Error: spawn EINVAL on Windows #715

samuelmaddock · 2024-05-08T17:33:10Z

The latest versions of Node include a security vulnerability fix which now requires calling spawn() with shell: true on Windows (Node security release blog).

node-pre-gyp info using [email protected]
node-pre-gyp info using [email protected] | win32 | x64
node-pre-gyp ERR! UNCAUGHT EXCEPTION 
node-pre-gyp ERR! stack Error: spawn EINVAL
node-pre-gyp ERR! stack     at ChildProcess.spawn (node:internal/child_process:421:11)
node-pre-gyp ERR! stack     at Object.spawn (node:child_process:761:9)
node-pre-gyp ERR! stack     at module.exports.run_gyp (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\util\compile.js:80:18)
node-pre-gyp ERR! stack     at C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\configure.js:44:15
node-pre-gyp ERR! stack     at handle_gyp_opts (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\util\handle_gyp_opts.js:101:10)
node-pre-gyp ERR! stack     at configure (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\configure.js:12:3)
node-pre-gyp ERR! stack     at self.commands.<computed> [as configure] (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\node-pre-gyp.js:86:37)
node-pre-gyp ERR! stack     at run (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\main.js:81:30)
node-pre-gyp ERR! stack     at Object.<anonymous> (C:\Users\circleci\project\node_modules\@mapbox\node-pre-gyp\lib\main.js:125:1)
node-pre-gyp ERR! stack     at Module._compile (node:internal/modules/cjs/loader:1358:14)

I'm currently working around this by using patch-package with the following patch:

diff --git a/node_modules/@mapbox/node-pre-gyp/lib/util/compile.js b/node_modules/@mapbox/node-pre-gyp/lib/util/compile.js
index 956e5aa..0051fce 100644
--- a/node_modules/@mapbox/node-pre-gyp/lib/util/compile.js
+++ b/node_modules/@mapbox/node-pre-gyp/lib/util/compile.js
@@ -77,7 +77,9 @@ module.exports.run_gyp = function(args, opts, callback) {
     }
   }
   const final_args = cmd_args.concat(args);
-  const cmd = cp.spawn(shell_cmd, final_args, { cwd: undefined, env: process.env, stdio: [0, 1, 2] });
+  // Add 'shell' on Windows due to security vulnerability
+  // https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2
+  const cmd = cp.spawn(shell_cmd, final_args, { cwd: undefined, env: process.env, stdio: [0, 1, 2], shell: process.platform === 'win32' });
   cmd.on('error', (err) => {
     if (err) {
       return callback(new Error("Failed to execute '" + shell_cmd + ' ' + final_args.join(' ') + "' (" + err + ')'));

The text was updated successfully, but these errors were encountered:

Updated node-pre-gyp attempting to resolve this issue, but it is still unresolved upstream. For now, hack in a patch. Once upstream fixes this, we can update to the fixed version and drop this hack. For more details, see mapbox/node-pre-gyp#715

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error: spawn EINVAL on Windows #715

Error: spawn EINVAL on Windows #715

samuelmaddock commented May 8, 2024

Error: spawn EINVAL on Windows #715

Error: spawn EINVAL on Windows #715

Comments

samuelmaddock commented May 8, 2024