
Commit 736136e

Blog: add shell true mention to april sec release (#6665)
* Blog: add shell true mention to april sec release
* Update pages/en/blog/vulnerability/april-2024-security-releases-2.md

Co-authored-by: Richard Lau <[email protected]>
Signed-off-by: Rafael Gonzaga <[email protected]>

---------

Signed-off-by: Rafael Gonzaga <[email protected]>
Co-authored-by: Richard Lau <[email protected]>
1 parent f57eca1 commit 736136e

File tree

1 file changed: +5 -0 lines changed


pages/en/blog/vulnerability/april-2024-security-releases-2.md

Lines changed: 5 additions & 0 deletions
@@ -16,6 +16,11 @@ following issues.
1616

1717
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
1818

19+
It is important to note that there has been a breaking change for Windows users who utilize `child_process.spawn` and `child_process.spawnSync`.
20+
Node.js will now error with `EINVAL` if a `.bat` or `.cmd` file is passed to `child_process.spawn` and `child_process.spawnSync` without the `shell` option set.
21+
If the input to `spawn`/`spawnSync` is sanitized, users can now pass `{ shell: true }` as an option to prevent the occurrence of EINVALs errors.
22+
23+
While it is possible to also pass `--security-revert=CVE-2024-27980` to revert the security patch, we strongly advise against doing so.
1924
Impact:
2025

2126
- This vulnerability affects all Windows users in active release lines: 18.x, 20.x, 21.x
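Review bot: the added sentence "If the input to `spawn`/`spawnSync` is sanitized, users can now pass `{ shell: true }`" (the 21+ line) understates the risk and carries a typo. With `shell: true` the command and its arguments are handed to the Windows shell, so an unsanitized argument becomes exactly the command injection that the paragraph at the top of the hunk describes and that this patch is closing; suggest rewording to say that `{ shell: true }` is only appropriate when every argument is fully trusted or escaped for the shell, and that untrusted input must never reach it. "EINVALs errors" should read "EINVAL errors". Also, the 21+ and 22+ lines add two consecutive blank lines before the `--security-revert=CVE-2024-27980` paragraph; one is enough, and that paragraph would be clearer if it stated plainly that the revert flag restores the vulnerable behaviour.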
