I've noticed that in node.js 24, the htmllint task produces the following deprecation warning upon processing any files:
Running "htmllint:all" (htmllint) task
(node:25724) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use node --trace-deprecation ... to show where the warning was created)
...
Here's its entry in node.js' deprecated APIs page:
DEP0190: Passing args to node:child_process execFile/spawn with shell option
I'm unable to get any useful info with node --trace-deprecation, but given what's described in the error, it's likely caused by the cross-spawn dependency. Specifically moxystudio/node-cross-spawn#176. Unfortunately, that project appears to have gone stale in late 2024 (no new releases, commits or maintenance activity since then). Other recently-reported security issues also haven't received any follow-up.
Since grunt-html is still maintained to this day, maybe there'd be value in dropping that dependency? I'm not aware of any "drop-in" substitutes for it, but it looks like at least one other project (valeryan/vscode-phpsab#172) got rid of it and brought its functionality "in-house".
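The behaviour DEP0190 warns about, shown as an added example that is not code from this issue, grunt-html or cross-spawn: the same argument is passed to a child process with an args array plus `shell: true`, with no shell, and as one explicitly quoted command string. It assumes a POSIX `/bin/sh` with `echo` available; the file name is constructed and the helper names (`run`, `shQuote`, and the three variants) are hypothetical.

```javascript
const { spawnSync } = require('node:child_process');

// Constructed input: a file name a lint task might receive from a glob.
const fileName = 'my page.html; echo SECOND_COMMAND';

// Run a command synchronously and return its non-empty stdout lines.
function run(cmd, args, options = {}) {
  const res = spawnSync(cmd, args, { encoding: 'utf8', ...options });
  return res.stdout.split('\n').filter(Boolean);
}

// 1. The deprecated pattern: with shell: true the args are joined with
//    spaces and the shell parses the resulting string, so ';' ends the
//    first command and the rest runs as a second one.
function viaShellWithArgs(name) {
  return run('echo', [name], { shell: true });
}

// 2. No shell: each array element reaches the child as exactly one argv
//    entry, so metacharacters are just bytes in the file name.
function withoutShell(name) {
  return run('echo', [name]);
}

// POSIX single-quote escaping: close the quote, emit an escaped quote,
// reopen. Not valid for cmd.exe (assumption: POSIX shell only).
function shQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// 3. When a shell is genuinely required: build one command string with
//    every argument quoted, and pass an empty args array.
function viaShellQuoted(name) {
  return run('echo ' + shQuote(name), [], { shell: true });
}

console.log('shell + args  :', viaShellWithArgs(fileName));
console.log('no shell      :', withoutShell(fileName));
console.log('shell + quoted:', viaShellQuoted(fileName));
```
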