Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
The execa npm package is a process execution tool that simplifies working with child processes in Node.js. It provides a better user experience than the default child_process module by offering a promise-based API, improved Windows support, and additional convenience options.
Executing a shell command
This feature allows you to execute a shell command and obtain the result. The example shows how to execute the 'echo' command and print 'unicorns' to the console.
const execa = require('execa');
(async () => {
const { stdout } = await execa('echo', ['unicorns']);
console.log(stdout);
})();
Running a command synchronously
This feature is used to execute a command synchronously, blocking the event loop until the process has finished. The example synchronously executes the 'echo' command and logs the result.
const execa = require('execa');
const { stdout } = execa.sync('echo', ['unicorns']);
console.log(stdout);
Handling errors
This feature demonstrates error handling when a command fails to execute. The example attempts to run a non-existent command and catches the error.
const execa = require('execa');
(async () => {
try {
const { stdout } = await execa('wrong-command');
console.log(stdout);
} catch (error) {
console.error('Error occurred:', error);
}
})();
Streaming output
This feature allows you to stream the output of a command directly to the console or another stream. The example streams the output of the 'echo' command to the process's stdout.
const execa = require('execa');
const subprocess = execa('echo', ['unicorns']);
subprocess.stdout.pipe(process.stdout);
ShellJS is a portable Unix shell commands implementation for Node.js. It offers a higher-level API for executing commands but does not support returning promises natively.
Cross-spawn is a cross-platform solution for spawning child processes. It aims to solve compatibility issues on Windows but does not provide a promise-based API.
Process execution for humans
This package improves child_process
methods with:
zx
.npx
.stdout
and stderr
similar to what is printed on the terminal.stdout.trim()
.npm install execa
import {execa} from 'execa';
const {stdout} = await execa('echo', ['unicorns']);
console.log(stdout);
//=> 'unicorns'
For more information about Execa scripts, please see this page.
import {$} from 'execa';
const branch = await $`git branch --show-current`;
await $`dep deploy --branch=${branch}`;
import {$} from 'execa';
const args = ['unicorns', '&', 'rainbows!'];
const {stdout} = await $`echo ${args}`;
console.log(stdout);
//=> 'unicorns & rainbows!'
import {$} from 'execa';
await $({stdio: 'inherit'})`echo unicorns`;
//=> 'unicorns'
import {$} from 'execa';
const $$ = $({stdio: 'inherit'});
await $$`echo unicorns`;
//=> 'unicorns'
await $$`echo rainbows`;
//=> 'rainbows'
> node file.js
unicorns
rainbows
> NODE_DEBUG=execa node file.js
[16:50:03.305] echo unicorns
unicorns
[16:50:03.308] echo rainbows
rainbows
import {execa} from 'execa';
// Similar to `echo unicorns > stdout.txt` in Bash
await execa('echo', ['unicorns']).pipeStdout('stdout.txt');
// Similar to `echo unicorns 2> stdout.txt` in Bash
await execa('echo', ['unicorns']).pipeStderr('stderr.txt');
// Similar to `echo unicorns &> stdout.txt` in Bash
await execa('echo', ['unicorns'], {all: true}).pipeAll('all.txt');
import {execa} from 'execa';
// Similar to `cat < stdin.txt` in Bash
const {stdout} = await execa('cat', {inputFile: 'stdin.txt'});
console.log(stdout);
//=> 'unicorns'
import {execa} from 'execa';
const {stdout} = await execa('echo', ['unicorns']).pipeStdout(process.stdout);
// Prints `unicorns`
console.log(stdout);
// Also returns 'unicorns'
import {execa} from 'execa';
// Similar to `echo unicorns | cat` in Bash
const {stdout} = await execa('echo', ['unicorns']).pipeStdout(execa('cat'));
console.log(stdout);
//=> 'unicorns'
import {execa} from 'execa';
// Catching an error
try {
await execa('unknown', ['command']);
} catch (error) {
console.log(error);
/*
{
message: 'Command failed with ENOENT: unknown command spawn unknown ENOENT',
errno: -2,
code: 'ENOENT',
syscall: 'spawn unknown',
path: 'unknown',
spawnargs: ['command'],
originalMessage: 'spawn unknown ENOENT',
shortMessage: 'Command failed with ENOENT: unknown command spawn unknown ENOENT',
command: 'unknown command',
escapedCommand: 'unknown command',
stdout: '',
stderr: '',
failed: true,
timedOut: false,
isCanceled: false,
killed: false
}
*/
}
Using SIGTERM, and after 2 seconds, kill it with SIGKILL.
const subprocess = execa('node');
setTimeout(() => {
subprocess.kill('SIGTERM', {
forceKillAfterTimeout: 2000
});
}, 1000);
Executes a command using file ...arguments
. arguments
are specified as an array of strings. Returns a childProcess
.
Arguments are automatically escaped. They can contain any character, including spaces.
This is the preferred method when executing single commands.
Executes a Node.js file using node scriptPath ...arguments
. arguments
are specified as an array of strings. Returns a childProcess
.
Arguments are automatically escaped. They can contain any character, including spaces.
