npmx-dev · MathurAditya724 · Mar 23, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/cli/src/cli.ts b/cli/src/cli.ts
@@ -8,16 +8,17 @@ import { serve } from 'srvx'
 import { createConnectorApp, generateToken, CONNECTOR_VERSION } from './server.ts'
 import { getNpmUser, NPM_REGISTRY_URL } from './npm-client.ts'
 import { initLogger, showToken, logInfo, logWarning, logError } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const DEFAULT_PORT = 31415
 const DEFAULT_FRONTEND_URL = 'https://npmx.dev/'
 const DEV_FRONTEND_URL = 'http://127.0.0.1:3000/'
-
 async function runNpmLogin(): Promise<boolean> {
   return new Promise(resolve => {
-    const child = spawn('npm', ['login', `--registry=${NPM_REGISTRY_URL}`], {
+    const { command, args } = resolveNpmProcessCommand(['login', `--registry=${NPM_REGISTRY_URL}`])
+
+    const child = spawn(command, args, {
       stdio: 'inherit',
-      shell: true,
     })
 
     child.on('close', code => {

diff --git a/cli/src/npm-client.ts b/cli/src/npm-client.ts
@@ -8,6 +8,7 @@ import { join } from 'node:path'
 import * as v from 'valibot'
 import { PackageNameSchema, UsernameSchema, OrgNameSchema, ScopeTeamSchema } from './schemas.ts'
 import { logCommand, logSuccess, logError, logDebug } from './logger.ts'
+import { resolveNpmProcessCommand } from './npm-process.ts'
 
 const execFileAsync = promisify(execFile)
 export const NPM_REGISTRY_URL = 'https://registry.npmjs.org/'
@@ -332,13 +333,10 @@ async function execNpm(args: string[], options: ExecNpmOptions = {}): Promise<Np
 
   try {
     logDebug('Executing npm command:', { command: 'npm', args: npmArgs })
-    // Use execFile instead of exec to avoid shell injection vulnerabilities
-    // On Windows, shell: true is required to execute .cmd files (like npm.cmd)
-    // On Unix, we keep it false for better security and performance
-    const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+    const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+    const { stdout, stderr } = await execFileAsync(command, processArgs, {
       timeout: 60000,
       env: createNpmEnv(),
-      shell: process.platform === 'win32',
     })
 
     logDebug('Command succeeded:', { stdout, stderr })
@@ -610,11 +608,11 @@ export async function packageInit(
     logCommand(`${displayCmd} (in temp dir for ${name})`)
 
     try {
-      const { stdout, stderr } = await execFileAsync('npm', npmArgs, {
+      const { command, args: processArgs } = resolveNpmProcessCommand(npmArgs)
+      const { stdout, stderr } = await execFileAsync(command, processArgs, {
         timeout: 60000,
         cwd: tempDir,
         env: createNpmEnv(),
-        shell: process.platform === 'win32',
       })
 
       logSuccess(`Published ${name}@0.0.0`)

diff --git a/cli/src/npm-process.ts b/cli/src/npm-process.ts
@@ -0,0 +1,24 @@
+import process from 'node:process'
+
+interface NpmProcessCommand {
+  command: string
+  args: string[]
+}
+
+export function resolveNpmProcessCommand(
+  npmArgs: string[],
+  platform = process.platform,
+  comSpec = process.env.ComSpec,
+): NpmProcessCommand {
+  if (platform === 'win32') {
+    return {
+      command: comSpec || 'cmd.exe',
+      args: ['/d', '/s', '/c', 'npm', ...npmArgs],
+    }
+  }
+
+  return {
+    command: 'npm',
+    args: npmArgs,
+  }
+}