serverless/serverless

Breaking Change in NodeJS 20.12.2 (Error: spawn EINVAL)

Issue description

After upgrading NodeJS to 20.12.2, deployments fail using serverless V3.37.0 on Windows 10.

Error: spawn EINVAL

Downgrading to NodeJS 20.12.1 works as expected.

Context

Environment: win32, node 20.12.2, framework 3.37.0 (local) 3.38.0v (global), plugin 7.2.0, SDK 4.5.1
(not sure if it's related but I also use serverless-bundle to webpack the deployments)

According to https://nodejs.org/en/blog/release/v20.12.2:

> This is a security release.
>
> [Notable Changes](https://nodejs.org/en/blog/release/v20.12.2#notable-changes)
> CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

How to fix this?

Stack trace shows:

```
× Stack api-dev failed to deploy (12s)
Environment: win32, node 20.13.1, framework 3.38.0 (local), plugin 7.2.3, SDK 4.5.1
Credentials: Local, "default" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Error: spawn EINVAL
    at ChildProcess.spawn (node:internal/child_process:421:11)
    at Object.spawn (node:child_process:761:9)
    at childProcess.spawn (C:\REDACTED\api\node_modules\cli-progress-footer\lib\private\cli-progress-footer\disable-props.js:73:50)
    at C:\REDACTED\api\node_modules\serverless-webpack\lib\utils.js:73:32
    at Promise._execute (C:\REDACTED\api\node_modules\bluebird\js\release\debuggability.js:384:9)
    at Promise._resolveFromExecutor (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:518:18)
    at new Promise (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:103:10)
    at Object.spawnProcess (C:\REDACTED\api\node_modules\serverless-webpack\lib\utils.js:72:10)
    at NPM.install (C:\REDACTED\api\node_modules\serverless-webpack\lib\packagers\npm.js:143:18)
    at C:\REDACTED\api\node_modules\serverless-webpack\lib\packExternalModules.js:404:20
    at tryCatcher (C:\REDACTED\api\node_modules\bluebird\js\release\util.js:16:23)
    at Promise._settlePromiseFromHandler (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:547:31)
    at Promise._settlePromise (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:604:18)
    at Promise._settlePromise0 (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:649:10)
    at Promise._settlePromises (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:729:18)
    at _drainQueueStep (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:93:12)
    at _drainQueue (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:86:9)
    at Async._drainQueues (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:102:5)
    at Async.drainQueues [as _onImmediate] (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:15:14)
    at process.processImmediate (node:internal/timers:478:21)
```

Seems to be an issue in serverless-webpack's dependency, cli-progress-footer.

It's been discussed here: nodejs/node#52554
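
Added example, not code from serverless, serverless-webpack or cli-progress-footer: since the CVE-2024-27980 release, `child_process.spawn` on Windows rejects `.bat`/`.cmd` targets with `EINVAL` unless the `shell` option is set, and setting it means `cmd.exe` parses the arguments. The sketch below enables the shell only for batch wrappers and refuses arguments outside a strict allowlist; `planSpawn`, `needsShell`, `run` and `SAFE_ARG` are hypothetical names, and the allowlist is an assumption to adapt.

```javascript
// Added illustration; planSpawn, needsShell, run and SAFE_ARG are hypothetical names.

// Deliberately strict allowlist (an assumption of this sketch): plain tokens only,
// so nothing cmd.exe treats specially (& | < > ^ % " or spaces) reaches the shell.
const SAFE_ARG = /^[A-Za-z0-9_@.:\/\\-]+$/;

// Batch files are executed by cmd.exe, so on Windows they need the shell option.
function needsShell(command, platform = process.platform) {
  return platform === 'win32' && /\.(cmd|bat)$/i.test(command);
}

// Decide how to spawn `command` (a fixed literal, never user input) with `args`.
function planSpawn(command, args, platform = process.platform) {
  // npm is installed as the batch wrapper npm.cmd on Windows.
  const resolved = platform === 'win32' && command === 'npm' ? 'npm.cmd' : command;
  if (!needsShell(resolved, platform)) {
    // Real executables: args travel as an array and no shell parses them.
    return { command: resolved, args, options: { shell: false } };
  }
  const bad = args.find((arg) => !SAFE_ARG.test(arg));
  if (bad !== undefined) {
    throw new Error(`unsafe argument for cmd.exe: ${JSON.stringify(bad)}`);
  }
  return { command: resolved, args, options: { shell: true } };
}

// Spawn according to the plan; the plan's shell setting overrides the caller's.
function run(command, args, options = {}) {
  // Required lazily so planSpawn can be exercised without child_process.
  const { spawn } = require('node:child_process');
  const plan = planSpawn(command, args);
  return spawn(plan.command, plan.args, { stdio: 'inherit', ...options, ...plan.options });
}

// Constructed sample inputs: the same call planned for Windows and for Linux.
console.log(planSpawn('npm', ['install', '--ignore-scripts'], 'win32'));
console.log(planSpawn('npm', ['install', '--ignore-scripts'], 'linux'));
```
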