This is the preferred method when executing Node.js files.
Like child_process#fork()
:
nodePath
and nodeOptions
options.shell
option cannot be usedipc
is passed to stdio
Executes a command. The command
string includes both the file
and its arguments
. Returns a childProcess
.
Arguments are automatically escaped. They can contain any character, but spaces must use ${}
like $`echo ${'has space'}`
.
This is the preferred method when executing multiple commands in a script file.
The command
string can inject any ${value}
with the following types: string, number, childProcess
or an array of those types. For example: $`echo one ${'two'} ${3} ${['four', 'five']}`
. For ${childProcess}
, the process's stdout
is used.
For more information, please see this section and this page.
Returns a new instance of $
but with different default options
. Consecutive calls are merged to previous ones.
This can be used to either:
$(options)`command`
const $$ = $(options); $$`command`; $$`otherCommand`;
Executes a command. The command
string includes both the file
and its arguments
. Returns a childProcess
.
Arguments are automatically escaped. They can contain any character, but spaces must be escaped with a backslash like execaCommand('echo has\\ space')
.
This is the preferred method when executing a user-supplied command
string, such as in a REPL.
Same as execa()
but synchronous.
Returns or throws a childProcessResult
.
Same as $`command` but synchronous.
Returns or throws a childProcessResult
.
Same as execaCommand()
but synchronous.
Returns or throws a childProcessResult
.
For all the methods above, no shell interpreter (Bash, cmd.exe, etc.) is used unless the shell
option is set. This means shell-specific characters and expressions ($variable
, &&
, ||
, ;
, |
, etc.) have no special meaning and do not need to be escaped.
The return value of all asynchronous methods is both:
Promise
resolving or rejecting with a childProcessResult
.child_process
instance with the following additional methods and properties.Same as the original child_process#kill()
except: if signal
is SIGTERM
(the default value) and the child process is not terminated after 5 seconds, force it by sending SIGKILL
.
Type: number | false
Default: 5000
Milliseconds to wait for the child process to terminate before sending SIGKILL
.
Can be disabled with false
.
Type: ReadableStream | undefined
Stream combining/interleaving stdout
and stderr
.
This is undefined
if either:
all
option is false
(the default value)stdout
and stderr
options are set to 'inherit'
, 'ipc'
, Stream
or integer
Pipe the child process's stdout
to target
, which can be:
If the target
is another execa()
return value, it is returned. Otherwise, the original execa()
return value is returned. This allows chaining pipeStdout()
then await
ing the final result.
The stdout
option must be kept as pipe
, its default value.
Like pipeStdout()
but piping the child process's stderr
instead.
The stderr
option must be kept as pipe
, its default value.
Combines both pipeStdout()
and pipeStderr()
.
Either the stdout
option or the stderr
option must be kept as pipe
, their default value. Also, the all
option must be set to true
.
Type: object
Result of a child process execution. On success this is a plain object. On failure this is also an Error
instance.
The child process fails when:
0
Type: string
The file and arguments that were run, for logging purposes.
This is not escaped and should not be executed directly as a process, including using execa()
or execaCommand()
.
Type: string
Same as command
but escaped.
This is meant to be copy and pasted into a shell, for debugging purposes.
Since the escaping is fairly basic, this should not be executed directly as a process, including using execa()
or execaCommand()
.
Type: number
The numeric exit code of the process that was run.
Type: string | Buffer
The output of the process on stdout.
Type: string | Buffer
The output of the process on stderr.
Type: string | Buffer | undefined
The output of the process with stdout
and stderr
interleaved.
This is undefined
if either:
all
option is false
(the default value)execaSync()
was usedType: boolean
Whether the process failed to run.
Type: boolean
Whether the process timed out.
Type: boolean
Whether the process was canceled.
You can cancel the spawned process using the signal
option.
Type: boolean
Whether the process was killed.
Type: string | undefined
The name of the signal that was used to terminate the process. For example, SIGFPE
.
If a signal terminated the process, this property is defined and included in the error message. Otherwise it is undefined
.
Type: string | undefined
A human-friendly description of the signal that was used to terminate the process. For example, Floating point arithmetic error
.
If a signal terminated the process, this property is defined and included in the error message. Otherwise it is undefined
. It is also undefined
when the signal is very uncommon which should seldomly happen.
Type: string
Error message when the child process failed to run. In addition to the underlying error message, it also contains some information related to why the child process errored.
The child process stderr then stdout are appended to the end, separated with newlines and not interleaved.
Type: string
This is the same as the message
property except it does not include the child process stdout/stderr.
Type: string | undefined
Original error message. This is the same as the message
property except it includes neither the child process stdout/stderr nor some additional information added by Execa.
This is undefined
unless the child process exited due to an error
event or a timeout.
Type: object
Type: boolean
Default: true
Kill the spawned process when the parent process exits unless either:
- the spawned process is detached
- the parent process is terminated abruptly, for example, with SIGKILL
as opposed to SIGTERM
or a normal exit
Type: boolean
Default: true
with $
/$.sync
, false
otherwise
Prefer locally installed binaries when looking for a binary to execute.
If you $ npm install foo
, you can then execa('foo')
.
