
fix: shell command built from environment values #48000


Open
wants to merge 1 commit into
base: main

Conversation

ptrgits

@ptrgits ptrgits commented Aug 8, 2025

To fix the problem, we should avoid constructing a shell command string and passing it to execSync. Instead, use execFileSync (or execFile for async) and pass the script path and arguments as separate parameters. This prevents the shell from interpreting spaces or special characters in the path or arguments. Specifically, in runScript, replace the use of execSync with execFileSync, and update the construction of the command so that the script path and arguments are passed separately. Also, import execFileSync from node:child_process. Only the file script/release/release.ts needs to be changed, specifically the runScript function and its usage.

Checklist

Release Notes

Notes:
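The execSync-versus-execFileSync distinction from the description above, shown side by side as an added example. This is not code from the PR or from Electron's script/release/release.ts: runScriptViaShell and runScriptViaExecFile are hypothetical names standing in for the before and after shapes of runScript, the child program is node itself (process.execPath with -e) so nothing needs to exist on disk, and the execSync side assumes a POSIX /bin/sh for its quoting.

```typescript
// Added example (not Electron's release.ts): why a concatenated shell string
// and an execFileSync argv array behave differently for the same arguments.
import { execFileSync, execSync } from 'node:child_process';

// Tiny argv-echo program run under node itself: it writes, as JSON, exactly
// the arguments the child process received. Hypothetical stand-in for the
// release script being invoked.
const ARGV_ECHO = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';

// Characters a POSIX shell treats as more than a literal word: whitespace,
// quoting, substitution, redirection, globbing and control operators.
const SHELL_METACHARS = /[\s$`"'\\|&;<>()*?[\]{}!#~]/;

function hasShellMetachars(s: string): boolean {
  return SHELL_METACHARS.test(s);
}

// The pattern the PR removes: program and arguments concatenated into one
// string that /bin/sh re-parses before the program runs. Word splitting and
// $(...) substitution happen inside the shell, so the child never sees the
// arguments as the caller wrote them. Assumes a POSIX sh (Linux/macOS).
function runScriptViaShell(scriptCode: string, args: string[]): string[] {
  const command = `${process.execPath} -e '${scriptCode}' ${args.join(' ')}`;
  const out = execSync(command, { encoding: 'utf8' });
  return JSON.parse(out);
}

// The pattern the PR introduces: execFileSync with the program and each
// argument as separate array entries. No shell is involved, so every entry
// reaches the child byte-for-byte, whatever characters it contains.
// (Assumes the caller's args do not start with '-', which node would read
// as its own options.)
function runScriptViaExecFile(scriptCode: string, args: string[]): string[] {
  const out = execFileSync(process.execPath, ['-e', scriptCode, ...args], {
    encoding: 'utf8',
  });
  return JSON.parse(out);
}

// Run the same argument list both ways and report what each child saw,
// plus which inputs carried shell-significant characters.
function compare(args: string[]): {
  shell: string[];
  execFile: string[];
  hazardous: string[];
} {
  return {
    shell: runScriptViaShell(ARGV_ECHO, args),
    execFile: runScriptViaExecFile(ARGV_ECHO, args),
    hazardous: args.filter(hasShellMetachars),
  };
}

// Constructed sample input: a value with a space (the "path with spaces" case
// from the PR) and one carrying a command substitution.
const SAMPLE_ARGS = ['a b', '$(echo expanded)'];
console.log(JSON.stringify(compare(SAMPLE_ARGS), null, 2));
```

With the sample input the shell variant reports three words, `a`, `b` and `expanded`, because the shell split on the space and ran the substitution; the execFileSync variant reports the two original strings unchanged. The `hazardous` list is the cheap pre-check a release script can apply to any environment-derived value before it is passed on, independent of which spawn API is used.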

@ptrgits ptrgits requested a review from a team as a code owner August 8, 2025 05:24

welcome bot commented Aug 8, 2025

💖 Thanks for opening this pull request! 💖

Semantic PR titles

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Commit signing

This repo enforces commit signatures for all incoming PRs.
To sign your commits, see GitHub's documentation on Telling Git about your signing key.

PR tips

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@electron-cation electron-cation bot added the new-pr 🌱 PR opened recently label Aug 8, 2025
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened recently label Aug 9, 2025

2 participants