fix: harden runWrangler against shell injection and silence DEP0190

[kirkouimet]

Summary

Closes #1182.

runWrangler in packages/cloudflare/src/cli/commands/utils/run-wrangler.ts previously called spawnSync with shell: true while interpolating flag values into single-string array entries:

spawnSync(options.packager, [
  options.packager === "bun" ? "x" : "exec",
  "wrangler",
  ...injectPassthroughFlagForArgs(options, [
    ...args,
    wranglerOpts.environment && `--env ${wranglerOpts.environment}`,  // ⚠️ single concatenated string
    wranglerOpts.configPath && `--config ${wranglerOpts.configPath}`,  // ⚠️ single concatenated string
    ...
  ].filter((v): v is string => !!v)),
], { shell: true, ... });

With shell: true, Node.js joins the args array into a shell command string without escaping, so a value containing shell metacharacters (;, &&, $(...), backticks, etc.) can break out of its intended argument boundary and execute arbitrary commands. Node.js 22 added DEP0190 specifically to flag this pattern, and that warning surfaces on every opennextjs-cloudflare deploy invoked through wrangler-action on Node 22+:

(node:NNNN) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true
can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

Fix

• Each flag/value pair is now passed as separate array entries (["--env", value], ["--config", value], etc.) so values are never interpolated into a shell string.
• shell is set to false on POSIX, where the package manager binary can be invoked directly. This silences DEP0190 and removes the injection vector entirely.
• shell: true is retained on Windows so the package manager's .cmd shim still resolves via cmd.exe. With each value as a separate array entry, Node escapes them correctly even when the shell is involved, so the injection vector is closed on every platform.

Test plan

• pnpm code:checks (prettier + eslint + tsc) passes
• pnpm -r test — 32 files, 326 tests, all green
• End-to-end smoke test: invoking the patched runWrangler to call wrangler --version against a real project on Node 24.14.1 returns 4.87.0 with no DEP0190 emitted (previously emitted)
• Security regression test: a value of staging$(echo INJECTED > /tmp/pwned.txt) no longer executes the injected subshell — the string is passed verbatim as an argument and the file is never created (with the old code, the file IS created)
• CI on Windows runners (covered by repo's existing matrix)

---

[changeset-bot]

🦋 Changeset detected

Latest commit: 5a5a768

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@opennextjs/cloudflare	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[kirkouimet]

Great catch from Devin Review — that was a real bug. Pushed 5df6c61 splitting every multi-word arg and --flag value pair at the three affected call sites:

• populate-cache.ts: "kv bulk put" → "kv", "bulk", "put"; "--binding ${X}" → "--binding", X; "--preview ${X}" → "--preview", String(X); same treatment for the two d1 execute calls (and removed the stray quotes that were wrapping the --command SQL).
• deploy.ts and upload.ts: "versions upload" → "versions", "upload"; --var pair split; quoteShellMeta wrapper dropped since shell: false means args go to the process verbatim and shell-escaping would inject literal characters into the value.
• Dropped the now-unused quoteShellMeta imports from those three files. Left the function in helpers.ts since it might be relied on externally — happy to remove that too if maintainers prefer.

Re-verified locally: pnpm code:checks (prettier + eslint + tsc) green, pnpm -r test 326/326 pass, and an end-to-end invocation of the rebuilt runWrangler against a real wrangler CLI with ["versions", "list", "--name", "..."] reaches wrangler's auth check (i.e. arg parsing succeeds) with no DEP0190 emitted.

[vicb]

Thanks for the PR!

I have added some inline comments.

@james-elicx has done a lot of work on the CLI, I'd love to get some insights from him too

[vicb]

Could we still use shell: true now that args are separated?

[vicb]

Oh now I understand this would trigger DEP0190.

Could we please reword the comment to something like:

Setting shell to false to avoid DEP0190
See https://nodejs.org/api/deprecations.html#dep0190-passing-args-to-nodechild-process-execfilespawn-with-shell-option

Note that shell: true is required on Windows so that the package manager's .cmd shim is resolved

[vicb]

is quoteShellMeta still use anywhere? If not, we can remove that

[vicb]

What about:

Suggested change

	"--preview",
	String(populateCacheOptions.shouldUsePreviewId),
	populateCacheOptions.shouldUsePreviewId ? "--preview" : "--no-preview",

ref: https://yargs.js.org/docs/#api-reference-booleankey

[vicb]

ditto

[vicb]

This is used for the changelog.
I don't think there is a need to give details as the changes in this PR will not affect users (the behavior stays the same).

As long as the changes are described in the PR, we should be good.

Thanks!

