Core: Fix Node 24 deprecation warning

[JReinhold]

Closes #32376

What I did

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

Greptile Summary

Updated On: 2025-09-11 11:45:39 UTC

This PR addresses Node 24 deprecation warnings (DEP0190) that occur when using spawnSync and spawn with shell: true and separate command arguments. The warning flags this pattern as a security vulnerability since arguments are not properly escaped when concatenated.

The fix applies two different approaches across the codebase:

1. Single command string approach: In upgrade.ts and postinstall.ts, commands like ['npm', 'ls'] are consolidated into single strings like 'npm ls' when using shell: true.

2. Array arguments without shell approach: In JsPackageManagerFactory.ts, the code switches from using shell commands as strings to using command arrays without the shell: true option.

The changes primarily affect package manager detection and command execution across Storybook's build and setup processes. These are internal operations that run during Storybook initialization, CLI commands, and addon installation. The corresponding test files are updated to match the new command patterns, ensuring mock expectations align with the actual implementation.

Additionally, a --trace-deprecation flag is added to the storybook:ui npm script to help developers identify similar issues during development.

Confidence score: 4/5

• This PR is safe to merge with low risk as it addresses Node 24 compatibility without changing core functionality
• Score reflects straightforward compatibility fixes with comprehensive test updates, though inconsistent approaches across files warrant minor attention
• Pay close attention to JsPackageManagerFactory.ts to ensure package manager detection still works reliably across different environments

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 88d8246

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	42s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-11 11:12:39 UTC

[greptile-apps]

Reviewing changes made in this pull request