Skip to content

fix(render): drop shell:true from hyperframes spawn#3

Open
nguyentran4896 wants to merge 1 commit into
hoquanghai:mainfrom
nguyentran4896:fix/drop-shell-true-hyperframes
Open

fix(render): drop shell:true from hyperframes spawn#3
nguyentran4896 wants to merge 1 commit into
hoquanghai:mainfrom
nguyentran4896:fix/drop-shell-true-hyperframes

Conversation

@nguyentran4896
Copy link
Copy Markdown

@nguyentran4896 nguyentran4896 commented May 3, 2026

Summary

Removes shell: true from the spawn("npx", spawnArgs, { ... }) call in src/render/hyperframes-runner.ts. With shell: true, args are concatenated into a shell string, which is a foot-gun if any user-derived value ever flows into them. All current args are internal, so behavior is unchanged today — this is a defense-in-depth cleanup.

npx resolves via PATH on macOS/Linux without a shell, verified with a quick smoke test.

Test plan

  • npm run typecheck passes
  • npm test passes (44 tests)
  • node -e "require('child_process').spawn('npx', ['--version'], {stdio:'inherit'})" prints npx version

@nguyentran4896
fix(render): drop shell:true from hyperframes spawn
f43e90d 
shell:true is a command-injection foot-gun: if any user-derived string
ever flows into args, it would be interpreted by the shell. Args are
all internal today so behaviour is unchanged, but removing the option
now makes the codebase safer by default. On macOS/Linux npx resolves
correctly via PATH without a shell wrapper.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nguyentran4896