Fix: Avoid shell mangling during eslint --init (#8936)

If you ran ‘eslint --init’ and selected the Google style guide, it would end up calling execSync("npm i --save-dev eslint@>=4.1.1"). Because execSync spawns the child through a shell, this had the effect of running ‘npm i --save-dev eslint@’ with its output redirected to a new file named ‘=4.1.1’, leaving the wrong version in package.json. Fix this by spawning processes using the cross-spawn package, which avoids spawning a shell at all on Unix and quotes the arguments appropriately on Windows. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
eslint · Jul 16, 2017 · 55bc35d · 55bc35d
1 parent 10c3d78
commit 55bc35d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 14 deletions.
diff --git a/lib/util/npm-util.js b/lib/util/npm-util.js
@@ -10,7 +10,7 @@
 //------------------------------------------------------------------------------
 
 const fs = require("fs"),
-    childProcess = require("child_process"),
+    spawn = require("cross-spawn"),
     path = require("path"),
     log = require("../logging");
 
@@ -50,10 +50,10 @@ function findPackageJson(startDir) {
  * @returns {void}
  */
 function installSyncSaveDev(packages) {
-    if (Array.isArray(packages)) {
-        packages = packages.join(" ");
+    if (!Array.isArray(packages)) {
+        packages = [packages];
     }
-    childProcess.execSync(`npm i --save-dev ${packages}`, { stdio: "inherit", encoding: "utf8" });
+    spawn.sync("npm", ["i", "--save-dev"].concat(packages), { stdio: "inherit" });
 }
 
 /**
@@ -62,10 +62,11 @@ function installSyncSaveDev(packages) {
  * @returns {string[]} Gotten peerDependencies.
  */
 function fetchPeerDependencies(packageName) {
-    const fetchedText = childProcess.execSync(
-        `npm show --json ${packageName} peerDependencies`,
+    const fetchedText = spawn.sync(
+        "npm",
+        ["show", "--json", packageName, "peerDependencies"],
         { encoding: "utf8" }
-    ).trim();
+    ).stdout.trim();
 
     return JSON.parse(fetchedText || "{}");
 }

diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
     "babel-code-frame": "^6.22.0",
     "chalk": "^1.1.3",
     "concat-stream": "^1.6.0",
+    "cross-spawn": "^5.1.0",
     "debug": "^2.6.8",
     "doctrine": "^2.0.0",
     "eslint-scope": "^3.7.1",

diff --git a/tests/lib/util/npm-util.js b/tests/lib/util/npm-util.js
@@ -9,7 +9,7 @@
 //------------------------------------------------------------------------------
 
 const assert = require("chai").assert,
-    childProcess = require("child_process"),
+    spawn = require("cross-spawn"),
     sinon = require("sinon"),
     npmUtil = require("../../../lib/util/npm-util"),
     log = require("../../../lib/logging"),
@@ -170,31 +170,34 @@ describe("npmUtil", () => {
 
     describe("installSyncSaveDev()", () => {
         it("should invoke npm to install a single desired package", () => {
-            const stub = sandbox.stub(childProcess, "execSync");
+            const stub = sandbox.stub(spawn, "sync");
 
             npmUtil.installSyncSaveDev("desired-package");
             assert(stub.calledOnce);
-            assert.equal(stub.firstCall.args[0], "npm i --save-dev desired-package");
+            assert.equal(stub.firstCall.args[0], "npm");
+            assert.deepEqual(stub.firstCall.args[1], ["i", "--save-dev", "desired-package"]);
             stub.restore();
         });
 
         it("should accept an array of packages to install", () => {
-            const stub = sandbox.stub(childProcess, "execSync");
+            const stub = sandbox.stub(spawn, "sync");
 
             npmUtil.installSyncSaveDev(["first-package", "second-package"]);
             assert(stub.calledOnce);
-            assert.equal(stub.firstCall.args[0], "npm i --save-dev first-package second-package");
+            assert.equal(stub.firstCall.args[0], "npm");
+            assert.deepEqual(stub.firstCall.args[1], ["i", "--save-dev", "first-package", "second-package"]);
             stub.restore();
         });
     });
 
     describe("fetchPeerDependencies()", () => {
         it("should execute 'npm show --json <packageName> peerDependencies' command", () => {
-            const stub = sandbox.stub(childProcess, "execSync").returns("");
+            const stub = sandbox.stub(spawn, "sync").returns({ stdout: "" });
 
             npmUtil.fetchPeerDependencies("desired-package");
             assert(stub.calledOnce);
-            assert.equal(stub.firstCall.args[0], "npm show --json desired-package peerDependencies");
+            assert.equal(stub.firstCall.args[0], "npm");
+            assert.deepEqual(stub.firstCall.args[1], ["show", "--json", "desired-package", "peerDependencies"]);
             stub.restore();
         });
     });