thheller / shadow-cljs

ClojureScript compilation made easy
https://github.com/thheller/shadow-cljs
Eclipse Public License 1.0

Failed to start from vscode on windows with calva, error: "spawn EINVAL" - CVE-2024-27980 related? #1180

Closed JanDornbusch closed 4 months ago

JanDornbusch commented 4 months ago

I am not 100% sure if it is completely related to shadow-cljs, but I am on Windows 11 with vscode, calva, npm/npx version 10.7.0, Node JS 22.1.0 and a luminus-templated project (originally and with updated shadow-cljs version 2.28.6). When I try to start the REPL as Server + Client it fails with the following message:

⚡️ Starting the REPL ⚡️ using the below command line:
pushd d:\dev\Clojure\Testproject & npx.cmd shadow-cljs -d cider/cider-nrepl:0.47.1 watch app test & popd
shadow-cljs - config: d:\dev\Clojure\Testproject\shadow-cljs.edn
shadow-cljs - running: lein with-profile +dev update-in :dependencies conj [cider/cider-nrepl "0.47.1"] -- run -m shadow.cljs.devtools.cli --npm -d cider/cider-nrepl:0.47.1 watch app test
===== ERROR =================
spawn EINVAL
=============================
Jack-in process exited. Status: 1

Trying a direct launch npx shadow-cljs watch app fails with same error too.

Manually launching shadow-cljs by lein with-profile +dev run -m shadow.cljs.devtools.cli watch app --npm starts up correctly.

All I have figured out so far is that it might be related to an npm security update from April (blog post) which changed some spawn behaviour.

thheller commented 4 months ago

Hmm, that indeed looks like the cause.

I'll check it out in a bit.

JanDornbusch commented 4 months ago

One small update: I am more and more sure it's wrong here (maybe okay for those who step into the same problem and search here first), but it seems to belong to the Calva issue tracker.

Anyways steps to reproduce (tested on 2nd computer with fresh install of everything):

PS> lein new luminus my-app +kee-frame +shadow-cljs
PS> cd my-app
PS> code

Tried to start the project with Start server + client; it failed as above. Then I restarted code and did nothing. After a while an error popped up:

LSP classpath lookup failed when running `C:\Program Files\nodejs\npx.cmd shadow-cljs classpath`. Some features may not work properly if ignored.

Error: shadow-cljs - config: C:\Users\dev\Desktop\my-app\shadow-cljs.edn
===== ERROR =================
spawn EINVAL
=============================

Choose an option:

More and more I think there is no problem here. It seems to me more an integration problem on the side of Calva? I will leave it up to you to mark it done in case there is nothing to do on this side.

thheller commented 4 months ago

I am not setting { shell: true }, so I suspect that is the problem. I didn't get a chance to test this yet. Maybe I get a chance to install the new node version later today.

JanDornbusch commented 4 months ago

No need to hurry here as the startup by lein still works perfectly. But do you think this would be the right place to add this setting? Thinking about it, there might be a reason this setting is not turned on by default. And therefore I would possibly like Calva to catch the startup error with an appropriate warning and maybe a config option to turn on this setting for sub-system startups? (In case it's really the solution.)

Maybe it is not required to install the new node version to run into the problem; you might try to use its security audit as well?

thheller commented 4 months ago

I don't have a clue what that setting is or why it's now required. I'll need to look into that. Shouldn't be a big deal, just need some time to look at it.

thheller commented 4 months ago

Turns out to be trivial. Will be fixed in next release, should be soon.

PEZ commented 4 months ago

@JanDornbusch I haven't tried with the new Node version, but by your report it seems like Calva trips twice on this. Or rather, that both Calva and clojure-lsp run into the problem. Calva, when trying to start the REPL, and clojure-lsp when trying to figure out the classpath. FYI: Calva has a Jack-in option for starting the shadow-cljs REPL via Leiningen.

@thheller Sounds like we don't need to fix anything in Calva regarding this?

thheller commented 4 months ago

FWIW I don't think there is anything you could have fixed from Calva. The problem was in the shadow-cljs script itself.

thheller commented 4 months ago

Should be fixed as of 2.28.7.
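
Added example (not part of the thread and not the shadow-cljs fix): a sketch of how a Node launcher can handle the `{ shell: true }` requirement discussed above. Since the CVE-2024-27980 fix, Node on Windows refuses to spawn `.cmd`/`.bat` files without the shell option, and with it the arguments reach cmd.exe unescaped, so the sketch enables the shell only for batch files and rejects arguments containing cmd.exe metacharacters. The names `planSpawn`, `needsShell`, `quoteForCmd` and `CMD_META` are hypothetical, and the sample inputs are constructed.

```javascript
'use strict';

// Characters cmd.exe interprets: separators, redirection, escape,
// variable expansion, quotes and line breaks.
const CMD_META = /[&|<>^%!"\r\n]/;

// Batch files (.cmd/.bat) on Windows are the case that fails with
// "spawn EINVAL" unless the shell option is set.
function needsShell(command, platform = process.platform) {
  return platform === 'win32' && /\.(cmd|bat)$/i.test(command);
}

// With shell: true the pieces are joined into one command line, so wrap
// anything empty or containing whitespace in double quotes. Safe only
// because CMD_META has already rejected embedded quotes.
function quoteForCmd(s) {
  return s === '' || /\s/.test(s) ? `"${s}"` : s;
}

// Returns { command, args, options } ready to hand to child_process.spawn.
function planSpawn(command, args, platform = process.platform) {
  if (!needsShell(command, platform)) {
    // No shell involved: args are passed as an array and never re-parsed.
    return { command, args: [...args], options: { shell: false } };
  }
  for (const part of [command, ...args]) {
    if (CMD_META.test(part)) {
      throw new Error(`refusing to pass ${JSON.stringify(part)} through cmd.exe`);
    }
  }
  return {
    command: quoteForCmd(command),
    args: args.map(quoteForCmd),
    options: { shell: true },
  };
}

// Constructed sample inputs, modelled on the commands in the report above.
function demo() {
  const ok = planSpawn('C:\\Program Files\\nodejs\\npx.cmd', ['shadow-cljs', 'classpath'], 'win32');
  let rejected = false;
  try { planSpawn('npx.cmd', ['watch', 'app & echo injected'], 'win32'); } catch { rejected = true; }
  return { ok, rejected };
}
console.log(demo());
// To launch: const { command, args, options } = planSpawn(cmd, argv);
// require('node:child_process').spawn(command, args, { stdio: 'inherit', ...options });
```
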