npm - @cyclonedx/cdxgen - Versions diffs - 11.3.2 → 11.4.1 - Mend

@cyclonedx/cdxgen 11.3.2 → 11.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/README.md +1 -1
package/bin/cdxgen.js +38 -16
package/bin/evinse.js +1 -25
package/bin/verify.js +4 -1
package/data/bom-1.6.schema.json +87 -65
package/data/bom-1.7.schema.json +5915 -0
package/data/component-tags.json +1 -1
package/data/spdx-licenses.json +209 -4
package/data/spdx.schema.json +29 -1
package/lib/cli/index.js +39 -31
package/lib/evinser/evinser.js +5 -1
package/lib/helpers/envcontext.js +16 -16
package/lib/helpers/utils.js +140 -46
package/lib/helpers/utils.test.js +10 -6
package/lib/managers/binary.js +19 -9
package/lib/managers/docker.js +13 -13
package/lib/managers/oci.js +24 -20
package/lib/managers/piptree.js +113 -20
package/lib/server/openapi.yaml +21 -3
package/lib/server/server.js +38 -38
package/lib/stages/postgen/annotator.js +4 -0
package/lib/stages/postgen/postgen.js +27 -6
package/lib/stages/pregen/pregen.js +3 -3
package/package.json +64 -23
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +10 -3
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1

package/lib/managers/docker.js CHANGED Viewed

@@ -1,5 +1,4 @@
 import { Buffer } from "node:buffer";
-import { spawnSync } from "node:child_process";
 import {
   createReadStream,
   lstatSync,
@@ -25,6 +24,7 @@ import {
   getTmpDir,
   safeExistsSync,
   safeMkdirSync,
+  safeSpawnSync,
 } from "../helpers/utils.js";
 export const isWin = _platform() === "win32";
@@ -88,7 +88,7 @@ export function detectColima() {
     return true;
   }
   if (_platform() === "darwin") {
-    const result = spawnSync("colima", ["version"], {
+    const result = safeSpawnSync("colima", ["version"], {
       encoding: "utf-8",
     });
     if (result.status !== 0 || result.error) {
@@ -133,7 +133,7 @@ export function detectRancherDesktop() {
     );
     // Is Rancher Desktop running
     if (safeExistsSync(limactl) || safeExistsSync(limaHome)) {
-      const result = spawnSync("rdctl", ["list-settings"], {
+      const result = safeSpawnSync("rdctl", ["list-settings"], {
         encoding: "utf-8",
       });
       if (result.status !== 0 || result.error) {
@@ -616,7 +616,10 @@ export const parseImageName = (fullImageName) => {
  * @returns boolean true if we should use the cli. false otherwise
  */
 const needsCliFallback = () => {
-  if (_platform() === "darwin" && (detectRancherDesktop() || detectColima())) {
+  if (
+    ["true", "1"].includes(process.env.DOCKER_USE_CLI) ||
+    (_platform() === "darwin" && (detectRancherDesktop() || detectColima()))
+  ) {
     return true;
   }
   return (
@@ -658,17 +661,14 @@ export const getImage = async (fullImageName) => {
     }
     let needsPull = true;
     // Let's check the local cache first
-    let result = spawnSync(dockerCmd, ["images", "--format=json"], {
+    let result = safeSpawnSync(dockerCmd, ["images", "--format=json"], {
       encoding: "utf-8",
     });
     if (result.status === 0 && result.stdout) {
       for (const imgLine of result.stdout.split("\n")) {
         try {
           const imgObj = JSON.parse(Buffer.from(imgLine).toString());
-          if (
-            imgObj.Repository === fullImageName ||
-            imgObj?.Name?.endsWith(fullImageName)
-          ) {
+          if (`${imgObj.Repository}:${imgObj.Tag}` === fullImageName) {
             needsPull = false;
             break;
           }
@@ -678,7 +678,7 @@ export const getImage = async (fullImageName) => {
       }
     }
     if (needsPull) {
-      result = spawnSync(dockerCmd, ["pull", fullImageName], {
+      result = safeSpawnSync(dockerCmd, ["pull", fullImageName], {
         encoding: "utf-8",
         timeout: TIMEOUT_MS,
       });
@@ -696,7 +696,7 @@ export const getImage = async (fullImageName) => {
         }
       }
     }
-    result = spawnSync(dockerCmd, ["inspect", fullImageName], {
+    result = safeSpawnSync(dockerCmd, ["inspect", fullImageName], {
       encoding: "utf-8",
     });
     if (result.status !== 0 || result.error) {
@@ -1160,7 +1160,7 @@ export const exportImage = async (fullImageName, options) => {
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using ${dockerCmd} cli`,
     );
-    const result = spawnSync(
+    const result = safeSpawnSync(
       dockerCmd,
       ["save", "-o", imageTarFile, fullImageName],
       {
@@ -1392,7 +1392,7 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
   if (isWin) {
     credHelperExe = `${credHelperExe}.exe`;
   }
-  const result = spawnSync(credHelperExe, ["get"], {
+  const result = safeSpawnSync(credHelperExe, ["get"], {
     input: serverAddress,
     encoding: "utf-8",
   });

