openclaw - ✅(Solved) Fix [Node.js v24] DEP0190 DeprecationWarning: spawn with shell:true + args array on gateway startup [1 pull requests, 1 participants]

GitHub stats: openclaw/openclaw#62881, fetched 2026-04-09 08:01:16. Comments: 0. Participants: 1. Timeline: 2 (cross-referenced ×1, referenced ×1). Reactions: 0.

On Node.js v24, the gateway emits the following deprecation warning on startup:

(node:XXXXX) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

Root Cause

This appears to be triggered by a child_process.spawn() call in OpenClaw's codebase where both a separate args array and { shell: true } are passed together. Node.js v24 introduced DEP0190 to flag this pattern because the args are concatenated without shell-escaping, which can allow shell injection if any argument contains user-controlled input.

Fix Action

Fixed

PR fix notes

PR #62910: fix(scripts): avoid DEP0190 when spawning .cmd files on Windows (Node.js v24)

Description (problem / solution / changelog)

Summary

Fixes #62881

On Node.js v24, spawn(cmd, args, { shell: true }) triggers DEP0190:

Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

In scripts/ui.js, on Windows, commands with .cmd/.bat extensions (e.g. pnpm.cmd) go through shouldUseShellForCommand → true, which adds shell: true to the spawn options. The separate args array was still passed alongside shell: true, triggering DEP0190.

Fix: Rename createSpawnOptions → resolveSpawnCall, which now returns the effective file, args, and options together. When shell: true is needed, args are folded into the command string (cmd + " " + args.join(" ")) so no separate args array is passed to spawn/spawnSync. assertSafeWindowsShellArgs continues to validate args before the join, so the security invariant is preserved.

Test plan

  • On Windows with Node.js v24, run node scripts/ui.js install — no DEP0190 warning should appear
  • On Windows, run node scripts/ui.js dev and node scripts/ui.js build — UI builds/serves correctly
  • On non-Windows, no behaviour change (the shell path is never taken)
  • Run existing unit tests: node --test or project test command

Changed files

  • scripts/ui.js (modified, +11/-9)
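
The approach the PR description outlines (validate the args, then fold them into the command string only when a shell is required), as an added example rather than the code from scripts/ui.js. planSpawn, needsShell, assertShellSafeArgs and the argument allowlist are hypothetical, and the command itself is assumed to be a trusted constant.

```javascript
// Added example, not OpenClaw's scripts/ui.js. planSpawn, needsShell and
// assertShellSafeArgs are hypothetical names; the allowlist is an assumption.

// Conservative allowlist: anything outside it (spaces, quotes, & | < > ^ % ! ; $ `)
// is rejected rather than escaped, because cmd.exe quoting is easy to get wrong
// and a space would silently split one argument into two after the join.
const SAFE_ARG = /^[A-Za-z0-9_\-./:=@+,]+$/;

// On Windows, .cmd/.bat files are run by cmd.exe, so they need shell: true.
function needsShell(command, platform = process.platform) {
  return platform === 'win32' && /\.(cmd|bat)$/i.test(command);
}

function assertShellSafeArgs(args) {
  for (const arg of args) {
    if (typeof arg !== 'string' || !SAFE_ARG.test(arg)) {
      throw new Error(`unsafe shell argument: ${JSON.stringify(arg)}`);
    }
  }
}

// Returns the exact (file, args, options) triple to hand to spawn/spawnSync.
function planSpawn(command, args = [], options = {}, platform = process.platform) {
  if (!needsShell(command, platform)) {
    // No shell: each array element reaches the child as one argv entry, verbatim.
    return { file: command, args: [...args], options: { ...options, shell: false } };
  }
  // Shell path: validate first, then fold into ONE string so that no args array
  // accompanies shell: true (the combination DEP0190 flags).
  assertShellSafeArgs(args);
  return {
    file: [command, ...args].join(' '),
    args: [],
    options: { ...options, shell: true },
  };
}

// Thin wrapper that executes the plan; child_process is loaded on first use.
function run(command, args, options) {
  const { spawnSync } = require('node:child_process');
  const plan = planSpawn(command, args, options);
  return spawnSync(plan.file, plan.args, plan.options);
}
```
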

RAW_BUFFER

Steps to reproduce

  1. Run OpenClaw gateway on Node.js v24+
  2. Check the gateway log or console output after startup
  3. Observe: [DEP0190] DeprecationWarning: Passing args to a child process with shell option true...

Expected behaviour

No DEP0190 warning. Child processes should either:

  • Use shell: false with a properly constructed args array (preferred), or
  • Use shell: true without a separate args array (pass a single command string)

Actual behaviour

DEP0190 warning emitted on every gateway start on Node.js v24+. Not breaking — gateway functions normally — but indicates a latent shell injection risk and will become noisier as Node.js deprecation tracking tightens.

Environment

  • OpenClaw: v2026.4.5
  • Node.js: v24.6.0
  • OS: Windows 10 x64 (build 19045)

Additional context

The full deprecation trace can be obtained by running the gateway with --trace-deprecation:

node --trace-deprecation C:\...\openclaw\dist\index.js gateway

This would identify the exact line in the source where the spawn call with { shell: true, args: [...] } occurs.

The fix is straightforward: locate all spawn/execFile calls using { shell: true } with a separate args array and either switch to shell: false or restructure to pass a single command string. This also removes the theoretical shell injection surface if any of those arguments ever incorporate external input.

extent analysis

TL;DR

To fix the DEP0190 deprecation warning, update the child_process.spawn() calls to either use shell: false with a properly constructed args array or shell: true with a single command string.

Guidance

  • Identify the exact line in the source where the spawn call with { shell: true, args: [...] } occurs by running the gateway with --trace-deprecation.
  • Update the child_process.spawn() calls to use shell: false and pass a properly constructed args array to avoid shell injection risks.
  • Alternatively, restructure the spawn calls to use shell: true with a single command string, ensuring that no user-controlled input is included in the command string.
  • Verify the fix by running the gateway on Node.js v24+ and checking for the absence of the DEP0190 warning.

Example

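const childProcess = require('child_process');

// 'cmd' is a placeholder command name.
// Before (causes DEP0190 warning): a separate args array combined with shell: true
childProcess.spawn('cmd', ['arg1', 'arg2'], { shell: true });

// After (fixes DEP0190 warning): no shell, each array element is passed as one argument
// Note: on Windows, .cmd/.bat files still need a shell, so they take the
// single-command-string route instead.
childProcess.spawn('cmd', ['arg1', 'arg2'], { shell: false });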

Notes

The fix requires careful review of the code to ensure that no user-controlled input is passed to the spawn calls, which could lead to shell injection vulnerabilities.

Recommendation

Apply the workaround by updating the child_process.spawn() calls to use shell: false or restructure to pass a single command string, as this will remove the theoretical shell injection surface and fix the DEP0190 warning.
