@eltonssouza/development-utility-kit 0.14.0 → 0.14.1

package/bin/cli.js

@@ -267,6 +267,31 @@ function harnessVersion() {
   }
 }
 
+// ─── spawn helpers (DEP0190-safe) ─────────────────────────────────────────────
+
+/**
+ * Whether a binary resolves on PATH — cross-platform, no shell (so no DEP0190).
+ * @param {string} bin
+ * @returns {boolean}
+ */
+function isOnPath(bin) {
+  const probe = process.platform === 'win32' ? 'where' : 'which';
+  const r = spawnSync(probe, [bin], { stdio: 'ignore' });
+  return r.status === 0;
+}
+
+/**
+ * Run a TRUSTED, static command line. A shell is needed on Windows to resolve
+ * `.cmd`/`.bat` shims (npm, git, rtk). Passing the command as a SINGLE string
+ * (not args[] + shell:true) avoids Node's DEP0190 warning. Never pass untrusted
+ * input — quote path arguments at the call site.
+ * @param {string} cmd
+ * @param {object} [opts]
+ */
+function runShell(cmd, opts = {}) {
+  return spawnSync(cmd, { shell: true, ...opts });
+}
+
 // ─── adoptProject (install / update) ──────────────────────────────────────────
 
 /**
@@ -432,17 +457,11 @@ function adoptProject(opts) {
   process.stdout.write('Written        : CLAUDE.md\n');
 
   // Auto-install duk globally when running via npx (duk not yet in PATH).
-  const dukCheck = spawnSync('duk', ['--version'], {
-    shell: process.platform === 'win32',
-    stdio: 'ignore',
-  });
-  if (dukCheck.error) {
+  if (!isOnPath('duk')) {
     process.stdout.write('\nInstalling duk CLI globally...\n');
-    const globalInstall = spawnSync(
-      'npm',
-      ['install', '-g', '@eltonssouza/development-utility-kit'],
-      { stdio: 'inherit', shell: process.platform === 'win32' }
-    );
+    const globalInstall = runShell('npm install -g @eltonssouza/development-utility-kit', {
+      stdio: 'inherit',
+    });
     if (globalInstall.status === 0) {
       process.stdout.write('duk installed globally. Run: duk help\n');
     } else {
@@ -530,10 +549,9 @@ function newProject(name, options) {
   fs.mkdirSync(target, { recursive: true });
 
   // 2. git init (non-fatal if git not installed; warn and continue)
-  const gitResult = spawnSync('git', ['init', '-q'], {
+  const gitResult = runShell('git init -q', {
     cwd: target,
     stdio: 'inherit',
-    shell: process.platform === 'win32',
   });
   if (gitResult.status !== 0) {
     process.stdout.write('Warning: "git init" failed or git is not in PATH. Continuing without git repo.\n');
@@ -707,9 +725,8 @@ function dashboard(passthroughArgs) {
 
   if (!fs.existsSync(nodeModulesDir)) {
     process.stdout.write('Installing dashboard dependencies (first run)...\n');
-    const result = spawnSync('npm', ['install', '--prefix', dashboardDir], {
+    const result = runShell(`npm install --prefix "${dashboardDir}"`, {
       stdio: 'inherit',
-      shell: process.platform === 'win32',
     });
     if (result.status !== 0) {
       process.stderr.write('Error: npm install failed for dashboard dependencies.\n');
@@ -718,8 +735,7 @@ function dashboard(passthroughArgs) {
   }
 
   // FR-008: print rtk gain output before starting the server
-  const rtkResult = spawnSync('rtk', ['gain'], {
-    shell: process.platform === 'win32',
+  const rtkResult = runShell('rtk gain', {
     stdio: ['ignore', 'pipe', 'ignore'],
   });
   if (rtkResult.status === 0 && rtkResult.stdout && rtkResult.stdout.length > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eltonssouza/development-utility-kit",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "npx installer for the development-utility-kit harness",
   "bin": {
     "duk": "bin/cli.js"