
[Node.js 24] [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities #228

@EricDunsworth

I've noticed that in node.js 24, the htmllint task produces the following deprecation warning upon processing any files:

Running "htmllint:all" (htmllint) task
(node:25724) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use node --trace-deprecation ... to show where the warning was created)
...

Here's its entry in node.js' deprecated APIs page:
DEP0190: Passing args to node:child_process execFile/spawn with shell option

I'm unable to get any useful info with node --trace-deprecation, but given what's described in the error, it's likely caused by the cross-spawn dependency. Specifically moxystudio/node-cross-spawn#176. Unfortunately, that project appears to have gone stale in late 2024 (no new releases, commits nor maintenance activity since then). Other recently-reported security issues also haven't received any follow-up.

Since grunt-html is still maintained to this day, maybe there'd be value in dropping that dependency? I'm not aware of any "drop-in" replacements for it, but it looks like at least one other project (valeryan/vscode-phpsab#172) got rid of it and brought its functionality "in-house".
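
The behaviour the DEP0190 warning describes, shown as an added example that is not part of the original issue and is not code from grunt-html or cross-spawn. It assumes a POSIX system where `sh` and `echo` are available; the file name, the function names and the use of `echo` as a stand-in for the real tool are constructed for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Constructed file name containing shell syntax, standing in for a path
// that a lint task might be handed by a glob.
const fileName = 'report $(echo EXPANDED).html';

// Form flagged by DEP0190: the args array is joined onto the command with
// spaces and the resulting string is parsed by the shell, unescaped.
function viaShell(name) {
  const r = spawnSync('echo', [name], { shell: true, encoding: 'utf8' });
  return r.stdout.trim();
}

// Form without a shell: each array element reaches the child process as
// exactly one argv entry, so shell syntax in it stays literal text.
function viaArgv(name) {
  const r = spawnSync('echo', [name], { encoding: 'utf8' });
  return r.stdout.trim();
}

// On Node.js versions that emit DEP0190, log the stack of each occurrence
// so the calling module can be identified.
process.on('warning', (w) => {
  if (w.code === 'DEP0190') console.error(w.stack);
});

console.log('shell: true  ->', viaShell(fileName)); // shell rewrote the name
console.log('no shell     ->', viaArgv(fileName));  // name arrives unchanged
```
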