Suggested change

	fix: harden `runWrangler` against shell injection and silence Node.js DEP0190.
	`runWrangler` previously called `spawnSync` with `shell: true` while interpolating
	flag values into single-string array entries (e.g. `` `--env ${wranglerOpts.environment}` ``).
	With `shell: true`, Node.js joins the arguments into a shell command string without
	escaping, so a value containing shell metacharacters (`;`, `&&`, `$(...)`, backticks,
	etc.) could break out of its intended argument boundary. Node.js 22 added `DEP0190`
	specifically to flag this pattern, and that warning surfaced on every `opennextjs-cloudflare deploy`
	invoked through `wrangler-action` on Node 22+.
	Each flag/value pair is now passed as separate array entries, and `shell` is set to
	`false` on POSIX (where the package manager binary can be invoked directly). `shell: true`
	is retained on Windows so the package manager's `.cmd` shim still resolves via `cmd.exe`,
	but values are no longer interpolated into the shell command, so the injection vector
	is closed on every platform.
	Closes [#1182](https://github.com/opennextjs/opennextjs-cloudflare/issues/1182).
	fix: harden `runWrangler` against shell injection and silence Node.js DEP0190.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@opennextjs/cloudflare@1248

commit: 5a5a768

[kirkouimet]

Thanks for the review! Pushed 227371e addressing all four points. Re-verified locally: pnpm code:checks green, pnpm -r test 326/326 pass, end-to-end invocation against a real wrangler CLI parses each token correctly with no DEP0190 emitted, and a security regression test confirms --env 'staging$(echo INJECTED > /tmp/pwned.txt)' no longer evaluates the subshell.

shell: true with separated args

Tried it. Doesn't work for two reasons:

1. shell: true still emits DEP0190 regardless of how the args were passed in. Node concatenates [cmd, ...args].join(' ') into a shell command string before spawning, and that's what the deprecation flags. So going back to shell: true un-fixes the original warning.
2. The shell then re-tokenizes the concatenated string, which breaks values containing whitespace or shell metacharacters. Concrete repro:

   spawnSync('printf', ['%s\n', '--command', 'CREATE TABLE foo (x INT);'], {shell: true})
   // /bin/sh: -c: syntax error near unexpected token '('

   Our d1 execute --command "CREATE TABLE ..." would die on the parens.

So shell: false on POSIX is load-bearing for both the warning fix and to let the SQL --command value pass through intact.

quoteShellMeta

Removed. Verified there are no other call sites and dropped the test mock entry too.

--preview / --no-preview

Applied at all three call sites. The third one (the kv bulk put call at line 539) had the same --preview ${bool} pattern, so I converted it for consistency. Let me know if you'd rather I revert that one.

One follow-up worth flagging

Per Node's child_process docs, shell: true for .cmd resolution on Windows is "not recommended, see DEP0190". The Windows carve-out we kept (shell: process.platform === "win32") means Windows users will still see the deprecation warning, even though the injection vector is now closed on every platform.

The clean fix is to switch this spawnSync to cross-spawn (already a transitive dep, ~10KB, what npm/yarn/eslint/prettier use), which would let us drop the platform branch and have shell: false everywhere. I held off on that since (a) you didn't ask for it and (b) the repo's CI is ubuntu-only so I can't verify the Windows path locally. Happy to do a focused follow-up PR if you'd like.

[vicb]

@kirkouimet thank you so much!

shell: true with separated args

IIUC 2 says shell: true would not work, still it is used on windows. What's different there?

Maybe also linked to your last point?
I'd rather avoid a package that has not been updated in 2y.

Probably a point to discuss more before merging this PR

quoteShellMeta

👍

--preview / --no-preview

Consistency is the best, thanks!

[james-elicx]

we'll likely want to keep this given that it still uses shell: true on win32

[james-elicx]

i think the sql statements might still need to be quoted for windows?

[james-elicx]

isn't it still left open on windows?

[kirkouimet]

Took another swing at this. Pushed 382e5d1 which silences DEP0190 on Windows too, plus 9f39728 addressing the rest of the review feedback. End result: DEP0190 is silenced on every platform, the injection vector is closed everywhere, and call sites don't need to know about Windows.

Windows DEP0190 (the asymmetry @vicb flagged)

Per Node.js docs (Spawning .bat and .cmd files on Windows), the recommended pattern is to spawn cmd.exe directly with /c rather than relying on shell: true. The Windows path in runWrangler now does that:

spawnSync("cmd.exe", ["/d", "/s", "/c", `"${escapedCommandLine}"`], {
    shell: false,
    windowsVerbatimArguments: true,
    ...
});

Where escapedCommandLine is the joined, quoteShellMeta-escaped tokens. windowsVerbatimArguments: true tells Node not to add its own escaping on top of ours. This mirrors how cross-spawn handles non-.exe commands internally, without taking on cross-spawn as a dependency (your concern about its release cadence still stands).

