
@Tobbe Tobbe commented Jan 2, 2026

Running yarn cedar build used to print "(node:90324) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated." to the terminal. This PR fixes this by not using shell: true.


netlify bot commented Jan 2, 2026

Deploy Preview for cedarjs canceled.

Name Link
🔨 Latest commit a28af14
🔍 Latest deploy log https://app.netlify.com/projects/cedarjs/deploys/6958452ad7f29b000848affd

@github-actions github-actions bot added this to the next-release-patch milestone Jan 2, 2026

greptile-apps bot commented Jan 2, 2026

Greptile Summary

Fixes Node.js DEP0190 deprecation warning by properly splitting the Prisma generation command into separate cmd and args parameters instead of passing a concatenated string with shell: true.

Key changes:

  • Modified generatePrismaCommand() to return cmd: 'node' with args array [prismaIndexPath, 'generate', '--config=...'] instead of a shell command string
  • Removed unnecessary quotes around file paths that were required for shell execution
  • Removed shell: true from execa calls in buildHandler.js and runCommandTask() utility
  • Improves security by avoiding shell interpretation when not needed

Confidence Score: 5/5

  • This PR is safe to merge with no risk - it's a straightforward security and deprecation fix
  • The changes correctly fix the DEP0190 warning by properly separating command and arguments. The refactoring improves security by removing unnecessary shell interpretation while maintaining identical functionality. All three files have minimal, well-understood changes that follow Node.js best practices.
  • No files require special attention

Important Files Changed

  • packages/cli/src/lib/generatePrismaClient.js: Properly splits Prisma command into cmd and args array, removing shell execution requirement and fixing path quoting
  • packages/cli/src/commands/buildHandler.js: Removes shell: true from Prisma generation execa call, correctly using the new cmd/args format
  • packages/cli/src/lib/index.js: Removes shell: true from runCommandTask utility function that executes commands with separate cmd and args

Sequence Diagram

sequenceDiagram
    participant User
    participant BuildHandler
    participant GeneratePrismaClient
    participant Execa
    participant Node

    User->>BuildHandler: yarn cedar build
    BuildHandler->>GeneratePrismaClient: generatePrismaCommand()
    GeneratePrismaClient->>GeneratePrismaClient: Resolve prisma/build/index.js path
    GeneratePrismaClient-->>BuildHandler: {cmd: 'node', args: [path, 'generate', '--config=...']}
    BuildHandler->>Execa: execa(cmd, args, {stdio, cwd})
    Note over Execa: No shell interpretation needed
    Execa->>Node: Direct process spawn
    Node->>Node: prisma generate --config=...
    Node-->>Execa: Success
    Execa-->>BuildHandler: Success
    BuildHandler-->>User: Build complete
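
An added example (not code from this PR or from the CedarJS code base) of the difference the summary above describes: the same argument list spawned with shell: true and without it, plus the quoting caveat behind the removed quotes. It assumes a POSIX /bin/sh and a Node binary and temp directory whose paths contain no spaces; print-argv.js is a hypothetical stand-in for the Prisma entry script, and the config path is a constructed sample value.

```javascript
const { spawnSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Stand-in for the Prisma entry script (hypothetical): prints the argv it got.
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'argv-demo-'));
const script = path.join(dir, 'print-argv.js');
fs.writeFileSync(script, 'console.log(JSON.stringify(process.argv.slice(2)))\n');

// Constructed sample value: a config path with a space and a shell metacharacter.
const configPath = '/srv/my app/prisma.config.js; echo MARKER';

// Spawn `node print-argv.js ...args`; return the child's argv plus any other
// stdout lines, which can only come from something else the shell ran.
function run(args, options = {}) {
  const res = spawnSync(process.execPath, [script, ...args], {
    encoding: 'utf8',
    ...options,
  });
  const [first, ...extraOutput] = res.stdout.trim().split('\n');
  return { argv: JSON.parse(first), extraOutput };
}

// Before: args are joined with spaces and re-parsed by /bin/sh (DEP0190).
function viaShell() {
  return run(['generate', `--config=${configPath}`], { shell: true });
}

// After: args go straight into the child's argv, no shell involved.
function direct() {
  return run(['generate', `--config=${configPath}`]);
}

// Caveat: quotes that protected the path under a shell are now literal bytes.
function directWithLeftoverQuotes() {
  return run(['generate', `--config="${configPath}"`]);
}

console.log(JSON.stringify(
  { viaShell: viaShell(), direct: direct(), quoted: directWithLeftoverQuotes() },
  null, 2));
```

Under the shell the path is split at the space and the text after `;` runs as a second command; spawned directly it arrives as one argument, and any quotes left over from the shell form arrive as part of the value.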


nx-cloud bot commented Jan 2, 2026

🤖 Nx Cloud AI Fix

Ensure the fix-ci command is configured to always run in your CI pipeline to get automatic fixes in future runs. For more information, please see https://nx.dev/ci/features/self-healing-ci


View your CI Pipeline Execution ↗ for commit a28af14

  • nx run-many -t build:pack --exclude create-ceda...: ✅ Succeeded, 13s
  • nx run-many -t build: ✅ Succeeded, 10s
  • nx run-many -t test --minWorkers=1 --maxWorkers=4: ✅ Succeeded, 1m 38s
  • nx run-many -t test:types: ✅ Succeeded, 10s

☁️ Nx Cloud last updated this comment at 2026-01-02 22:43:20 UTC

@Tobbe Tobbe merged commit 0a44cca into main Jan 3, 2026
42 checks passed
@Tobbe Tobbe deleted the tobbe-fix-e190-build-gen-prisma branch January 3, 2026 03:51