Calls to spawn that include '.cmd' or '.bat' on windows should include '{shell: true}' argument

[phaze-ZA]

• I have searched for similar issues

This is due to the recent security patch released by node.js: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

---

Steps to Reproduce

• Be on nodejs > 20.12.1
• Be on windows
• run npm-check-updates
• notice EINVAL error

Current Behavior

EINVAL error is thrown

Expected Behavior

Command is executed

[raineorshine]

Hi, thanks for reporting.

If there is a Windows user that would like to test a fix and open a PR that would be helpful.

[phaze-ZA]

Will set something up locally and do a thingy

[cakidnyc]

Any update? I can't use ncu on windows after updating node above v18.12.0.

[phaze-ZA]

Apologies work got intense and I forgot about this. Busy testing a fix now and will submit a PR once I confirm that it works on both windows and non-windows

[phaze-ZA]

@cakidnyc would you mind testing this PR on your side? Seems to be working fine on Mac and Windows here

[cakidnyc]

It's good for me now on Windows 11 w/ node 20.16.0, thanks! It does turn out that I had to manually delete ncu first ( npm install -g npm-check-updates didn't seem to upgrade it and uninstall -g wasn't clearing it out either). After the manual delete and reinstall, then it starting working. So, it might be that it actually was working earlier, my install was just messed up.