shx docs — injection-proof shell runner with typed parsers | SlothLabs

A type-safe, injection-proof shell runner with typed output parsers — three native implementations.

shx documentation

shx is a type-safe shell runner with safe-by-default interpolation and typed output parsers. Shelling out is usually either unsafe (string concatenation — hello injection) or stringly-typed (you hand-parse every stdout). shx fixes both.

Two guarantees, three languages

▸Injection-proof by construction. Commands are built from an argument list and spawned without a shell. Every interpolated or user-supplied value is exactly one argument — there is nothing to break out of because there is no shell.
▸Output is typed. text, lines, json, csv, and custom parsers are a first-class part of running a command, not an afterthought.
▸Tiny dependency footprint in every language.

The languages differ only where idioms differ: TypeScript uses tagged templates, Rust a builder plus a cmd! macro, Kotlin varargs / lists. The one-value-equals-one-argument safety boundary is identical everywhere.