Node.js DEP0190 Warning on Startup with Child Process Handling

Resolved 💬 4 comments Opened Jul 30, 2025 by babySaga2025 Closed Aug 6, 2025

Bug Description

[BUG] Node.js DEP0190 deprecation warning appears on every Claude Code startup

Environment

Platform: Windows
Claude CLI version: 1.0.63
Operating System: Windows 11
Node.js version: 24.4.0
Terminal: PowerShell terminal within Cursor IDE (version 1.3.5)

Bug Description

Every time Claude Code is started on Windows, the following Node.js deprecation warning appears:

(node:11044) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)

Steps to Reproduce

  1. Open terminal on Windows
  2. Run claude command to start Claude Code
  3. Warning appears immediately on startup

Expected Behavior

Claude Code should start without any deprecation warnings.

Actual Behavior

A Node.js DEP0190 deprecation warning is displayed every time Claude Code starts, indicating that the internal implementation is using child_process with shell: true in a potentially unsafe way where arguments aren't being properly escaped.

Additional Context

  • This warning appears to be related to Claude Code's internal Node.js implementation
  • The warning suggests that arguments are being concatenated rather than properly escaped when spawning child processes with shell: true
  • This is a code quality/security concern flagged by Node.js as deprecated due to potential security implications
  • The warning doesn't seem to affect Claude Code functionality, but indicates a practice that Node.js considers unsafe
  • Based on public searches, this appears to be an unreported issue

Technical Details

The DEP0190 deprecation warning was introduced in Node.js to flag potentially unsafe usage of the child_process module where:

  • shell: true option is used
  • Arguments are passed as arrays but not properly escaped
  • This can lead to command injection vulnerabilities

Suggested Fix

The Claude Code codebase should be updated to either:

  1. Properly escape arguments when using shell: true
  2. Use alternative approaches that don't require shell: true
  3. Use spawn() with individual arguments instead of concatenated strings

Impact

  • Low functional impact (doesn't break Claude Code)
  • Medium concern for code quality and security best practices
  • Creates noise in terminal output that may concern users

Environment Info

  • Platform: win32
  • Terminal: cursor
  • Version: 1.0.63
  • Feedback ID: d29fde8f-e8b9-44bb-9f52-95bd1b7bfe19

Errors

[]

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