no-child-process-shell-true

Disallow Node child process options that enable shell: true.

Targeted pattern scope

Node child_process execution options that enable shell: true.

What this rule reports

spawn(...) / execFile(...) options objects with shell: true.

Why this rule exists

Shell execution expands injection risk when command fragments include user-influenced input.

❌ Incorrect

spawn("cmd", ["/c", command], { shell: true });

✅ Correct

spawn("node", ["script.js"], { shell: false });

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },

  rules: {
   "sdl/no-child-process-shell-true": "error",
  },
 },
];

When not to use it

Disable only when shell execution is unavoidable and all command fragments are strictly controlled and validated.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​