Type: string | URL
Default: process.cwd()
Preferred path to find locally installed binaries in (use with preferLocal
).
Type: string
Default: process.execPath
(Current Node.js executable)
Path to the Node.js executable to use in child processes.
This can be either an absolute path or a path relative to the cwd
option.
Requires preferLocal
to be true
.
For example, this can be used together with get-node
to run a specific Node.js version in a child process.
Type: boolean
Default: true
Buffer the output from the spawned process. When set to false
, you must read the output of stdout
and stderr
(or all
if the all
option is true
). Otherwise the returned promise will not be resolved/rejected.
If the spawned process fails, error.stdout
, error.stderr
, and error.all
will contain the buffered data.
Type: string | Buffer | stream.Readable
Write some input to the stdin
of your binary.
Streams are not allowed when using the synchronous methods.
If the input is a file, use the inputFile
option instead.
Type: string
Use a file as input to the the stdin
of your binary.
If the input is not a file, use the input
option instead.
Type: string | number | Stream | undefined
Default: pipe
Same options as stdio
.
Type: string | number | Stream | undefined
Default: pipe
Same options as stdio
.
Type: string | number | Stream | undefined
Default: pipe
Same options as stdio
.
Type: boolean
Default: false
Add an .all
property on the promise and the resolved value. The property contains the output of the process with stdout
and stderr
interleaved.
Type: boolean
Default: true
Setting this to false
resolves the promise with the error instead of rejecting it.
Type: boolean
Default: true
Strip the final newline character from the output.
Type: boolean
Default: true
Set to false
if you don't want to extend the environment variables when providing the env
property.
Execa also accepts the below options which are the same as the options for child_process#spawn()
/child_process#exec()
Type: string | URL
Default: process.cwd()
Current working directory of the child process.
Type: object
Default: process.env
Environment key-value pairs. Extends automatically from process.env
. Set extendEnv
to false
if you don't want this.
Type: string
Explicitly set the value of argv[0]
sent to the child process. This will be set to file
if not specified.
Type: string | string[]
Default: pipe
Child's stdio configuration.
Type: string
Default: 'json'
Specify the kind of serialization used for sending messages between processes when using the stdio: 'ipc'
option or execaNode()
:
- json
: Uses JSON.stringify()
and JSON.parse()
.
- advanced
: Uses v8.serialize()
Type: boolean
Prepare child to run independently of its parent process. Specific behavior depends on the platform.
Type: number
Sets the user identity of the process.
Type: number
Sets the group identity of the process.
Type: boolean | string
Default: false
If true
, runs file
inside of a shell. Uses /bin/sh
on UNIX and cmd.exe
on Windows. A different shell can be specified as a string. The shell should understand the -c
switch on UNIX or /d /s /c
on Windows.
We recommend against using this option since it is:
Type: string | null
Default: utf8
Specify the character encoding used to decode the stdout
and stderr
output. If set to null
, then stdout
and stderr
will be a Buffer
instead of a string.
Type: number
Default: 0
If timeout is greater than 0
, the parent will send the signal identified by the killSignal
property (the default is SIGTERM
) if the child runs longer than timeout milliseconds.
Type: number
Default: 100_000_000
(100 MB)
Largest amount of data in bytes allowed on stdout
or stderr
.
Type: string | number
Default: SIGTERM
Signal value to be used when the spawned process will be killed.
Type: AbortSignal
You can abort the spawned process using AbortController
.
When AbortController.abort()
is called, .isCanceled
becomes false
.
Requires Node.js 16 or later.
Type: boolean
Default: false
If true
, no quoting or escaping of arguments is done on Windows. Ignored on other platforms. This is set to true
automatically when the shell
option is true
.
Type: boolean
Default: true
On Windows, do not create a new console window. Please note this also prevents CTRL-C
from working on Windows.
Type: boolean
Default: false
Print each command on stderr
before executing it.
This can also be enabled by setting the NODE_DEBUG=execa
environment variable in the current process.
.node()
only)Type: string
Default: process.execPath
Node.js executable used to create the child process.
.node()
only)Type: string[]
Default: process.execArgv
List of CLI options passed to the Node.js executable.
Gracefully handle failures by using automatic retries and exponential backoff with the p-retry
package:
import pRetry from 'p-retry';
const run = async () => {
const results = await execa('curl', ['-sSL', 'https://sindresorhus.com/unicorn']);
return results;
};
console.log(await pRetry(run, {retries: 5}));
import {execa} from 'execa';
const abortController = new AbortController();
const subprocess = execa('node', [], {signal: abortController.signal});
setTimeout(() => {
abortController.abort();
}, 1000);
try {
await subprocess;
} catch (error) {
console.log(subprocess.killed); // true
console.log(error.isCanceled); // true
}
import {getBinPath} from 'get-bin-path';
const binPath = await getBinPath();
await execa(binPath);
execa
can be combined with get-bin-path
to test the current package's binary. As opposed to hard-coding the path to the binary, this validates that the package.json
bin
field is correctly set up.
execa
execa
using any Node.js versionFAQs
Process execution for humans
We found that execa demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.