fix(cli): avoid DEP0190 warning by removing shell-based npm execution on Windows

MathurAditya724 · MathurAditya724 · commit fe19e5dbe00c · 2026-03-23T20:39:56.000+05:30
diff --git a/cli/src/cli.ts b/cli/src/cli.ts
@@ -12,12 +12,12 @@ import { initLogger, showToken, logInfo, logWarning, logError } from './logger.t
 const DEFAULT_PORT = 31415
 const DEFAULT_FRONTEND_URL = 'https://npmx.dev/'
 const DEV_FRONTEND_URL = 'http://127.0.0.1:3000/'
+const NPM_COMMAND = process.platform === 'win32' ? 'npm.cmd' : 'npm'
 
 async function runNpmLogin(): Promise<boolean> {
   return new Promise(resolve => {
-    const child = spawn('npm', ['login', `--registry=${NPM_REGISTRY_URL}`], {
+    const child = spawn(NPM_COMMAND, ['login', `--registry=${NPM_REGISTRY_URL}`], {
       stdio: 'inherit',
-      shell: true,
     })
 
     child.on('close', code => {
diff --git a/cli/src/npm-client.ts b/cli/src/npm-client.ts
@@ -11,6 +11,7 @@ import { logCommand, logSuccess, logError, logDebug } from './logger.ts'
 
 const execFileAsync = promisify(execFile)
 export const NPM_REGISTRY_URL = 'https://registry.npmjs.org/'
+const NPM_COMMAND = process.platform === 'win32' ? 'npm.cmd' : 'npm'
 
 function createNpmEnv(overrides: Record<string, string> = {}): Record<string, string> {
   return {
@@ -209,7 +210,7 @@ async function execNpmInteractive(
       env.npm_config_browser = 'false'
     }
 
-    const child = pty.spawn('npm', npmArgs, {
+    const child = pty.spawn(NPM_COMMAND, npmArgs, {
       name: 'xterm-256color',
       cols: 120,
       rows: 30,
@@ -331,14 +332,12 @@ async function execNpm(args: string[], options: ExecNpmOptions = {}): Promise<Np
   }
 
   try {
-    logDebug('Executing npm command:', { command: 'npm', args: npmArgs })
-    // Use execFile instead of exec to avoid shell injection vulnerabilities
-    // On Windows, shell: true is required to execute .cmd files (like npm.cmd)
-    // On Unix, we keep it false for better security and performance
-    const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+    logDebug('Executing npm command:', { command: NPM_COMMAND, args: npmArgs })
+    // Use execFile instead of exec to avoid shell injection vulnerabilities.
+    // Use npm.cmd on Windows to avoid shell wrapping and DEP0190 warnings.
+    const { stdout, stderr } = await execFileAsync(NPM_COMMAND, npmArgs, {
       timeout: 60000,
       env: createNpmEnv(),
-      shell: process.platform === 'win32',
     })
 
     logDebug('Command succeeded:', { stdout, stderr })
@@ -610,11 +609,10 @@ export async function packageInit(
     logCommand(`${displayCmd} (in temp dir for ${name})`)
 
     try {
-      const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+      const { stdout, stderr } = await execFileAsync(NPM_COMMAND, npmArgs, {
         timeout: 60000,
         cwd: tempDir,
         env: createNpmEnv(),
-        shell: process.platform === 'win32',
       })
 
       logSuccess(`Published ${name}@0.0.0`)
