The Aurelia 1 command line tool. Use the CLI to create projects, scaffold components, and bundle your app for release.
MIT License

`au run` fails with latest node.js update for Windows #1205

Closed namitoyokota closed 5 months ago

namitoyokota commented 5 months ago

I'm submitting a bug report

Environment:

Current behavior: When running the `au run` command to build and create bundles, execution fails with the following error message in the console:

```
Local aurelia-cli v3.0.2
Starting 'run'...
`au run` is an alias of the `npm start`, you may use either of those; see README for more details.
{
  uid: 0,
  name: 'run',
  branch: false,
  error: Error: spawn EINVAL
      at ChildProcess.spawn (node:internal/child_process:421:11)
      at spawn (node:child_process:761:9)
      at C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:16:19
      at new Promise (<anonymous>)
      at exports.NPM.run (C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:15:12)
      at run (C:\{PROJECT_PATH}\aurelia_project\tasks\run.ts:20:16)
      at bound (node:domain:432:15)
      at runBound (node:domain:443:12)
      at asyncRunner (C:\{PROJECT_PATH}\node_modules\async-done\index.js:55:18)
      at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
    errno: -4071,
    code: 'EINVAL',
    syscall: 'spawn'
  },
  duration: [ 0, 29357600 ],
  time: 1713369231980
}
Error: spawn EINVAL
    at ChildProcess.spawn (node:internal/child_process:421:11)
    at spawn (node:child_process:761:9)
    at C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:16:19
    at new Promise (<anonymous>)
    at exports.NPM.run (C:\{PROJECT_PATH}\node_modules\aurelia-cli\lib\package-managers\base-package-manager.js:15:12)
    at run (C:\{PROJECT_PATH}\aurelia_project\tasks\run.ts:20:16)
    at bound (node:domain:432:15)
    at runBound (node:domain:443:12)
    at asyncRunner (C:\{PROJECT_PATH}\node_modules\async-done\index.js:55:18)
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  errno: -4071,
  code: 'EINVAL',
  syscall: 'spawn'
}
```

Problem: This issue is caused by the latest Node.js security update. They found a method in which “a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.” This impacted all Windows users in active release lines of 18.x, 20.x, and 21.x.

This is the official release documentation from Node.js.

Solution: A project called node-red ran into this exact issue and was able to resolve it by simply adding an option `shell: true` within the `spawn()` constructor call.

I believe the solution is merely identical for this project. Within the `lib/package-managers/base-package-manager.js` file, line 19 should be updated to `{ stdio: 'inherit', cwd: workingDirectory, shell: true }`.

3cp commented 5 months ago

Thx! Do you mind trying the fix and sending a PR?

3cp commented 5 months ago

If you do, please only apply `shell: true` for Windows like node-red did, to avoid unforeseen side effects on other platforms. Thx!

namitoyokota commented 5 months ago

Sure. I have my local environment set up with the suggested changes but I'm running into the following error:

'C:\Program' is not recognized as an internal or external command, operable program or batch file.

If you have any suggestions, please let me know. Otherwise, it'll take me a bit longer to investigate and resolve this issue.

3cp commented 5 months ago

Sounds like something didn't put quotes around the path. `C:\Program Files...`

So the shell tries to run `C:\Program`

If this is a bug in nodejs, you are probably not the only one seeing it. Make sure you are on the latest version of nodejs.

namitoyokota commented 5 months ago

This issue has been resolved by #1206
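
The two points raised in the thread (enable `shell: true` only on Windows, and quote paths containing spaces once a shell is involved), as an added example that is not the aurelia-cli, node-red or #1206 code. `buildSpawnPlan`, `quoteForCmd` and `run` are hypothetical names, and the character allowlist is a conservative assumption that also rejects non-ASCII tokens.

```javascript
// Added example, not project code. With shell: true the command and args are
// joined into one cmd.exe command line, so every token is validated and quoted.
const { spawn } = require('node:child_process');

// Assumption: conservative allowlist of characters with no special meaning to cmd.exe.
const SAFE = /^[\w .:\\\/@=+,~()-]+$/;
// Subset that needs no quoting at all (no spaces, no parentheses).
const BARE = /^[\w.:\\\/@=+,~-]+$/;

function quoteForCmd(token) {
  if (!SAFE.test(token)) {
    throw new Error(`refusing token with shell metacharacters: ${JSON.stringify(token)}`);
  }
  if (BARE.test(token)) return token;
  if (token.endsWith('\\')) {
    // A trailing backslash would escape the closing quote for the child process.
    throw new Error(`refusing quoted token ending in a backslash: ${JSON.stringify(token)}`);
  }
  return `"${token}"`; // e.g. C:\Program Files\... stays one token
}

// Returns what to hand to spawn(); platform is a parameter so it can be tested anywhere.
function buildSpawnPlan(command, args, cwd, platform = process.platform) {
  const base = { stdio: 'inherit', cwd };
  if (platform !== 'win32') {
    // Other platforms keep the shell-less spawn, as requested in the thread.
    return { command, args, options: base };
  }
  return {
    command: quoteForCmd(command),
    args: args.map(quoteForCmd),
    options: { ...base, shell: true },
  };
}

// Promise wrapper in the same shape as the spawn call seen in the stack trace.
function run(command, args, cwd) {
  const plan = buildSpawnPlan(command, args, cwd);
  return new Promise((resolve, reject) => {
    spawn(plan.command, plan.args, plan.options)
      .on('close', resolve)
      .on('error', reject);
  });
}
```

Rejecting a token is deliberate: once `shell: true` is set, anything that reaches `args` from outside the project is interpreted by `cmd.exe`, which is the injection surface the Node.js update was closing.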