Skip to content

[BUG] libnpmexec does not escape special characters in passed arguments #8918

New issue
New issue
Open
Open
[BUG] libnpmexec does not escape special characters in passed arguments#8918
Labels
Bugthing that needs fixingNeeds Triageneeds review for next steps
@soletan

Description

@soletan
soletan
opened on Jan 19, 2026

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am implementing a script which is using spawn() to invoke another library's CLI script via npm exec passing along arguments which are properly escaped on invoking spawn(). However, the selected script is not invoked but an error occurs due to alleged lack of escaping special characters.

Expected Behavior

As a developer I have to consider npm being a black box I can conveniently use to execute some third-party script

  • no matter its actual implementation,
  • its location in filesystem and
  • the platform I am running on.

Executing a script through npm exec I can't know how npm is processing that request internally or otherwise using npm exec would not make much sense.

Based on such an assumption, when invoking a script through npm exec, arguments with special characters escaped should not be passed along without being kept escaped/literal characters.

Yes, I can escape all arguments two, three or a thousand times. But how often do I have to escape them without knowing what npm and whatever code is involved in running the script I'm invoking is going to do with them. Is it depending on the platform? What shell are they using? Do I have to prepare to mix escapings due to different shells involved based on a resulting user's setup?

Steps To Reproduce

Reproduction works on Windows using cmd.exe, only, due to the literal escaping implemented in file try.js. In production, we already use our quoting-db to properly escape characters in all arguments.

  1. git clone https://github.com/soletan/npm-exec-issue.git
  2. npm i
  3. npm run test

Environment

  • npm: 11.7.0
  • Node.js: 22.20.0
  • OS Name: Windows 11
  • System Model Name:
  • npm config:
; "builtin" config from C:\Users\me\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "C:\\Users\\me\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.20.0
; npm local prefix = C:\Users\me\Temporär\dev\npm-exec-issue
; npm version = 11.7.0
; cwd = C:\Users\me\Temporär\dev\npm-exec-issue
; HOME = C:\Users\me
; Run `npm config ls -l` to show all defaults.```

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions