Lines 1-52javascript
1import { spawnSync } from "node:child_process";
2import fs from "node:fs";
HighChild Process
Package source references child process execution.
dist/src/system.jsView on unpkg · L1 3import http from "node:http";
4import https from "node:https";
5import path from "node:path";
6import process from "node:process";
7import { die } from "./logger.js";
8export function findCommand(command) {
9 const pathValue = process.env.PATH || "";
10 const pathExt = process.platform === "win32"
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/system.jsView on unpkg · L1 11 ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";")
13 for (const dir of pathValue.split(path.delimiter)) {
16 for (const ext of pathExt) {
17 const candidate = path.join(dir, `${command}${ext}`);
19 fs.accessSync(candidate, fs.constants.X_OK);
23 // Continue scanning PATH.
29export function commandExists(command) {
30 return Boolean(findCommand(command));
32function escapeCmdArg(arg) {
33 // cmd.exe quoting in the cross-spawn style: double backslashes that precede
34 // a quote, double trailing backslashes, escape quotes, wrap in quotes.
35 let result = arg.replace(/(\\*)"/g, '$1$1\\"');
36 result = result.replace(/(\\*)$/, "$1$1");
39export function windowsSpawnPlan(command, args, resolve = findCommand) {
40 // Node >= 18.20 refuses to spawn .cmd/.bat shims directly (CVE-2024-27980),
41 // so npm/npx-style shims must be routed through cmd.exe explicitly.
42 const hasBatchExtension = (value) => value.toLowerCase().endsWith(".cmd") ||
43 value.toLowerCase().endsWith(".bat");
44 const resolved = hasBatchExtension(command)
46 : (resolve(command) ?? command);
47 if (!hasBatchExtension(resolved)) {
48 return { command, args, verbatim: false };
50 const commandLine = [escapeCmdArg(resolved), ...args.map(escapeCmdArg)].join(" ");
52 command: process.env.comspec || "cmd.exe",