Error: spawn EINVAL

The latest Node.js patch for Windows broke a CLI command.

I can’t do my job

About a week ago, I ran into an error which prevented us from running our frontend codebase locally:

error: Error: spawn EINVAL
  at ChildProcess.spawn (node:internal/child_process:421:11)
  at spawn (node:child_process:761:9)
  ...

Searching the internet, I came across a discussion forum from Node-RED. Maintainers of Node-RED had come across the same issue and found that a security release from Node.js was the root cause.

Node.js maintainers found a method in which “a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.” This impacted all Windows users in active release lines of 18.x, 20.x, and 21.x. This included my machine using Windows 11 and the latest version of Node, 21.7.3.

Node-RED resolved this issue quickly by adding the option shell: true to its spawn() call.

For some context, our codebase is created with a JavaScript framework known as Aurelia. It’s a relatively lesser-known framework with a small user base. The error above was the command-line output of au run, which should build the app and create bundles in the process.

Looking at the Aurelia CLI’s codebase, line 18 within the JavaScript file lib/package-managers/base-package-manager.js should be updated to include the new property: { stdio: 'inherit', cwd: workingDirectory, shell: true }.
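An added example, not code from Aurelia CLI or Node-RED: with shell: true on Windows, Node.js hands the command and its arguments to cmd.exe without escaping them, so a wrapper can turn the option on only for .cmd/.bat targets (the case the patched Node.js rejects with EINVAL) and refuse any argument outside an allowlist. The names buildSpawnPlan, run and SAFE_ARG are hypothetical.

```javascript
const { spawn } = require('node:child_process');
const path = require('node:path');

// Conservative allowlist (an assumption of this example): characters that
// cmd.exe does not treat specially. Anything else is rejected, not escaped.
const SAFE_ARG = /^[A-Za-z0-9_@.\\/:=+,-]+$/;

// Decide how to spawn `command` without weakening the Node.js security fix.
// `platform` is a parameter so the decision can be checked on any OS.
function buildSpawnPlan(command, args, opts = {}, platform = process.platform) {
  const ext = path.win32.extname(command).toLowerCase();
  // Only batch files on Windows need the shell; everything else keeps
  // shell: false so arguments are never interpreted by cmd.exe.
  const needsShell = platform === 'win32' && (ext === '.cmd' || ext === '.bat');

  if (needsShell) {
    for (const value of [command, ...args]) {
      if (typeof value !== 'string' || !SAFE_ARG.test(value)) {
        throw new Error(
          `refusing to pass ${JSON.stringify(value)} through cmd.exe`
        );
      }
    }
  }

  return {
    command,
    args,
    // Caller options are merged first so they cannot override `shell`.
    options: { stdio: 'inherit', ...opts, shell: needsShell },
  };
}

// Thin wrapper around child_process.spawn using the plan above.
function run(command, args, opts) {
  const plan = buildSpawnPlan(command, args, opts);
  return spawn(plan.command, plan.args, plan.options);
}

module.exports = { buildSpawnPlan, run, SAFE_ARG };
```

Rejecting rather than quoting is deliberate: cmd.exe quoting rules are easy to get wrong, and a package-manager wrapper rarely needs arguments outside this character set.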

Now, here is the problem. Aurelia’s CLI package has not been updated in 6 months. Welp, I guess this is what we get for using a shiny new project (at the time) with a small community.

Sacrifice

Aurelia has since moved to completely rewrite the project: Aurelia v2. Since our codebase depends on our own component library created with v1, migrating to v2 is not a simple task.

Solutions in order from worst to best

  1. Stop using Windows.

  2. Downgrade Node.js.

  3. Stop using au run. Use webpack server instead.

  4. Create a pull request to update the Aurelia CLI package.

My answer

Not using Windows is a losing fight since I work for an organization. Downgrading Node.js isn’t a good solution as it is a security patch.

So, I’ve opened an issue on Aurelia CLI’s GitHub repository so hopefully someone can take a look! Until then, I’ll be using webpack serve ✌️