POSIX path is unchanged from the previous round: spawnSync(packager, args, { shell: false }), no escaping needed because each value is a separate argv entry.

quoteShellMeta (back, but moved)

@james-elicx was right that removing it was a Windows regression. It's restored in helpers.ts, but with one important change: it's now used internally by runWrangler rather than at every call site. The function escapes every token once, when constructing the cmd.exe /c command line. This means:

• populate-cache.ts, deploy.ts, and upload.ts revert to passing plain string arrays. No process.platform === "win32" ? quoteShellMeta(x) : x boilerplate.
• Future callers of runWrangler don't need to remember to quote.
• Net diff is actually 3 lines smaller than before this round, despite adding the full Windows code path.

Other points

• Comment in run-wrangler.ts: rewrote to explain the cmd.exe approach with a link to the Node docs (since the previous "shell:true required on Windows" comment is no longer accurate).
• Changeset: kept @vicb's one-liner. The user-visible behavior remains "the warning goes away and injection is closed"; both are now true on every platform.
• --preview / --no-preview: applied at all three call sites in the previous round, kept.
• Closes #1182: still accurate.

Verification (the honest caveat)

Verified locally on macOS: pnpm code:checks green, pnpm -r test 326/326 pass, end-to-end invocation against a real wrangler CLI works without DEP0190, security regression test confirms subshell injection is blocked, and a simulated cmd.exe command line construction produces correct escaping for paths-with-spaces and SQL-with-parens.

What I cannot verify locally: the Windows code path actually executing on real Windows. The repo's CI is ubuntu-only, and I don't have a Windows machine. The pattern matches cross-spawn's production implementation, the escaping is the codebase's existing well-tested function, and Node's docs explicitly recommend this approach, so I'm reasonably confident it works. But please validate on Windows before merging. Happy to follow any debugging if it turns out something needs tweaking.

[kirkouimet]

Excellent catch from Devin Review.

The bug

quoteShellMeta caret-escaped cmd.exe metacharacters AND THEN wrapped the result in "...". cmd.exe treats ^ as literal inside double quotes, so the carets that were supposed to escape (, ), ;, etc. became literal ^ characters in the argument value. The D1 CREATE TABLE SQL would have arrived at wrangler as CREATE TABLE foo ^(x INT^)^; rather than valid SQL.

The fix

Pushed 229c45f replacing the Windows branch with cross-spawn's escapeArgument algorithm. The correct approach is:

1. Double backslash sequences that precede a quote (Windows argv parser quirk)
2. Wrap the value in "..."
3. Caret-escape every metacharacter, including the wrapping quotes themselves

The wrapping carets pair with the outer cmd.exe /d /s /c "..." parse: cmd.exe consumes them during command-line parsing, then re-parses the now-unquoted-but-still-quoted-internally string as a normal command, where the receiving program sees a normally-quoted argument. This is the production-tested algorithm used by cross-spawn, which is what npm/yarn/eslint/prettier all rely on for Windows spawn.

Verification

• Output matches cross-spawn's escapeArgument byte-for-byte across 8 representative inputs (SQL with parens, JSON with embedded quotes, paths with spaces, empty strings, etc.)
• Added helpers.spec.ts with 9 tests including an explicit regression test for the SQL case Devin flagged
• pnpm code:checks green, pnpm -r test 33 files / 335 tests pass (added 9 new)
• End-to-end POSIX test still works without DEP0190

Caveat from earlier still applies: the new Windows escaping is verified by simulation (output identical to cross-spawn's, which IS production-tested on Windows), but the actual cmd.exe execution path on real Windows hardware needs validation before merging.

[vicb]

The latest version looks much simpler hence better. Thanks for the updates.

We need to test on:

• WSL
• Windows

Before merging

[vicb]

The implementation seems to works for POSIX and windows, could you please update the comment to reflect that

[vicb]

Suggested change

	// POSIX fallback (preserved for any external callers): standard shell quoting.
	// POSIX shell quoting.

[vicb]

Move this up as it is used for both win and non win ands merge with l135/136

[vicb]

Could you please re-add the former comment on this

[kirkouimet]

Pushed 5a5a768 addressing the four inline comments. All comment-only changes, no behavioral diff:

• helpers.ts:76 — rewrote the quoteShellMeta docstring so the Windows and POSIX branches get equal weight rather than POSIX appearing as a footnote.
• helpers.ts:101 — applied your suggestion verbatim (// POSIX shell quoting.).
• run-wrangler.ts:127 — hoisted the shell: false / DEP0190 explanation up so it covers both branches, then prose describing the POSIX path and the Windows path in turn. Dropped the now-redundant inner comment.
• run-wrangler.ts:115 — restored the stdio explanatory comment that was dropped when stdio got hoisted to a const in the earlier refactor.

pnpm code:checks green, all 335 tests pass.