fix(windows): reject unresolved cmd wrappers (#58436)

* fix(windows): reject unresolved cmd wrappers * fix(windows): add wrapper policy coverage * fix(windows): document wrapper fallback migration * fix(windows): drop changelog entry from pr * chore: add changelog for Windows wrapper fail-closed behavior --------- Co-authored-by: Devin Robison <drobison@nvidia.com> Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>
2026-04-07 15:21:06 +00:00 · 2026-04-02 10:35:50 -07:00
parent 3e452f2671
commit 5874a387ae
6 changed files with 105 additions and 18 deletions
--- a/src/plugin-sdk/windows-spawn.ts
+++ b/src/plugin-sdk/windows-spawn.ts
@@ -37,6 +37,7 @@ export type ResolveWindowsSpawnProgramParams = {
  env?: NodeJS.ProcessEnv;
  execPath?: string;
  packageName?: string;
+  /** Trusted compatibility escape hatch for callers that intentionally accept shell-mediated wrapper execution. */
  allowShellFallback?: boolean;
 };
 export type ResolveWindowsSpawnProgramCandidateParams = Omit<
@@ -265,7 +266,7 @@ export function applyWindowsSpawnProgramPolicy(params: {
      windowsHide: params.candidate.windowsHide,
    };
  }
-  if (params.allowShellFallback !== false) {
+  if (params.allowShellFallback === true) {
    return {
      command: params.candidate.command,
      leadingArgv: [],