Passing args to `node:child_process` or `execFile/spawn` with shell option true is deprecated

[onurravli]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

In actions/start.action.ts and some of other files, we are calling node:child_process.spawn with { shell: true } option. And this can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

Please refer this link.

Minimum reproduction code

https://github.com/nestjs/nest-cli

Steps to reproduce

No response

Expected behavior

Code should be refactored.

Package version

11.0.7

NestJS version

No response

Node.js version

No response

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[micalevisk]

did you have any suggestions or resources on how to address that?

[danopia]

Without background of why nestjs uses {shell: true}, I would suggest changing this default and also skipping the JSON-escaping that currently attempts to escape options when the shell option is not true. Then the provided flags would be provided directly to the program without any modifications.

As stands now, passing in an argument which contains a shell-style variable reference appears to result in the reference getting replaced by nest start.. And providing --no-shell to nest start results in extra quotes.

# All examples use single quotes to escape the references within my primary shell session:
$ echo '$USER'
$USER

# nest resolves variables:
$ yarnpkg nest start -- '$USER'
(node:70156) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
error: unknown command 'daniellamando'
                        ^
                        `-- unintended variable substitution!

# nest adds extra double quotes when --no-shell is passed:
$ yarnpkg nest start --no-shell -- '$USER'
error: unknown command '"$USER"'

The extra quotes means that --no-shell is not a workaround when trying to pass in arguments.

Warning

This seems to be the exact sort of security vulnerability that DEP0190 aims to address! Note that nest start can run arbitrary programs:

$ yarnpkg nest start -- '$(wc -l /etc/passwd > /dev/stderr; date)'
(node:71680) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
     132 /etc/passwd
error: unknown command 'Thu Jun 26 13:32:29 CEST 2025'

[kamilmysliwiec]

Would you like to create a PR for this issue?