Once #524 is merged, it would be good to deprecate shell.exec() due to its vulnerabilities and bugs. While we can mark it as deprecated in the docs, since it's a security vulnerability, we may also want to provide deprecation warnings at runtime.
However, since exec() still has a valid use case, I don't think we should ever get rid of it (so it's soft deprecation). Also, if we're still allowing people to use it, we should provide an API to skip deprecation warnings if they know what they're doing.
One approach we could take:
- add shell.config.showDeprecationWarnings (defaults to true)
- then add a function in common) to log a deprecation warning to stderr, only when the above option is true
- in the deprecated functions, we can call this log function explicitly, or perhaps add a plugin option for deprecated functions of the form:
  deprecationMessage: 'foo is deprecated, use bar instead',
This idea is still open for discussion, so don't implement it yet until the "help wanted" label is applied.
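
A sketch of the mechanism proposed above, added here as an example and not ShellJS code. Only the names showDeprecationWarnings and deprecationMessage come from the issue; the config object, deprecationWarning(), register(), the stream option and the warn-once-per-command behaviour are assumptions.

```javascript
// Hypothetical stand-in for the library's config object; only the option
// name showDeprecationWarnings comes from the proposal.
const config = { showDeprecationWarnings: true };

// Commands already warned about, so a loop calling a deprecated command
// does not flood stderr (warn-once is an assumption, not in the proposal).
const warned = new Set();

// Log a deprecation warning to stderr, only when the option is true.
// Returns true if a warning was written, false if it was suppressed.
function deprecationWarning(name, message, stream = process.stderr) {
  if (!config.showDeprecationWarnings || warned.has(name)) return false;
  warned.add(name);
  stream.write(`DeprecationWarning: ${message}\n`);
  return true;
}

// Hypothetical plugin-style registration: a command registered with a
// deprecationMessage option is wrapped so the warning fires before the call.
function register(name, impl, options = {}) {
  if (!options.deprecationMessage) return impl;
  return function deprecated(...args) {
    deprecationWarning(name, options.deprecationMessage, options.stream);
    return impl.apply(this, args);
  };
}

// Constructed demo: 'foo' is the placeholder command from the proposal,
// and sink captures what would otherwise go to stderr.
function demo() {
  const lines = [];
  const sink = { write: (s) => lines.push(s) };
  const foo = register('foo', (x) => x * 2, {
    deprecationMessage: 'foo is deprecated, use bar instead',
    stream: sink,
  });
  const results = [foo(1), foo(2)];        // warns once, command still runs
  config.showDeprecationWarnings = false;  // caller opts out of warnings
  warned.clear();
  results.push(foo(3));                    // suppressed by the option
  config.showDeprecationWarnings = true;   // restore the default
  return { lines, results };
}

console.log(demo());
```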