just-scripts 2.5.0 → 2.6.0

package/src/tasks/tslintTask.ts

@@ -1,7 +1,7 @@
 import { resolve, logger, resolveCwd, TaskFunction } from 'just-task';
-import { exec, encodeArgs } from '../utils';
 import * as path from 'path';
 import * as fs from 'fs';
+import { logNodeCommand, spawn } from '../utils';
 
 export interface TsLintTaskOptions {
   config?: string;
@@ -12,7 +12,7 @@ export interface TsLintTaskOptions {
 export function tslintTask(options: TsLintTaskOptions = {}): TaskFunction {
   const projectFile = options.project || resolveCwd('./tsconfig.json');
 
-  return function tslint() {
+  return async function tslint() {
     const tslintCmd = resolve('tslint/lib/tslintCli.js');
 
     if (projectFile && tslintCmd && fs.existsSync(projectFile)) {
@@ -31,11 +31,12 @@ export function tslintTask(options: TsLintTaskOptions = {}): TaskFunction {
         args.push('--fix');
       }
 
-      const cmd = encodeArgs([process.execPath, tslintCmd, ...args]).join(' ');
-      logger.info(cmd);
-      return exec(cmd, { stdout: process.stdout, stderr: process.stderr });
-    } else {
-      return Promise.resolve();
+      const allArgs = [tslintCmd, ...args];
+      logNodeCommand(allArgs);
+      return spawn(process.execPath, allArgs, { stdio: 'inherit' });
     }
+
+    // undertaker apparently requires returning a promise, async function, or function that calls done()
+    return Promise.resolve();
   };
 }

package/src/tasks/webpackCliInitTask.ts

@@ -9,7 +9,7 @@ import { tryRequire } from '../tryRequire';
  */
 export function webpackCliInitTask(customScaffold?: string, auto = false): TaskFunction {
   return function webpackCli() {
-    const init = tryRequire('@webpack-cli/init').default;
+    const init = tryRequire('@webpack-cli/init')?.default;
     if (!init) {
       logger.warn('webpack-cli init requires three dependencies: @webpack-cli/init (preferred - as a devDependency)');
       return;

package/src/tasks/webpackCliTask.ts

@@ -1,5 +1,5 @@
 import { logger, TaskFunction, resolve } from 'just-task';
-import { spawn } from '../utils';
+import { logNodeCommand, spawn } from '../utils';
 import { getTsNodeEnv } from '../typescript/getTsNodeEnv';
 import { findWebpackConfig } from '../webpack/findWebpackConfig';
 
@@ -67,7 +67,7 @@ export function webpackCliTask(options: WebpackCliTaskOptions = {}): TaskFunctio
       }
     }
 
-    logger.info(`webpack-cli arguments: ${process.execPath} ${args.join(' ')}`);
+    logNodeCommand(args);
 
     return spawn(process.execPath, args, { stdio: 'inherit', env: options.env });
   };

package/src/tasks/webpackDevServerTask.ts

@@ -1,7 +1,7 @@
 // // WARNING: Careful about add more imports - only import types from webpack
 import { Configuration } from 'webpack';
-import { encodeArgs, spawn } from '../utils';
-import { logger, resolve, resolveCwd, TaskFunction } from 'just-task';
+import { logNodeCommand, spawn } from '../utils';
+import { resolve, resolveCwd, TaskFunction } from 'just-task';
 import * as fs from 'fs';
 import * as path from 'path';
 import { WebpackCliTaskOptions } from './webpackCliTask';
@@ -93,7 +93,7 @@ export function webpackDevServerTask(options: WebpackDevServerTaskOptions = {}):
       args = [...args, ...options.webpackCliArgs];
     }
 
-    logger.info(process.execPath, encodeArgs(args).join(' '));
+    logNodeCommand(args);
     return spawn(process.execPath, args, { stdio: 'inherit', env: options.env });
   };
 }

package/src/utils/exec.ts

@@ -1,52 +1,25 @@
 import * as cp from 'child_process';
-import { resolve } from 'path';
+import { spawn as crossSpawn } from 'cross-spawn';
+import { logger } from 'just-task';
 
-export interface ExecError extends cp.ExecException {
-  stdout?: string;
-  stderr?: string;
-}
-
-const SEPARATOR = process.platform === 'win32' ? ';' : ':';
+// `exec` and `execSync` were removed due to security issues (keeping filename for history)
 
 /**
- * Execute a command.
- *
- * @param cmd Command to execute
- * @param opts Normal exec options plus stdout/stderr for piping output. Can pass `process` for this param.
- * @returns Promise which will settle when the command completes. If output was not piped, it will be
- * returned as the promise's value. If the promise was rejected, the error will be of type `ExecError`.
+ * @deprecated This prevents issues from spaces in args, but does NOT escape shell metacharacters.
+ * For full escaping, consider a library such as `shell-quote` instead. (Note that `spawn` and tasks
+ * from this package now use `cross-spawn` which escapes spaces internally.)
  */
-export function exec(
-  cmd: string,
-  opts: cp.ExecOptions & { stdout?: NodeJS.WritableStream; stderr?: NodeJS.WritableStream } = {},
-): Promise<string | undefined> {
-  return new Promise((resolve, reject) => {
-    const child = cp.exec(cmd, opts, (error: ExecError | null, stdout?: string, stderr?: string) => {
-      if (error) {
-        error.stdout = stdout;
-        error.stderr = stderr;
-        reject(error);
-      } else {
-        resolve(stdout);
-      }
-    });
-
-    if (opts.stdout) {
-      child.stdout?.pipe(opts.stdout);
-    }
-
-    if (opts.stderr) {
-      child.stderr?.pipe(opts.stderr);
-    }
-  });
+export function encodeArgs(cmdArgs: string[]): string[] {
+  return quoteSpaces(cmdArgs);
 }
 