package/lib/managers/oci.js CHANGED Viewed

@@ -1,25 +1,29 @@
 import { Buffer } from "node:buffer";
-import { spawnSync } from "node:child_process";
 import fs from "node:fs";
-import { MAX_BUFFER, getAllFiles, getTmpDir, isWin } from "../helpers/utils.js";
+import {
+  MAX_BUFFER,
+  getAllFiles,
+  getTmpDir,
+  isWin,
+  safeSpawnSync,
+} from "../helpers/utils.js";
-export function getBomWithOras(image) {
-  let result = spawnSync(
-    "oras",
-    [
-      "discover",
-      "--format",
-      "json",
-      "--artifact-type",
-      "sbom/cyclonedx",
-      image,
-    ],
-    {
-      encoding: "utf-8",
-      shell: isWin,
-      maxBuffer: MAX_BUFFER,
-    },
-  );
+export function getBomWithOras(image, platform = undefined) {
+  let parameters = [
+    "discover",
+    "--format",
+    "json",
+    "--artifact-type",
+    "sbom/cyclonedx",
+  ];
+  if (platform) {
+    parameters = parameters.concat(["--platform", platform]);
+  }
+  let result = safeSpawnSync("oras", parameters.concat([image]), {
+    encoding: "utf-8",
+    shell: isWin,
+    maxBuffer: MAX_BUFFER,
+  });
   if (result.status !== 0 || result.error) {
     console.log(
       "Install oras by following the instructions at: https://oras.land/docs/installation",
@@ -40,7 +44,7 @@ export function getBomWithOras(image) {
       ) {
         const imageRef = manifestObj.manifests[0].reference;
         const tmpDir = getTmpDir();
-        result = spawnSync("oras", ["pull", imageRef, "-o", tmpDir], {
+        result = safeSpawnSync("oras", ["pull", imageRef, "-o", tmpDir], {
           encoding: "utf-8",
           shell: isWin,
           maxBuffer: MAX_BUFFER,

