Yeah, I was referring to Node.js. And no, what Node.js offers by default seems horrible[1]. It passes its entries to the system shell, which is completely insane.
Python's subprocess actually runs the process inside a Python process, so there is no possibility to hang yourself up in case of a vulnerability in shell code. You can explicitly run the subprocess in shell script if you need shell capabilities (glob expansion comes to mind), however you shouldn't.
[1]: https://nodejs.org/api/child_process.html
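An added example, not part of the comment above: it contrasts Python's `subprocess` called with an argv list (no shell) against `shell=True`, and shows glob expansion done in Python so the shell is not needed. It assumes a POSIX `/bin/sh`; the hostile string, file names and function names are constructed for illustration.

```python
import glob
import os
import subprocess
import sys
import tempfile

# Child program that reports the argv it received, one item per line.
ECHO_ARGV = "import sys; print('\\n'.join(sys.argv[1:]))"

# Constructed hostile input: a "filename" carrying shell metacharacters.
HOSTILE = "report.txt; echo INJECTED"


def run_without_shell(arg):
    """argv list, shell=False (the default): arg reaches the child as one literal string."""
    out = subprocess.run([sys.executable, "-c", ECHO_ARGV, arg],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_with_shell(arg):
    """shell=True with interpolation: the shell parses arg, so ';' starts a second command."""
    out = subprocess.run(f"echo {arg}", shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def list_logs_without_shell(directory):
    """Expand *.log in Python, then pass the matches as literal argv items."""
    files = sorted(glob.glob(os.path.join(glob.escape(directory), "*.log")))
    out = subprocess.run([sys.executable, "-c", ECHO_ARGV, *files],
                         capture_output=True, text=True, check=True)
    return [os.path.basename(p) for p in out.stdout.splitlines()]


def demo():
    # Constructed sample directory with two matching files and one non-match.
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.log", "b.log", "notes.txt"):
            open(os.path.join(d, name), "w").close()
        return run_without_shell(HOSTILE), run_with_shell(HOSTILE), list_logs_without_shell(d)


if __name__ == "__main__":
    print(demo())
```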