Notification of breaking api change with v1.92 release of VS Code

[deepak1556]

Hello from the VS Code team 👋

In our next release v1.92, we will update to Electron 30 which includes Node.js 20.14.0. This Node version contains a breaking change, in response to a CVE, which may affect you if you execute .bat or .cmd files on Windows. Based on a simple scan of your extension's source code, you may be impacted by this change. The stable VS Code that contains this update will be released in early August.

Action: please try out your extension on this month's VS Code Insiders on Windows. If you are affected by this change, you will encounter an EINVAL error when you try to spawn a bat/cmd file.

Node.js has added a section on batch file spawning to their documentation. To fix any issues:

1. Find locations where you call child_process.spawn to execute a batch file on Windows
2. Add shell: true or shell: process.platform === 'win32' to the options object
3. If the batch script path may contain spaces, you will also need to wrap the path in quotation marks.

Please let us know if you run into issues or if you need clarification.

Happy coding!

[baronfel]

Thank you for the heads-up! Appreciate the due diligence here.

[nagilson]

Thank you, I like this way of doing notices and this is very considerate of you.

I looked and we dont seem to spawn any .cmd or .bat files in particular. We also do set shell to true for some of our other calls and do use quotation marks, so I would expect us to be good :)