DeprecationWarning: Passing args to a child process with shell option true in Angular CLI package-manager.js #30821
Description
Command
add
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
19
Description
When running ng add @hidden-path/hidden-package, the following deprecation warning appears:
[DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated. at normalizeSpawnArguments (node:child_process:617:15) at spawn (node:child_process:756:13) at /node_modules/@angular/cli/src/utilities/package-manager.js:174:69 ...
This warning is triggered by the Angular CLI’s internal usage of child_process.spawn with shell: true and concatenated arguments in package-manager.js. According to Node.js documentation, this pattern is deprecated and can lead to security vulnerabilities.
Minimal Reproduction
ng new repro-app cd repro-app
node --trace-deprecation $(which ng) add @hidden-path/hidden-package
Exception or Error
Your Environment
_ _ ____ _ ___
/ \ _ __ __ _ _ _| | __ _ _ __ / ___| | |_ _|
/ △ \ | '_ \ / _` | | | | |/ _` | '__| | | | | | |
/ ___ \| | | | (_| | |_| | | (_| | | | |___| |___ | |
/_/ \_\_| |_|\__, |\__,_|_|\__,_|_| \____|_____|___|
|___/
Angular CLI: 20.0.0
Node: 24.1.0
Package Manager: npm 11.3.0
OS: darwin arm64
Angular: undefined
...
Package Version
------------------------------------------------------
@angular-devkit/architect 0.2000.0 (cli-only)
@angular-devkit/core 19.2.7
@angular-devkit/schematics 19.2.7
@angular/cdk 19.2.9
@schematics/angular 19.2.7
typescript 5.6.3
Anything else relevant?
No response