package/lib/managers/piptree.js CHANGED Viewed

@@ -1,4 +1,3 @@
-import { spawnSync } from "node:child_process";
 /**
  * The idea behind this plugin came from the excellent pipdeptree package
  * https://github.com/tox-dev/pipdeptree
@@ -13,7 +12,7 @@ import {
   writeFileSync,
 } from "node:fs";
 import { delimiter, join } from "node:path";
-import { getTmpDir } from "../helpers/utils.js";
+import { getTmpDir, safeSpawnSync } from "../helpers/utils.js";
 const PIP_TREE_PLUGIN_CONTENT = `
 import importlib.metadata as importlib_metadata
@@ -22,6 +21,16 @@ import sys
 from pip._internal.metadata import pkg_resources
+REQUIREMENT_MODULE_FOUND = False
+try:
+    from packaging.requirements import Requirement
+    REQUIREMENT_MODULE_FOUND = True
+except ImportError:
+    try:
+        from pip._vendor.packaging.requirements import Requirement
+        REQUIREMENT_MODULE_FOUND = True
+    except ImportError:
+        pass
 def frozen_req_from_dist(dist):
     try:
@@ -41,8 +50,8 @@ def frozen_req_from_dist(dist):
         pass
-def get_installed_distributions():
-    dists = pkg_resources.Environment.from_paths(None).iter_installed_distributions(
+def get_installed_distributions(python_path=None):
+    dists = pkg_resources.Environment.from_paths(python_path).iter_installed_distributions(
         local_only=False,
         skip=(),
         user_only=False,
@@ -50,7 +59,81 @@ def get_installed_distributions():
     return [d._dist for d in dists]
-def find_deps(idx, path, reqs, traverse_count):
+def _get_extra_deps_from_dist(dist):
+    extra_deps = {}
+    if not dist:
+        return extra_deps
+    # all requirements, some of which may be extra-only:
+    reqs = dist.metadata.get_all('Requires-Dist') or []
+    # extras this package defines:
+    extras = dist.metadata.get_all('Provides-Extra') or []
+    for req_str in reqs:
+        req = Requirement(req_str)
+        if req.marker and 'extra' in str(req.marker):
+            # evaluate marker for each declared extra
+            for extra in extras:
+                if req.marker.evaluate({'extra': extra}):
+                    extra_deps.setdefault(extra, []).append({"name": str(req.name), "versionSpecifiers": str(req.specifier), "url": str(req.url) if req.url else None})
+    return extra_deps
+def _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps):
+    dependencies = []
+    if not extra_deps:
+        return dependencies
+    # Treat an extra with the name all as dependencies
+    all_deps = extra_deps.get("all", [])
+    for dep in all_deps:
+        dversion = name_version_cache.get(dep["name"])
+        if not dversion:
+            continue
+        dversionSpecifiers = dep.get("versionSpecifiers")
+        dpurl = f"""pkg:pypi/{dep["name"].lower()}@{dversion}"""
+        dextra_deps = _get_extra_deps_from_dist(name_dist_cache.get(dep["name"]))
+        ddependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, dextra_deps)
+        dependencies.append({
+            "name": dep["name"],
+            "version": dversion,
+            "versionSpecifiers": dversionSpecifiers,
+            "purl": dpurl,
+            "extra_deps": dextra_deps,
+            "dependencies": ddependencies
+        })
+    return dependencies
+def get_installed_with_extras():
+    result = {}
+    if not REQUIREMENT_MODULE_FOUND:
+        return result
+    name_version_cache = {}
+    name_dist_cache = {}
+    for dist in importlib_metadata.distributions():
+        name = dist.metadata['Name']
+        version = dist.version or ""
+        name_version_cache[name] = version
+        name_dist_cache[name] = dist
+    for dist in importlib_metadata.distributions():
+        name = dist.metadata['Name']
+        version = dist.version or ""
+        # extras this package defines:
+        extras = dist.metadata.get_all('Provides-Extra') or []
+        # map each extra → its extra-only dependencies
+        extra_deps = _get_extra_deps_from_dist(dist)
+        purl = f"pkg:pypi/{name.lower()}@{version}"
+        dependencies = _get_deps_from_extras(name_version_cache, name_dist_cache, extra_deps)
+        result[purl] = {
+            'name': name,
+            'version': version,
+            'extras': extras,
+            'purl': purl,
+            'extra_deps': extra_deps,
+            "dependencies": dependencies
+        }
+    return result
+def find_deps(idx, path, purl, reqs, global_installed, traverse_count):
     freqs = []
     for r in reqs:
         d = idx.get(r.key)
@@ -58,17 +141,26 @@ def find_deps(idx, path, reqs, traverse_count):
             continue
         r.project_name = d.project_name if d is not None else r.project_name
         if r.key in path:
+            print(f"Cycle detected: {' -> '.join(current_path)}")
             continue
         current_path = path + [r.key]
         specs = sorted(r.specs, reverse=True)
         specs_str = ",".join(["".join(sp) for sp in specs]) if specs else ""
         dreqs = d.requires()
+        name = r.project_name
+        version = importlib_metadata.version(r.key)
+        purl = f"pkg:pypi/{name.lower()}@{version}"
+        extra_deps = global_installed.get(purl, {}).get("extra_deps", {})
+        dependencies = find_deps(idx, current_path, purl, dreqs, global_installed, traverse_count + 1) if dreqs and traverse_count < 200 else []
+        all_dependencies = global_installed.get(purl, {}).get("dependencies", [])
         freqs.append(
             {
-                "name": r.project_name,
-                "version": importlib_metadata.version(r.key),
+                "name": name,
+                "version": version,
                 "versionSpecifiers": specs_str,
-                "dependencies": find_deps(idx, current_path, dreqs, traverse_count + 1) if dreqs and traverse_count < 200 else [],
+                'purl': purl,
+                "extra_deps": extra_deps,
+                "dependencies": dependencies + all_dependencies,
             }
         )
     return freqs
@@ -77,7 +169,8 @@ def find_deps(idx, path, reqs, traverse_count):
 def main(argv):
     out_file = "piptree.json" if len(argv) < 2 else argv[-1]
     tree = []
-    pkgs = get_installed_distributions()
+    global_installed = get_installed_with_extras()
+    pkgs = get_installed_distributions(python_path=None)
     idx = {p.key: p for p in pkgs}
     traverse_count = 0
     for p in pkgs:
@@ -93,22 +186,22 @@ def main(argv):
         version = "latest"
         if len(tmpA) == 2:
             version = tmpA[1]
+        pkgName = name.split(" ")[0]
+        purl = f"pkg:pypi/{pkgName.lower()}@{version}"
+        extra_deps = global_installed.get(purl, {}).get("extra_deps", "")
+        all_dependencies = global_installed.get(purl, {}).get("dependencies", [])
+        dependencies = find_deps(idx, [p.key], purl, p.requires(), global_installed, traverse_count + 1)
         tree.append(
             {
-                "name": name.split(" ")[0],
+                "name": pkgName,
                 "version": version,
-                "dependencies": find_deps(idx, [p.key], p.requires(), traverse_count + 1),
+                "purl": purl,
+                "extra_deps": extra_deps,
+                "dependencies": dependencies + all_dependencies,
             }
         )
-    all_deps = {}
-    for t in tree:
-        for d in t["dependencies"]:
-            all_deps[d["name"]] = True
-    trimmed_tree = [
-        t for t in tree if t["name"] not in all_deps
-    ]
     with open(out_file, mode="w", encoding="utf-8") as fp:
-        json.dump(trimmed_tree, fp)
+        json.dump(tree, fp)
 if __name__ == "__main__":
@@ -141,7 +234,7 @@ export const getTreeWithPlugin = (env, python_cmd, basePath) => {
       env.PYTHONPATH = `${env.PYTHONPATH}${delimiter}${env.PIP_TARGET}`;
     }
   }
-  const result = spawnSync(python_cmd, pipPluginArgs, {
+  const result = safeSpawnSync(python_cmd, pipPluginArgs, {
     cwd: basePath,
     encoding: "utf-8",
     env,

