child_process vs cross-env vs execa vs node-cmd vs shell-quote vs shelljs
Executing Shell Commands and Managing Environment Variables in Node.js
Search packages..
child_processcross-envexecanode-cmdshell-quoteshelljsSimilar Packages:

Executing Shell Commands and Managing Environment Variables in Node.js

child_process is Node.js's built-in module for spawning child processes and executing system commands. cross-env is a utility for setting environment variables in a cross-platform way, commonly used in npm scripts. execa is a popular, promise-based wrapper around child_process that simplifies command execution with better defaults and cross-platform compatibility. node-cmd provides a minimal promise/callback interface for running shell commands but lacks active maintenance and advanced features. shell-quote safely escapes and formats command arguments as shell strings to prevent injection vulnerabilities. shelljs emulates Unix shell commands (like cp, ls, grep) in JavaScript with cross-platform support, allowing shell-like scripting without relying on the system shell.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
child_process0165-410 years agoISC
cross-env06,52620.2 kB17 months agoMIT
execa07,493325 kB165 months agoMIT
node-cmd0285-75 years agoMIT
shell-quote05323.7 kB11a year agoMIT
shelljs014,404152 kB100a year agoBSD-3-Clause

Executing Shell Commands in Node.js: A Practical Guide for Frontend Engineers

When building frontend tooling, CI scripts, or development workflows in Node.js, you’ll often need to run shell commands — whether it’s launching a build, checking Git status, or interacting with system utilities. The JavaScript ecosystem offers several packages for this, each with different trade-offs in safety, cross-platform support, and ease of use. Let’s compare the real-world differences between child_process, cross-env, execa, node-cmd, shell-quote, and shelljs.

⚙️ Core Purpose: What Each Package Actually Does

It’s critical to understand that not all these packages do the same thing. Some execute commands, others just help format them, and one solves a completely different problem.

  • child_process: Built into Node.js. Lets you spawn child processes (e.g., run ls, git, npm). Low-level but powerful.
  • cross-env: Doesn’t run commands at all. It sets environment variables in a way that works on Windows, macOS, and Linux.
  • execa: A user-friendly wrapper around child_process with better defaults, promise support, and cross-platform fixes.
  • node-cmd: A minimal promise-based wrapper for running shell commands via child_process.exec.
  • shell-quote: Doesn’t execute anything. It safely escapes and formats command arguments as shell strings.
  • shelljs: Emulates Unix shell commands (like cp, mkdir, grep) in JavaScript, with cross-platform support.

💡 Key insight: You might use multiple of these together — e.g., shell-quote to safely build a command string, then execa to run it.

🖥️ Running Shell Commands: Direct Execution Compared

Let’s see how each execution-focused package actually runs a command like git log --oneline -5.

Using child_process (Node.js built-in)

You have three methods: spawn, exec, and execFile. spawn is preferred for long-running or large-output processes.

import { spawn } from 'child_process';

const git = spawn('git', ['log', '--oneline', '-5']);

git.stdout.on('data', (data) => {
  console.log(`stdout: ${data}`);
});

git.stderr.on('data', (data) => {
  console.error(`stderr: ${data}`);
});

git.on('close', (code) => {
  console.log(`child process exited with code ${code}`);
});

This gives full control but requires manual stream handling and error management.

Using execa

execa wraps child_process with promises, better defaults, and automatic stdout/stderr buffering.

import { execa } from 'execa';

try {
  const { stdout } = await execa('git', ['log', '--oneline', '-5']);
  console.log(stdout);
} catch (error) {
  console.error('Command failed:', error.stderr || error.message);
}

Much cleaner. Also supports shell: true if you need shell features like pipes.

Using node-cmd

A simpler promise wrapper, but only uses child_process.exec (which buffers all output in memory).

import cmd from 'node-cmd';

cmd.get(
  'git log --oneline -5',
  (err, data, stderr) => {
    if (err) {
      console.error('Error:', stderr || err);
      return;
    }
    console.log(data);
  }
);

Note: Uses callbacks by default, though you can promisify it. Also, because it uses exec, it’s risky for commands with large output.

