env-secrets 0.5.2 → 0.5.3

package/.github/workflows/deploy-docs.yml

@@ -34,7 +34,7 @@ jobs:
         working-directory: website
         run: yarn build
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@v5
         with:
           path: website/build
 

package/__e2e__/aws-exec-args.test.ts

@@ -1,4 +1,4 @@
-import { cliWithEnv } from './utils/test-utils';
+import { cliWithEnv, cliWithRealSpawn } from './utils/test-utils';
 import { registerAwsE2eContext } from './utils/aws-e2e-context';
 
 describe('AWS Program Execution CLI Args', () => {
@@ -42,3 +42,99 @@ describe('AWS Program Execution CLI Args', () => {
     expect(envVars.API_KEY).toBe('secret123');
   });
 });
+
+describe('AWS Real Spawn Execution (no NODE_ENV=test)', () => {
+  const { createTestSecret, getLocalStackEnv } = registerAwsE2eContext();
+
+  test('injected env vars are visible to the spawned child process (shell mode)', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-realspawn-${Date.now()}`,
+      value: '{"INJECTED_KEY": "injected_value"}',
+      description: 'Real spawn env injection test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      ['aws', '-s', secret.prefixedName, '--', 'printenv', 'INJECTED_KEY'],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('injected_value');
+  });
+
+  test('exit code of child process is propagated on success', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-ok-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (success)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(0)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+  });
+
+  test('exit code of child process is propagated on failure', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-fail-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (failure)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(42)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(42);
+  });
+
+  test('--no-shell passes args directly and env is injected', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-noshell-${Date.now()}`,
+      value: '{"INJECTED_KEY": "direct_value"}',
+      description: 'No-shell spawn test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'printenv',
+        'INJECTED_KEY'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('direct_value');
+  });
+});

package/__e2e__/utils/test-utils.ts

@@ -654,6 +654,84 @@ export function restoreTestProfile(
   }
 }
 
+/**
+ * Like cliWithEnv but does NOT set NODE_ENV=test, so the real spawn path in
+ * src/index.ts is exercised instead of the early-return test branch.
+ */
+export async function cliWithRealSpawn(
+  args: string[],
+  env: Record<string, string>,
+  cwd = '.'
+): Promise<CliResult> {
+  return new Promise((resolve) => {
+    const cleanEnv = { ...process.env };
+    delete cleanEnv.AWS_PROFILE;
+    delete cleanEnv.AWS_DEFAULT_PROFILE;
+    delete cleanEnv.AWS_SESSION_TOKEN;
+    delete cleanEnv.AWS_SECURITY_TOKEN;
+    delete cleanEnv.AWS_ROLE_ARN;
+    delete cleanEnv.AWS_ROLE_SESSION_NAME;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN_FILE;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN;
+    // Deliberately omit NODE_ENV=test so real spawn is used
+    delete cleanEnv.NODE_ENV;
+
+    const defaultEnv = {
+      AWS_ENDPOINT_URL: process.env.LOCALSTACK_URL || 'http://localhost:4566',
+      AWS_ACCESS_KEY_ID: 'test',
+      AWS_SECRET_ACCESS_KEY: 'test',
+      AWS_DEFAULT_REGION: 'us-east-1',
+      AWS_REGION: 'us-east-1'
+    };
+
+    const envVars = { ...cleanEnv, ...defaultEnv, ...env };
+    const cliPath = path.resolve('./dist/index');
+    const spawnArgs = [cliPath, ...args];
+    const command = `node ${cliPath} ${args.join(' ')}`;
+
+    debugLog(`Running CLI command (real spawn): ${command}`);
+
+    const child = spawn('node', spawnArgs, { cwd, env: envVars });
+
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (chunk: Buffer) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on('data', (chunk: Buffer) => {
+      stderr += chunk.toString();
+    });
+
+    child.on('close', (code: number | null, signal: NodeJS.Signals | null) => {
+      const exitCode = code ?? (signal ? 1 : 0);
+      const errorMessage = signal
+        ? `Process terminated by signal ${signal}`
+        : exitCode !== 0
+        ? `Process exited with code ${exitCode}`
+        : null;
+      const result = {
+        code: exitCode,
+        error: errorMessage ? new Error(errorMessage) : null,
+        stdout,
+        stderr
+      };
+
+      if (exitCode !== 0) {
+        debugError(
+          signal
+            ? `CLI command failed: terminated by signal ${signal}`
+            : `CLI command failed with code ${exitCode}`
+        );
+        debugError(`Command: ${command}`);
+        debugError(`Stdout: ${result.stdout}`);
+        debugError(`Stderr: ${result.stderr}`);
+      }
+
+      resolve(result);
+    });
+  });
+}
+
 export async function checkAwslocalInstalled(): Promise<void> {
   try {
     await execAwslocalCommand('awslocal --version', {});

package/__tests__/index.test.ts

@@ -39,6 +39,24 @@ const mockObjectToExport = objectToExport as jest.MockedFunction<
   typeof objectToExport
 >;
 
