Notification of breaking api change with v1.92 release of VS Code

[deepak1556]

Hello from the VS Code team 👋

In our next release v1.92, we will update to Electron 30 which includes Node.js 20.14.0. This Node version contains a breaking change, in response to a CVE, which may affect you if you execute .bat or .cmd files on Windows. Based on a simple scan of your extension's source code, you may be impacted by this change. The stable VS Code that contains this update will be released in early August.

Action: please try out your extension on this month's VS Code Insiders on Windows. If you are affected by this change, you will encounter an EINVAL error when you try to spawn a bat/cmd file.

Node.js has added a section on batch file spawning to their documentation. To fix any issues:

1. Find locations where you call child_process.spawn to execute a batch file on Windows
2. Add shell: true or shell: process.platform === 'win32' to the options object
3. If the batch script path may contain spaces, you will also need to wrap the path in quotation marks.

Please let us know if you run into issues or if you need clarification.

Happy coding!

[bwateratmsft]

@deepak1556 can you elaborate on this?

simple scan of your extension's source code

e.g. what was searched for and what was found?

[deepak1556]

Search was for presence of child_process module import along with presence of any .bat or .cmd commands. Given this was a search on the bundled extension it could have been from one of your dependencies as well. Best way to confirm would be to test the extension against our latest insiders.

[dbreshears]

We tested and didn't see any issues. Thanks for the heads up.