Using shelljs

shelljs doesn’t run arbitrary shell commands by default — it provides JavaScript equivalents of common Unix tools.

import shell from 'shelljs';

// This runs `git log --oneline -5` using shell.exec()
const result = shell.exec('git log --oneline -5', { silent: true });

if (result.code === 0) {
  console.log(result.stdout);
} else {
  console.error(result.stderr);
}

But for many tasks, you’d use its built-ins instead:

// Instead of `cp src dest`, use:
shell.cp('src', 'dest');

// Instead of `mkdir -p build`, use:
shell.mkdir('-p', 'build');

This avoids shell injection risks and works consistently across platforms.

🔒 Safety: Avoiding Shell Injection

Passing untrusted input to shell commands is dangerous. Consider this naive approach:

// DANGEROUS — don't do this!
execa(`grep ${userInput} file.txt`, { shell: true });

If userInput is '; rm -rf /', you’re in trouble.

Safe approaches:

  • Use argument arrays (not shell strings): execa('grep', [userInput, 'file.txt'])
  • Escape inputs with shell-quote when you must build a shell string:
import quote from 'shell-quote';

const safeCmd = quote(['grep', userInput, 'file.txt']);
// Produces: "grep 'safe\ input' file.txt"

await execa(safeCmd, { shell: true });

shelljs avoids this entirely by not using the shell for its built-in commands (cp, ls, etc.). But if you use shell.exec(), you’re back in shell territory — so escape inputs there too.

🌍 Cross-Platform Compatibility

Frontend tooling must work on Windows, macOS, and Linux. Here’s how each package handles it.

child_process

Works everywhere, but you must handle platform differences:

  • Windows uses .exe, .bat, .cmd extensions
  • Path separators differ (\ vs /)
  • Commands like ls don’t exist on Windows

execa

Automatically appends common extensions (.cmd, .bat) on Windows when needed. Also normalizes signals and exit codes.

// Works on Windows and Unix
await execa('npm', ['run', 'build']);

node-cmd

Relies on the system shell, so it inherits all platform quirks. No special handling for Windows.

shelljs

Explicitly designed for cross-platform scripting. Its built-in commands (cp, mv, cat, which, etc.) work identically everywhere.

// This works on Windows, macOS, Linux
shell.cp('src/*.js', 'dist/');

cross-env: The Special Case

This package solves one specific problem: setting environment variables in package.json scripts.

On Unix:

{
  "scripts": {
    "build": "NODE_ENV=production webpack"
  }
}

On Windows, that fails. So you use cross-env:

{
  "scripts": {
    "build": "cross-env NODE_ENV=production webpack"
  }
}

It doesn’t run your main command — it just ensures the env vars are set correctly before handing off to webpack.

You cannot use cross-env to run arbitrary commands or replace execa. It’s a script-line utility, not a general-purpose execution library.

🛠️ When to Use Which Package

Need maximum control or streaming output?

→ Use child_process.spawn directly. Ideal for long-running processes like dev servers.

Building a CLI tool or dev script with clean async/await?

→ Use execa. It’s the best balance of power, safety, and ergonomics.

Just need to copy files, make directories, or check paths?

→ Use shelljs built-ins. Avoids shell entirely and works everywhere.

Must construct a shell command from dynamic parts?

→ Use shell-quote to escape inputs, then pass the string to execa({ shell: true }).

Setting environment variables in npm scripts?

→ Use cross-env — and only for that.

Avoid node-cmd in new projects

While functional, node-cmd hasn’t seen active maintenance in recent years and lacks the safety and feature set of execa. It also uses child_process.exec, which can hang on large outputs. Prefer execa instead.

🧪 Real-World Example: Safe Git Tagging Script

Imagine you want to create a script that tags the current Git commit with a version from package.json.

Unsafe (don’t do this):

// Vulnerable to injection if pkg.version is malicious
execa(`git tag ${pkg.version}`, { shell: true });

Safe with execa + array args:

import { execa } from 'execa';
import { readFileSync } from 'fs';

const pkg = JSON.parse(readFileSync('package.json'));
// Validate version format here if needed

await execa('git', ['tag', pkg.version]);

Safe with shell-quote + shell:

import quote from 'shell-quote';
import { execa } from 'execa';

const cmd = quote(['git', 'tag', pkg.version]);
await execa(cmd, { shell: true });

Both are safe, but the first is simpler and avoids the shell entirely.

