Feat/parallel coverage

[marcosio]

Description

Type of change

• Bug fix 🐞
• New feature ✨
• Breaking change 💥
• Documentation update 📖
• Refactor 🔧

Testing

Node version:

• 20
• 22
• 24

Checklist

• Style Guidelines followed ✅
• Documentation Updated 📚
• Linters - No New Warnings ⚠️
• Local Tests Pass ✅
• Effective Tests Added ✔️
• No reduction of Coverage ✅

[hedera-eng-infrastructure]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

In general, to fix shell commands built from environment values, avoid constructing a single shell-escaped string and instead call the program with an argument array using spawn, execFile, or execFileSync (or equivalent). That way, the path values are passed directly to the program without being interpreted by a shell, making spaces and special characters safe.

For this specific case in packages/ats/contracts/scripts/tools/runParallelCoverageDocker.ts, the best fix is to stop building mergeCommand and reportCommand as single strings and instead invoke npx via spawnSync (from child_process) with an explicit args array. We already import spawn and execSync; we can extend the import to include spawnSync without affecting existing behavior. The cwd: REPO_ROOT option is preserved. Logging can still show a human-readable string, but the actual execution should use spawnSync with separate arguments:

• Replace:
  • const mergeCommand = ...; console.log(...); execSync(mergeCommand, { cwd: REPO_ROOT });
  • const reportCommand = ...; console.log(...); execSync(reportCommand, { cwd: REPO_ROOT });
• With:
  • Construct mergeArgs = ["nyc", "merge", mergeTempDir, mergedReportPath];, log npx plus joined args, then call spawnSync("npx", mergeArgs, { cwd: REPO_ROOT, stdio: "inherit" }) and check status/error.
  • Similarly, reportArgs = ["nyc", "report", "--reporter=html", "--reporter=text", "--temp-dir", COVERAGE_DIR]; and use spawnSync.

Also update the import on line 3 to import spawnSync (alongside execSync and spawn). No other files need changes.

In general, to fix this kind of problem you should avoid constructing a single shell command string that includes environment-derived paths. Instead, use the execFileSync or spawn APIs with a command and an array of arguments, so that the paths are passed directly to the executable without going through a shell. If you must use execSync, pass it a file and args rather than a full shell command, or ensure all interpolated values are safely escaped.

For this specific file, we should modify the two places in mergeReports where we build mergeCommand and reportCommand as interpolated strings and pass them to execSync. The best fix is to call execFileSync from child_process, using npx as the command, "nyc" and the rest as arguments. That way, mergeTempDir, mergedReportPath, and COVERAGE_DIR are not interpreted by a shell at all, avoiding both quoting issues and injection risk. To do this, we need to (1) import execFileSync from child_process, and (2) replace the string-based calls with execFileSync("npx", ["nyc", "merge", mergeTempDir, mergedReportPath], { cwd: REPO_ROOT, stdio: "inherit" }) and similarly for the report invocation. We should also pass stdio: "inherit" to preserve the current behavior of showing nyc output in the console.

[andrewb1269]

Approve the 3 workflow files, README, and .gitignore. Please ensure you have other folks appropriately review the remainder of the files in the PR before merging. Thanks!

[andrewb1269]

Your DCO signoff needs to be fixed as well.