Skip to content

fix: resolve DEP0190 deprecation warning on Windows#87

Open
dengmik-commits wants to merge 1 commit into
lessweb:mainfrom
dengmik-commits:fix/dep0190
Open

fix: resolve DEP0190 deprecation warning on Windows#87
dengmik-commits wants to merge 1 commit into
lessweb:mainfrom
dengmik-commits:fix/dep0190

Conversation

@dengmik-commits
Copy link
Copy Markdown
Contributor

@dengmik-commits dengmik-commits commented May 17, 2026

问题

启动 deepcode 时出现 Node.js 废弃警告:

(node:119316) [DEP0190] DeprecationWarning: Passing args to a child process
with shell option true can lead to security vulnerabilities, as the
arguments are not escaped, only concatenated.

根因

child_process.spawn()shell: true 模式下不应该传入 args 数组——Node.js 只做简单拼接不转义,存在注入风险。v0.1.21 中 PR #77 修复 Windows CI 时引入了此回归:McpClient 和 updateCheck 共 3 处调用都传了 args 数组。

修复

将所有 spawn(cmd, args, { shell: true }) 改为 spawn([cmd, ...args].join(" "), [], { shell: true }),手动拼成字符串后传入。逻辑等价——cmd.exe 仍通过 PATHEXT 解析命令,不会触发 DEP0190,也不会有之前的 .cmd 后缀 bug。

改动文件

文件 改动
src/mcp/mcp-client.ts:141 McpClient.connect() 的 spawn 调用
src/updateCheck.ts:164 runNpmInstallGlobal() — npm 全局安装更新包
src/updateCheck.ts:208 npmViewVersion() — npm view 查询最新版本

updateCheck.ts 的两处在启动时同时触发警告是因为它们先于 MCP 初始化运行:deepcode 启动后立即检查更新和版本信息,这两个 spawn 在 npm 子命令前就触发了 DEP0190。用户看到的启动警告正是来自这里。

验证

npm run typecheck    # ✅ 零错误
npm run bundle       # ✅ dist/cli.js

启动 deepcode,不再出现 DEP0190 警告。

Closes #85

@dengmik-commits
fix: resolve DEP0190 deprecation warning on Windows
b1b2a2a 
Join command+args into a single string before passing to spawn with
shell: true to avoid Node.js DEP0190 warning on Windows.

Affected calls:
- McpClient.connect() in mcp-client.ts
- runNpmInstallGlobal() in updateCheck.ts
- npmViewVersion() in updateCheck.ts
@dengmik-commits dengmik-commits mentioned this pull request May 17, 2026
Open
@qorzj
Copy link
Copy Markdown
Collaborator

qorzj commented May 17, 2026

@dengmik-commits 发现下面的问题:

  • 【需解决】src/updateCheck.ts的改动会导致非Windows系统上的版本更新检查/安装失效。
  • 【可接受】src/mcp/mcp-client.ts的改动去除了Windows上的 DEP0190 警告,但仍依赖于原始字符串拼接,不能完全解决注入风险。

Suggested Fix
Keep the joined command only on Windows, and keep the existing safe argv form elsewhere:

if (process.platform === "win32") {
  spawn(["npm", ...args].join(" "), [], {
    stdio,
    shell: true,
  });
} else {
  spawn("npm", args, {
    stdio,
    shell: false,
  });
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Windows: DEP0190 警告 — spawn shell:true + args 数组

2 participants

@dengmik-commits @qorzj