Breaking Change in NodeJS 20.12.2 (Error: spawn EINVAL)
mdtsuk opened this issue · comments
Issue description
After upgrading NodeJS to 20.12.2 deployments fail using serverless V3.37.0 on Windows 10.
Error: spawn EINVAL
Downgrading to NodeJS 20.12.1 works as expected.
Context
Environment: win32, node 20.12.2, framework 3.37.0 (local) 3.38.0v (global), plugin 7.2.0, SDK 4.5.1
(not sure if it's related but I also use serverless-bundle
to webpack the deployments)
According to https://nodejs.org/en/blog/release/v20.12.2
This is a security release.
[Notable Changes](https://nodejs.org/en/blog/release/v20.12.2#notable-changes)
CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
how to fix this?
Stack trace shows:
× Stack api-dev failed to deploy (12s)
Environment: win32, node 20.13.1, framework 3.38.0 (local), plugin 7.2.3, SDK 4.5.1
Credentials: Local, "default" profile
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
Error:
Error: spawn EINVAL
at ChildProcess.spawn (node:internal/child_process:421:11)
at Object.spawn (node:child_process:761:9)
at childProcess.spawn (C:\REDACTED\api\node_modules\cli-progress-footer\lib\private\cli-progress-footer\disable-props.js:73:50)
at C:\REDACTED\api\node_modules\serverless-webpack\lib\utils.js:73:32
at Promise._execute (C:\REDACTED\api\node_modules\bluebird\js\release\debuggability.js:384:9)
at Promise._resolveFromExecutor (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:518:18)
at new Promise (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:103:10)
at Object.spawnProcess (C:\REDACTED\api\node_modules\serverless-webpack\lib\utils.js:72:10)
at NPM.install (C:\REDACTED\api\node_modules\serverless-webpack\lib\packagers\npm.js:143:18)
at C:\REDACTED\api\node_modules\serverless-webpack\lib\packExternalModules.js:404:20
at tryCatcher (C:\REDACTED\api\node_modules\bluebird\js\release\util.js:16:23)
at Promise._settlePromiseFromHandler (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:547:31)
at Promise._settlePromise (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:604:18)
at Promise._settlePromise0 (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:649:10)
at Promise._settlePromises (C:\REDACTED\api\node_modules\bluebird\js\release\promise.js:729:18)
at _drainQueueStep (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:93:12)
at _drainQueue (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:86:9)
at Async._drainQueues (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:102:5)
at Async.drainQueues [as _onImmediate] (C:\REDACTED\api\node_modules\bluebird\js\release\async.js:15:14)
at process.processImmediate (node:internal/timers:478:21)
Seems to be an issue in serverless-webpack's dependency, cli-progress-footer
It's been discussed here: nodejs/node#52554