security scan prints 'The system cannot find the path specified' on Windows

[Tovli]

Summary

On Windows, npx @claude-flow/cli security scan --depth full completes the scan output but then prints:

The system cannot find the path specified.

Reproduction

Environment used to reproduce:

• OS: Windows
• Node: v22.16.0
• npm: 10.8.3
• CLI/package version in local workspace: 3.5.48

Command:

npx @claude-flow/cli security scan --depth full

Actual behavior

The scan runs and prints findings / summary, then emits an extra Windows error:

The system cannot find the path specified.

Expected behavior

The command should exit cleanly after printing the scan summary, without any extra shell/path error on Windows.

Root cause

The security scan command uses POSIX shell syntax in the dependency-audit path:

npm audit --json 2>/dev/null || true

and in the autofix path:

npm audit fix 2>/dev/null || true

That works under POSIX shells, but on Windows cmd.exe does not understand /dev/null, so it surfaces The system cannot find the path specified.

Suggested fix

Avoid shell redirection / || true here and use a platform-safe child-process call instead, e.g. spawnSync/execFile with:

• npm.cmd on win32
• npm elsewhere

and parse stdout directly.

Notes

I reproduced this locally and confirmed the error is tied to the npm audit shell invocation, not the scan itself.

[ruvnet]

Fixed in v3.5.51 (PR #1502). Removed POSIX 2>/dev/null || true from npm audit calls — replaced with stdio: 'pipe' + try/catch. Works on Windows cmd.exe and PowerShell.

npx claude-flow@3.5.51