📋 Summary Table

PackageExecutes Commands?Cross-PlatformPromise-BasedShell Injection Safe?Primary Use Case
child_process✅ Yes❌ Manual❌ (callbacks/events)✅ With array argsLow-level control, streaming
execa✅ Yes✅ Yes✅ Yes✅ With array argsGeneral-purpose command execution
node-cmd✅ Yes❌ No⚠️ Callbacks❌ (uses shell by default)Legacy/simple scripts (avoid in new code)
shelljs⚠️ Via .exec()✅ Yes❌ (sync by default)✅ For built-ins, ❌ for .exec()Cross-platform file/system ops
shell-quote❌ No✅ Yes❌ N/A✅ YesSafely formatting command strings
cross-env❌ No✅ Yes❌ N/A✅ YesSetting env vars in npm scripts

💡 Final Advice

  • Default to execa for running external commands in modern Node.js tooling.
  • Reach for shelljs when you’re doing file operations (cp, rm, mkdir) — it’s safer and more portable.
  • Always use argument arrays (not shell strings) unless you absolutely need shell features like pipes or globs.
  • Never concatenate untrusted input into shell commands — use shell-quote if you must build a string.
  • Use cross-env only in package.json scripts, not in application code.
  • Avoid node-cmd — it’s outdated and less safe than alternatives.

By understanding what each tool actually does — and where their boundaries lie — you’ll write more secure, maintainable, and cross-platform frontend infrastructure.

How to Choose: child_process vs cross-env vs execa vs node-cmd vs shell-quote vs shelljs

  • child_process:

    Choose child_process when you need low-level control over process spawning, such as streaming large outputs, managing long-running processes, or fine-tuning stdin/stdout/stderr pipes. It's part of Node.js core, so no dependencies are needed, but you'll handle cross-platform quirks and error management manually.

  • cross-env:

    Choose cross-env exclusively for setting environment variables in npm scripts that must run on both Windows and Unix-like systems. It does not execute arbitrary commands and should not be used programmatically in application code — only in package.json script definitions.

  • execa:

    Choose execa for most command execution needs in modern Node.js tooling. It provides a clean promise-based API, automatic cross-platform executable resolution (e.g., .cmd on Windows), safe defaults, and robust error handling while wrapping child_process effectively.

  • node-cmd:

    Avoid node-cmd in new projects. While it offers a simple callback-based interface for running shell commands, it relies on child_process.exec (which buffers all output in memory), lacks active maintenance, and provides no cross-platform safeguards or shell injection protection.

  • shell-quote:

    Choose shell-quote when you must dynamically construct shell command strings from user input or variables and need to escape arguments safely to prevent shell injection. It does not execute commands — pair it with execa({ shell: true }) or similar when shell features are required.

  • shelljs:

    Choose shelljs when performing common file system and shell-like operations (e.g., cp, mkdir, which, grep) in a cross-platform way. Its built-in commands avoid the system shell entirely, making scripts more portable and secure, though its exec() method still requires careful input handling.

Similar Npm Packages to cross-env

cross-env is a popular npm package that allows developers to set environment variables across different operating systems in a consistent manner. This is particularly useful in Node.js applications where environment variables are often used to configure settings for development, testing, and production environments. By using cross-env, developers can avoid issues that arise from differences in how environment variables are set on Windows versus Unix-based systems, ensuring that scripts run smoothly regardless of the OS.

While cross-env is a great tool for managing environment variables, there are several alternatives that also provide functionality for handling environment configurations. Here are a few notable options:

  • dotenv is a widely used package that loads environment variables from a .env file into process.env. This allows developers to define environment-specific variables in a simple text file, making it easy to manage configurations for different environments. dotenv is particularly useful for local development and is often used in conjunction with other tools to streamline the setup process.
  • dotenv-flow extends the functionality of dotenv by allowing for multiple .env files to be used based on the environment. This means you can have separate .env files for development, testing, and production, and dotenv-flow will automatically load the appropriate file based on the current environment. This added flexibility makes it a great choice for projects that require more complex environment management.
  • env-cmd is another alternative that allows you to run scripts with environment variables defined in a separate file. It supports multiple environment files and can be used to specify different configurations for various environments. env-cmd is particularly useful for projects that need to manage multiple configurations without cluttering the main codebase with environment variable definitions.

