Title: DEP0190 deprecation warning at session start on Windows (Node 22+)
Repo: vercel/vercel-plugin
Version: 0.40.0
Node: 22.x (any version emitting DEP0190)
Platform: Windows (win32)
Warning
(node:NNNNN) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
Fires on every Claude Code / Cursor session start via the SessionStart hook chain hooks/hooks.json -> session-start-profiler.mjs.
Root cause
hooks/session-start-profiler.mjs:284 builds spawn options with shell: true on Windows, then :288 and :304 invoke the file-spawn API with a binary + args + those options. Node 22 flags the args + shell:true combination because args bypass shell quoting (injection risk on hostile binary paths or arg values).
Per the comment on :274-278, shell:true was added to work around .cmd/.bat shim spawning after CVE-2024-27980. That workaround is what trips the deprecation.
Suggested fix
Switch the Windows path to a single quoted command string via the sync-shell API (which accepts a command string natively, no args array, no DEP0190):
- Build a runProbe(binary, args) helper.
- On Windows: pass `"${binary}" ${args.join(" ")}` to the sync-shell API.
- On non-Windows: keep the existing file-spawn call.
- Drop shell:true from the shared options object.
Binary path quoted to survive Program Files. Static internal arg arrays need no escaping.
Alternative: keep the file-spawn API, drop shell:true, resolve the .cmd shim explicitly via PATHEXT iteration before spawn.
Impact
Non-blocking. Session continues. Cosmetic noise on every startup for Windows users on Node 22+.
Repro
- Windows + Node 22.x
- Install vercel plugin 0.40.0
- Open any Claude Code session -> warning fires from session-start-profiler.mjs
File at: https://github.com/vercel/vercel-plugin/issues/new
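
A sketch of the runProbe helper from the suggested fix, as an added example that is not code from vercel-plugin. It enforces the "static internal args" assumption with an allowlist instead of trusting it. Assumptions: the "sync-shell API" is execSync and the "file-spawn API" is execFileSync, and the names buildWindowsCommand, SAFE_ARG and UNSAFE_IN_QUOTES are hypothetical.

```javascript
// Added example: hypothetical helper, not code from vercel-plugin.

// Allowlist for the static, internal arguments the issue describes.
// Anything with spaces or cmd.exe metacharacters is rejected, not escaped.
const SAFE_ARG = /^[A-Za-z0-9_.:=@\/\\-]+$/;

// Quoting a path does not help if the path can close the quote, trigger
// %VAR% (or !VAR! under delayed expansion) substitution, or add a newline.
const UNSAFE_IN_QUOTES = /["%!\r\n]/;

function buildWindowsCommand(binary, args = []) {
  if (typeof binary !== "string" || binary === "" || UNSAFE_IN_QUOTES.test(binary)) {
    throw new Error(`refusing to quote binary path: ${JSON.stringify(binary)}`);
  }
  for (const arg of args) {
    if (typeof arg !== "string" || !SAFE_ARG.test(arg)) {
      throw new Error(`argument is not shell-safe: ${JSON.stringify(arg)}`);
    }
  }
  // The quotes keep paths such as C:\Program Files\... as a single token.
  return [`"${binary}"`, ...args].join(" ");
}

// cp is the node:child_process module, injected so the helper can be
// exercised with a stub. Assumption: execSync / execFileSync are the two
// APIs the issue refers to.
function runProbe(cp, binary, args = [], options = {}, platform = process.platform) {
  // Drop shell from the shared options so it is never combined with args.
  const { shell, ...rest } = options;
  if (platform === "win32") {
    // Single command string, no args array, so DEP0190 does not fire.
    return cp.execSync(buildWindowsCommand(binary, args), rest);
  }
  return cp.execFileSync(binary, args, rest);
}
```

Rejecting unexpected input keeps the helper honest if a later change starts passing a non-static value into the args array.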