 /**
- * Encode args for a shell command.
- * @param cmdArgs Args to encode
- * @returns Encoded args
+ * Quote arguments containing spaces. Note that this does NOT do any other escaping!
+ * For more complete escaping, consider a library such as `shell-quote`, or use safer APIs which
+ * don't require escaping. (Note that `spawn` from this package now uses `cross-spawn` which
+ * escapes spaces internally.)
  */
-export function encodeArgs(cmdArgs: string[]): string[] {
+function quoteSpaces(cmdArgs: string[]): string[] {
   // Taken from https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js
   // However, we needed to use double quotes because that's the norm in more platforms
   if (!cmdArgs) {
@@ -64,36 +37,31 @@ export function encodeArgs(cmdArgs: string[]): string[] {
 }
 
 /**
- * Execute a command synchronously.
- *
- * @param cmd  Command to execute
- * @param cwd Working directory in which to run the command (default: `process.cwd()`)
- * @param returnOutput If true, return the command's output. If false/unspecified,
- * inherit stdio from the parent process (so the child's output goes to the console).
- * @returns If `returnOutput` is true, returns the command's output. Otherwise returns undefined.
+ * Log `Running: <process.execPath> <...args>`
  */
-export function execSync(cmd: string, cwd?: string, returnOutput?: boolean): string | undefined {
-  cwd = cwd || process.cwd();
-
-  const env = { ...process.env };
-  env.PATH = resolve('./node_modules/.bin') + SEPARATOR + env.PATH;
-
-  const output = cp.execSync(cmd, {
-    cwd,
-    env,
-    stdio: returnOutput ? undefined : 'inherit',
-  });
-  return returnOutput ? (output || '').toString('utf8') : undefined;
+export function logNodeCommand(...args: (string | string[])[]): void {
+  logger.info(`Running: ${process.execPath} ${quoteSpaces(args.flat()).join(' ')}`);
 }
 
 /**
- * Execute a command in a new process.
+ * Execute a command in a new process. Uses `cross-spawn` to avoid issues with spaces in arguments,
+ * but does not do any additional escaping. (For further enhancements, consider using the `execa`
+ * library instead.)
+ *
+ * **WARNING: If the `shell` option is enabled, do not pass unsanitized user input to this function.
+ * Any input containing shell metacharacters may be used to trigger arbitrary command execution.**
  *
  * @param cmd Command to execute
- * @param args Args for the command
- * @param opts Normal spawn options plus stdout/stderr for piping output. Can pass `process` for this param.
+ * @param args Args for the command. Quoting spaces is handled internally by `cross-spawn`.
+ * @param opts Normal spawn options plus stdout/stderr for piping output. (To inherit stdio from the
+ * parent process, just use `stdio: 'inherit'` instead.)
+ *
  * @returns Promise which will settle when the command completes. If the promise is rejected, the error will
- * include the child process's exit code.
+ * include the child process's exit code (`error.code`) or signal (`error.signal`) if relevant.
+ * The returned promise also has a `child` property with the spawned `ChildProcess` instance.
+ *
+ * @deprecated This function is not recommended for use outside the `just-scripts` package.
+ * Instead, consider a more mature, purpose-specific library such as `execa` or `nano-spawn`.
  */
 export function spawn(
   cmd: string,
@@ -101,8 +69,16 @@ export function spawn(
   opts: cp.SpawnOptions & { stdout?: NodeJS.WritableStream; stderr?: NodeJS.WritableStream } = {},
 ): Promise<void> {
   return new Promise((resolve, reject) => {
-    const child = cp.spawn(cmd, args, opts);
-    child.on('exit', (code: number | null, signal: string | null) => {
+    let child: cp.ChildProcess;
+    try {
+      child = crossSpawn(cmd, args, opts);
+    } catch (error) {
+      reject(error);
+      return;
+    }
+
+    const onExit = (code: number | null, signal: NodeJS.Signals | null): void => {
+      child.off('error', onError);
       if (code) {
         const error = new Error('Command failed: ' + [cmd, ...args].join(' '));
         (error as any).code = code;
@@ -114,7 +90,17 @@ export function spawn(
       } else {
         resolve();
       }
-    });
+    };
+
+    // Some error circumstances may fire 'error' rather than 'exit'
+    // https://nodejs.org/docs/latest/api/child_process.html#event-error
+    const onError = (error: Error): void => {
+      reject(error);
+      child.off('exit', onExit);
+    };
+
+    child.on('exit', onExit);
+    child.on('error', onError);
 
     if (opts.stdout) {
       child.stdout?.pipe(opts.stdout);