Merge pull request #1234 from afarber/1115-fix-dep0190-deprecation

fix: replace spawn shell option with explicit shell args to avoid Node.js DEP0190 warning

packages/cli/src/utils/handleAutoUpdate.test.ts

@@ -241,9 +241,12 @@ describe('handleAutoUpdate', () => {
     handleAutoUpdate(mockUpdateInfo, mockSettings, '/root', mockSpawn);
 
     expect(mockSpawn).toHaveBeenCalledWith(
-      'npm i -g @qwen-code/qwen-code@nightly',
+      expect.stringMatching(/^(bash|cmd\.exe)$/),
+      expect.arrayContaining([
+        expect.stringMatching(/^(-c|\/c)$/),
+        'npm i -g @qwen-code/qwen-code@nightly',
+      ]),
       {
-        shell: true,
         stdio: 'pipe',
       },
     );

packages/cli/src/utils/handleAutoUpdate.ts

@@ -12,6 +12,7 @@ import type { HistoryItem } from '../ui/types.js';
 import { MessageType } from '../ui/types.js';
 import { spawnWrapper } from './spawnWrapper.js';
 import type { spawn } from 'node:child_process';
+import os from 'node:os';
 
 export function handleAutoUpdate(
   info: UpdateObject | null,
@@ -53,7 +54,10 @@ export function handleAutoUpdate(
     '@latest',
     isNightly ? '@nightly' : `@${info.update.latest}`,
   );
-  const updateProcess = spawnFn(updateCommand, { stdio: 'pipe', shell: true });
+  const isWindows = os.platform() === 'win32';
+  const shell = isWindows ? 'cmd.exe' : 'bash';
+  const shellArgs = isWindows ? ['/c', updateCommand] : ['-c', updateCommand];
+  const updateProcess = spawnFn(shell, shellArgs, { stdio: 'pipe' });
   let errorOutput = '';
   updateProcess.stderr.on('data', (data) => {
     errorOutput += data.toString();

packages/cli/src/utils/sandbox.ts

@@ -291,9 +291,10 @@ export async function start_sandbox(
           sandboxEnv['NO_PROXY'] = noProxy;
           sandboxEnv['no_proxy'] = noProxy;
         }
-        proxyProcess = spawn(proxyCommand, {
+        // Note: CodeQL flags this as js/shell-command-injection-from-environment.
+        // This is intentional - CLI tool executes user-provided proxy commands.
+        proxyProcess = spawn('bash', ['-c', proxyCommand], {
           stdio: ['ignore', 'pipe', 'pipe'],
-          shell: true,
           detached: true,
         });
         // install handlers to stop proxy on exit/signal
@@ -781,9 +782,15 @@ export async function start_sandbox(
     if (proxyCommand) {
       // run proxyCommand in its own container
       const proxyContainerCommand = `${config.command} run --rm --init ${userFlag} --name ${SANDBOX_PROXY_NAME} --network ${SANDBOX_PROXY_NAME} -p 8877:8877 -v ${process.cwd()}:${workdir} --workdir ${workdir} ${image} ${proxyCommand}`;
-      proxyProcess = spawn(proxyContainerCommand, {
+      const isWindows = os.platform() === 'win32';
+      const proxyShell = isWindows ? 'cmd.exe' : 'bash';
+      const proxyShellArgs = isWindows
+        ? ['/c', proxyContainerCommand]
+        : ['-c', proxyContainerCommand];
+      // Note: CodeQL flags this as js/shell-command-injection-from-environment.
+      // This is intentional - CLI tool executes user-provided proxy commands in container.
+      proxyProcess = spawn(proxyShell, proxyShellArgs, {
         stdio: ['ignore', 'pipe', 'pipe'],
-        shell: true,
         detached: true,
       });
       // install handlers to stop proxy on exit/signal