+// Build a ChildProcess-like mock that records event handlers
+function makeChildMock() {
+  const handlers: Record<string, ((...args: unknown[]) => void)[]> = {};
+  const child = {
+    stdio: 'inherit',
+    on: jest.fn((event: string, cb: (...args: unknown[]) => void) => {
+      if (!handlers[event]) handlers[event] = [];
+      handlers[event].push(cb);
+      return child;
+    }),
+    emit(event: string, ...args: unknown[]) {
+      (handlers[event] ?? []).forEach((cb) => cb(...args));
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  } as any;
+  return child;
+}
+
 describe('index.ts CLI functionality', () => {
   beforeEach(() => {
     jest.clearAllMocks();
@@ -94,43 +112,67 @@ describe('index.ts CLI functionality', () => {
       );
     });
 
-    it('should spawn a program when provided', async () => {
+    it('should spawn using shell (default) with joined command string', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1', 'arg2'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
         });
       }
 
-      expect(mockSpawn).toHaveBeenCalledWith(
-        'node',
-        ['script.js', 'arg1', 'arg2'],
-        {
-          stdio: 'inherit',
-          shell: true,
-          env: expect.objectContaining({
-            SECRET_KEY: 'secret_value'
-          })
+      expect(mockSpawn).toHaveBeenCalledWith('node script.js arg1 arg2', [], {
+        stdio: 'inherit',
+        shell: true,
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
+    });
+
+    it('should spawn without shell when --no-shell is passed', async () => {
+      const mockEnv = { SECRET_KEY: 'secret_value' };
+      mockSecretsmanager.mockResolvedValue(mockEnv);
+
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const program = ['node', 'script.js', 'arg1'];
+      const options = { secret: 'my-secret', shell: false };
+
+      let env = await mockSecretsmanager(options);
+      env = Object.assign({}, process.env, env);
+
+      if (program && program.length > 0) {
+        if (options.shell) {
+          mockSpawn(program.join(' '), [], {
+            stdio: 'inherit',
+            shell: true,
+            env
+          });
+        } else {
+          mockSpawn(program[0], program.slice(1), { stdio: 'inherit', env });
         }
-      );
+      }
+
+      expect(mockSpawn).toHaveBeenCalledWith('node', ['script.js', 'arg1'], {
+        stdio: 'inherit',
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
     });
 
     it('should not spawn a program when no program is provided', async () => {
@@ -143,7 +185,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -163,7 +205,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -173,26 +215,21 @@ describe('index.ts CLI functionality', () => {
       expect(mockSpawn).not.toHaveBeenCalled();
     });
 
-    it('should handle single program argument', async () => {
+    it('should handle single program argument (shell mode)', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['echo'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -219,13 +256,12 @@ describe('index.ts CLI functionality', () => {
 
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -247,13 +283,12 @@ describe('index.ts CLI functionality', () => {
     it('should handle secretsmanager returning empty object', async () => {
       mockSecretsmanager.mockResolvedValue({});
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -276,6 +311,128 @@ describe('index.ts CLI functionality', () => {
         'AWS connection failed'
       );
     });
+
+    describe('ChildProcess error and exit handling', () => {
+      beforeEach(() => {
+        jest.spyOn(process, 'exit').mockImplementation(() => {
+          throw new Error('process.exit called');
+        });
+        jest.spyOn(console, 'error').mockImplementation(() => undefined);
+      });
+
+      afterEach(() => {
+        jest.restoreAllMocks();
+      });
+
+      it('should print error message and exit 1 on child process error', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        const program = ['nonexistent-cmd'];
+        mockSpawn(program.join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        // Simulate attaching handlers as src/index.ts does
+        child.on('error', (err: Error) => {
+          // eslint-disable-next-line no-console
+          console.error(`Failed to start process: ${err.message}`);
+          process.exit(1);
+        });
+
+        expect(() => child.emit('error', new Error('spawn ENOENT'))).toThrow(
+          'process.exit called'
+        );
+
+        // eslint-disable-next-line no-console
+        expect(console.error).toHaveBeenCalledWith(
+          'Failed to start process: spawn ENOENT'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+
+      it('should propagate child exit code 0', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(0)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 0, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(0);
+      });
+
+      it('should propagate non-zero child exit code', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(42)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 42, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(42);
+      });
+
+      it('should exit 1 when child is killed by a signal', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn('sleep 10', [], { stdio: 'inherit', shell: true, env });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', null, 'SIGTERM')).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+    });
   });
 
   describe('Debug logging', () => {
@@ -314,12 +471,8 @@ describe('index.ts CLI functionality', () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1'];
 