To see how cross-env compares with dotenv, dotenv-flow, and env-cmd, check out the comparison: Comparing cross-env vs dotenv vs dotenv-flow vs env-cmd.

Similar Npm Packages to execa

execa is a popular Node.js library that simplifies the process of executing shell commands and spawning child processes. It provides a promise-based API, making it easy to work with asynchronous operations while handling standard input, output, and error streams effectively. Execa is particularly useful for developers looking to run shell commands in a more manageable and reliable way compared to the built-in child_process module. However, there are several alternatives available that can also help with executing shell commands and managing child processes. Here are a few notable options:

  • child_process is a core Node.js module that allows you to spawn child processes and execute shell commands. While it is powerful and flexible, its API can be somewhat cumbersome, especially when dealing with asynchronous operations. Developers often find themselves writing additional boilerplate code to handle callbacks and manage streams, which can lead to less readable code. If you need a straightforward solution without adding external dependencies, the child_process module is a solid choice, but it may require more effort to use effectively.

  • cross-env is a utility that allows you to set environment variables across different operating systems in a consistent manner. While it is not a direct alternative to execa for executing commands, it is often used in conjunction with command execution libraries to ensure that environment variables are set correctly, especially when running scripts in a cross-platform environment. If your primary concern is managing environment variables while executing commands, cross-env is an excellent companion tool.

  • node-cmd is a simple Node.js library that provides a straightforward way to execute shell commands. It offers a clean API for running commands and handling their output, making it easier to work with than the native child_process module. However, it lacks some of the advanced features and flexibility that execa provides, such as promise support and better error handling. If you need a lightweight solution for executing commands without the additional features of execa, node-cmd may be suitable.

  • shelljs is a portable Unix shell commands for Node.js. It provides a comprehensive set of shell command implementations that work across different platforms. Shelljs allows you to write shell scripts in JavaScript, making it easy to execute commands and manage file operations. While it offers a rich set of features, it may be overkill if you only need to execute a few simple commands. If you are looking for a more extensive shell scripting solution, shelljs is a great option.

  • spawn-sync is a library that provides synchronous execution of shell commands. It is useful when you need to run commands in a blocking manner, ensuring that the command completes before moving on to the next line of code. However, synchronous execution can lead to performance issues in larger applications, as it blocks the event loop. If you require synchronous command execution and are aware of the potential downsides, spawn-sync can be a viable alternative.

To see how execa compares with these alternatives, check out the comparison: Comparing child_process vs cross-env vs execa vs node-cmd vs shelljs vs spawn-sync.

Similar Npm Packages to node-cmd

node-cmd is a Node.js package that provides a simple way to execute shell commands from within your Node.js applications. It abstracts the complexities of spawning child processes and allows developers to run commands easily, handle their output, and manage errors. While node-cmd is a useful tool for executing shell commands, there are several alternatives that offer similar or enhanced functionalities. Here are a few notable alternatives:

  • child_process is a built-in Node.js module that allows you to spawn child processes in a more granular way. It provides several methods for executing commands, such as exec, spawn, and fork, each with its own use cases. If you need fine control over the execution of shell commands and want to handle input/output streams directly, child_process is the go-to choice. It is part of the Node.js core, so there’s no need to install additional packages.
  • cross-env is a utility that allows you to set environment variables across different platforms (Windows, macOS, Linux) in a consistent manner. While it does not execute commands directly, it is often used in conjunction with other command execution tools to ensure that environment variables are set correctly. If your shell commands depend on specific environment variables, cross-env can help you avoid platform-specific issues.
  • execa is a modern alternative to child_process that simplifies the process of executing shell commands. It provides a promise-based API, making it easier to work with asynchronous code. execa also includes features like improved error handling, support for streaming output, and the ability to run commands with a custom shell. If you prefer a more modern and user-friendly API for executing commands, execa is an excellent choice.
  • npm-run-all is a utility that allows you to run multiple npm scripts in parallel or sequentially. While it is not a direct alternative for executing arbitrary shell commands, it can be very useful when managing complex build processes or scripts in your package.json. If your workflow involves running multiple npm scripts, npm-run-all can help streamline that process.
  • shelljs is a portable Unix shell commands for Node.js. It provides a set of shell commands that can be used in your Node.js scripts, allowing you to execute shell commands in a way that is consistent across different platforms. If you want to write scripts that resemble shell scripts but run within a Node.js environment, shelljs is a great option.