package/lib/server/openapi.yaml CHANGED Viewed

@@ -216,12 +216,22 @@ components:
       type: object
       properties:
         type:
-          type: string
-          description: Project Type
+          type: array
+          items:
+            type: string
+          description: Project Types
           default: "universal"
           externalDocs:
             description: Single or comma separated values. See supported project types
             url: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES
+        excludeType:
+          type: array
+          items:
+            type: string
+          description: Exclude Types
+          externalDocs:
+            description: Project types to exclude
+            url: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES
         multiProject:
           type: boolean
         requiredOnly:
@@ -259,7 +269,7 @@ components:
         specVersion:
           type: string
           description: CycloneDX Specification version to use
-          default: "1.5"
+          default: "1.6"
         filter:
           type: array
           items:
@@ -304,6 +314,14 @@ components:
         standard:
           type: string
           description: The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. Choices are asvs-4.0.3, bsimm-v13, masvs-2.0.0, nist_ssdf-1.1, pcissc-secure-slc-1.1, scvs-1.0.0, ssaf-DRAFT-2023-11
+        minConfidence:
+          type: number
+          description: Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% confidence.
+        technique:
+          type: array
+          items:
+            type: string
+          description: Analysis technique to use
     CycloneDXSBOM:
       type: object
       externalDocs:

package/lib/server/server.js CHANGED Viewed

@@ -1,4 +1,3 @@
-import { spawnSync } from "node:child_process";
 import fs from "node:fs";
 import http from "node:http";
 import path from "node:path";
@@ -7,7 +6,7 @@ import { URL } from "node:url";
 import bodyParser from "body-parser";
 import connect from "connect";
 import { createBom, submitBom } from "../cli/index.js";
-import { getTmpDir, isSecureMode } from "../helpers/utils.js";
+import { getTmpDir, isSecureMode, safeSpawnSync } from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
 import compression from "compression";
@@ -16,6 +15,37 @@ import compression from "compression";
 const TIMEOUT_MS =
   Number.parseInt(process.env.CDXGEN_SERVER_TIMEOUT_MS) || 10 * 60 * 1000;
+const ALLOWED_PARAMS = [
+  "type",
+  "excludeType",
+  "multiProject",
+  "requiredOnly",
+  "noBabel",
+  "installDeps",
+  "projectId",
+  "projectName",
+  "projectGroup",
+  "projectVersion",
+  "parentUUID",
+  "serverUrl",
+  "apiKey",
+  "specVersion",
+  "filter",
+  "only",
+  "autoCompositions",
+  "gitBranch",
+  "lifecycle",
+  "deep",
+  "profile",
+  "exclude",
+  "includeFormulation",
+  "includeCrypto",
+  "standard",
+  "minConfidence",
+  "technique",
+  "tlpClassification",
+];
 const app = connect();
 app.use(
@@ -58,7 +88,7 @@ const gitClone = (repoUrl, branch = null) => {
     `Cloning Repo${branch ? ` with branch ${branch}` : ""} to ${tempDir}`,
   );
-  const result = spawnSync("git", gitArgs, {
+  const result = safeSpawnSync("git", gitArgs, {
     encoding: "utf-8",
     shell: false,
   });
@@ -69,41 +99,11 @@ const gitClone = (repoUrl, branch = null) => {
   return tempDir;
 };
-const parseQueryString = (q, body, options = {}) => {
-  if (body && Object.keys(body).length) {
-    options = Object.assign(options, body);
-  }
-  const queryParams = [
-    "type",
-    "multiProject",
-    "requiredOnly",
-    "noBabel",
-    "installDeps",
-    "projectId",
-    "projectName",
-    "projectGroup",
-    "projectVersion",
-    "parentUUID",
-    "serverUrl",
-    "apiKey",
-    "specVersion",
-    "filter",
-    "only",
-    "autoCompositions",
-    "gitBranch",
-    "lifecycle",
-    "deep",
-    "profile",
-    "exclude",
-    "includeFormulation",
-    "includeCrypto",
-    "standard",
-  ];
-  for (const param of queryParams) {
-    if (q[param]) {
-      let value = q[param];
+const parseQueryString = (q, body = {}, options = {}) => {
+  // Priority is query params followed by body
+  for (const param of ALLOWED_PARAMS) {
+    if (q[param] || body[param]) {
+      let value = q[param] || body[param];
       // Convert string to boolean
       if (value === "true") {
         value = true;

package/lib/stages/postgen/annotator.js CHANGED Viewed

@@ -99,6 +99,7 @@ export function textualMetadata(bomJson) {
   const { bomType, bomTypeDescription } = findBomType(bomJson);
   const metadata = bomJson.metadata;
   const lifecycles = metadata?.lifecycles || [];
+  const tlpClassification = metadata.distribution;
   const cryptoAssetsCount = bomJson?.components?.filter(
     (c) => c.type === "cryptographic-asset",
   ).length;
@@ -122,6 +123,9 @@ export function textualMetadata(bomJson) {
       }
     }
   }
+  if (tlpClassification) {
+    text = `${text} The Traffic Light Protocol (TLP) classification for this document is '${tlpClassification}'.`;
+  }
   if (lifecycles && Array.isArray(lifecycles)) {
     if (lifecycles.length === 1) {
       const thePhase = lifecycles[0].phase;