@@ -331,7 +484,7 @@ describe('index.ts CLI functionality', () => {
         // Simulate debug logging
         mockDebugInstance(`${program[0]} ${program.slice(1).join(' ')}`);
 
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -438,16 +591,12 @@ describe('index.ts CLI functionality', () => {
       const mockSecrets = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
-
-      const options: { secret: string; output?: string } = {
-        secret: 'my-secret'
-        // No output option
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const options: { secret: string; output?: string; shell: boolean } = {
+        secret: 'my-secret',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -474,7 +623,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env
@@ -483,7 +632,7 @@ describe('index.ts CLI functionality', () => {
       }
 
       expect(mockSecretsmanager).toHaveBeenCalledWith(options);
-      expect(mockSpawn).toHaveBeenCalledWith('echo', ['hello'], {
+      expect(mockSpawn).toHaveBeenCalledWith('echo hello', [], {
         stdio: 'inherit',
         shell: true,
         env: expect.objectContaining({
@@ -538,9 +687,10 @@ describe('index.ts CLI functionality', () => {
       mockObjectToExport.mockReturnValue(mockEnvContent);
       mockExistsSync.mockReturnValue(false);
 
-      const options: { secret: string; output: string } = {
+      const options: { secret: string; output: string; shell: boolean } = {
         secret: 'my-secret',
-        output: '/tmp/secrets.env'
+        output: '/tmp/secrets.env',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -566,7 +716,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env

package/dist/index.js

@@ -91,6 +91,7 @@ const awsCommand = program
     .option('-p, --profile <profile>', 'profile to use')
     .option('-r, --region <region>', 'region to use')
     .option('-o, --output <file>', 'output secrets to file instead of environment variables')
+    .option('--no-shell', 'run program directly without a shell (disables shell expansion)')
     .action((program, options) => __awaiter(void 0, void 0, void 0, function* () {
     if (!options.secret) {
         exitWithError(new Error('Missing required option --secret for this command.'));
@@ -123,10 +124,20 @@ const awsCommand = program
                 console.log(JSON.stringify(env));
                 return;
             }
-            (0, node_child_process_1.spawn)(program[0], program.slice(1), {
-                stdio: 'inherit',
-                shell: true,
-                env
+            const child = options.shell
+                ? (0, node_child_process_1.spawn)(program.join(' '), [], {
+                    stdio: 'inherit',
+                    shell: true,
+                    env
+                })
+                : (0, node_child_process_1.spawn)(program[0], program.slice(1), { stdio: 'inherit', env });
+            child.on('error', (err) => {
+                // eslint-disable-next-line no-console
+                console.error(`Failed to start process: ${err.message}`);
+                process.exit(1);
+            });
+            child.on('exit', (code, signal) => {
+                process.exit(signal ? 1 : code !== null && code !== void 0 ? code : 0);
             });
         }
     }

package/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   localstack:
     container_name: 'localstack'
-    image: localstack/localstack:latest
+    image: localstack/localstack:3
     ports:
       - '4566:4566' # LocalStack Gateway
     environment:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.5.2",
+  "version": "0.5.3",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -31,7 +31,7 @@
   },
   "devDependencies": {
     "@everydaydevopsio/ballast": "^3.2.1",
-    "@types/debug": "^4.1.12",
+    "@types/debug": "^4.1.13",
     "@types/jest": "^29.5.14",
     "@types/node": "^18.19.130",
     "@typescript-eslint/eslint-plugin": "^5.62.0",
@@ -53,9 +53,9 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.1004.0",
-    "@aws-sdk/client-sts": "^3.1004.0",
-    "@aws-sdk/credential-providers": "^3.1004.0",
+    "@aws-sdk/client-secrets-manager": "^3.1030.0",
+    "@aws-sdk/client-sts": "^3.1030.0",
+    "@aws-sdk/credential-providers": "^3.1030.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },

package/src/index.ts

@@ -121,6 +121,10 @@ const awsCommand = program
     '-o, --output <file>',
     'output secrets to file instead of environment variables'
   )
+  .option(
+    '--no-shell',
+    'run program directly without a shell (disables shell expansion)'
+  )
   .action(async (program, options) => {
     if (!options.secret) {
       exitWithError(
@@ -163,10 +167,22 @@ const awsCommand = program
           return;
         }
 
-        spawn(program[0], program.slice(1), {
-          stdio: 'inherit',
-          shell: true,
-          env
+        const child = options.shell
+          ? spawn(program.join(' '), [], {
+              stdio: 'inherit',
+              shell: true,
+              env
+            })
+          : spawn(program[0], program.slice(1), { stdio: 'inherit', env });
+
+        child.on('error', (err) => {
+          // eslint-disable-next-line no-console
+          console.error(`Failed to start process: ${err.message}`);
+          process.exit(1);
+        });
+
+        child.on('exit', (code, signal) => {
+          process.exit(signal ? 1 : code ?? 0);
         });
       }
     }