To see how node-cmd compares with these alternatives, check out the comparison: Comparing child_process vs cross-env vs execa vs node-cmd vs npm-run-all vs shelljs.

Similar Npm Packages to shell-quote

shell-quote is a JavaScript library designed for parsing and quoting shell commands. It provides a straightforward way to handle shell command strings, allowing developers to easily convert between shell command strings and JavaScript arrays. This is particularly useful when working with command-line interfaces or executing shell commands from within a Node.js application. The library ensures that commands are properly quoted and escaped, preventing issues related to special characters and spaces in command-line arguments.

While shell-quote is a robust solution for handling shell commands, there are several alternatives that offer similar functionality:

  • quote is a simple library that provides a straightforward way to quote strings for use in shell commands. It focuses on escaping special characters to ensure that the resulting string can be safely used in a shell context. If you need a lightweight solution for quoting strings without the overhead of parsing, quote is a great option.
  • shell-escape is another library that specializes in escaping shell command arguments. It provides a simple function to escape strings so that they can be safely included in shell commands. This library is particularly useful for developers who need to ensure that their command-line arguments are properly escaped without the need for full parsing capabilities.
  • shlex is a library that mimics the behavior of Python's shlex module, providing functions for splitting shell command strings into lists of arguments. It is particularly useful for parsing complex shell commands that may contain quoted strings or escaped characters. If you require a more comprehensive solution for parsing shell commands, shlex offers a robust set of features.

For a detailed comparison of these packages, visit: Comparing quote vs shell-escape vs shell-quote vs shlex.

Similar Npm Packages to shelljs

shelljs is a popular Node.js library that provides a portable way to execute shell commands in JavaScript. It allows developers to run shell commands directly from their Node.js scripts, making it easier to automate tasks, manage files, and perform system operations without needing to switch to the command line. Shelljs offers a simple and intuitive API that mimics Unix shell commands, making it accessible for those familiar with shell scripting.

While shelljs is a powerful tool for executing shell commands, there are several alternatives that also provide similar functionality. Here are a few noteworthy options:

  • child_process is a built-in Node.js module that allows you to spawn child processes in your application. It provides a more low-level API for executing shell commands and scripts. While it requires more boilerplate code compared to shelljs, it offers greater flexibility and control over the execution of child processes. If you need to handle complex scenarios or require specific configurations for your child processes, using child_process might be the right choice.

  • cross-env is a utility that allows you to set environment variables across different operating systems in a consistent manner. While it doesn't directly execute shell commands, it is often used in conjunction with other tools to ensure that environment variables are set correctly regardless of the platform. If your primary concern is managing environment variables for your scripts, cross-env is a lightweight and effective solution.

  • execa is a modern alternative to the built-in child_process module, providing a more user-friendly API for executing shell commands. It supports promises and async/await syntax, making it easier to work with asynchronous operations. Execa also includes features like improved error handling and the ability to handle streams, making it a great choice for developers looking for a more elegant solution than child_process.

  • node-cmd is another library that simplifies executing shell commands in Node.js applications. It provides a straightforward API for running commands and handling their output. While it may not have as many features as shelljs or execa, it is easy to use and can be a good option for simpler use cases.

  • shell-quote is a utility for parsing and quoting shell command strings. It is not a direct alternative for executing commands but can be useful when you need to build command strings safely. If you are working with dynamic command generation and want to ensure that your commands are properly quoted and parsed, shell-quote can be a valuable addition to your toolkit.

To explore how shelljs compares with these alternatives, check out the comparison: Comparing child_process vs cross-env vs execa vs node-cmd vs shell-quote vs shelljs.

README for child_process

Security holding package

This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it.

You may adopt this package by contacting support@npmjs.com and requesting the name.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.