Skip to content

cli: avoid shell=True for npx/browser helpers #2014

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TheodorNEngoy wants to merge 2 commits into
base: main
Choose a base branch
from
Open

cli: avoid shell=True for npx/browser helpers #2014

TheodorNEngoy wants to merge 2 commits into from
+56 −40

Conversation

@TheodorNEngoy
Copy link

@TheodorNEngoy TheodorNEngoy commented Feb 8, 2026

This removes shell=True usage from the CLI helper path (a common security footgun).

Changes:

  • _get_npx_command() now returns a subprocess-friendly command prefix and uses COMSPEC /c only when npx is a .cmd/.bat shim.
  • mcp dev runs npx @modelcontextprotocol/inspector without shell=True.
  • URL elicitation example uses webbrowser.open() for cross-platform browser opening.

Tests:

  • uv run pytest -q tests/cli/test_utils.py
  • uv run ruff check src/mcp/cli/cli.py tests/cli/test_utils.py examples/snippets/clients/url_elicitation_client.py

@TheodorNEngoy TheodorNEngoy mentioned this pull request Feb 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodorNEngoy