fix(cli): centralize cross-platform npm process execution without shell

Author: MathurAditya724

cli/src/cli.ts

@@ -8,15 +8,19 @@ import { serve } from 'srvx'
 import { createConnectorApp, generateToken, CONNECTOR_VERSION } from './server.ts'
 import { getNpmUser, NPM_REGISTRY_URL } from './npm-client.ts'
 import { initLogger, showToken, logInfo, logWarning, logError } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const DEFAULT_PORT = 31415
 const DEFAULT_FRONTEND_URL = 'https://npmx.dev/'
 const DEV_FRONTEND_URL = 'http://127.0.0.1:3000/'
-const NPM_COMMAND = process.platform === 'win32' ? 'npm.cmd' : 'npm'
-
 async function runNpmLogin(): Promise<boolean> {
   return new Promise(resolve => {
-    const child = spawn(NPM_COMMAND, ['login', `--registry=${NPM_REGISTRY_URL}`], {
+    const { command, args } = resolveNpmProcessCommand([
+      'login',
+      `--registry=${NPM_REGISTRY_URL}`,
+    ])
+
+    const child = spawn(command, args, {
       stdio: 'inherit',
     })
 

cli/src/npm-client.ts

@@ -8,10 +8,10 @@ import { join } from 'node:path'
 import * as v from 'valibot'
 import { PackageNameSchema, UsernameSchema, OrgNameSchema, ScopeTeamSchema } from './schemas.ts'
 import { logCommand, logSuccess, logError, logDebug } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const execFileAsync = promisify(execFile)
 export const NPM_REGISTRY_URL = 'https://registry.npmjs.org/'
-const NPM_COMMAND = process.platform === 'win32' ? 'npm.cmd' : 'npm'
 
 function createNpmEnv(overrides: Record<string, string> = {}): Record<string, string> {
   return {
@@ -210,7 +210,7 @@ async function execNpmInteractive(
       env.npm_config_browser = 'false'
     }
 
-    const child = pty.spawn(NPM_COMMAND, npmArgs, {
+    const child = pty.spawn('npm', npmArgs, {
       name: 'xterm-256color',
       cols: 120,
       rows: 30,
@@ -332,10 +332,9 @@ async function execNpm(args: string[], options: ExecNpmOptions = {}): Promise<Np
   }
 
   try {
-    logDebug('Executing npm command:', { command: NPM_COMMAND, args: npmArgs })
-    // Use execFile instead of exec to avoid shell injection vulnerabilities.
-    // Use npm.cmd on Windows to avoid shell wrapping and DEP0190 warnings.
-    const { stdout, stderr } = await execFileAsync(NPM_COMMAND, npmArgs, {
+    logDebug('Executing npm command:', { command: 'npm', args: npmArgs })
+    const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+    const { stdout, stderr } = await execFileAsync(command, processArgs, {
       timeout: 60000,
       env: createNpmEnv(),
     })
@@ -609,7 +608,8 @@ export async function packageInit(
     logCommand(`${displayCmd} (in temp dir for ${name})`)
 
     try {
-      const { stdout, stderr } = await execFileAsync(NPM_COMMAND, npmArgs, {
+      const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+      const { stdout, stderr } = await execFileAsync(command, processArgs, {
         timeout: 60000,
         cwd: tempDir,
         env: createNpmEnv(),

cli/src/npm-process.ts

@@ -0,0 +1,24 @@
+import process from 'node:process'
+
+export interface NpmProcessCommand {
+  command: string
+  args: string[]
+}
+
+export function resolveNpmProcessCommand(
+  npmArgs: string[],
+  platform = process.platform,
+  comSpec = process.env.ComSpec,
+): NpmProcessCommand {
+  if (platform === 'win32') {
+    return {
+      command: comSpec || 'cmd.exe',
+      args: ['/d', '/s', '/c', 'npm', ...npmArgs],
+    }
+  }
+
+  return {
+    command: 'npm',
+    args: npmArgs,
+  }
+}