package/lib/stages/postgen/postgen.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync, rmSync } from "node:fs";
+import { readFileSync, rmSync } from "node:fs";
 import { join, relative } from "node:path";
 import process from "node:process";
 import { PackageURL } from "packageurl-js";
@@ -9,6 +9,7 @@ import {
   getTimestamp,
   getTmpDir,
   hasAnyProjectType,
+  safeExistsSync,
 } from "../../helpers/utils.js";
 import { extractTags, findBomType, textualMetadata } from "./annotator.js";
@@ -31,7 +32,7 @@ function relativeDir(d, options) {
     return rd.includes("all-layers") ? rd.split("all-layers").pop() : rd;
   }
   const baseDir = options.filePath || process.cwd();
-  if (existsSync(baseDir)) {
+  if (safeExistsSync(baseDir)) {
     const rdir = relative(baseDir, d);
     return rdir.startsWith(join("..", "..")) ? d : rdir;
   }
@@ -200,7 +201,7 @@ export function applyStandards(bomJson, options) {
         "templates",
         `${astandard}.cdx.json`,
       );
-      if (existsSync(templateFile)) {
+      if (safeExistsSync(templateFile)) {
         const templateData = JSON.parse(readFileSync(templateFile, "utf-8"));
         if (templateData?.metadata?.licenses) {
           if (!bomJson.metadata.licenses) {
@@ -224,6 +225,26 @@ export function applyStandards(bomJson, options) {
   return bomJson;
 }
+/**
+ * Method to normalize the identity field from a component's evidence block.
+ *
+ * In different versions of CycloneDX, the `identity` field can be either a single object or an array of objects.
+ * This function ensures that the result is always an array for consistent processing.
+ *
+ * @param {Object} comp - The component object potentially containing evidence.identity.
+ * @returns {Array} An array of identity objects (empty if none are present).
+ */
+function normalizeIdentities(comp) {
+  const identity = comp?.evidence?.identity;
+  if (Array.isArray(identity)) {
+    return identity;
+  }
+  if (identity) {
+    return [identity];
+  }
+  return [];
+}
 /**
  * Method to get the purl identity confidence.
  *
@@ -235,7 +256,7 @@ function getIdentityConfidence(comp) {
     return undefined;
   }
   let confidence;
-  for (const aidentity of comp?.evidence?.identity || []) {
+  for (const aidentity of normalizeIdentities(comp)) {
     if (aidentity?.field === "purl") {
       if (confidence === undefined) {
         confidence = aidentity.confidence || 0;
@@ -258,7 +279,7 @@ function getIdentityTechniques(comp) {
     return undefined;
   }
   const techniques = new Set();
-  for (const aidentity of comp?.evidence?.identity || []) {
+  for (const aidentity of normalizeIdentities(comp)) {
     if (aidentity?.field === "purl") {
       for (const amethod of aidentity.methods || []) {
         techniques.add(amethod?.technique);
@@ -304,7 +325,7 @@ export function filterBom(bomJson, options) {
       // Set.intersection is only available in node >= 22. See Bug# 1651
       if (
         usedTechniques &&
-        !new Set([...usedTechniques].filter((i) => allowedTechniques.has(i)))
+        ![...usedTechniques].some((i) => allowedTechniques.has(i))
       ) {
         filtered = true;
         continue;

package/lib/stages/pregen/pregen.js CHANGED Viewed

@@ -1,4 +1,3 @@
-import { spawnSync } from "node:child_process";
 import { existsSync, mkdtempSync, readFileSync, readdirSync } from "node:fs";
 import { arch, platform } from "node:os";
 import { delimiter, dirname, join, resolve } from "node:path";
@@ -27,6 +26,7 @@ import {
   isMac,
   isSecureMode,
   isWin,
+  safeSpawnSync,
 } from "../../helpers/utils.js";
 /**
@@ -207,7 +207,7 @@ export function tryLoadNvmAndInstallTool(nodeVersion) {
       fi
       `;
-  const result = spawnSync(process.env.SHELL || "bash", ["-c", command], {
+  const result = safeSpawnSync(process.env.SHELL || "bash", ["-c", command], {
     encoding: "utf-8",
     shell: process.env.SHELL || true,
   });
@@ -232,7 +232,7 @@ export function doNpmInstall(filePath, nvmNodePath) {
   if (isSecureMode) {
     installArgs = `${installArgs} --ignore-scripts --no-audit`;
   }
-  const resultNpmInstall = spawnSync(
+  const resultNpmInstall = safeSpawnSync(
     process.env.SHELL || "bash",
     [
       "-i",