How I accidentally contributed to an open-source project
Latest node.js patch that broke an CLI project.
I can’t do my job
My local environment stopped working. The command to run and build an Aurelia project, a frontend web framework built by the original creator of Angular, mysteriously failed with the following error message:
error: Error: spawn EINVAL
at ChildProcess.spawn (node:internal/child_process:421:11)
at spawn (node:child_process:761:9)
...
The almighty Google search
Since none of the typical solutions like reinstalling dependencies or reverting back the recent changes worked, I searched on the internet for a solution.
Eventually, I came across a discussion forum from an open-source project called Node-RED. Node-RED is a low-code development tool for visual programming. The project maintainers had come across the same error message and they found that the recent security release from Node.js was the root cause.
Node.js codebase included a method in which “a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.” This impacted all Windows
users in active release lines of 18.x
, 20.x
, and 21.x
.
Since I am on Windows 11
using their latest 21.7.3
, this was likely the issue. Node-RED maintainers were able to resolve this issue quickly by adding an option property of shell: true
to the spawn()
constructor argument.
The CLI repository
Looking at the Aurelia's CLI project on GitHub, I found a line referencing the exact spawn
method without the shell
option set.
However, the Aurelia develompent team has since moved to completely rewrite the project (Aurelia v2) so the repository has not been updated in 6 months.
Solutions (in order from worst to best)
Stop using Windows
This is not an option since I work for an organization with 99% of developers using Windows. However, good news is that our servers are all Linux; therefore, this error is only thrown during local development.
Downgrade Node.js
Downgrading the Node.js version to the latest LTS release will solve the problem for now. However, this is a temporary solution as more developers will run into this issue upon a Node.js update.
Additionally, since no one has yet reported this issue on their GitHub issues page, I opened a new thread explaining the issue I was having as well as the solution.
Contribute to the open-source project
Within a few hours of writing a thorough explanation of my findings, the maintainer of the project commented on the issue asking for me to create a pull request.
Up to this point, I’ve never contributed or even attempted to contribute to an open-source project. This was also an CLI project which I don’t have experience working on. Not only that, the project has over 400 stars and 5,000 weekly downloads on npm.
Despite the hesitation, my manager encouraged me to attempt making the change. He thought that it would be a great experience for me.
With a few minor roadblocks, I manged to push the code change and the package was released to npm a few days later. Installing the new version on my machine, our project started working again.
Throughout this journey, I learned how to think about open-source contribution. Within the developer community, it is commonly understood that contributing to open-source is how you can get a good job. However, I think we might have it backwards.
Contributing to open source doesn’t make you a good developer. Good developers contribute to open-source.
Managing Node.js versions properly
To this day, I'm not sure how my machine automatically updated the Node.js version but my speculation is Chocolatey, an optionally installed package manager upon installation of Node.js. However, my big take away is that I now have an approach to managing the versions intentionally:
Decide on an LTS release to use everywhere (local and servers).
Match your machine’s version with the production server.
Subscribe to the Node.js blog and manually install any new releases to test your local environment. After confirming, downgrade to the LTS version. If the latest version fails one of your tools, search the repository online (typically on GitHub) and report the issue if there isn't one already.
Manage these versions using nvm.